
pfsense_rule

Orion Poplawski edited this page Jan 1, 2024 · 11 revisions

pfsensible.core.pfsense_rule


        Manage pfSense firewall rules

ADDED IN: version 0.1.0 of pfsensible.core

OPTIONS (= is mandatory):

- ackqueue
        QOS acknowledge queue
        default: null
        type: str

- action
        The action of the rule
        choices: [pass, block, match, reject]
        default: pass
        type: str

- after
        Rule to go after, or `top'
        default: null
        type: str

- before
        Rule to go before, or `bottom'
        default: null
        type: str

- destination
        The destination address, in
        [!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE}
        format.
        default: null
        type: str

- destination_port
        Destination port or port range specification.
        This can either be an alias or a port number.
        An inclusive range can also be specified, using the format
        `first-last'.
        default: null
        type: str

- direction
        Direction the floating rule applies to
        choices: [any, in, out]
        default: null
        type: str

- disabled
        Is the rule disabled
        default: false
        type: bool

- floating
        Is the rule floating
        default: null
        type: bool

- gateway
        Leave as `default' to use the system routing table or choose a
        gateway to utilize policy based routing.
        default: default
        type: str

- icmptype
        One or more of these ICMP subtypes may be specified, separated
        by comma, or `any' for all of them.
        The types must match the IP protocol.
        althost, dataconv, echorep, echoreq, fqdnrep, fqdnreq,
        groupqry, grouprep, groupterm, inforep, inforeq, ipv6-here,
        ipv6-where, listendone, listenrep, listqry, maskrep, maskreq,
        mobredir, mobregrep, mobregreq, mtrace, mtraceresp,
        neighbradv, neighbrsol, niqry, nirep, paramprob, photuris,
        redir, routeradv, routersol, routrrenum, skip, squench,
        timerep, timereq, timex, toobig, trace, unreach, wrurep,
        wrureq
        default: any
        type: str

- in_queue
        Limiter queue for traffic coming into the chosen interface
        default: null
        type: str

= interface
        The interface for the rule
        type: str

- ipprotocol
        The IP protocol
        choices: [inet, inet46, inet6]
        default: inet
        type: str

- log
        Log packets matched by rule
        default: null
        type: bool

= name
        The name of the rule
        default: null
        type: str

- out_queue
        Limiter queue for traffic leaving the chosen interface
        default: null
        type: str

- protocol
        The protocol
        choices: [any, tcp, udp, tcp/udp, icmp, igmp, ospf, esp, ah, gre, pim, sctp, pfsync, carp]
        default: any
        type: str

- queue
        QOS default queue
        default: null
        type: str

- queue_error
        Raise an error if a specified queue is missing
        default: true
        type: bool

- quick
        Set this option to apply this action to traffic that matches
        this rule immediately
        default: false
        type: bool

- sched
        Schedule day/time when the rule must be active
        default: null
        type: str

- source
        The source address, in
        [!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE}
        format.
        default: null
        type: str

- source_port
        Source port or port range specification.
        This can either be an alias or a port number.
        An inclusive range can also be specified, using the format
        `first-last'.
        default: null
        type: str

- state
        State in which to leave the rule
        choices: [present, absent]
        default: present
        type: str

- statetype
        State type
        choices: [keep state, sloppy state, synproxy state, none]
        default: keep state
        type: str

- tcpflags_any
        Allow TCP packets with any flags set.
        default: null
        type: bool

- tracker
        Rule tracking ID. Defaults to the timestamp of rule creation and
        is not modified if not set or set to 0.
        default: null
        type: str
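The address and port formats documented under `source', `destination', `source_port' and `destination_port' are easy to get subtly wrong in a playbook (a negated network with host bits set, a reversed range, a port on a protocol that carries none), and a mistake only surfaces when the play reaches the firewall. The following Python validator is an added example written for this page, not code from the pfsensible project: it parses the `[!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE}' address format and the `first-last' port format, and checks a task's arguments against the choices listed above before anything is pushed. The identifier pattern for alias, host and interface names, the check that ports only apply to tcp/udp/tcp/udp (pfSense behaviour, not stated on this page), and the sample tasks are assumptions of the example.

```python
"""Validate pfsense_rule address and port arguments before a play runs (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Choices copied from the option table above.
ACTIONS = {"pass", "block", "match", "reject"}
IPPROTOCOLS = {"inet", "inet46", "inet6"}
PROTOCOLS = {"any", "tcp", "udp", "tcp/udp", "icmp", "igmp", "ospf", "esp",
             "ah", "gre", "pim", "sctp", "pfsync", "carp"}
# Assumption (pfSense behaviour, not stated on the page): ports exist only for these.
PORT_PROTOCOLS = {"tcp", "udp", "tcp/udp"}
# Assumed shape of alias, host and interface names; the page does not define one.
IDENT_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


@dataclass(frozen=True)
class AddressSpec:
    kind: str             # any | self | ip | net | ip_interface | net_interface | alias_or_host
    value: Optional[str]  # address, network, interface or alias name (None for any/self)
    negate: bool          # a leading '!' was present


@dataclass(frozen=True)
class PortSpec:
    first: Optional[int]  # numeric range; first == last for a single port
    last: Optional[int]
    alias: Optional[str]  # alias name when the spec is not numeric


def parse_address(spec: str) -> AddressSpec:
    """Parse [!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE}."""
    s = spec.strip()
    negate = s.startswith("!")
    if negate:
        s = s[1:]
    if not s:
        raise ValueError(f"empty address specification: {spec!r}")
    if s == "any":
        return AddressSpec("any", None, negate)
    if s == "(self)":
        return AddressSpec("self", None, negate)
    prefix, sep, iface = s.partition(":")   # IPv6 literals fall through: prefix is hex, not IP/NET
    if sep and prefix in ("IP", "NET"):
        if not IDENT_RE.match(iface):
            raise ValueError(f"bad interface name in {spec!r}")
        return AddressSpec("ip_interface" if prefix == "IP" else "net_interface", iface, negate)
    try:
        ipaddress.ip_address(s)
        return AddressSpec("ip", s, negate)
    except ValueError:
        pass
    try:
        ipaddress.ip_network(s)              # strict: host bits must be zero, so 10.0.0.1/24 is rejected
        return AddressSpec("net", s, negate)
    except ValueError:
        pass
    if IDENT_RE.match(s):
        return AddressSpec("alias_or_host", s, negate)
    raise ValueError(f"unrecognised address specification: {spec!r}")


def parse_port(spec) -> PortSpec:
    """Parse a single port, an inclusive `first-last' range, or an alias name."""
    s = str(spec).strip()                    # YAML hands over an int for a bare number such as 53
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", s)
    if m:
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"port range reversed or outside 1-65535: {spec!r}")
        return PortSpec(first, last, None)
    if IDENT_RE.match(s):
        return PortSpec(None, None, s)
    raise ValueError(f"unrecognised port specification: {spec!r}")


def validate_rule(rule: dict) -> list:
    """Return the problems found in one pfsense_rule task's arguments (empty list = clean)."""
    problems = []
    for key, choices in (("action", ACTIONS), ("ipprotocol", IPPROTOCOLS), ("protocol", PROTOCOLS)):
        if key in rule and rule[key] not in choices:
            problems.append(f"{key}={rule[key]!r} is not one of {sorted(choices)}")
    if "interface" not in rule or "name" not in rule:
        problems.append("interface and name are mandatory")
    for key in ("source", "destination"):
        if key in rule:
            try:
                parse_address(str(rule[key]))
            except ValueError as exc:
                problems.append(str(exc))
    protocol = rule.get("protocol", "any")
    for key in ("source_port", "destination_port"):
        if key in rule:
            if protocol not in PORT_PROTOCOLS:
                problems.append(f"{key} given but protocol={protocol!r} carries no ports")
            try:
                parse_port(rule[key])
            except ValueError as exc:
                problems.append(str(exc))
    if "direction" in rule and not rule.get("floating"):   # direction is documented for floating rules
        problems.append("direction is only meaningful when floating: true")
    return problems


# Constructed sample tasks: the page's two examples plus one deliberately wrong one.
RULES = {
    "dns_out": {"name": "Allow Internal DNS traffic out", "action": "pass", "interface": "lan",
                "ipprotocol": "inet", "protocol": "udp", "source": "dns_int",
                "destination": "any", "destination_port": 53},
    "port_range": {"name": "Allow inbound port range", "action": "pass", "interface": "wan",
                   "ipprotocol": "inet", "protocol": "tcp", "source": "any",
                   "destination": "NET:lan", "destination_port": "4000-5000"},
    "bad": {"name": "typo", "action": "alow", "interface": "wan", "protocol": "icmp",
            "source": "10.0.0.1/24", "destination_port": "5000-4000"},
}


def check_all(rules=RULES) -> dict:
    """Validate every sample task; maps task label to its list of problems."""
    return {label: validate_rule(rule) for label, rule in rules.items()}


if __name__ == "__main__":
    for label, problems in check_all().items():
        print(label, "OK" if not problems else problems)
```

Run it before `ansible-playbook` (or wire `validate_rule` into a pre-task) so a typo in `action' or a reversed range fails fast on the control node instead of after the module has touched the firewall configuration; the two tasks copied from the EXAMPLES section pass cleanly, while the constructed `bad' task reports four separate problems.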


AUTHOR: Orion Poplawski (@opoplawski), Frederic Bor (@f-bor)

METADATA:
  metadata_version: '1.1'
  status:
  - preview
  supported_by: community

EXAMPLES:

- name: "Add Internal DNS out rule"
  pfsense_rule:
    name: 'Allow Internal DNS traffic out'
    action: pass
    interface: lan
    ipprotocol: inet
    protocol: udp
    source: dns_int
    destination: any
    destination_port: 53
    after: 'Allow proxies out'
    state: present
- name: "Allow inbound port range"
  pfsense_rule:
    name: 'Allow inbound port range'
    action: pass
    interface: wan
    ipprotocol: inet
    protocol: tcp
    source: any
    destination: NET:lan
    destination_port: 4000-5000
    after: 'Allow Internal DNS traffic out'
    state: present