I created a policy to allow connections out on an interface to port ms-wbt-server, i.e. MS RDP, using the Well Known Service MS-WBT-SERVER in the GUI port selection.
See Firewall policy using service ms-wbt-server.png.
After troubleshooting, I discovered the policy was never created as a rule in pf, and it appears to be the case when selecting other Microsoft services.
_fictional@gatekeeper:~ % sudo pfctl -gsr | grep DMZ
_fictional@gatekeeper:~ %
Testing the policy using other well-known services such as NTP, POP3 & DOMAIN, it gets added to the pf rule set.
See Firewall policy using service domain.png.
_fictional@gatekeeper:~ % sudo pfctl -gsr | grep DMZ
@522 pass in log quick on MGMT inet proto tcp from any to (DMZ:network:*) port = domain flags S/SA keep state label "3d50d6c4-680c-40cf-b61b-bf00ae6b224b"
@523 pass in log quick on MGMT inet proto udp from any to (DMZ:network:*) port = domain keep state label "3d50d6c4-680c-40cf-b61b-bf00ae6b224b"
_fictional@gatekeeper:~ %
Is this a feature or a bug when Microsoft services are used in a policy?
I've filed a bug report regarding this issue: https://github.com/opnsense/core/issues/9835
Resolved in https://github.com/opnsense/core/issues/9835#issuecomment-3933115711
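A small verification helper for the situation described above, added here as an example (not code from the post or from OPNsense): it checks whether a GUI policy, identified by the UUID label OPNsense stamps on each generated pf rule, is actually present in the loaded ruleset, and separately whether the chosen service name resolves in a services(5) table, so a silently dropped policy is not mistaken for a name-lookup problem. The ruleset sample is the pfctl output from the post; the services excerpt and the RDP policy UUID are constructed placeholders.

```sh
#!/bin/sh
# Added verification helper; not from the post and not part of OPNsense.
# Confirms a GUI policy (UUID label on every generated pf rule) really is in
# the loaded ruleset, and that the service name used in the port selector
# resolves in a services(5)-format table.

# Constructed sample: the two rules pfctl printed in the post for the "domain" policy.
SAMPLE_RULES='@522 pass in log quick on MGMT inet proto tcp from any to (DMZ:network:*) port = domain flags S/SA keep state label "3d50d6c4-680c-40cf-b61b-bf00ae6b224b"
@523 pass in log quick on MGMT inet proto udp from any to (DMZ:network:*) port = domain keep state label "3d50d6c4-680c-40cf-b61b-bf00ae6b224b"'

# Constructed /etc/services excerpt (same entries FreeBSD ships).
SAMPLE_SERVICES='domain 53/tcp
domain 53/udp
ntp 123/udp
ms-wbt-server 3389/tcp'

# Hypothetical UUID standing in for the ms-wbt-server policy that produced no rule.
RDP_POLICY_LABEL='11111111-2222-3333-4444-555555555555'

# Number of loaded rules carrying a label ($1 = ruleset text, $2 = label).
count_rules_with_label() {
    printf '%s\n' "$1" | grep -Fc "label \"$2\"" || true
}

# Ports a service name maps to in a services(5) table ($1 = table, $2 = name).
lookup_service() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2 }'
}

# Verdict for one policy: $1 ruleset, $2 services table, $3 label, $4 service name.
check_policy() {
    n=$(count_rules_with_label "$1" "$3")
    ports=$(lookup_service "$2" "$4")
    if [ -z "$ports" ]; then
        echo "UNKNOWN_SERVICE"   # the name cannot be mapped to a port at all
    elif [ "$n" -eq 0 ]; then
        echo "NOT_LOADED"        # the name is fine, but pf never received the rule
    else
        echo "LOADED:$n"         # one rule per protocol the policy covers
    fi
}

# Stand-alone run over the constructed samples.
check_policy "$SAMPLE_RULES" "$SAMPLE_SERVICES" 3d50d6c4-680c-40cf-b61b-bf00ae6b224b domain
check_policy "$SAMPLE_RULES" "$SAMPLE_SERVICES" "$RDP_POLICY_LABEL" ms-wbt-server
```

On the firewall itself, replace the two samples with `"$(sudo pfctl -sr)"` and `"$(cat /etc/services)"` and pass the UUID of the policy you are checking.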