@89 block drop in log quick inet proto tcp from any to (self:6) port = https label "cf71bd279bf362b692660bb2087a81a9"
@90 block drop in log quick inet6 proto tcp from any to (self:6) port = https label "cf71bd279bf362b692660bb2087a81a9"
@91 block drop in log quick inet proto udp from any to (self:6) port = https label "0001e43c0bef4ff4e9024fe574d42dff"
@92 block drop in log quick inet6 proto udp from any to (self:6) port = https label "0001e43c0bef4ff4e9024fe574d42dff"
@93 block drop in log quick inet proto tcp from any to (self:6) port = ssh label "b44abaa9b56f07027e164eec809d325e"
@94 block drop in log quick inet6 proto tcp from any to (self:6) port = ssh label "b44abaa9b56f07027e164eec809d325e"
@95 block drop in log quick inet proto udp from any to (self:6) port = ssh label "177759f6467fe65f14333f0313a2577d"
@96 block drop in log quick inet6 proto udp from any to (self:6) port = ssh label "177759f6467fe65f14333f0313a2577d"
@97 block drop in log quick inet proto tcp from any to (self:6) port = http label "0db008d6c8271e5489cbc5041e7ffbc0"
@98 block drop in log quick inet6 proto tcp from any to (self:6) port = http label "0db008d6c8271e5489cbc5041e7ffbc0"
@99 block drop in log quick inet proto udp from any to (self:6) port = http label "423204b862c056f9cc6bff5c305bcf5c"
@100 block drop in log quick inet6 proto udp from any to (self:6) port = http label "423204b862c056f9cc6bff5c305bcf5c"
PACKET FILTERING
...
PARAMETERS
The rule parameters specify the packets to which a rule applies. A packet always comes in on, or goes out through, one interface. Most parameters are optional. If a parameter is specified, the rule only applies to packets with matching attributes. Certain parameters can be expressed as lists, in which case pfctl generates all needed rule combinations.
...
on <interface>
This rule applies only to packets coming in on, or going out through, this particular interface or interface group. For more information on interface groups, see the group keyword in ifconfig.
I have another question: does the way I use it follow the standard?
Is it possible that OPNsense will change the actual rule it generates when no interface is chosen, in the future?
In the part about using the interfaces field: yes.

(I cannot reason about the meaning of the rules shown without knowing the purpose.)
Don't think so. You can always check the code (it's open source, right?): https://github.com/opnsense/core/blob/7c251db7207f6499dc094375e6a1b06f6f12346c/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php#L315
The "rule constructor" will just add "" instead of "on {something}" if there are no interfaces selected.
...The purpose I use these rules for is to only allow access to the web GUI and SSH of the firewall on the LAN interface....
Enable DHCP, reserve an IP based on MAC (and enable static ARP) and allow access to the GUI/SSH only for this IP (and a backup machine with another MAC, or use a USB-RJ45 adapter as a key to your router that can be used on different machines). An additional layer of security.