How to properly configure a rule for RPC?

[Guybrush]

Greetings,

I am currently testing out how to enable RPC through Opnsense (current). The standard ports are no big deal, but how do I handle the dynamic high range ports? I do not want to (means - cannot) restrict RPC ports on the destination Windows machines for several reasons. I usually work with Barracuda Firewalls, they have a RPC helper, which works fine. I wonder if there is something similar available with Opnsense? If so, can anybody point me to a how-to/docs/something to accomplish that?

Huge thanks in advance
Guybrush

[benyamin]

I believe that would require a helper capable of inspection and control at OSI Layer 5 (Session Layer) at a minimum and for that information to be maintained in some sort of session state table (or THE session state table).

Usually this would require hardware inspection, i.e. ASICs, to not adversely affect performance. That being said, clearly some software firewalls over the years have been able to do this (think M$). IIRC, with the demise of TMG, I think Barracuda and some others picked up this feature.

I'm not aware of anything in the OPNsense space that would fit the bill.

Maybe some Layer 7 plugin...? Are there any?