Firewall Policy using Microsoft Well Known Services

Started by lmoore, February 18, 2026, 08:17:18 AM

I created a policy to allow connections out on an interface to port ms-wbt-server, i.e. MS RDP, using the Well Known Service MS-WBT-SERVER in the GUI port selection.

See Firewall policy using service ms-wbt-server.png.

After troubleshooting I discovered the policy was never created as a rule in pf and it appears to be the case when selecting other Microsoft services.

_fictional@gatekeeper:~ % sudo pfctl -gsr | grep DMZ
_fictional@gatekeeper:~ %

Testing the policy using other well known services such as NTP, POP3 & DOMAIN, it gets added to the pf rule set.

See Firewall policy using service domain.png.

_fictional@gatekeeper:~ % sudo pfctl -gsr | grep DMZ
@522 pass in log quick on MGMT inet proto tcp from any to (DMZ:network:*) port = domain flags S/SA keep state label "3d50d6c4-680c-40cf-b61b-bf00ae6b224b"
@523 pass in log quick on MGMT inet proto udp from any to (DMZ:network:*) port = domain keep state label "3d50d6c4-680c-40cf-b61b-bf00ae6b224b"
_fictional@gatekeeper:~ %

Is this a Feature or a Bug when Microsoft services are used in a policy?
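A quick way to catch this class of problem on any firewall is to verify, after saving a GUI policy, that its label actually shows up in the loaded pf ruleset. The script below is an added example written for this thread, not code from the original post or from the firewall project. It embeds a constructed copy of the `pfctl -sr` output shown above (the domain rules and their label are the ones from the post; `LABEL_RDP` is an obvious placeholder for the RDP policy's label, and the service-to-port table is an assumption standing in for /etc/services), so it runs without pf; on a live box you would feed it `sudo pfctl -sr` instead.

```shell
#!/bin/sh
# Added verification script (not from the forum post): confirm that every
# firewall policy you expect to be active actually reached the loaded pf
# ruleset, and list the ones that silently did not.
# On a live firewall you would feed it real output, e.g.:
#   RULES=$(sudo pfctl -sr)
# The ruleset below is constructed so the script runs without pf.

LABEL_DOMAIN='3d50d6c4-680c-40cf-b61b-bf00ae6b224b'   # label seen in the post
LABEL_RDP='PLACEHOLDER-LABEL-OF-THE-RDP-POLICY'          # made-up placeholder

SAMPLE_RULES="@522 pass in log quick on MGMT inet proto tcp from any to (DMZ:network:*) port = domain flags S/SA keep state label \"$LABEL_DOMAIN\"
@523 pass in log quick on MGMT inet proto udp from any to (DMZ:network:*) port = domain keep state label \"$LABEL_DOMAIN\""

# service_port NAME -> port number for a symbolic service name.
# Constructed lookup table (assumption: these are the registered ports);
# a real host resolves names through /etc/services, e.g. getent services NAME.
service_port() {
    case "$1" in
        domain)        echo 53 ;;
        ntp)           echo 123 ;;
        pop3)          echo 110 ;;
        ms-wbt-server) echo 3389 ;;
        *)             return 1 ;;
    esac
}

# rule_count RULESET LABEL -> number of loaded rules tagged with LABEL
rule_count() {
    printf '%s\n' "$1" | grep -c "label \"$2\"" || true
}

# missing_policies RULESET LABEL=SERVICE... -> one line per policy that has
# no rule in RULESET, with the port the service name should have resolved to.
missing_policies() {
    ruleset=$1
    shift
    for pair in "$@"; do
        label=${pair%%=*}
        svc=${pair#*=}
        port=$(service_port "$svc") || port='unknown-service'
        if [ "$(rule_count "$ruleset" "$label")" -eq 0 ]; then
            echo "MISSING $label $svc (port $port)"
        fi
    done
}

# Sample run: the domain policy is loaded, the RDP policy is reported missing.
missing_policies "$SAMPLE_RULES" "$LABEL_DOMAIN=domain" "$LABEL_RDP=ms-wbt-server"
```

Run it after each policy change; a `MISSING` line means the GUI accepted the policy but pf never received a rule for it, which is exactly the silent failure described in this thread. The port column helps separate a service name the host cannot resolve from a rule that was dropped for some other reason.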