Example 2 – excluding a port

Assume we have created the DCC Port Forwarding entry described previously, but now we want to exclude a subset of these ports (5215 to 5220) from the range of allowed ports. Fortunately, pfSense makes this process easy:

  1. Navigate to Firewall | NAT. Port Forward is the default tab, so you should not have to click on that tab. Click on the Add button with the up arrow to add a port forwarding entry at the top of the list.
  2. Enable No RDR (NOT) to disable redirection for traffic matching the rule.
  3. For Protocol, keep the default of TCP. Destination port range should be set to 5215 for the From port and 5220 for the To port. Note that Redirect target IP, Redirect target port, and Filter rule association go away when No RDR (NOT) is enabled.
  4. Enter an appropriate description (such as Port forwarding for DCC) and click on the Save button. On the Port Forwarding page, click on Apply Changes.

You should now have a subset of the ports forwarded in the previous example blocked. Whether or not your IRC client supports multiple port ranges for DCC, however, is another issue. Keep in mind that NAT entries are evaluated on a top-down basis, so if the new entry appears after the earlier entry, you will want to drag it above the more permissive DCC rule; otherwise, the traffic will match the first rule and never get to the second one.
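
The ordering pitfall can be checked offline with a small model of first-match evaluation. The following Python sketch is an added example, not pfSense code: the `NatRule` class, the function names, the forwarded range 5000 to 5300, and the target 192.168.1.10 are assumptions made for illustration, and only the excluded range 5215 to 5220 comes from the steps above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    descr: str
    proto: str
    lo: int                # "From port"
    hi: int                # "To port"
    target: Optional[str]  # None models an entry with No RDR (NOT) enabled

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.lo <= port <= self.hi


def evaluate(rules: List[NatRule], proto: str, port: int) -> Optional[str]:
    """Top-down, first match wins. Returns the redirect target, or None
    when the traffic is not redirected (No RDR match or no match at all)."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.target
    return None


def shadowed_exclusions(rules: List[NatRule]) -> List[Tuple[str, List[int]]]:
    """Report No RDR entries whose ports are already redirected by an
    entry placed above them, so the exclusion never takes effect."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.target is not None:
            continue
        leaked = [p for p in range(rule.lo, rule.hi + 1)
                  if evaluate(rules[:i], rule.proto, p) is not None]
        if leaked:
            findings.append((rule.descr, leaked))
    return findings


# Constructed sample entries (forwarded range and target are assumptions).
dcc_forward = NatRule("Port forwarding for DCC", "tcp", 5000, 5300, "192.168.1.10")
dcc_exclude = NatRule("Exclude DCC subset", "tcp", 5215, 5220, None)

wrong_order = [dcc_forward, dcc_exclude]  # exclusion sits below the forward
right_order = [dcc_exclude, dcc_forward]  # exclusion dragged to the top

if __name__ == "__main__":
    for name, rules in (("wrong", wrong_order), ("right", right_order)):
        print(name, "5217 ->", evaluate(rules, "tcp", 5217),
              "| shadowed:", [d for d, _ in shadowed_exclusions(rules)])
```

With the exclusion below the forward entry, port 5217 is still redirected and the check flags the No RDR entry as shadowed; with the exclusion on top, only the six excluded ports escape redirection.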
