Example 1 – modifying the penalty box

As an example of how we can change rules generated by the pfSense traffic shaper wizard to suit our needs, let's revisit the penalty box rule. As you might recall, the traffic shaper wizard lets us assign a single IP address to the low-priority queue (qOthersLow). Suppose we want to make two modifications to the penalty box:

  • Instead of a single IP address, we want to ban a range of IP addresses.
  • The only traffic we want to penalize is from a video streaming application that uses the Real-time Transport Protocol (RTP). RTP in turn uses UDP, so we only want to block UDP traffic.

The traffic shaper wizard does not allow us to do this. Fortunately, changing the existing penalty box rule is relatively easy to do. Assume that we want to assign 172.16.1.1 to 172.16.1.15 to the penalty box. Rather conveniently, the IP addresses all fall within a subnet that is defined by the subnet mask 255.255.255.240, or a CIDR of 28. Thus, we click on the edit icon for the penalty box rule and make the necessary changes:

  1. Protocol is currently set to Any. Select UDP from the Protocol drop-down box.
  2. Source is currently set to Single host or alias and to an IP address of 172.16.1.10. Select Network from the Source drop-down box.
  3. Set the network to 172.16.1.0, and set the CIDR in the corresponding drop-down box to 28.
  4. Click on the Save button at the bottom of the page, and when the main Floating rules page loads, click on the Apply Changes button at the top of the page.

Now the entire subnet from 172.16.1.1 to 172.16.1.15 will be in the penalty box. But what if we want to assign an arbitrary set of IP addresses to the penalty box? For example, assume that we want to assign 172.17.1.10, 172.18.1.12, and 172.18.1.17 to the penalty box. Obviously, we cannot use the approach outlined earlier, since the nodes are on different networks. We could create three separate rules (one for each IP address), but we should try to avoid duplication when possible. Thus we revisit a concept introduced in Chapter 4, pfSense as a Firewall, namely aliases, and utilize the following approach:

  1. Navigate to Firewall | Aliases and click on the Add button.
  2. In the Name edit box, type PENALTYBOX. You may also enter a brief description in the Description edit box (for example, Nodes assigned to the low priority queue). In the Type drop-down box, select Host(s).
  3. In the Host(s) section of the page, enter each IP address. Click on the Add Host button after entering the first and second IP address. The CIDR will be updated automatically.
  4. Click on the Save button at the bottom of the page, then click on the Apply Changes button on the main Aliases page.
  5. Now that we have an alias we can use, we will return to Firewall | Rules and click on the Floating tab. Click on the Edit icon on the penalty box rule.
  6. For Source, select Single host or alias in the drop-down box. In the edit box, type PENALTYBOX (as soon as you start typing, the autocomplete feature should do the rest).
  7. Click on the Save button at the bottom of the page, and click on the Apply Changes button on the main Floating rules page.
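To see why the /28 network works for the first set of hosts but an alias is needed for the second, the following added Python example (not part of the book or of pfSense) models the two penalty box rule variants described above and computes the smallest single CIDR block that would cover the three alias hosts. The rule class, the match function and the sample packets are constructed for illustration; the addresses, protocol and queue name are the ones used in the text.

```python
import ipaddress
from dataclasses import dataclass


# Constructed model of a floating penalty box rule: protocol match plus a
# source that is either one network (the /28 variant) or several alias hosts.
@dataclass(frozen=True)
class PenaltyRule:
    proto: str        # "udp" or "any"
    sources: tuple    # tuple of ipaddress.IPv4Network objects
    queue: str = "qOthersLow"


def assigned_queue(rule, proto, src):
    """Return the queue a packet is assigned to, or None if the rule does
    not match (the packet is then handled by the wizard's other rules)."""
    if rule.proto != "any" and proto != rule.proto:
        return None
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in rule.sources):
        return rule.queue
    return None


def covering_prefix(hosts):
    """Smallest single CIDR block containing every host, i.e. what a
    'Network' source would have to be if no alias were available."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()   # widen by one bit until all hosts fit
    return net


# Variant 1: contiguous range entered as Network 172.16.1.0 with CIDR 28.
RANGE_RULE = PenaltyRule("udp", (ipaddress.ip_network("172.16.1.0/28"),))

# Variant 2: alias PENALTYBOX holding three hosts on different networks.
ALIAS_HOSTS = ("172.17.1.10", "172.18.1.12", "172.18.1.17")
ALIAS_RULE = PenaltyRule("udp", tuple(ipaddress.ip_network(h) for h in ALIAS_HOSTS))

if __name__ == "__main__":
    print(assigned_queue(RANGE_RULE, "udp", "172.16.1.15"))   # qOthersLow
    print(assigned_queue(RANGE_RULE, "tcp", "172.16.1.15"))   # None: only UDP is penalized
    print(assigned_queue(RANGE_RULE, "udp", "172.16.1.16"))   # None: outside the /28
    print(assigned_queue(ALIAS_RULE, "udp", "172.18.1.12"))   # qOthersLow
    print(covering_prefix(ALIAS_HOSTS))                       # 172.16.0.0/14
```

Note that the /28 also covers 172.16.1.0, and that a single network source for the three alias hosts would have to be 172.16.0.0/14, penalizing every host in 172.16.0.0 through 172.19.255.255; that is the duplication-free reason to use an alias.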