feature request for firewall rules

dwright · Wed Aug 17, 2005 9:42 am

Is it possible to add the mport like option to the firewall? That way we can match multiple ports to one firewall rule.

For example: dst-port=

add protocol=tcp dst-address=192.168.0.1 dst-port=22,25,80 action=accept

Thanks,

D~

maximan · Wed Aug 17, 2005 5:19 pm

You can use list of port like

add protocol=tcp dst-address=192.168.0.1 dst-port=22-80 action=accept

But not multiple catch port.

dwright · Wed Aug 17, 2005 5:33 pm

I know. I think it would be helpful to specify a list of specific ports, so you can sometimes combine multiple firewall rules into one.

D~

changeip · Wed Aug 17, 2005 5:47 pm

it would even be cooler to create a port-list just like address-list.

Sam

wildbill442 · Wed Aug 17, 2005 7:36 pm

it would even be cooler to create a port-list just like address-list.

Sam

you can just mangle the packets mark them as needed and then you can block by the name, and block multiple ports with one rule!

so mangle ports 135-139 TCP/UDP and 445 TCP and mark as NETBIOS..

Create a firewall rule that drops packets with packet mark NETBIOS.. cool stuff eh?

of course you still have to create multiple mangle rules

changeip · Wed Aug 17, 2005 7:43 pm

I think mangling is more overhead than needed if you run a high traffic system. Also, if connection tracking is not on does mangling still work?

Sam

wildbill442 · Wed Aug 17, 2005 7:57 pm

I think mangling is more overhead than needed if you run a high traffic system. Also, if connection tracking is not on does mangling still work?

Sam

Good point. I don't believe it does. (mangle w/o connection tracking)

The overhead would be minimal I believe...

dwright · Wed Aug 17, 2005 9:05 pm

There are multiple ways to skin a cat.

I thinking adding this feature would make it the easiest of all of them.