
feature request for firewall rules

Posted: Wed Aug 17, 2005 9:42 am
by dwright
Is it possible to add an mport-like option to the firewall? That way we can match multiple ports with one firewall rule.

For example:
add protocol=tcp dst-address=192.168.0.1 dst-port=22,25,80 action=accept
Thanks,

D~

Posted: Wed Aug 17, 2005 5:19 pm
by maximan
You can use a list of ports like
add protocol=tcp dst-address=192.168.0.1 dst-port=22-80 action=accept
but not multiple separate ports.

Posted: Wed Aug 17, 2005 5:33 pm
by dwright
I know. I think it would be helpful to specify a list of specific ports, so you can sometimes combine multiple firewall rules into one.

D~

Posted: Wed Aug 17, 2005 5:47 pm
by changeip
It would even be cooler to create a port-list just like address-list.

Sam

Posted: Wed Aug 17, 2005 7:36 pm
by wildbill442
> It would even be cooler to create a port-list just like address-list.
>
> Sam
You can just mangle the packets, mark them as needed, and then block by the mark name, blocking multiple ports with one rule!

So mangle ports 135-139 TCP/UDP and 445 TCP and mark them as NETBIOS.

Create a firewall rule that drops packets with packet mark NETBIOS. Cool stuff, eh?

Of course you still have to create multiple mangle rules ;)
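The mark-then-drop approach described in the post above, written out as a complete RouterOS configuration. This is an added example, not configuration posted by anyone in the thread; it assumes the marked traffic is transit traffic handled in the forward chain, and the packet-mark name NETBIOS is taken from the post. The mangle rules match the same ports the post names (135-139 TCP and UDP, 445 TCP), and a single filter rule then drops everything carrying the mark, so adding another port later means adding one mangle rule and touching nothing else.

```routeros
# Added example (not from the thread): mark NetBIOS/SMB traffic in mangle,
# then drop all of it with one filter rule keyed on the packet mark.
# Assumption: the traffic of interest transits the router (forward chain).

/ip firewall mangle
# One mangle rule per port set, as the post notes; passthrough=no stops
# mangle processing once a packet is marked, so each packet is marked once.
add chain=prerouting protocol=tcp dst-port=135-139 action=mark-packet \
    new-packet-mark=NETBIOS passthrough=no comment="NetBIOS over TCP"
add chain=prerouting protocol=udp dst-port=135-139 action=mark-packet \
    new-packet-mark=NETBIOS passthrough=no comment="NetBIOS over UDP"
add chain=prerouting protocol=tcp dst-port=445 action=mark-packet \
    new-packet-mark=NETBIOS passthrough=no comment="SMB over TCP"

/ip firewall filter
# Single drop rule for every port marked above. Placing it first in the
# chain keeps it ahead of any accept rules that would otherwise match.
add chain=forward packet-mark=NETBIOS action=drop \
    comment="drop all NetBIOS/SMB traffic with one rule" place-before=0
```

Two caveats raised later in the thread are worth checking on a live box. The mangle facility depends on connection tracking, so confirm it is enabled with `/ip firewall connection tracking print` before relying on the marks. And the same port set can be handled without mangle on current RouterOS versions, which accept a comma-separated list such as `dst-port=135-139,445` directly in a filter rule; on those versions the mark-based layout is only worth the extra rules when several filter rules need to reuse the same port set.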

Posted: Wed Aug 17, 2005 7:43 pm
by changeip
I think mangling is more overhead than needed if you run a high traffic system. Also, if connection tracking is not on does mangling still work?

Sam

Posted: Wed Aug 17, 2005 7:57 pm
by wildbill442
> I think mangling is more overhead than needed if you run a high traffic system. Also, if connection tracking is not on does mangling still work?
>
> Sam
Good point. I don't believe it does. (mangle w/o connection tracking)

The overhead would be minimal I believe...

Posted: Wed Aug 17, 2005 9:05 pm
by dwright
There are multiple ways to skin a cat.

I think adding this feature would make it the easiest of all of them.