Are add-*-to-address-list actions terminal

Posted: Sun Feb 08, 2015 11:31 am
by sejtam
i.e., do they stop further processing of the chain?

I couldn't find that just now.

The 'mark packet' actions have a passthrough option, but the above don't.

Re: Are add-*-to-address-list actions terminal

Posted: Mon Feb 09, 2015 1:33 pm
by sejtam
OK. Just found out they are not terminal.

Next question:

Say I have an address already in a list
A.B.C.D 1h

and now the same address gets executed with
Add-*-to*list address=A.B.C.D timeout=2h

will this
a) fail (and keep the original timeout)
b) extend the timeout to 2h
c) add the timeouts to make 3h?

What if the new timeout is shorter (say 30 mins), will it
c) reduce the timeout (effectively overriding the old entry)
d) keep it at the old value?
e) add the shorter timeout to the existing one (making it 1:30:00 from now)?

Re: Are add-*-to-address-list actions terminal

Posted: Mon Feb 09, 2015 2:37 pm
by strods
If you have two rules and both of them add the same address to the same address list, then the timeout will be the max value of both timeouts. The timeout of an address list entry can only be increased.
In what kind of configuration would it be useful to add the same address to an address list twice?

Re: Are add-*-to-address-list actions terminal

Posted: Mon Feb 09, 2015 3:56 pm
by sejtam
It would be important to know if a firewall detection catches the same address twice.
In most cases it should extend the entry time IMHO.

I also noticed that if the entry is untimed, it won't be changed to timed, i.e. untimed is effectively 'infinite'.
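An added RouterOS configuration (not from this thread, not MikroTik's own sample) that exercises the behaviour described above: two non-terminal detection rules add the same source to one list with different timeouts, so a repeat offender ends up with the larger timeout, and a manually created untimed entry stays untimed. The list name `ssh-watch`, the chain, the port and the address 192.0.2.10 are assumptions for illustration.

```routeros
# Added example, not from the thread. Both rules below use the non-terminal
# add-src-to-address-list action, so a single packet can match both.

# Rule 1: every new SSH connection attempt puts the source on the list for 1h.
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh-watch address-list-timeout=1h comment="watch: new SSH connection (1h)"

# Rule 2: a source that is already listed and connects again gets 2h.
# Because rule 1 is not terminal, a repeat attempt hits rule 1 (1h, no change:
# the entry is never shortened) and then rule 2 (2h, entry extended).
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-watch action=add-src-to-address-list address-list=ssh-watch address-list-timeout=2h comment="watch: repeat SSH connection (2h)"

# Constructed permanent entry for comparison: created without a timeout, it
# remains untimed even if rule 1 or rule 2 later matches this address.
/ip firewall address-list add list=ssh-watch address=192.0.2.10 comment="constructed: permanent entry"

# Inspect the list; the timeout column shows the remaining time per entry,
# and the untimed entry shows no timeout at all.
/ip firewall address-list print where list=ssh-watch
```

To confirm the "max of both timeouts" rule on a lab router, open two SSH connections from one test host a minute apart and run the print command after each: the remaining timeout should read about 1h after the first and about 2h after the second.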