OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: c-mu on January 19, 2022, 04:02:06 PM

Title: Firewall Groups and individual rules
Post by: c-mu on January 19, 2022, 04:02:06 PM
Hi!
I have many VLANs and most of them only need a default ruleset like "allow DNS, forbid private networks, allow internet". I thought that you could cover this pretty well with firewall groups and not create the same rule sets over and over again. But what do I do if one of these VLANs needs an additional rule? Do I have to take it out of the firewall group and build individual rules again?

Thanks!
Title: Re: Firewall Groups and individual rules
Post by: franco on January 19, 2022, 04:10:38 PM
Hi,

Use the group rules tab for grouped rules, use the interface rules tab for single interface rules :)


Cheers,
Franco
Title: Re: Firewall Groups and individual rules
Post by: c-mu on January 19, 2022, 04:16:13 PM
I also thought it would be that simple, but consider the following example:
the Interface/Firewall Group has this set of rules, in this order:

allow 10.27.100.1 port 53/UDP
deny private-ipranges
allow any

On an interface I now create this rule, but it does not take effect:
allow 10.27.100.1 Protocol ICMP

This means that the private-ipranges rule matched first and no longer allows my individual rule to take effect.
Title: Re: Firewall Groups and individual rules
Post by: franco on January 19, 2022, 04:29:58 PM
It's one reason why quick/non-quick matching exists. I'm sure this can be achieved with a little tweaking.


Cheers,
Franco
Title: Re: Firewall Groups and individual rules
Post by: c-mu on January 19, 2022, 05:10:53 PM
Okay, I have a solution. At the moment it is still a bit of a brainfuck for me, but I think this is safe, or what do you think?

Instead of using a "deny any private-range" I now have an "allow any !private-range".

So that rule says that all traffic is allowed unless it is a private IP (I use an alias with the ranges here, by the way). Now I can use my individual rules on a specific interface.

When I unchecked the quick box, all private traffic was allowed for me.
Title: Re: Firewall Groups and individual rules
Post by: Greelan on January 20, 2022, 03:40:45 AM
I assume you have also removed your "allow any" rule on the firewall group
Title: Re: Firewall Groups and individual rules
Post by: c-mu on January 20, 2022, 09:13:03 AM
Yep, forgot to write that. The allow any any rule is no longer needed and would do the wrong thing at that position.
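The ordering problem in this thread is easier to reason about with a small model of how pf (and therefore OPNsense) walks a ruleset: rules are checked in order, a matching rule with "quick" set ends evaluation immediately, a matching non-quick rule is only remembered and the last such match wins, no match falls through to the implicit default deny, and group rules are evaluated before interface rules. The script below is an added example written for this page, not OPNsense code or the poster's configuration; it assumes an RFC 1918 alias as the "private-ipranges" alias, a constructed second private host 10.27.50.5, and a third, constructed non-quick group variant that is not from the thread.

```python
"""Toy model of pf/OPNsense rule evaluation: group rules before interface rules,
quick = first match wins, non-quick = last match wins, otherwise default deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the poster's "private-ipranges" alias (RFC 1918 ranges).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dst: str = "any"            # "any", "private", "!private" or a host/CIDR
    proto: str = "any"
    dport: Optional[int] = None
    quick: bool = True          # OPNsense ticks "quick" by default
    label: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        addr = ipaddress.ip_address(p.dst)
        is_private = any(addr in net for net in PRIVATE)
        if self.dst == "any":
            return True
        if self.dst == "private":
            return is_private
        if self.dst == "!private":
            return not is_private
        return addr in ipaddress.ip_network(self.dst, strict=False)


def evaluate(group_rules: List[Rule], interface_rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet's fate."""
    last: Optional[Rule] = None
    for rule in (*group_rules, *interface_rules):   # group tab is walked first
        if rule.matches(p):
            if rule.quick:                          # quick: stop right here
                return rule.action, rule.label
            last = rule                             # non-quick: remember, keep going
    if last is not None:
        return last.action, last.label
    return "block", "default deny"                  # nothing matched


DNS = Rule("pass", "10.27.100.1", "udp", 53, label="group: allow DNS")
ICMP = Rule("pass", "10.27.100.1", "icmp", label="interface: allow ICMP")

# 1) The group as first posted: the quick "deny private" swallows the ICMP packet
#    before the interface tab is ever consulted.
ORIGINAL = [DNS, Rule("block", "private", label="group: deny private"),
            Rule("pass", label="group: allow any")]
# 2) The poster's fix: pass everything that is *not* private, drop the trailing "allow any".
FIXED = [DNS, Rule("pass", "!private", label="group: allow any !private")]
# 3) Constructed non-quick variant (not from the thread): with last-match semantics the
#    allow has to come *before* the deny, and a quick interface rule still overrides both.
NON_QUICK = [DNS, Rule("pass", quick=False, label="group: allow any (non-quick)"),
             Rule("block", "private", quick=False, label="group: deny private (non-quick)")]

PING_DNS = Packet("10.27.100.1", "icmp")
PING_LAN = Packet("10.27.50.5", "icmp")     # constructed: some other private host
DNS_QUERY = Packet("10.27.100.1", "udp", 53)
HTTPS = Packet("1.1.1.1", "tcp", 443)


def table(group: List[Rule]) -> dict:
    """Decision for each sample packet with the given group rules plus the ICMP interface rule."""
    return {name: evaluate(group, [ICMP], pkt)[0]
            for name, pkt in (("ping_dns", PING_DNS), ("ping_lan", PING_LAN),
                              ("dns", DNS_QUERY), ("https", HTTPS))}


if __name__ == "__main__":
    for name, group in (("original", ORIGINAL), ("fixed", FIXED), ("non-quick", NON_QUICK)):
        print(f"{name:10s} {table(group)}")
```

Running it shows the ICMP interface rule blocked under the original group and allowed under the fix, while ping to another private host still hits the default deny and internet traffic still passes. The non-quick variant works too, but only because the allow precedes the deny; with the deny first, "allow any" would be the last match and every private destination would be let through, which is the kind of surprise that makes the quick-flag approach worth double checking per packet type rather than assuming.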