Topic: Firewall Groups and individual rules (Read 2651 times)
c-mu
Full Member
Posts: 210
Karma: 5
Firewall Groups and individual rules
« on: January 19, 2022, 04:02:06 pm »
Hi!
I have many VLANs, and most of them only need a default ruleset like "allow DNS, forbid private networks, allow internet". I thought that you can pretty well slay this with firewall groups and not create the same rule sets over and over again. But what do I do if one of these VLANs needs an additional rule? Do I have to take it out of the firewall group and build individual rules again?
Thanks!
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Firewall Groups and individual rules
« Reply #1 on: January 19, 2022, 04:10:38 pm »
Hi,
Use the group rules tab for grouped rules, use the interface rules tab for single interface rules.
Cheers,
Franco
Logged
c-mu
Full Member
Posts: 210
Karma: 5
Re: Firewall Groups and individual rules
« Reply #2 on: January 19, 2022, 04:16:13 pm »
I also thought it would be that simple, but consider the following example:
The Interface/Firewall Group has this set of rules, also in this order:
allow 10.27.100.1 port 53 UDP
deny private-ipranges
allow any
On an interface I now create this rule, but it does not take effect:
allow 10.27.100.1 Protocol ICMP
This means that the private-ipranges rule matched first and no longer allows my individual rule.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Firewall Groups and individual rules
« Reply #3 on: January 19, 2022, 04:29:58 pm »
It's one reason why quick/non-quick matching exists. I'm sure this can be achieved with a little tweaking.
Cheers,
Franco
Logged
c-mu
Full Member
Posts: 210
Karma: 5
Re: Firewall Groups and individual rules
« Reply #4 on: January 19, 2022, 05:10:53 pm »
Okay, I have a solution. At the moment it is still a bit of a brainfuck for me, but I think this is safe. What do you think?
Instead of using a "deny any private-range" I now have an "allow any !private-range".
So that rule says that all traffic is allowed unless it is a private IP (I use an alias with the ranges here, by the way). Now I can use my individual rules on a specific interface.
If I uncheck the quick box, all private traffic is allowed for me.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Firewall Groups and individual rules
« Reply #5 on: January 20, 2022, 03:40:45 am »
I assume you have also removed your “allow any” rule on the firewall group.
Logged
c-mu
Full Member
Posts: 210
Karma: 5
Re: Firewall Groups and individual rules
« Reply #6 on: January 20, 2022, 09:13:03 am »
Yep, forgot to write that. The "allow any any" rule is no longer needed and would do the wrong thing at that position.
Logged
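To make the ordering discussed in this thread concrete, here is an added Python simulation of pf's quick / last-match rule semantics (this is not OPNsense code and not from any poster). It assumes, as the thread does, that group rules are evaluated before the interface's own rules, that unmatched traffic hits the implicit default block, and that the "private-ipranges" alias covers the RFC 1918 ranges; the ICMP and DNS matchers use the 10.27.100.1 address from reply #2.

```python
from ipaddress import ip_address, ip_network

# Constructed alias standing in for the poster's "private-ipranges".
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(dst):
    return any(ip_address(dst) in net for net in PRIVATE)

def rule(action, match, quick=True):
    """A rule: action is 'pass' or 'block'; match takes (dst, proto, port)."""
    return {"action": action, "match": match, "quick": quick}

def evaluate(rules, dst, proto, port=None):
    """pf semantics: a matching quick rule ends the search immediately; a
    matching non-quick rule only records a decision that later rules may
    override. No match at all falls through to the default block."""
    decision = "block"
    for r in rules:
        if r["match"](dst, proto, port):
            decision = r["action"]
            if r["quick"]:
                break
    return decision

# Matchers for the rules the thread talks about.
dns_to_gw = lambda d, p, port: d == "10.27.100.1" and p == "udp" and port == 53
private = lambda d, p, port: is_private(d)
not_private = lambda d, p, port: not is_private(d)
anything = lambda d, p, port: True
icmp_to_gw = lambda d, p, port: d == "10.27.100.1" and p == "icmp"

# Assumed ordering: group rules first, then the interface's own rule last.
# Reply #2: the quick "deny private" shadows the interface ICMP rule.
original = [rule("pass", dns_to_gw), rule("block", private), rule("pass", anything),
            rule("pass", icmp_to_gw)]                       # <- interface rule
# Reply #4/#6: "allow !private" instead, and "allow any" removed.
revised = [rule("pass", dns_to_gw), rule("pass", not_private),
           rule("pass", icmp_to_gw)]                        # <- interface rule
# Reply #3's hint: keep the deny but make it non-quick, so a later quick
# interface rule can still override it while other private traffic stays blocked.
nonquick = [rule("pass", dns_to_gw), rule("block", private, quick=False),
            rule("pass", not_private), rule("pass", icmp_to_gw)]

if __name__ == "__main__":
    for name, rs in (("original", original), ("revised", revised), ("nonquick", nonquick)):
        print(name, "icmp->gw:", evaluate(rs, "10.27.100.1", "icmp"),
              "other private:", evaluate(rs, "10.27.50.5", "tcp", 443),
              "internet:", evaluate(rs, "1.1.1.1", "tcp", 443))
```

Running it shows the original layout blocks the interface's ICMP rule while both the revised and the non-quick layouts pass it, and all three still block other private destinations.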