Improving floating firewall rules?

[pasha-19]

If floating rules could  generate context sensitive addresses based on the actual interface that is being tested be of assistance to others.  For example using @.@.@.@/@ in an alias to specify the interface IP address of the interface.  Another case using an alias containing @.@.@.32/27 or @.@.@.32-@.@.@.63 to indicate a range of addresses that are part of the specific interface assigned network interfaces that is being tested by the floating rule.  If the rule includes the lan and opt1 interface is being tested for the lan interface and the lan interface IP address is 10.1.2.1/24 then @.@.@.@/@ above is 10.1.2.1/24.  @.@.@.32/27 would be 10.1.2.32/27 which if I am correct would be the same as @.@.@.32-@.@.@.63 which would be 10.1.2.32-10.1.2.63 for that requested test.  If the same rule is executed for the opt1 interface and the opt1 IP address was 192.168.13.254/24 then @.@.@.@/@ is 192.168.13.254/24  and @.@.@.32/27 would be 192.168.13.32/27 and @.@.@.32-@.@.@.63 is 192.168.13.32-192.168.13.63 for that specific test.  Pass rules especially in my opinion benefit from such a feature.  Does such a feature currently exist?  Would you find it useful if it did?

I have similar switches one with static routing capability and two without that capability.  I have been able to write switch ACLS that perform a number of the router rules at the switch level for the switch with static routing capability.  I appear to have the local access worked out including to the router for some traffic and the use of context sensitive gateway selection would also appear to be useful.  The non-switch access is a problem because the switch only appears to provide one gateway address for non-switch traffic which appears to funnel all vlans though a single interface.  I am still working on that issue.  The gateway issue is not what I am writing about in this request.  If I can get that resolved I will be more sure a context sensitive gateway option would be of greater value.


I have coded such a set of rules as floating rules for multiple vlans.  I estimate in my case that 80 rules that only cover the basics could be reduced to 14 rules and 70 vlan specific aliases could be reduced to around 10 context sensitive aliases.  In addition lists of 7 rules would become one making reading the rules in context to each other easier there would not tend to be a full page of rules that do the same thing to different vlans.  This is not unlike having to code a full set of rules at the interface level that would be more readable but equally tedious to construct and due to replication of similar tasks more prone to mistakes like typos and transpositions.