Concatenate Rulesets

  • Hey, here's my problem. I have a blacklist and a whitelist. My whitelist can have thousands of hosts, subnets in any two-five tuple combination. What's the best way to make efficient rules from it?  As an example, suppose I have the following:

    Allow the following separate rules:

    • Pass {src_network:, src_port: 80, dst_ip:, dst_port: ANY, proto: tcp}
    • Pass {src_network:, src_port: ANY, dst_network:, dst_port: 53, proto: udp}
    • Pass {src_ip:, src_port: 22, dst_network:, dst_port: ANY, proto: tcp}
    • Pass {src_network:, src_port: *, dst_network:, dst_port: *, proto: ANY}

    Instead of needing to make 4 different rules, is it possible to concatenate these rules into a singular rule to improve performance?  I could end up having a couple thousand of these individual rules.


  • Such a large set of rules in a single location seems like a recipe for disaster. Complexity is the enemy of security. There's got to be a better way. I have a feeling there is a better point of responsibility.

    In general, a firewall rule should be a general rule (applies to entire subnets) or an exception rule (one-offs). Exception rules are exceptions to the general rules. Human error increases relative to the number of rules, even more so to the exceptions. The cost of micromanagement is more mistakes.

    Hope someone can help you.

  • You can use URL table aliases to reduce the rule set.  Once you have the aliases defined, you only need a handful of rules to handle all cases.
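As an added example (not from this thread or from any firewall project), here is the consolidation the replies describe, in Python: rules in the 5-tuple form from the first post are merged into alias-style rules, and the merged set is checked against the original so that collapsing rules into aliases never widens the allow list. The network values are constructed placeholders, since the original post left them blank.

```python
from itertools import product
# Constructed sample pass rules in the thread's 5-tuple form:
# (src, src_port, dst, dst_port, proto). Network values are placeholders.
SAMPLE_RULES = [
    ("10.0.1.0/24", "80", "192.0.2.10", "ANY", "tcp"),
    ("10.0.2.0/24", "80", "192.0.2.10", "ANY", "tcp"),
    ("10.0.1.0/24", "ANY", "192.0.2.53", "53", "udp"),
    ("10.0.1.0/24", "ANY", "192.0.2.54", "53", "udp"),
    ("10.0.2.0/24", "ANY", "192.0.2.55", "53", "udp"),
]

def consolidate(rules):
    """Merge rules into alias-style rules (each field a frozenset). Two rules
    merge only when they differ in exactly one field, so nothing is added."""
    merged = [tuple(frozenset([f]) for f in r) for r in rules]
    changed = True
    while changed:
        changed = False
        for i in range(len(merged)):
            for j in range(i + 1, len(merged)):
                diff = [k for k in range(5) if merged[i][k] != merged[j][k]]
                if len(diff) == 1:
                    new = list(merged[i])
                    new[diff[0]] |= merged[j][diff[0]]
                    merged[i] = tuple(new)
                    del merged[j]
                    changed = True
                    break
            if changed:
                break
    return merged

def naive_merge(rules):
    """One src alias and one dst alias per (ports, proto) group. The rule then
    permits the cross product, which can include pairs no original allowed."""
    groups = {}
    for src, sp, dst, dp, proto in rules:
        s, d = groups.setdefault((sp, dp, proto), (set(), set()))
        s.add(src)
        d.add(dst)
    return [(frozenset(s), frozenset([sp]), frozenset(d), frozenset([dp]),
             frozenset([proto])) for (sp, dp, proto), (s, d) in groups.items()]

def expand(alias_rules):  # every concrete 5-tuple the alias rules permit
    return {t for r in alias_rules for t in product(*r)}

def is_exact(rules, alias_rules):  # no tuple dropped, none added
    return expand(alias_rules) == set(rules)
```

On the sample, `consolidate` yields three exact rules, while `naive_merge` yields two rules that together permit eight tuples where only five were allowed; the same `is_exact` check is worth running on any generated alias table before it is loaded.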
