[ Solved ] When adding firewall rules, option to add groups of ports



  • For example, in iptables you can do the following

    
    # Allow HTTP, HTTPS, and 8080 TCP streams
    iptables -A INPUT -p tcp -i eth0 -m multiport --dports 80,443,8080 -j accept
    
    

    Implementation Ideas:

    • Create separate rules for each port with same other settings (might go well with the "grouping/separation" bounty posted a while back)

    • Add in an alias feature to do this - groups of ports can be assigned an alias. Overlap will be ignored at time of rule creation (eg: ports can be added to more than one alias)

    Not knowing how pf works on the backend, I'm not entirely sure this is doable but I figured I'd throw a bounty up none the less.

    Note: This is distinctly different than the port range option that already exists.

    Pat


  • Moderator

    Hello geudrik,

    You can do this with Firewall:Aliases,

    Define an "Alias" that has the ports you need and reference that "Alias" in your Rules.

    Karma is accepted in lieu !!  ;) ;) ;)



  • .. how .. how have I missed this ?  :o

    Cheers! :)


  • Moderator

    @geudrik:

    .. how .. how have I missed this ?  :o

    Cheers! :)

    Did you read my tagline?  ;)



  • @BBcan177:

    @geudrik:

    .. how .. how have I missed this ?  :o

    Cheers! :)

    Did you read my tagline?  ;)

    Lol yes, I did. Thank for pointing out the obvious to me… I never noticed the "Ports" tab in all my time defining aliases :P



  • I get the whole alias aspect (I think!). Is there a way to set the protocol for each port when you define the alias?

    For my use I would like to use the alias to assist with port forwarding, but I would like them grouped by application in the NAT section. That way I can open and close ports when needed for specific applications.

    I use apps that need a variety of TCP and UDP ports forwarded and it makes sense to my mind to have these set together.

    Does anyone have any method of doing this, or even reasoning as to why it is the way it is?

    Cheers,

    rancid



  • Further to my above post, I believe that in 2.x you can create an alias inside another alias, this is almost what I am after. But I still don't think you can then specify different protocols to each 'sub alias' on the NAT/Port forward page - if you get me. Am I making sense?!

    Cheers,

    rancid


  • Rebel Alliance Developer Netgate

    Ports do not have any protocol association. That's only on the rules.


Log in to reply