Hello all, I wonder whether it is possible (now, or as an RFE) to nest defined IP address pools, and whether we might see "port pools" at some point in the future.
As background: I am currently revising an old SunScreen Firewall config and porting it to a new ipfilter firewall, and I miss SunScreen's complex nesting language, which let me group all the rules needed for a large network into a screenful of rulesets.

This network has some registered and some private IP address ranges, which are further split by LAN role (net management, desktops, servers, etc.). They obviously suit different filter rules as a couple (or, actually, many more) of different address pools. However, many rules apply equally to all internal networks "on this side of the firewall", as opposed to any and all external networks. It would be convenient to have a pool composed of other pools instead of copy-pasting the same address ranges into each pool involved, which is tedious and bound to be error-prone at some point in the future.

A similar wish concerns "pooling" specific TCP/UDP ports and nesting such port pools, to minimize the number of ruleset lines required. For example, a ruleset to publish a file server needs some ports for Samba (137-139, some TCP, some UDP), CIFS (445) and, say, NFS (2029, 4045 and 111, to say the least). This can be a dozen rules listing each port, or it can be a single rule using a port pool... And simple, short config files leave less room for error :)

--
Jim Klimov (Климов Евгений)
CTO (технический директор)
JSC COS&HT (ЗАО "ЦОС и ВТ")
+7-903-7705859 (cellular)
mailto:[email protected]
CC: [email protected], [email protected]

() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
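The following is an added example; it is not part of Jim's post and not code from the ipfilter project. It shows one way to get the composition he describes today: keep the "nested" address pools and port lists as shell variables, and generate the ippool.conf table and the per-port ipf.conf rules from them, so each range and port is written down once. The interface name bge0, the RFC 1918 ranges, the destination host 10.20.0.5 and the pool number 1 are made-up assumptions; the NFS list uses the IANA nfsd port 2049. The emitted syntax (a tree-type table in ippool.conf, referenced as pool/1 from ipf.conf) is intended to match ipfilter 4.x; check it against ippool(5) and ipf(5) for your version.

```shell
#!/bin/sh
# Added example, not from the original post or from ipfilter itself.
# "Nested pools" as shell variables: a composite pool is just the
# concatenation of its member pools, so a range is typed only once.

# Leaf address pools (constructed sample ranges).
NET_MGMT="192.168.100.0/24"
NET_DESKTOPS="10.10.0.0/16"
NET_SERVERS="10.20.0.0/16"
# Composite pool: everything "on this side" of the firewall.
NET_INTERNAL="$NET_MGMT $NET_DESKTOPS $NET_SERVERS"

# Port lists, one proto:port entry each; composite lists nest the same way.
PORTS_SAMBA="udp:137 udp:138 tcp:139"
PORTS_CIFS="tcp:445"
PORTS_NFS="tcp:111 udp:111 tcp:2049 udp:2049 tcp:4045 udp:4045"
PORTS_FILESERVER="$PORTS_SAMBA $PORTS_CIFS $PORTS_NFS"

# emit_pool NUMBER "range ..."
# Prints one ippool.conf tree table holding every range in the list.
emit_pool() {
    printf 'table role = ipf type = tree number = %s {' "$1"
    for net in $2; do
        printf ' %s;' "$net"
    done
    printf ' };\n'
}

# emit_rules IFACE POOLNUM DST "proto:port ..."
# Prints one stateful pass rule per proto:port entry, sourced from pool/POOLNUM.
emit_rules() {
    for entry in $4; do
        proto=${entry%%:*}
        port=${entry#*:}
        printf 'pass in quick on %s proto %s from pool/%s to %s port = %s keep state\n' \
            "$1" "$proto" "$2" "$3" "$port"
    done
}

# count_rules IFACE POOLNUM DST "proto:port ..."
# Number of rules the list expands to (handy for a quick sanity check).
count_rules() {
    emit_rules "$1" "$2" "$3" "$4" | wc -l | tr -d ' '
}

# Usage: write the generated fragments to stdout; redirect them into
# ippool.conf and ipf.conf respectively, then load with ippool -f / ipf -f.
emit_pool 1 "$NET_INTERNAL"
emit_rules bge0 1 10.20.0.5 "$PORTS_FILESERVER"
```

Regenerating both files from the same variables is what keeps a later change to NET_SERVERS from silently diverging between the "servers" pool and the "internal" pool; the ten file-server rules still come out as ten lines in ipf.conf, which is the limitation Jim's port-pool wish would remove.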
