Hi all, I have a question about best practice in nfsen for creating a default rule to catch 'unclassified traffic' in a channel group.
At present, I create a bunch of rules to define the major protocols like SMTP, HTTP, HTTPS etc.

./nfsen --modify-channel George-link1/HTTP__in filter="IN IF 13 and port 80 and proto TCP" order=1 color="#3333FF"
./nfsen --modify-channel George-link1/HTTP_out filter="OUT IF 13 and port 80 and proto TCP" order=1 color="#3333FF"

./nfsen --modify-channel George-link1/Other__in filter="IN IF 13 and (not port 80 and proto TCP) and (not port 443 and proto TCP) and ...." etc.
./nfsen --modify-channel George-link1/Other_out filter="OUT IF 13 and (not port 80 and proto TCP) and (not port 443 and proto TCP) and ...." etc.

My problem lies where I have 25 applications defined. The 'Other' rule gets rather long and tedious to update. (Not to mention problems updating it through the CLI, so I edit it in the web GUI online with multiple carriage returns.)

I am wondering if someone has a bit of code to update nfsen, or if there is a plugin module, that would basically say "channel: anything else not matching all other rules in this profile".

Lastly, there is a lot of computational and memory overhead with long filters in a 'serial', and + and + and + fashion. I did see in a mailgroup post something like:

port list [80,443,25,110]

but I could not get it working. Has anyone got a working example of this?

Thanks very much.

Jason

_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
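
One way to keep the 'Other' channels in step with the application channels is to generate their filters from a single application table, as the negation of the OR of every application match. This is an added example, not part of the original post and not nfsen code; the application table is constructed, the profile name, interface index and channel names are taken from the post, and passing only filter= to --modify-channel is an assumption.

```shell
#!/bin/sh
# Constructed sample application table: "name port proto", one per line.
# Extend this list; the 'Other' filters are derived from it automatically.
APPS='HTTP 80 TCP
HTTPS 443 TCP
SMTP 25 TCP
DNS 53 UDP'

# app_filter DIR IFINDEX PORT PROTO
# Filter for one application channel, in the form used in the post.
app_filter() {
    printf '%s IF %s and port %s and proto %s' "$1" "$2" "$3" "$4"
}

# other_filter DIR IFINDEX
# Filter for the catch-all channel: traffic on the interface that matches
# none of the applications in APPS, written as not (A or B or ...).
other_filter() {
    dir=$1 ifidx=$2 terms=''
    while read -r name port proto; do
        [ -n "$name" ] || continue          # skip blank lines
        terms="${terms:+$terms or }(port $port and proto $proto)"
    done <<EOF
$APPS
EOF
    printf '%s IF %s and not (%s)' "$dir" "$ifidx" "$terms"
}

# emit_commands PROFILE IFINDEX
# Prints the nfsen commands for review; nothing is executed here.
emit_commands() {
    profile=$1 ifidx=$2
    printf './nfsen --modify-channel %s/Other__in filter="%s"\n' \
        "$profile" "$(other_filter IN "$ifidx")"
    printf './nfsen --modify-channel %s/Other_out filter="%s"\n' \
        "$profile" "$(other_filter OUT "$ifidx")"
}

emit_commands George-link1 13
```

The generated filter excludes a flow only when both port and protocol match a listed application, so UDP traffic on port 80, for example, still lands in 'Other'.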
