Feature #96

Add "All local networks" to source and destination drop down boxen in firewall rules

Added by Scott Ullrich about 8 years ago. Updated over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 09/22/2009
Due date:
% Done: 0%

Description

This would allow easily negating all local networks (internet) where usage of "floating rules" is not desirable.

Associated revisions

Revision 377f8799
Added by ohauer over 5 years ago

- update to svn revision 241 (v0.6.2dev)

Bug Fixes:
- Bug #79 - Fixed race condition that did not allow for disabled rules to be modified using modifysid
  These rules would then be enabled by flowbit dependency check and be unmodified
- Bug #77 - Adjusted chown property of archive::tar
- Bug #78 - Adjusted per bug report to allow for proper ignoring of preproc.rules
- Bug #102 - Only Enabled rules are written to sid-msg.map now when E flag is specified
- Bug #99 - Doc Bug, updated docs associated with snort_version variable
- Bug #96 - Modified code to allow for same-line trailing comments: "1:10011 #can haz disable!"
  Also updated the rulestate files (enable,disable,drop)
- Bug #82 - Modified run order to force modifysid to run before all other sid state modification routines
  This allows for sid changes to be made prior to automatic state determination ala automatic
  flowbit resolution. NOTE that this DOES NOT AND WILL NOT disable automatic flowbit
  resolution, this is a critical piece.
- Bug #81 - Updated valid SO distro pre-compiled list

New Features / changes:
- Bug #105 - Removed Switch function as it is deprecated in > 5.12 perl

Changelog: http://code.google.com/p/pulledpork/source/browse/trunk/doc/README.CHANGES?r=241

Revision 50ea0588
Added by Sjon Hortensius over 2 years ago

bindCollapseToOptions - support multiple options targeting single section

fix #96

History

#1 Updated by Chris Buechler over 7 years ago

  • Target version changed from 3 to Future
  • Affected version deleted (All)

#2 Updated by Ermal Luçi over 7 years ago

  • Status changed from New to Closed

#3 Updated by Jim Pingle over 7 years ago

  • Status changed from Closed to New

This isn't the same as the other ticket.

The other ticket is a list of IPs directly assigned to the router itself (Like an alias with host entries). This is a list of all locally connected networks (like an alias with network entries with appropriate subnet masks).

#4 Updated by Josh Stompro about 7 years ago

Please consider expanding this enhancement to include the following.

Automatically add aliases that correspond to the local interface networks. The source/destination drop downs under firewall rules include shortcuts for "LAN network", "WAN network", etc. If the system automatically added those as aliases "WANNetwork" = "WAN Network", it would be possible to construct an alias that includes a certain subset of local networks, and would automatically stay synchronized with interface subnet changes.

Say you had 10 local LAN interfaces/vlans, LAN01-LAN10. And you wanted to block traffic from LAN01 and LAN02 from reaching LAN03-LAN10. It would be nice to be able to construct an alias that included the networks "LAN03Network", "LAN04Network"... so only two firewall rules would be needed to block traffic from LAN01 and LAN02. This is possible now by manually entering the network info to an alias, but that needs to be updated separately when interface network settings are changed, adding an extra point of failure.

My particular use case is that I have 30 pfSense firewalls that all have slightly different local network settings, and when I set them up I go through and change the local network info on my master config image. A feature like this would save me some time since I wouldn't need to touch the aliases or firewall rules when changing local lan info.

Thanks
Josh
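The layout Josh describes, written directly in pf.conf syntax as an added example (this is not code from the ticket or from the pfSense project, which generates its rules from the GUI); the interface names lan01..lan10 are assumed, and the `interface:network` modifier is pf's own way of keeping a rule tied to whatever subnet an interface currently has.

```pf
# Added example, not part of this ticket. Interface names lan01..lan10 are
# assumed; no literal subnets are needed because pf derives them from the
# interfaces at load time.
#
# "ifname:network" expands to the network attached to that interface.
# Wrapping it in parentheses, "(ifname:network)", makes pf re-evaluate it
# whenever the interface address changes, which is the "stays synchronized
# with interface subnet changes" behaviour the comment asks for.

# Equivalent of an alias holding LAN03Network .. LAN10Network.
# Table entries are resolved when the ruleset is loaded, so reload pf.conf
# after re-addressing one of these interfaces.
table <lan03_to_lan10> const { lan03:network, lan04:network, \
    lan05:network, lan06:network, lan07:network, lan08:network, \
    lan09:network, lan10:network }

# The two rules the comment asks for: traffic entering on LAN01 or LAN02
# that is destined for any of the other local networks is dropped and logged.
block in log quick on lan01 from (lan01:network) to <lan03_to_lan10>
block in log quick on lan02 from (lan02:network) to <lan03_to_lan10>

# Everything else from those two segments (e.g. toward the WAN) still passes.
pass in quick on { lan01, lan02 } from any to any keep state

# For contrast with the "(self)" selection discussed later in this ticket:
# pf's "self" keyword expands to the addresses assigned to the firewall
# itself, not to the networks behind it, so it does not replace the table.
block in log quick on { lan01, lan02 } from any to self port 22
```

Check the expansion with `pfctl -nf /etc/pf.conf` (parse only) and `pfctl -t lan03_to_lan10 -T show` after loading to confirm the table contains exactly the eight interface networks.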

#5 Updated by Ermal Luçi about 3 years ago

  • Status changed from New to Resolved

(self) has been introduced as a selection.

#6 Updated by Jim Pingle about 3 years ago

  • Status changed from Resolved to New

That's not the same, this would be for all local subnets, not all IPs on the firewall. (self) was only relevant to that other ticket (#597)

#7 Updated by Anonymous about 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#8 Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to New
  • % Done changed from 100 to 0

Accidentally was caught by an unrelated commit message

#9 Updated by Chris Buechler over 1 year ago

  • Category set to Rules/NAT
