Unfortunately, fwbuilder does not do this optimization.
You could try to use module ipset, if you can install it on your
firewall. Fwbuilder has support for it:
http://www.fwbuilder.org/4.0/docs/users_guide5/address-table-object.html
(specifically section 5.2.14.1 Using Address Tables Objects with
iptables IP Sets)
--vk
On Tue, Jul 10, 2012 at 4:06 AM, Robert Sander <fwbuilder@...> wrote:
> Hi,
>
> we have a number of rules where a set of IP addresses are added
> to the destination attribute via various groups for administrative
> reasons.
>
> Fwbuilder compiles these rules by creating a new chain and adding
> iptables rules for every single address. Some / most of these
> addresses are consecutive (which is pure luck as the groups are
> quite random).
>
> Wouldn't it be possible to automatically create an address range
> here with only one resulting iptables rule per range?
>
> Example:
>
> $IPTABLES -N Cid102217X7940.0
> $IPTABLES -A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW -j Cid102217X7940.0
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.50 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.51 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.53 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.54 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.55 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.56 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.57 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.58 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.59 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.60 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.61 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.62 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.66 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.67 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.85 -j ACCEPT
>
> could result in
>
> $IPTABLES -N Cid102217X7940.0
> $IPTABLES -A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW -j Cid102217X7940.0
> $IPTABLES -A Cid102217X7940.0 -m iprange --dst-range 10.0.0.50-10.0.0.51 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -m iprange --dst-range 10.0.0.53-10.0.0.62 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -m iprange --dst-range 10.0.0.66-10.0.0.67 -j ACCEPT
> $IPTABLES -A Cid102217X7940.0 -d 10.0.0.85 -j ACCEPT
>
> Is this optimization too expensive when compiling the rules
> or is it not an optimization at all because using iprange in
> the rules is too expensive in an active firewall?
>
> Kindest Regards
> --
> Robert Sander http://www.gurubert.de
>
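The range-coalescing step proposed in the quoted message, written out as an added Python example (not fwbuilder's code): it sorts the destination addresses, groups consecutive ones, and emits one `-m iprange` rule per run and a plain `-d` rule for a singleton. The chain name and addresses are taken from the quoted example and embedded as constructed input.

```python
import ipaddress

# Constructed sample input: the destination addresses from the quoted example.
SAMPLE_ADDRS = [
    "10.0.0.50", "10.0.0.51", "10.0.0.53", "10.0.0.54", "10.0.0.55",
    "10.0.0.56", "10.0.0.57", "10.0.0.58", "10.0.0.59", "10.0.0.60",
    "10.0.0.61", "10.0.0.62", "10.0.0.66", "10.0.0.67", "10.0.0.85",
]


def coalesce_runs(addrs):
    """Group IPv4 addresses into runs of consecutive values.

    Returns (first, last) pairs of IPv4Address; a singleton has first == last.
    Duplicates are dropped and input order does not matter (sorted first).
    """
    unique = sorted({ipaddress.IPv4Address(a) for a in addrs})
    runs = []
    for addr in unique:
        if runs and int(addr) == int(runs[-1][1]) + 1:
            runs[-1][1] = addr           # extend the current run
        else:
            runs.append([addr, addr])    # start a new run
    return [(first, last) for first, last in runs]


def destination_rules(chain, addrs, target="ACCEPT"):
    """Emit one iptables rule per run, as the quoted proposal describes.

    Runs of two or more addresses use the iprange match; a single address
    keeps the plain -d match, which needs no extra match module.
    """
    rules = []
    for first, last in coalesce_runs(addrs):
        if first == last:
            rules.append(f"$IPTABLES -A {chain} -d {first} -j {target}")
        else:
            rules.append(f"$IPTABLES -A {chain} -m iprange "
                         f"--dst-range {first}-{last} -j {target}")
    return rules


if __name__ == "__main__":
    for rule in destination_rules("Cid102217X7940.0", SAMPLE_ADDRS):
        print(rule)
```

Each emitted rule is still matched linearly per packet, so for large or non-contiguous groups the ipset approach from the reply (a hash lookup in a single rule) scales better than any number of iprange rules.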