#290 Support for networks with "special" netmasks

open-rejected
Vadim Kurland
1
2011-08-22
2011-08-22
tigalch
No

Currently, fwbuilder using iptables does not support generating rules with netmasks like 255.0.0.248.
10.0.0.248/255.0.0.248 would translate into all addresses starting with 10. and ending with IPs from 248 to 255. This would be a great feature to define i.e. router-IPs in all available networks behind a firewall. If a network is added, the previously generated rule is still valid, as the new router-IPs are within 10.0.0.248/255.0.0.248.

Just a suggestion.

Discussion

  • Vadim Kurland
    2011-08-22

    this is a duplicate of 3390447

    netmasks with "holes" are not supported and we do not have plans to add support for them. v5.0.1.3575 adds a check for this in the Network object dialog.

     
  • Vadim Kurland
    2011-08-22

    • priority: 5 --> 1
    • status: open --> open-invalid
     
  • Vadim Kurland
    2011-08-22

    to clarify: I know some firewall platforms and routers support this kind of netmasks, notably Cisco IOS access lists and as you say iptables. However in fwbuilder netmasks like that break address arithmetics. For once, operations that need to check if an address or a subnet belongs to another subnet do not work. It should be possible to make them work but it will make code much more complicated and slow. We may reconsider this if there is big demand for this feature, but so far demand was not that great and so we do not have plans to implement it any time soon.
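
An added example, not fwbuilder code and not part of the comment above: it detects a netmask with holes and shows where an interval-style membership test disagrees with the bitwise match a packet filter performs. The interval test is an assumption about how address arithmetic is commonly written, not a description of fwbuilder internals; the function names and probe addresses are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def has_holes(mask):
    """True if the mask is not a solid run of 1-bits followed by 0-bits."""
    inverted = ~to_int(mask) & ALL_ONES
    # A contiguous mask inverts to 0..01..1, so inverted + 1 shares no bits with it.
    return (inverted & (inverted + 1)) != 0

def mask_match(addr, net, mask):
    """Bitwise test: every bit set in the mask must agree between addr and net."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(net) & m)

def range_match(addr, net, mask):
    """Interval test first <= addr <= last; only valid for contiguous masks."""
    m = to_int(mask)
    first = to_int(net) & m
    last = first | (~m & ALL_ONES)
    return first <= to_int(addr) <= last

def mask_contains(outer_net, outer_mask, inner_net, inner_mask):
    """Subset test done bitwise, so it also holds for masks with holes."""
    om, im = to_int(outer_mask), to_int(inner_mask)
    # Bits pinned by the outer mask must be pinned by the inner one, to the same value.
    pinned = (om & ~im) == 0
    return pinned and (to_int(inner_net) & om) == (to_int(outer_net) & om)

# Values from the ticket; the probe addresses below are constructed.
NET, MASK = "10.0.0.248", "255.0.0.248"

if __name__ == "__main__":
    print("mask has holes:", has_holes(MASK))
    for addr in ("10.7.3.250", "10.7.3.17"):
        print(addr, "bitwise:", mask_match(addr, NET, MASK),
              "interval:", range_match(addr, NET, MASK))
    print("10.7.3.248/29 inside:",
          mask_contains(NET, MASK, "10.7.3.248", "255.255.255.248"))
```

For 10.7.3.17 the two tests disagree: the interval spans 10.0.0.248 to 10.255.255.255, while the bitwise match requires the last octet to be 248 to 255.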

     
  • Vadim Kurland
    2011-08-22

    • status: open-invalid --> open-rejected
     
  • tigalch
    2011-08-23

    Thanks for considering and the clarification :)

    cheers
    BTW: fwbuilder is a superb tool!!!