We have a server that acts as a TCP proxy for various services. This results in the server having a large number of alias IPs attached to an interface (Class C network). The server has a Firewall Builder generated policy installed as an iptables host protection firewall (i.e. no FORWARD chain rules).
e.g. 192.168.1.1 is the primary IP of the machine for management, etc.
And individual proxies may listen on 192.168.1.2 - 192.168.2.254 (i.e. 192.168.1.0/23).
As far as I can tell, I would need to add @508 IPs to the interface object in Firewall Builder in order for rules allowing traffic bound for 192.168.1.2 - 192.168.1.254 to be added to the INPUT or OUTPUT chains.
This is rather tedious to set up, and can be annoying to navigate in the object tree. Can the software be modified to allow network or address range (probably simplest) objects to be attached to an interface object, and the policy compilers be modified to cope (e.g. a pre-processing stage to expand the address range object)?
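As an added example (not part of the original post, and not Firewall Builder's generated output): a plain iptables host-protection ruleset that covers the whole proxy range with a single `iprange` match instead of one rule per alias address. This is the compact form a pre-processing stage for an address-range object would have to emit. The management IP, the range 192.168.1.2-192.168.2.254, and TCP ports 80/443 as the proxied ports are assumptions taken from or added to the post; the `in_range` helper is hypothetical and only illustrates why the range match, not the /23 CIDR, is the exact equivalent of the 508-address list.

```shell
#!/bin/sh
# Added example, not Firewall Builder output. Assumed values: management IP
# 192.168.1.1, proxies listening on 192.168.1.2-192.168.2.254 (inside
# 192.168.1.0/23), proxied TCP ports 80 and 443 (assumption).
# With IPT unset the rules are printed instead of loaded, so the output can be
# reviewed first; run with IPT=iptables to apply them.

MGMT_IP="192.168.1.1"
RANGE_START="192.168.1.2"
RANGE_END="192.168.2.254"
PROXY_NET="192.168.1.0/23"
PROXY_PORTS="80,443"

# Emit (or apply) the host-protection policy: INPUT/OUTPUT only, no FORWARD.
gen_proxy_rules() {
    ipt="${IPT:-echo iptables}"

    # Loopback and stateful replies first.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Management (SSH) reaches the primary IP only.
    $ipt -A INPUT -d "$MGMT_IP" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Proxy listeners: one iprange rule covers every alias address exactly,
    # so no per-address rule is needed.
    $ipt -A INPUT -m iprange --dst-range "$RANGE_START-$RANGE_END" \
         -p tcp -m multiport --dports "$PROXY_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    # Default deny inbound; the proxy's own outbound connections are allowed.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT ACCEPT
}

# Dotted quad -> 32-bit integer, using only POSIX parameter expansion.
ip_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_range ADDR START END: succeeds if START <= ADDR <= END.
# Shows the caveat of using "-d $PROXY_NET" instead: the /23 also matches
# 192.168.1.0, 192.168.1.1 (the management IP) and 192.168.2.255, which the
# range rule does not.
in_range() {
    x=$(ip_to_int "$1"); s=$(ip_to_int "$2"); e=$(ip_to_int "$3")
    [ "$x" -ge "$s" ] && [ "$x" -le "$e" ]
}

gen_proxy_rules
```

Run it as-is to print the six iptables invocations; run with `IPT=iptables` as root to load them. If the range ever becomes prefix-aligned (for example the proxies own all of 192.168.2.0/24), `-d 192.168.2.0/24` is the shorter equivalent, but for the range in the post the `iprange` match is the only single rule that does not also admit the management address.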