I am using Firewall Builder 188.8.131.5299, creating firewall rules for an iptables-based Linux machine.
I don't know if the following is the expected behaviour or I have done some strange configuration.
For instance: I try to accept DHCP requests on a number of VLANs from the corresponding interfaces, and the compiler generates the following construction:
```bash
# DHCP allowed for VLANs VLAN_1, VLAN_2, VLAN_3, VLAN_4
# One user-defined chain per ingress interface holds the per-subnet source checks.
$IPTABLES -N Cid8513X2311.0
$IPTABLES -A FORWARD -i eth6.103 -p udp -m udp -m multiport --dports 68,67 -m state --state NEW -j Cid8513X2311.0
$IPTABLES -A Cid8513X2311.0 -s 10.141.12.0/24 -j ACCEPT
$IPTABLES -A Cid8513X2311.0 -s 10.141.13.0/24 -j ACCEPT
$IPTABLES -A Cid8513X2311.0 -s 10.141.14.0/24 -j ACCEPT
$IPTABLES -A Cid8513X2311.0 -s 10.141.15.0/24 -j ACCEPT
# The second chain must be created before rules can be appended to it.
$IPTABLES -N Cid8513X2311.1
$IPTABLES -A FORWARD -i eth6.104 -p udp -m udp -m multiport --dports 68,67 -m state --state NEW -j Cid8513X2311.1
$IPTABLES -A Cid8513X2311.1 -s 10.141.12.0/24 -j ACCEPT
$IPTABLES -A Cid8513X2311.1 -s 10.141.13.0/24 -j ACCEPT
$IPTABLES -A Cid8513X2311.1 -s 10.141.14.0/24 -j ACCEPT
$IPTABLES -A Cid8513X2311.1 -s 10.141.15.0/24 -j ACCEPT
```
I assume this would work, but isn't there a simpler way to do it, without generating the additional chains and targeting them? Or did I just misconfigure something?
This is just an optimization. The compiler builds rules that way to avoid unnecessary matches of the source address in case the UDP port is not 67 or 68.
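To make that point concrete, the following simulation is an added example (not from the thread and not Firewall Builder code) that runs a packet through both layouts and counts source-address comparisons. Interface names, subnets and the three sample packets are constructed from the rules quoted above; the evaluation order assumed is that of the iptables core, which checks the built-in -s/-i/-p criteria of a rule before extension matches such as multiport.

```python
import ipaddress

# Constructed inputs mirroring the generated rules in the question.
IFACES = ["eth6.103", "eth6.104"]
SUBNETS = ["10.141.12.0/24", "10.141.13.0/24", "10.141.14.0/24", "10.141.15.0/24"]
DHCP_PORTS = {67, 68}


def rule_matches(pkt, counter, iface=None, src=None, proto=None, ports=None):
    """Evaluate one rule as the iptables core does: built-in header criteria
    (-s, -i, -p) first, extension matches (multiport) afterwards.
    counter['src'] tallies every source-address comparison performed."""
    if src is not None:
        counter["src"] += 1
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
            return False
    if iface is not None and pkt["iface"] != iface:
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if ports is not None and pkt["dport"] not in ports:
        return False
    return True


def flat_ruleset(pkt):
    """The 'simpler' layout: one FORWARD rule per (interface, subnet) pair,
    each carrying -i, -p udp, --dports and -s together."""
    counter = {"src": 0}
    for iface in IFACES:
        for subnet in SUBNETS:
            if rule_matches(pkt, counter, iface=iface, src=subnet, proto="udp", ports=DHCP_PORTS):
                return "ACCEPT", counter["src"]
    return "POLICY", counter["src"]


def chained_ruleset(pkt):
    """fwbuilder's layout: one port-matching FORWARD rule per interface that
    jumps to a chain holding only the per-subnet -s rules."""
    counter = {"src": 0}
    for iface in IFACES:
        if rule_matches(pkt, counter, iface=iface, proto="udp", ports=DHCP_PORTS):
            for subnet in SUBNETS:  # inside chain Cid8513X2311.N
                if rule_matches(pkt, counter, src=subnet):
                    return "ACCEPT", counter["src"]
            # chain exhausted: implicit RETURN, continue in FORWARD
    return "POLICY", counter["src"]


# Constructed sample packets: a DHCP request, a DNS query, and DHCP from an unknown source.
DHCP_PKT = {"iface": "eth6.103", "proto": "udp", "dport": 67, "src": "10.141.14.5"}
DNS_PKT = {"iface": "eth6.103", "proto": "udp", "dport": 53, "src": "10.141.12.9"}
ALIEN_PKT = {"iface": "eth6.104", "proto": "udp", "dport": 68, "src": "10.9.9.9"}
```

Both layouts return the same verdict for every packet; the flat form performs eight source comparisons for the non-DHCP packet, the chained form none.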