ParisDragon
newbie
Topic Author
Posts: 32
Joined: Wed May 24, 2006 9:52 pm
Location: NorthEast Texas, USA

Please Allow Multiple src or dst address lists when matching

Tue Jul 18, 2006 8:13 pm

When setting a rule to use source/destination address lists it would be helpful to be able to choose more than one; this would give you great flexibility.


For example, you have several Class Cs that you know carry mainly illegitimate traffic and you wish to block outbound traffic to them, so you put in:

/ip firewall filter
add chain=forward dst-address-list=BlacklistedCs-addr action=drop comment="Drop Known Illegitimate outbound" disabled=no

/ip firewall address-list
add list=BlacklistedCs-addr address=206.142.17.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=211.7.81.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=207.243.117.0/24 comment="" disabled=no

This does properly block all 3 Class Cs you wished to; however, a customer calls complaining they can't reach a specific website. When you check, the specific IP is 211.7.81.87, which of course is inside the 211.7.81.0 Class C you're blocking.
To correct this currently you need to edit your original rule to:

/ip firewall filter
add chain=forward dst-address=!211.7.81.87/32 dst-address-list=BlacklistedCs-addr action=drop comment="Drop Known Illegitimate outbound" disabled=no


This accomplishes this just fine, UNTIL customer #2 calls and they visit a website at 207.243.117.13.

So now you're in a pickle: you can't just make a second address-list and exclude it, as you can only pick one, so you're stuck.

My current solution is now this (many extra steps for something that should be simple):


;;Modified rule to jump to a handling routine instead of simple exclude
/ip firewall filter
add chain=forward dst-address-list=BlacklistedCs-addr action=jump jump-target=blacklist-handling comment="Jump to handle Illegitimate access" disabled=no

;;Chain Handling Blacklisted

add chain=blacklist-handling dst-address-list=Exc-BlacklistedCs-addr action=accept comment="Do not dump Excluded IPs" disabled=no
add chain=blacklist-handling action=drop comment="Drop any not passing exclusions" disabled=no

;;Blacklisted Class Cs
/ip firewall address-list
add list=BlacklistedCs-addr address=206.142.17.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=211.7.81.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=207.243.117.0/24 comment="" disabled=no

;;Allowed single IPs inside the Class Cs to function
add list=Exc-BlacklistedCs-addr address=211.7.81.87/32 comment="" disabled=no
add list=Exc-BlacklistedCs-addr address=207.243.117.13/32 comment="" disabled=no


My suggestion would work something like this to accomplish the same thing:

;;Only change from the original is a second dst-address-list to match or not match, in this case, not match:

/ip firewall filter
add chain=forward dst-address-list=BlacklistedCs-addr dst-address-list=!Exc-BlacklistedCs-addr action=drop comment="Drop Known Illegitimate outbound" disabled=no

;;Utilizing same address lists as above
/ip firewall address-list
add list=BlacklistedCs-addr address=206.142.17.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=211.7.81.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=207.243.117.0/24 comment="" disabled=no

add list=Exc-BlacklistedCs-addr address=211.7.81.87/32 comment="" disabled=no
add list=Exc-BlacklistedCs-addr address=207.243.117.13/32 comment="" disabled=no
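As an added check on the workaround above (example code written for this thread, not RouterOS code and not from the original post), the following Python models the filter-chain walk: address lists resolved with the standard ipaddress module, top-down rule evaluation, and jump/return semantics. It encodes the jump-chain workaround exactly as posted and, beside it, the requested single-rule form with two dst-address-list matchers as this toy model interprets it (hypothetical syntax; as the post says, RouterOS accepts only one dst-address-list per rule), then compares the verdicts for the hosts mentioned. The list names and addresses are copied from the post; 198.51.100.7 is a constructed destination that is in no list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address lists as shown in the post (values copied from it).
ADDRESS_LISTS: Dict[str, List[ipaddress.IPv4Network]] = {
    "BlacklistedCs-addr": [
        ipaddress.ip_network("206.142.17.0/24"),
        ipaddress.ip_network("211.7.81.0/24"),
        ipaddress.ip_network("207.243.117.0/24"),
    ],
    "Exc-BlacklistedCs-addr": [
        ipaddress.ip_network("211.7.81.87/32"),
        ipaddress.ip_network("207.243.117.13/32"),
    ],
}


@dataclass
class Rule:
    """One filter rule. dst_address_lists holds list names; a leading '!'
    negates that matcher. Every matcher must hold for the rule to match."""
    chain: str
    action: str                                # "accept", "drop" or "jump"
    dst_address_lists: Tuple[str, ...] = ()    # empty tuple: matches everything
    jump_target: Optional[str] = None


def in_address_list(dst: str, name: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in ADDRESS_LISTS[name])


def rule_matches(rule: Rule, dst: str) -> bool:
    for matcher in rule.dst_address_lists:
        negate = matcher.startswith("!")
        hit = in_address_list(dst, matcher.lstrip("!"))
        if hit == negate:      # wanted a hit but missed, or wanted a miss but hit
            return False
    return True


def evaluate(rules: List[Rule], chain: str, dst: str) -> Optional[str]:
    """Walk one chain top-down. A jump whose target chain reaches no terminal
    action returns to the next rule of the calling chain, as RouterOS does."""
    for rule in rules:
        if rule.chain != chain or not rule_matches(rule, dst):
            continue
        if rule.action == "jump":
            result = evaluate(rules, rule.jump_target, dst)
            if result is not None:
                return result
            continue
        return rule.action
    return None                # end of chain: this chain gives no verdict


def verdict(rules: List[Rule], dst: str) -> str:
    """Final verdict for a forwarded packet. The toy forward chain has no
    final drop, so falling off its end means accept."""
    return evaluate(rules, "forward", dst) or "accept"


# Workaround as posted: jump to a handling chain, accept exclusions, drop the rest.
WORKAROUND = [
    Rule("forward", "jump", ("BlacklistedCs-addr",), "blacklist-handling"),
    Rule("blacklist-handling", "accept", ("Exc-BlacklistedCs-addr",)),
    Rule("blacklist-handling", "drop"),
]

# The requested single-rule form, as this toy model interprets it
# (hypothetical: RouterOS takes one dst-address-list per rule).
PROPOSED = [
    Rule("forward", "drop", ("BlacklistedCs-addr", "!Exc-BlacklistedCs-addr")),
]

SAMPLE_DESTINATIONS = [
    "211.7.81.87",      # excluded host inside a blacklisted /24 -> accept
    "211.7.81.5",       # another host in that /24 -> drop
    "207.243.117.13",   # second excluded host -> accept
    "206.142.17.9",     # blacklisted /24 with no exclusion -> drop
    "198.51.100.7",     # constructed, in no list -> accept
]


def compare_policies() -> Dict[str, Tuple[str, str]]:
    """Return {dst: (workaround verdict, proposed-form verdict)} for the samples."""
    return {d: (verdict(WORKAROUND, d), verdict(PROPOSED, d))
            for d in SAMPLE_DESTINATIONS}


if __name__ == "__main__":
    for dst, (old, new) in compare_policies().items():
        print(f"{dst:16} workaround={old:7} proposed={new}")
```

Running the script prints one line per sample destination; the two columns agree for every host, which is the equivalence the post relies on. Note the model's end-of-chain behaviour: if the forward chain ended in a catch-all drop instead, the jump chain would still need its explicit accept for the exclusions, because a return from blacklist-handling would otherwise continue to that drop.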
 
dancuofzhills
newbie
Posts: 49
Joined: Sun Apr 02, 2006 5:13 am

I agree!

Fri Aug 25, 2006 1:20 am

I too have run into situations where multiple address list fields would have been useful!
Please incorporate!
 
pedja
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Re: I agree!

Fri Aug 25, 2006 9:25 am

I too have run into situations where multiple address list fields would have been useful!
Please incorporate!
I have them all the time. It is quite common that you may have several address lists for several groups of clients to be able to set different privileges on them, but also you need a series of privileges to be the same for all (or some) groups.

Now you have to set the same rules again and again but link them to different address lists. The problem is that it is hard to maintain, first since there are more rules you have to check, and second, address lists are not shown in winbox, so you have to open the rule to check it.

The best grouping options I saw were provided in WinRoute. Not only can you assign several groups to the same rule, but also a group can contain another group. That gives the admin an open-handed, easily maintainable solution to any problem.
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Mon Aug 28, 2006 10:22 am

Different src/dst-addresses may be achieved through address lists... Got no problems with that. I do have a problem with matching multiple ports though!!!
dst/src-port=20-25,80-443,123,777
Would not only simplify, but also reduce the amount of rules required to do things MASSIVELY.

ICMP for example, if we can specify more than one ICMP type per rule... Same effect...
 
pedja
Long time Member
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Mon Aug 28, 2006 4:40 pm

I also found situations where I needed to set a rule to match one address list but only if it does (or does not) match another address list. That is very hard to accomplish in MT.
