It would be usefull to have in-interface-list/out-interface-list in terms of src-address-list/dst-address-list:

for example: So, to add new tunnel tun1 for new office and ether4 for new "lan" you just need to type Currently, to achieve the same result, you will need to use buffer chain: so to add tun1 and ether4: As result, we would have readeable and manageable config even with many tunnel interfaces and etc without growing forward and input chains

+1

Being able to "group" or "zone" interfaces would certainly make for far tidier firewall configs! Several manufacturers have already implemented similar concepts.

+1 also

We dont need to add a rule for each interface.

sent from my mobile phone using tapatalk

+1 again
And maybe named port and address groups. Would be very handy for rapid building of rules - like in other firewall appliances...

+1 from me

It would be usefull to have in-interface-list/out-interface-list in terms of src-address-list/dst-address-list:

for example:

Code: Select all

/interface gre add name="tun0" ...
/ip firewall interface-list
add list=transport interface=ether1
add list=transport interface=tun0
add list=lan interface=ether2
add list=lan interface=ether3
/ip firewall filter
add chain=forward action=jump jump-target=transport_lan in-interface-list=transport out-interface-list=lan
add chain=forward action=jump jump-target=lan_transport out-interface-list=transport in-interface-list=lan
add chain=forward action=drop

add chain=input action=jump jump-target=transport_self in-interface-list=transport
add chain=input action=jump jump-target=lan_self in-interface-list=lan
add chain=input action=drop

#real policies
add chain=transport_lan action=accept protocol=tcp dst-port=80
add chain=transport_self protocol=icmp action=accept
add chain=lan_transport action=accept
add chain=lan_self action=accept

So, to add new tunnel tun1 for new office and ether4 for new "lan" you just need to type

Code: Select all

/ip fi interface-list add list=transport interface=tun1
/ip fi interface-list add list=lan interface=ether4

Currently, to achieve the same result, you will need to use buffer chain:

Code: Select all

/ip firewall filter
add chain=forward action=jump jump-target=transport_forward in-interface=ether1
add chain=forward action=jump jump-target=transport_forward in-interface=tun0
add chain=forward action=jump jump-target=lan_forward in-interface=ether2
add chain=forward action=jump jump-target=lan_forward in-interface=ether3
add chain=forward action=drop

add chain=input action=jump jump-target=transport_self in-interface=ether1
add chain=input action=jump jump-target=transport_self in-interface=tun0
add chain=input action=jump jump-target=lan_self in-interface=ether2
add chain=input action=jump jump-target=lan_self in-interface=ether3
add chain=input action=drop

add chain=transport_forward action=jump jump-target=transport_lan out-interface=ether2
add chain=transport_forward action=jump jump-target=transport_lan out-interface=ether3

add chain=lan_forward action=jump jump-target=lan_transport out-interface=ether1
add chain=lan_forward action=jump jump-target=lan_transport out-interface=tun0

#real policies
add chain=transport_lan action=accept protocol=tcp dst-port=80
add chain=transport_self protocol=icmp action=accept
add chain=lan_transport action=accept
add chain=lan_self action=accept

so to add tun1 and ether4:

Code: Select all

/ip fi fi
add place-before=2 chain=forward action=jump jump-target=transport_forward in-interface=tun1
add place-before=2 chain=forward action=jump jump-target=lan_forward in-interface=ether4
add place-before=2 chain=input action=jump jump-target=transport_self in-interface=tun1
add place-before=2 chain=input action=jump jump-target=lan_self in-interface=ether4

add chain=transport_forward action=jump jump-target=transport_lan out-interface=ether4
add chain=lan_forward action=jump jump-target=lan_transport in-interface=ether4

As result, we would have readeable and manageable config even with many tunnel interfaces and etc without growing forward and input chains

i guess many people would like to see such a feature
also it could be possible (if someone does not want that option) to enable/disable grouping

and in terms of grouping it would be very very nice, that grouping-options could be set by the winbox user (e.g. group by src-port, group by in-interface, group by out-interface, group by protocol, .......)

would be a GREAT feature (especially for firewalls with 50+ rules .... like i have O:-P )

+1 and address-group would be nice too