Will This Rule Ever Match?....

efaden · Thu Mar 20, 2014 3:14 am

Hey,

So I have a CRS where port 1 is the gateway and ports 2-24 are all one switch group. I am cleaning up a rule set and found:

ros code

add chain=forward comment="Private Ranges" dst-address-list=PrivateRanges \
    in-interface=!ether01-gateway out-interface=!ether01-gateway \
    src-address-list=PrivateRanges

PrivateRanges has only 10.0.0.0/24 in it...

I cannot for the life of me figure out what this rule would match... I could see it matching if PrivateRanges had more than one range in it, but not without that. Can anyone else see something that I am missing?

rextended · Thu Mar 20, 2014 3:54 am

Simply translation of this rule:
accept all the packet between 2 machine on 10.0.0.0/24 range.
Is like to disable firewall for all internal comunications between internal computers.
You can put in address list private-ranges all the range you use inside your network.

If I have solved your mystery, add Karma!

efaden · Thu Mar 20, 2014 3:57 am

But those packets should never get to the router since they are in the same subnet.

Sent from my SCH-I545 using Tapatalk

rextended · Thu Mar 20, 2014 3:58 am

But those packets should never get to the router since they are in the same subnet.

Sent from my SCH-I545 using Tapatalk

Why not?
If one PC is on ether2 and another on ether3, this rule count if cpu are on the same switch group or connection tracking or bridge firewall are active.

However, useful or not, the rule do this.

pongko · Wed Apr 30, 2014 3:50 pm

in forward chain? try to catch in prerouting chain .. since you just matching packet at other than eth1-public .. and is this a "switch", right?