Firewall in Interface - Bridge or Physical

New to the Tik environment and have a best practice question on the firewall forward chain in interface. If the in is a bridge interface with an IP bound to it is it best to select that as the in interface for the src or dst firewall chain rule or to create an interface list for the physical ports and use that interface list as the src or dst for the firewall rules in the chain? My assumption is that using the bridge interface is the best way, but just wanted to confirm as I learn the tikisms.

Thanks in advance.

Generally selecting interface carrying L3 configuration for use in firewall rules is the way to go. Using some other interface (e.g. port member of a bridge) is warranted only rarely.

There are two approaches (and probably more).
One can create interfaces (not just use the standard ones such as LAN and WAN) where it's clear that interfaces are the best vehicle for rules.
On the other hand address lists for source and destination are very popular in FW rules to control who or where data is flowing.

It is not clear to me when to use one or the other, other than address lists are easier and make it seem more like an object oriented approach in that one doesn't have to change firewall rules, if changes apply to the address list. Perhaps that is the key. If one expects frequent changes to the list, then the interface List is probably not the way to go.
Another way to think about it, … if a rule will clearly affect an entire interface and it's not likely to change, the interface-list may be appropriate, if one is applying rules to various groups and individuals, address list may be more applicable.

Interface list is what tik default config is using. It’s flexible (and somewhat friendly to future changes), as it can support multiple entries for a target group.
But if you know “there can be only one”, no point in using lists.

My response to use the bridge port in FW rules is a response to

If the in is a bridge interface with an IP bound to it is it best to select that as the in interface for the src or dst firewall chain rule or to create an interface list for the physical ports and use that interface list as the src or dst for the firewall rules in the chain?

under the assumption that the mentioned WAN bridge spans more than one port in a kind of WAN switch, e.g. ports ether1 and ether2. In this case using an interface list with members ether1 and ether2 is not correct; what should be used is either the bridge interface or an interface list containing the bridge port.

To put it differently: in any case use interfaces with L3 config. If a single interface is in play, you can either use the interface directly or as the sole member of an interface list (the latter being future-proof in case you change the topology, as you then only have to change the setting in one interface list instead of many firewall rules). If there's more than one interface in play (i.e. LAN ports carrying multiple subnets), then use of interface lists is a must.
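A worked RouterOS configuration for the case described in this last answer, added here as an illustration and not taken from the thread: a WAN bridge spanning two physical ports, with the mis-specified port-based list shown beside the bridge-based list the answer recommends. Interface names (bridge-wan, bridge-lan, ether1-ether4) and addresses are assumed.

```routeros
# Constructed example: WAN bridge spanning two physical ports, LAN bridge on two more.
# All interface names and addresses below are assumed for illustration.
/interface bridge
add name=bridge-wan
add name=bridge-lan
/interface bridge port
add bridge=bridge-wan interface=ether1
add bridge=bridge-wan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
/ip address
add address=203.0.113.2/24 interface=bridge-wan
add address=192.168.88.1/24 interface=bridge-lan

# Not correct (per the answer above): a list built from the bridge *member* ports.
# Routed traffic enters the IP firewall with in-interface=bridge-wan, the interface
# carrying the L3 config, so forward rules matching in-interface-list=WAN-ports
# never match and give no protection.
/interface list
add name=WAN-ports
/interface list member
add list=WAN-ports interface=ether1
add list=WAN-ports interface=ether2

# Correct: the lists contain the interfaces that carry the L3 config (the bridges).
# A single-member list still lets a later topology change be made in one place
# instead of in every firewall rule.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=bridge-wan
add list=LAN interface=bridge-lan

# Forward chain referencing the lists, in the style of the default configuration.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN out-interface-list=LAN comment="drop unsolicited WAN->LAN; only dst-nat'd traffic passes"
```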