idiot's guide to is this a valid firewall construct?

In other words, must you do the test in 2 statements, one specifying
add chain=forward src-address-list=illegal-addr

and one specifying

dst-address-list=illegal-addr

or can you combine as in the construct below (the syntax answer is YES)?

If you can combine as in the construct below, is the implicit operator OR or is it AND?

thnx/rgds/ldv

add chain=forward src-address-list=illegal-addr dst-address-list=illegal-addr action=log \
    log-prefix="ILLEGAL ADDR" comment="log illegal addresses" disabled=no
add chain=forward src-address-list=illegal-addr dst-address-list=illegal-addr action=drop \
    comment="drop illegal addresses" disabled=no

It’s AND; for a packet to match, all enabled matchers must match.

If you want OR, you will need to use two rules.

–Eric
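To make the AND-versus-OR difference concrete, here is an added example (not from either poster) showing both forms side by side in RouterOS filter syntax. It assumes the rules live under /ip firewall filter and that an address list named illegal-addr is already populated; the log prefixes and comments are illustrative.

```routeros
# Added example, not from the thread. Assumes /ip firewall filter context and
# an existing address list called illegal-addr.
/ip firewall filter

# AND form: a packet matches only when BOTH its source and its destination
# address are in illegal-addr. Traffic from a public address to an RFC1918
# destination does not match these two rules.
add chain=forward src-address-list=illegal-addr dst-address-list=illegal-addr \
    action=log log-prefix="ILLEGAL BOTH" comment="log src AND dst in list"
add chain=forward src-address-list=illegal-addr dst-address-list=illegal-addr \
    action=drop comment="drop src AND dst in list"

# OR form: one rule per matcher. Each rule is evaluated on its own, so a packet
# matches if its source OR its destination is in illegal-addr.
add chain=forward src-address-list=illegal-addr action=log \
    log-prefix="ILLEGAL SRC" comment="log src in list"
add chain=forward dst-address-list=illegal-addr action=log \
    log-prefix="ILLEGAL DST" comment="log dst in list"
add chain=forward src-address-list=illegal-addr action=drop comment="drop src in list"
add chain=forward dst-address-list=illegal-addr action=drop comment="drop dst in list"
```

Two points a practitioner will care about when using the OR form: action=log does not terminate rule processing, so a packet whose source and destination are both in the list will produce two log lines (one per prefix) before reaching a drop rule, and the log rules must sit above the drop rules, since a drop is terminal and nothing after it is evaluated for that packet.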

Hmm …

Over the last 24 hours, that rule has fired 324 times on an AP … is the interpretation of that

“the source address is in the list” AND “the destination address is in the list”?

e.g., given that illegal-addr is the industry-standard RFC1918+bogon list,

src 10.11.12.13 and dst 192.168.1.1 would trigger the rule, but

src 64.236.16.52 and dst 192.168.1.1 would NOT trigger the rule?

or am I missing something?

rgds/ldv