Can I have an interface belonging to two lists that will be used in different situations? For example, the same interface is in two lists, one list for the firewall and the other for the MAC server and ip neighbor discovery-settings.
If I remove an interface from the interface/list, will the interface/list contain the garbage on the interface removed?
How should I use include and exclude when they are complementary? Line 5 or 6?
/interface list
add comment="Contains interfaces Connected to Trusted Domains" name=CTD
add name=FW_SoRedesG9
add comment="Contains interfaces on FW withTrafic From Redes de Confianca" name=FW_SoRedesConfianca
add exclude=FW_SoRedesConfianca,FW_SoRedesG9 include=all name=FW_Off
add comment="Contains interfaces Connected to Untrusted Domains" exclude=CTD name=CUD
/interface list member
add interface=ether4 list=CTD
add interface=b0vlan400 list=CTD
add interface=b1vlan131 list=FW_SoRedesConfianca
add interface=v131vrrp1 list=FW_SoRedesConfianca
add interface=v131vrrp2 list=FW_SoRedesConfianca
An interface can be in more than one list. Unfortunately, it is not possible to have a list of lists (i.e. a list cannot be a member of another list).
Adding an interface to or removing it from a list can sometimes result in an interface down/up flapping, just like any configuration change, even those that appear completely harmless (like changing the comment). Other than that it is a safe operation.
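To see how the include= and exclude= attributes from the question resolve, here is an added Python model of the membership rule (example code, not RouterOS code and not from the original posts). It assumes RouterOS computes a list as its explicit members plus the members of every included list, minus the members of every excluded list, with the built-in `all` list holding every interface; the interface names are those from the question plus a constructed `ether1`.

```python
# Model of RouterOS interface-list resolution (illustration only, not RouterOS code).
# Assumed rule: an interface belongs to a list if it is an explicit member or a
# member of any list named in include=, unless it is a member of any list named
# in exclude=. The built-in list "all" is assumed to contain every interface.

# name -> (include, exclude), copied from the /interface list block in the question
LISTS = {
    "CTD": ([], []),
    "FW_SoRedesG9": ([], []),
    "FW_SoRedesConfianca": ([], []),
    "FW_Off": (["all"], ["FW_SoRedesConfianca", "FW_SoRedesG9"]),
    "CUD": ([], ["CTD"]),
}

# explicit members, from the /interface list member block in the question
MEMBERS = {
    "CTD": {"ether4", "b0vlan400"},
    "FW_SoRedesConfianca": {"b1vlan131", "v131vrrp1", "v131vrrp2"},
}

# interfaces present on the router; "ether1" is constructed for the example
INTERFACES = {"ether1", "ether4", "b0vlan400", "b1vlan131", "v131vrrp1", "v131vrrp2"}


def resolve(name, seen=()):
    """Return the effective set of interfaces in list `name`."""
    if name == "all":
        return set(INTERFACES)
    if name in seen:  # a list referencing itself through include/exclude
        raise ValueError(f"include/exclude cycle through {name}")
    include, exclude = LISTS.get(name, ([], []))
    result = set(MEMBERS.get(name, set()))
    for inc in include:  # union with every included list
        result |= resolve(inc, seen + (name,))
    for exc in exclude:  # then remove every excluded list
        result -= resolve(exc, seen + (name,))
    return result


def lists_of(iface):
    """Every list the interface effectively belongs to (an interface may be in several)."""
    return sorted(n for n in LISTS if iface in resolve(n))


if __name__ == "__main__":
    for name in LISTS:
        print(f"{name}: {sorted(resolve(name))}")
    print("ether4 is in:", lists_of("ether4"))
```

Under this rule the CUD pattern (exclude=CTD with no include= and no members) resolves to nothing, while the FW_Off pattern (include=all with excludes) captures every interface that is not in the excluded lists.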
I’ve been doing some firewall rules using interface/list, and I was wondering if in this particular case it is preferable to have one rule fewer and let traffic fall through to the default policy, or to have more rules to ensure additional verification?
/ip firewall filter
#---- default policy-----------
add action=accept chain=forward comment="FW_fw121 - Permite acesso de qualquer maquina as interfaces FW_SoRedesConfianca para ligacoes ja estabelecidas" connection-state=established,related out-interface-list=FW_SoRedesConfianca
add action=drop chain=forward comment="FW_fw121 - Barra acesso de qualquer maquina fora das redes de confianca as interfaces FW_SoRedesConfianca" out-interface-list=FW_SoRedesConfianca src-address-list=!G9RedesConfianca
#---- additional rules -----
add action=accept chain=forward comment="FW_fw130 - Permite acesso de qualquer maquina as interfaces FW_SoRedesG9 para ligacoes ja estabelecidas" connection-state=established,related out-interface-list=FW_SoRedesG9
add action=accept chain=forward comment="FW_fw130 - Permite acesso so das redes G9 as interfaces FW_SoRedesG9" out-interface-list=FW_SoRedesG9 src-address-list=G9RedesPublicas
add action=drop chain=forward comment="FW_fw130 - Barra acesso de qualquer as interfaces FW_SoRedesG9" out-interface-list=FW_SoRedesG9
Lastly, should I create a rule for all interfaces without a firewall to prevent this traffic from going through all the rules?