Suggestion for PORT LIST

cavital · June 19, 2008, 5:53am

Is there someone posting this subject, cause i dont see it.

My suggestion is there is a port lists like address lists at firewall so we can filter the good port and the bad port using the port list that we can modify only for the port. I think its more easier than using port filter with mangle.

I hope everyone agree with this feature.

normis · June 19, 2008, 5:58am

what is a good port? some people say that port 135 is bad, some people need it for MS Active Directory. It completely depends on your needs. There is no bad port list.

If you want a really secure network, allow all the basic ports (http, https, mail send, mail receive, ntp, something else … ) and then block other ports. very simple firewall will do that.

cavital · June 19, 2008, 6:01am

forgive me for my english, what i need is to filter port based on the port lists not to filter bad or good port.

normis · June 19, 2008, 6:02am

what do you mean by port list ? can you give an example?

cavital · June 19, 2008, 6:09am

ok, in firewall theres address lists that i use to group a list of ip, so i make firewall rule based on address lists.
if i theres port lists, i want to use it to group and make firewall or mangle rules based on the port lists too.

normis · June 19, 2008, 6:10am

sorry, such feature is not yet implemented. we’ll see - maybe in future

cavital · June 19, 2008, 6:13am

ic you cool normis

is there anyone need this feature too?

jp1 · June 20, 2008, 2:42pm

That would make my firewall setup quite a bit simpler!

changeip · June 20, 2008, 5:16pm

in 3.x cant you use dst-port=10,20,30-35,40 ? Havent tested but I thought they allow that now.

pedja · June 23, 2008, 2:09pm

Implementation of port lists would be significant improvement.

Chupaka · June 24, 2008, 12:32am

address lists is useful where you need frequently changing list of addresses. where do you need frequently changing list of ports? =)

msorensen · June 24, 2008, 1:03am

address lists is useful where you need frequently changing list of addresses

I would disagree…

It is for convienience… when you have a list of addresses which you plan to treat with firewall rules (for example) in the same way… It’s a heck of lot easier to just refer to the variable (the address list) than it is to implicitly refer to each one.

Similarly with a port list… when constructing firewalls with Mik (for example) there are a bunch of ports that come to mind that I treat the same… Currently that is done by writing rule after rule after rule after rule - all with the same result.

A port list would simplify this.

Though… someone posted:

in 3.x cant you use dst-port=10,20,30-35,40

Apparently now you can also list a variety of contiguous and non-contiguous ports within a single rule… This kinda gets us to the same place.

But, a port list would be easier.

Though, the only two ‘port lists’ that I can think of using would be:

the lists of ports allowed (only from an address-list of specific ip’s) on an input chain of a mik router before dropping virtually everything else…
the list of destination ports that we typically dis-allow in the forward chain (you know the ones that I am refering to)

pedja · June 25, 2008, 10:57am

list of ports would be useful if tehre are several firewall riles that apply different rules on the same list ofports. It would let us update list in one palce

also, list of ports has a human readable name, so you can name list accoring to the purpose, making administering it much easier.