Hello,
I have more address lists which should be ignored for my destination NAT rules.
It would be fine if there could be specified more than one address list - it also should be possible to negate some of the address lists.
Or can I create dynamically a new address list which contains the IP addresses of two or three other adress lists (but this would be a waste of memory). It would be better when the rule checks more address lists.
Or can I add two identically destination NAT rules but only the address list is different?
-
-
onlineuser
Member Candidate
- Posts: 250
- Joined:
destination rule - src address list
You do not have the required permissions to view the files attached to this post.
Re: destination rule - src address list
Sure.Or can I add two identically destination NAT rules but only the address list is different?
-
-
onlineuser
Member Candidate
- Posts: 250
- Joined:
Re: destination rule - src address list
No, it's not possible.
example:
address list 1: block_scanner
address list 2: block_permanent_blacklisted
When there are two rules (first one only allows IP addresses which are not in block_scanner, this rule will be taken without checking the second one if the IP is maybe on the block_permanent_blacklisted address list.
I think there is the only way to generate a third address list which includes all the IP addresses from block_scanner and block_permanent_blacklisted address lists.
Or the feature from my first post will be implemented which would not waste memory.
example:
address list 1: block_scanner
address list 2: block_permanent_blacklisted
When there are two rules (first one only allows IP addresses which are not in block_scanner, this rule will be taken without checking the second one if the IP is maybe on the block_permanent_blacklisted address list.
I think there is the only way to generate a third address list which includes all the IP addresses from block_scanner and block_permanent_blacklisted address lists.
Or the feature from my first post will be implemented which would not waste memory.
Re: destination rule - src address list
Instead of allow ip addresses not in list just block those in list.No, it's not possible.
example:
address list 1: block_scanner
address list 2: block_permanent_blacklisted
When there are two rules (first one only allows IP addresses which are not in block_scanner, this rule will be taken without checking the second one if the IP is maybe on the block_permanent_blacklisted address list.
-
-
onlineuser
Member Candidate
- Posts: 250
- Joined:
Re: destination rule - src address list
Yeah, in meantime I solved it in this way - but it would be also nice if a rule (firewall or NAT) could consider more than one address list.
Re: destination rule - src address list
Or you can do pretty much anything using chains:
Code: Select all
/ip firewall nat
add action=jump chain=srcnat jump-target=test
add action=masquerade chain=srcnat
add action=accept chain=test src-address-list=test1
add action=return chain=test src-address-list=test2
add action=accept chain=test dst-address-list=!test4 src-address-list=test3-
-
onlineuser
Member Candidate
- Posts: 250
- Joined:
Re: destination rule - src address list
Cool, thanks - why do not use the same schema like on firewall rules - good idea.
-
-
onlineuser
Member Candidate
- Posts: 250
- Joined:
Re: destination rule - src address list
For NAT rules there is no DROP available.
A RETURN jumps back where the jump came from.
Why there is no DROP for NAT rules available?
Is a return equivalent to a drop?
A RETURN jumps back where the jump came from.
Why there is no DROP for NAT rules available?
Is a return equivalent to a drop?
Re: destination rule - src address list
NAT is not for filtering packets but for substituting SRC/DST/PORTS part of packet.
Use firewall rules to drop them. Why do you want NAT do do this ?
Use firewall rules to drop them. Why do you want NAT do do this ?
-
-
onlineuser
Member Candidate
- Posts: 250
- Joined:
Re: destination rule - src address list
Ok, thanks. I thought when the NAT rule could drop the packet then the firewall rules get a little bit more clearly to read because then there would be less rules in it.
Who is online
Users browsing this forum: ShindigNZ and 71 guests