IntrusDave
Forum Guru
Topic Author
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Feature Requests: Port Lists, and Multiple address lists in a filter rule

Wed Dec 23, 2015 11:20 am

Port Lists: This would really simplify managing many of my rules, functioning just like Address Lists.


Multiple Address Lists: Again, this would simplify things. I have several dozen rules that are repeated with just different address lists. The ability to add additional address lists to a rule would clean this up.


Thanks in advance. ;)
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
th0massin0
Member Candidate
Posts: 145
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Wed Dec 23, 2015 2:16 pm

+1
It would be extremely usable to make something like an address book for hosts (or scopes)
and a fixed service list with the ability to create your own.
My proposal: one service = one or a few TCP and/or UDP port(s).
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Sun Dec 27, 2015 1:27 pm

I asked for "port lists" in the conntrack part of WebUI/WinBox myself at least twice, but nobody supported/commented on it yet, sadly :/
It makes the FW config both very short, manageable and easy to understand and rule,
based on "common sense" and ergonomics.
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Sun Dec 27, 2015 3:04 pm

And by the way, multiple protocols with an "or" relation would also be useful in firewall rules.
It would allow using one UDP/TCP rule instead of two.
 
poisons
just joined
Posts: 11
Joined: Wed Sep 18, 2013 3:50 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Mon Jan 11, 2016 1:01 pm

Yep, very interesting thing. I want something like the Cisco ASA object model for firewall rules, something that allows defining service objects, group objects, groups of TCP/UDP ports and so on.
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Mon Jan 11, 2016 3:29 pm

I like the rules without objects as they are now. I would just like to be able to create more complex rules, but fewer of them, hoping the processing will be faster.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Mon Jan 11, 2016 4:32 pm

Does netfilter support these features? If not, then it's pretty unlikely to see them in ROS any time soon.

You can actually get pretty close to some of these behaviors by designing the logic of your chains.

E.g. if you want to apply a set of ports to an arbitrary number of things, make a chain which checks for the ports you want, and then anything that needs this particular set of ports can jump into that one chain. It's not quite as efficient process-wise, but if the logic is only being done on new connections, then the added "cost" of doing it this way shouldn't impact the router too much, and at least you're able to get the readability and simplified manageability that you're wanting.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Mon Jan 11, 2016 6:16 pm

Sure, chains are the way I go now. But I still see the possibility of reducing processing steps in the firewall. It's not critical for me, though.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Mon Jan 11, 2016 6:26 pm

AFAIK, you can specify a port list by simply separating the different port numbers with a comma, so a port list is kind of already supported.

Just "kind of" though, as the set is not named nor manageable separately. You need to modify the rule with the port "list", rather than adding an item in a separate menu, and have all firewall rules referencing it suddenly match the new item too.

So yeah, a separate "port-list" menu would be nice. It would enable the "instant" scenario, where you have not just a firewall, nat OR mangle rule, but have two of those, or all three of them... And can then alter their behavior together.

(chains already work nice if you have only filter, only nat or only mangle rules using the same port set)

And yeah, multiple address lists in firewall rules, +1 to that. It shouldn't be difficult to implement this as being the union of all addresses in the lists.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Mon Jan 11, 2016 6:53 pm

If you want IP in list_X, list_Y, or list_Z -> action, then you can make a chain for the three lists.
Put all other criteria on the jump check (e.g. port number, nth, time of day, etc.)

1) all other criteria are true -> jump to chain multi_list_check

multi 1) list_X -> action
multi 2) list_Y -> action
multi 3) list_Z -> action
multi 4) return

I think this would only be nominally slower than a single rule checking all 3 lists, because behind the scenes, a single rule would have to check each list separately anyway.

If you want "AND" behavior, then simply reversing the logic gives the desired behavior:
multi 1) ! list_X -> return
multi 2) ! list_Y -> return
multi 3) ! list_Z -> return
multi 4) action

The other nice thing about a stand-alone chain is that the same chain can be called from any other chain in the same table. It's not quite as portable as the address-lists are, but it's pretty flexible.

I suppose that if the ability to specify multiple IP lists were provided, I would expect "OR" behavior, in order to remain consistent with the other such fields (dst-port=xxxx,yyyy,zzzz is an OR behavior, for instance)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
fmarais007
just joined
Posts: 18
Joined: Thu Jan 11, 2018 9:16 am

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Mon Jul 15, 2019 11:18 pm

I know this is an old thread, but I would just like to say this helped a lot.
Thanks
If you want IP in list_X, list_Y, or list_Z -> action, then you can make a chain for the three lists.
Put all other criteria on the jump check (e.g. port number, nth, time of day, etc.)

1) all other criteria are true -> jump to chain multi_list_check

multi 1) list_X -> action
multi 2) list_Y -> action
multi 3) list_Z -> action
multi 4) return

I think this would only be nominally slower than a single rule checking all 3 lists, because behind the scenes, a single rule would have to check each list separately anyway.

If you want "AND" behavior, then simply reversing the logic gives the desired behavior:
multi 1) ! list_X -> return
multi 2) ! list_Y -> return
multi 3) ! list_Z -> return
multi 4) action

The other nice thing about a stand-alone chain is that the same chain can be called from any other chain in the same table. It's not quite as portable as the address-lists are, but it's pretty flexible.

I suppose that if the ability to specify multiple IP lists were provided, I would expect "OR" behavior, in order to remain consistent with the other such fields (dst-port=xxxx,yyyy,zzzz is an OR behavior, for instance)
 
IntLDaniel
just joined
Posts: 4
Joined: Thu Apr 04, 2019 7:21 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Fri Aug 16, 2019 9:50 pm

Could you @fmarais007 please post some code example of how to use "multiple IP lists" in a firewall rule using a custom chain? I am not so skilled in MikroTik yet... thanks. In my example I have several IP lists and I would like to make one srcnat rule for several IP address lists instead of repeating 5 srcnat rules, one for each IP address list.
 
fmarais007
just joined
Posts: 18
Joined: Thu Jan 11, 2018 9:16 am

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Tue Aug 27, 2019 1:31 pm

Hi,

Below is the code I'm using in the firewall, but the principle will remain the same.
add action=jump chain=input jump-target=unknown-input src-address-list=!addresslist1
add action=jump chain=input jump-target=unknown-input src-address-list=!addresslist2
add action=return chain=input

This was designed to exclude certain address lists from the chain "unknown-input".
From here, wherever I use the unknown-input chain for a rule, the IPs in those address lists will not be filtered.

The opposite will then also be true: by removing the "!", you will only add those address lists to the custom srcnat chain you create.

Hope this helps.

Could you @fmarais007 please post some code example of how to use "multiple IP lists" in a firewall rule using a custom chain? I am not so skilled in MikroTik yet... thanks. In my example I have several IP lists and I would like to make one srcnat rule for several IP address lists instead of repeating 5 srcnat rules, one for each IP address list.
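Putting ZeroByte's OR/AND chain pattern from earlier in the thread and the srcnat question above into concrete RouterOS rules, as an added example that is not from any post here; every chain, list and interface name (list_X/Y/Z, multi_list_check, all_lists_check, known_src_check, nat_lists, tenant-1..3, ether1-wan) is a placeholder to replace with your own:

```routeros
# Added example, not from the thread. Helper chains carry only the
# address-list tests; every other criterion sits on the single jump rule,
# which is restricted to new connections so the extra chain walk is paid
# once per connection rather than once per packet.

/ip firewall filter
# OR: permit new SSH connections when the source is in ANY of the lists.
add chain=input protocol=tcp dst-port=22 connection-state=new action=jump jump-target=multi_list_check comment="ssh if src in list_X OR list_Y OR list_Z"
add chain=multi_list_check src-address-list=list_X action=accept
add chain=multi_list_check src-address-list=list_Y action=accept
add chain=multi_list_check src-address-list=list_Z action=accept
add chain=multi_list_check action=return
# Nothing matched in the helper chain: control returns here and the
# new SSH connection is dropped.
add chain=input protocol=tcp dst-port=22 connection-state=new action=drop

# AND: the source must be in ALL lists. Any single miss returns early and
# the packet falls through to the rules after the jump.
add chain=forward connection-state=new action=jump jump-target=all_lists_check
add chain=all_lists_check src-address-list=!list_X action=return
add chain=all_lists_check src-address-list=!list_Y action=return
add chain=all_lists_check src-address-list=!list_Z action=return
add chain=all_lists_check action=accept comment="src in list_X AND list_Y AND list_Z"

# EXCLUDE: hand traffic to "unknown-input" only when the source is in NONE
# of the lists. Listed sources return before the jump is reached. Note that
# two consecutive jump rules, each with one negated list, would jump whenever
# the source is missing from either list, sparing only sources in both.
add chain=input connection-state=new action=jump jump-target=known_src_check
add chain=known_src_check src-address-list=list_X action=return
add chain=known_src_check src-address-list=list_Y action=return
add chain=known_src_check action=jump jump-target=unknown-input

/ip firewall nat
# The srcnat question: one NAT entry point for several address lists. The
# interface criterion lives on the single jump; the helper chain masquerades
# any listed source and returns for everything else, so unlisted sources
# are never NATed.
add chain=srcnat out-interface=ether1-wan action=jump jump-target=nat_lists
add chain=nat_lists src-address-list=tenant-1 action=masquerade
add chain=nat_lists src-address-list=tenant-2 action=masquerade
add chain=nat_lists src-address-list=tenant-3 action=masquerade
add chain=nat_lists action=return
```

Adding a tenant later means one new line in nat_lists, while the interface or port criteria are edited in exactly one place, the jump rule.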
 
IntLDaniel
just joined
Posts: 4
Joined: Thu Apr 04, 2019 7:21 pm

Re: Feature Requests: Port Lists, and Multiple address lists in a filter rule

Tue Sep 03, 2019 11:46 am

Thank you @fmarais007 !
