TheIce
just joined
Topic Author
Posts: 5
Joined: Wed Apr 10, 2013 7:15 am

Feature request: grouping interfaces in firewall

Sat Mar 29, 2014 6:30 am

It would be useful to have in-interface-list/out-interface-list in the same way as src-address-list/dst-address-list:

for example:
/interface gre add name="tun0" ...
/ip firewall interface-list
add list=transport interface=ether1
add list=transport interface=tun0
add list=lan interface=ether2
add list=lan interface=ether3
/ip firewall filter
add chain=forward action=jump jump-target=transport_lan in-interface-list=transport out-interface-list=lan
add chain=forward action=jump jump-target=lan_transport out-interface-list=transport in-interface-list=lan
add chain=forward action=drop

add chain=input action=jump jump-target=transport_self in-interface-list=transport
add chain=input action=jump jump-target=lan_self in-interface-list=lan
add chain=input action=drop

#real policies
add chain=transport_lan action=accept protocol=tcp dst-port=80
add chain=transport_self protocol=icmp action=accept
add chain=lan_transport action=accept
add chain=lan_self action=accept
So, to add a new tunnel tun1 for a new office and ether4 for a new "lan", you just need to type
/ip fi interface-list add list=transport interface=tun1
/ip fi interface-list add list=lan interface=ether4
Currently, to achieve the same result, you need to use a buffer chain:
/ip firewall filter
add chain=forward action=jump jump-target=transport_forward in-interface=ether1
add chain=forward action=jump jump-target=transport_forward in-interface=tun0
add chain=forward action=jump jump-target=lan_forward in-interface=ether2
add chain=forward action=jump jump-target=lan_forward in-interface=ether3
add chain=forward action=drop

add chain=input action=jump jump-target=transport_self in-interface=ether1
add chain=input action=jump jump-target=transport_self in-interface=tun0
add chain=input action=jump jump-target=lan_self in-interface=ether2
add chain=input action=jump jump-target=lan_self in-interface=ether3
add chain=input action=drop

add chain=transport_forward action=jump jump-target=transport_lan out-interface=ether2
add chain=transport_forward action=jump jump-target=transport_lan out-interface=ether3

add chain=lan_forward action=jump jump-target=lan_transport out-interface=ether1
add chain=lan_forward action=jump jump-target=lan_transport out-interface=tun0

#real policies
add chain=transport_lan action=accept protocol=tcp dst-port=80
add chain=transport_self protocol=icmp action=accept
add chain=lan_transport action=accept
add chain=lan_self action=accept
so to add tun1 and ether4:
/ip fi fi
add place-before=2 chain=forward action=jump jump-target=transport_forward in-interface=tun1
add place-before=2 chain=forward action=jump jump-target=lan_forward in-interface=ether4
add place-before=2 chain=input action=jump jump-target=transport_self in-interface=tun1
add place-before=2 chain=input action=jump jump-target=lan_self in-interface=ether4

add chain=transport_forward action=jump jump-target=transport_lan out-interface=ether4
add chain=lan_forward action=jump jump-target=lan_transport out-interface=tun1
As a result, we would have a readable and manageable config even with many tunnel interfaces etc., without the forward and input chains growing.
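The buffer-chain workaround above is mechanical, so it can be generated rather than typed. The following script is an added example, not code from the thread or from MikroTik: it takes interface groups plus the group-to-group policy the post describes and expands them into the flat per-interface jump rules, and it computes exactly which rules have to be added when a new interface joins a group. Group, chain and interface names are the ones used in the post; the function names and the data layout are this example's own.

```python
"""Expand a group-based firewall policy into flat RouterOS filter rules.

Added example, not code from the forum thread: it mechanises the
"buffer chain" workaround the original post describes, so that the
per-interface rules are generated from interface groups instead of
being typed by hand. Group names, chain names and interface names are
taken from the post; the function names are this example's own.
"""


def expand_rules(groups, forward_policies, input_policies):
    """Return the flat RouterOS rules that emulate interface lists.

    groups:           {"transport": ["ether1", "tun0"], "lan": ["ether2", "ether3"]}
    forward_policies: [(in_group, out_group, policy_chain), ...]
    input_policies:   [(in_group, policy_chain), ...]
    """
    rules = []
    # forward: one jump per ingress interface into that group's buffer chain
    for grp, ifaces in groups.items():
        for iface in ifaces:
            rules.append(
                f"add chain=forward action=jump jump-target={grp}_forward "
                f"in-interface={iface}"
            )
    rules.append("add chain=forward action=drop")
    # input: traffic to the router itself needs no buffer chain; the
    # ingress interface alone selects the policy chain
    for in_grp, chain in input_policies:
        for iface in groups[in_grp]:
            rules.append(
                f"add chain=input action=jump jump-target={chain} "
                f"in-interface={iface}"
            )
    rules.append("add chain=input action=drop")
    # buffer chains: one jump per egress interface of the destination group
    for in_grp, out_grp, chain in forward_policies:
        for iface in groups[out_grp]:
            rules.append(
                f"add chain={in_grp}_forward action=jump jump-target={chain} "
                f"out-interface={iface}"
            )
    return rules


def rules_to_add(old_groups, new_groups, forward_policies, input_policies):
    """Rules present in the new expansion but not in the old one, in order.

    The forward/input jumps among them must be inserted before the
    chain's final drop (place-before= in RouterOS); the buffer-chain
    jumps can simply be appended.
    """
    old = set(expand_rules(old_groups, forward_policies, input_policies))
    return [r for r in expand_rules(new_groups, forward_policies, input_policies)
            if r not in old]


# Constructed sample matching the groups and policies in the original post.
GROUPS = {"transport": ["ether1", "tun0"], "lan": ["ether2", "ether3"]}
FORWARD_POLICIES = [("transport", "lan", "transport_lan"),
                    ("lan", "transport", "lan_transport")]
INPUT_POLICIES = [("transport", "transport_self"), ("lan", "lan_self")]
# The same groups after adding tun1 (transport) and ether4 (lan).
GROUPS_GROWN = {"transport": ["ether1", "tun0", "tun1"],
                "lan": ["ether2", "ether3", "ether4"]}

if __name__ == "__main__":
    print("/ip firewall filter")
    for rule in expand_rules(GROUPS, FORWARD_POLICIES, INPUT_POLICIES):
        print(rule)
    print("\n# rules to add for tun1 and ether4:")
    for rule in rules_to_add(GROUPS, GROUPS_GROWN, FORWARD_POLICIES, INPUT_POLICIES):
        print(rule)
```

Running it reproduces the 14-rule expansion from the post for two interfaces per group and lists the six rules needed for tun1 and ether4, including the lan_forward jump on out-interface=tun1 that is easy to miss when the expansion is done by hand; the rule count grows with the product of group sizes in the buffer chains, which is the growth the interface-list proposal avoids.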
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Feature request: grouping interfaces in firewall

Sat Mar 29, 2014 2:22 pm

+1

Being able to "group" or "zone" interfaces would certainly make for far tidier firewall configs! Several manufacturers have already implemented similar concepts.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
c0d3rSh3ll
Long time Member
Posts: 558
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: Feature request: grouping interfaces in firewall

Sat Mar 29, 2014 5:29 pm

+1 also

We don't need to add a rule for each interface.

sent from my mobile phone using tapatalk
nothing
 
cdiedrich
Forum Veteran
Posts: 952
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Feature request: grouping interfaces in firewall

Wed Apr 09, 2014 11:10 am

+1 again :-)
And maybe named port and address groups. Would be very handy for rapid building of rules - like in other firewall appliances...
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
bawolek
Frequent Visitor
Posts: 61
Joined: Thu Mar 29, 2007 3:33 pm
Location: Poland/Wroclaw

Re: Feature request: grouping interfaces in firewall

Wed Apr 09, 2014 11:53 am

+1 from me :)
 
spippan
Member Candidate
Posts: 100
Joined: Wed Nov 12, 2014 1:00 pm

Re: Feature request: grouping interfaces in firewall

Tue Mar 03, 2015 1:13 pm

I guess many people would like to see such a feature.
Also it could be possible (if someone does not want that option) to enable/disable grouping.

And in terms of grouping it would be very, very nice if the grouping options could be set by the WinBox user (e.g. group by src-port, group by in-interface, group by out-interface, group by protocol, .......).

It would be a GREAT feature (especially for firewalls with 50+ rules .... like I have O:-P )
---
raiffeisen data center infrastructure and security
...stay curious
 
lucygp
just joined
Posts: 1
Joined: Wed Mar 04, 2015 7:03 am

Re: Feature request: grouping interfaces in firewall

Wed Mar 04, 2015 7:06 am

i guess many people would like to see such a feature
____________________________
Fifa coins
 
evince
Member
Posts: 329
Joined: Thu Jul 05, 2012 12:11 pm
Location: Weiswampach - Luxemburg

Re: Feature request: grouping interfaces in firewall

Wed Mar 04, 2015 11:37 pm

+1 and address-group would be nice too :)
