 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Groups in rules
 Date:  Sat, 23 Feb 2008 15:04:47 -0600
I agree with the principle of it, but if you are certain that your mail 
server is only listening to those ports (run a port scan or what not to 
make sure), it's just as easy to make one rule that ranges port 25 to 
443 and get it all done in one shot. The extra ports, your server will 
just ignore anyway.

Now if you want to traffic shape those (smtp has lower priority than 
HTTP), this would not be a good option. That's why I'd rather have my 
rules separate than grouped together. So, each has its place really, but 
as it is now, we just have the separate rules option. I would see the 
usefulness of the groups, though I imagine it would be just a GUI thing. 
I'm sure it's that way with all firewalls, the groups just mask all the 
extra rules.

Thanks,
Michael

Michel Servaes wrote:
> I agree.
>
> E.g. let's say I want to open up an email server with webmail, I need 
> to add approx. 5 separate rules:
>
> 25, 110, 143, 80, 443... it would be really nice to have all ports 
> under one rule, this sure would increase readability!
>
> Claus@Monowall wrote:
>> Hi
>>
>> Has the concept of address groups ever been considered?
>>
>> Other firewalls I know allow the admin to group IP addresses into named
>> groups which then can be used in rules like host/network/any.
>>
>> Allowing groups reduces the number of rules a lot.
>>
>> Thanks
>> Claus