quick blocking of groups

Murus
dweimer
Posts: 1
Joined: Tue Nov 22, 2016 6:21 pm

quick blocking of groups

Post by dweimer » Tue Nov 22, 2016 6:40 pm

For configuring an inclusive firewall, I would like to set up a "block in quick" rule for blocking specific groups. Is there a way to do that?
Right now it seems as if all blocked groups need to be specified for every port/service that I'm adding, which gets tedious, and bloats the rule set. When defining a custom rule, the group definitions don't seem to be available. Any custom rule that I try to add appears at the bottom of the list, and I can't seem to be able to move them up. (From what I understand, if a "quick" rule is above the other service definitions, any match on the block will not pass down to any of the other services.)

hany
Posts: 483
Joined: Wed Dec 10, 2014 5:20 pm

Re: quick blocking of groups

Post by hany » Wed Nov 23, 2016 2:00 am

To use groups in custom rules, you need to use their corresponding PF tables, like in the screenshot below.

[screenshot: custom rule referencing a group's PF table]
Any custom rule that I try to add appears at the bottom of the list, and I can't seem to be able to move them up. (From what I understand, if a "quick" rule is above the other service definitions, any match on the block will not pass down to any of the other services.)
Custom rules can be added only to their dedicated anchor which is placed at the end of the ruleset.
It's true: if a quick rule is above the service definitions, then any match will be blocked and not checked against the service rules. The next Murus version will let you place custom rules where you want, but currently you must use the dedicated anchor only.
However, since PF is a "last match wins" firewall, you can simply put your overrides in the custom anchor; you don't need the "quick" option. If you are worried about performance, then forget it: you can put hundreds of rules in your murus.inbound or murus.outbound anchors without affecting either network latency or CPU usage.
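As an added illustration of the point above (this is not from the thread and not Murus's own generated ruleset), here is a pf.conf-style fragment showing why a plain block rule in the end-of-ruleset custom anchor is enough: the table name, the sample addresses and the shape of the service rules are assumptions.

```pf
# Added example, not Murus's own output. Murus generates its own table name
# for each group; <blocked_hosts> and the addresses below are constructed.
table <blocked_hosts> persist { 203.0.113.0/24, 198.51.100.7 }

# Inclusive firewall: deny by default, then open specific services.
# (Assumed form of the rules Murus emits for its services.)
block in all
pass in proto tcp from any to any port { 22, 80 }

# The custom anchor is evaluated last. Without "quick", PF keeps evaluating
# and the LAST matching rule decides, so a match here overrides the
# earlier "pass" rules for the table's hosts with no "quick" needed.
anchor "murus.inbound"

# Rules loaded into the murus.inbound anchor (what you enter as a custom rule).
# Listed once here instead of being repeated on every service rule:
#   block in from <blocked_hosts> to any
#
# Evaluation for a packet from 203.0.113.5 to tcp/80:
#   block in all            -> matches (block)
#   pass ... port { 22, 80 } -> matches (pass)
#   anchor rule             -> matches (block)  <- last match, packet dropped
# A packet from 192.0.2.9 to tcp/80 only matches "block in all" and the
# "pass" rule, so the pass wins and it is accepted.
#
# Syntax-check before loading: pfctl -nvf /etc/pf.conf
```

Adding "quick" to the anchor rule would not change the outcome here, since the anchor is already the last thing evaluated; it only matters when a rule sits above others it should short-circuit.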
