Firewallgroup/Hostgroup

Hi Guys,

I use the IPFire to protect several computers from the Internet and to have a closed network.
In this network there are several computers for exercises with students.
These computers can be reached from the Internet using ssh. I use NAT for this.
In the firewall rules I have e.g. following rules:

Red interface port 24230 to green interface port 22 PC1
Red interface port 24231 to green interface port 22 PC2
Red interface port 24232 to green interface port 22 PC3

Since there are 20 PCs, I have 20 rules.

Therefore it would be nice if there was a host group in which I could list all PCs with the corresponding port details and then only have one rule in the firewall rules.
Or is that already possible with the existing firewall groups? I didn’t see a solution to this.

Greeting
Gerd

And how the firewall should guess which RED port should be redirected on which PC’s 22 port?
Edit:
maybe an access rule can group all the things (if NAT and Firewall Rules would be separated) but you still have to write all port/network translation for every single port.

1 Like

Hi,

first, welcome to the IPFire community. :slight_smile:

This is unfortunately not possible at the moment. I agree on 20 firewall rules being rather confusing and complicated to read, but since they are all distinct from another, grouping them together would probably cause even more confusion.

Thanks, and best regards,
Peter Müller

1 Like

Hi,

well I don’t know much about firewall rules. I imagine that you could specify both the port from the PC (e.g. port 22) and the port from the firewall (e.g. port 24230) for each PC in a host group.
Then you could set up a rule that says connect this new host group with the red interface and the specified ports are then assigned in the background.

Best regards
Gerd

This isn’t possible with the existing infrastructure.
What you suggest is a new sort of group, let’s name it ‘DNAT group’. This type of group would define tuples <RED port, internal IP, internal port>.
Interesting extension. Maybe someone tries to implement it.

Hi,

no offense indented, but we strongly recommend to read about it first before setting up and administering a firewall, for reasons explained here.

Thanks, and best regards,
Peter Müller

My plus one for Peter hint. Before create something really wrong, take full comprehensive read of the article and how to write a rule on Firewall interface.
And by the way: firewall is a “stupid” software. It needs to know exactly what to do, and it does exactly what it’s “told”, not what humans wish for.

1 Like