Firewallgroup/Hostgroup

Hi Guys,

I use the IPFire to protect several computers from the Internet and to have a closed network.
In this network there are several computers for exercises with students.
These computers can be reached from the Internet using ssh. I use NAT for this.
In the firewall rules I have e.g. following rules:

Red interface port 24230 to green interface port 22 PC1
Red interface port 24231 to green interface port 22 PC2
Red interface port 24232 to green interface port 22 PC3

Since there are 20 PCs, I have 20 rules.

Therefore it would be nice if there was a host group in which I could list all PCs with the corresponding port details and then only have one rule in the firewall rules.
Or is that already possible with the existing firewall groups? I didn’t see a solution to this.

Greeting
Gerd

And how should the firewall guess which RED port should be redirected to which PC’s port 22?
Edit:
Maybe an access rule could group all the things (if NAT and firewall rules were separated), but you would still have to write every port/network translation for every single port.


Hi,

first, welcome to the IPFire community. 🙂

This is unfortunately not possible at the moment. I agree on 20 firewall rules being rather confusing and complicated to read, but since they are all distinct from one another, grouping them together would probably cause even more confusion.

Thanks, and best regards,
Peter Müller


Hi,

well I don’t know much about firewall rules. I imagine that you could specify both the port from the PC (e.g. port 22) and the port from the firewall (e.g. port 24230) for each PC in a host group.
Then you could set up a rule that says connect this new host group with the red interface and the specified ports are then assigned in the background.

Best regards
Gerd

This isn’t possible with the existing infrastructure.
What you suggest is a new sort of group, let’s name it ‘DNAT group’. This type of group would define tuples <RED port, internal IP, internal port>.
Interesting extension. Maybe someone tries to implement it.
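To make the proposed ‘DNAT group’ concrete, here is an added illustration (my own, not IPFire code and not from anyone in this thread): the group is a list of <RED port, internal IP, internal port> tuples, and expanding it still yields one DNAT rule per tuple, so the group saves typing rather than rules. The interface name `red0`, the green addresses and the iptables form are assumptions.

```python
"""Expand a hypothetical 'DNAT group' into per-port iptables DNAT rules.
Illustration only; IPFire builds its rules through its own web interface."""
import ipaddress

# Constructed sample group, modelled on the thread's RED 24230..24232 -> PC:22 forwards.
# Green addresses are made up for the example.
DNAT_GROUP = [
    (24230, "192.168.1.11", 22),  # PC1
    (24231, "192.168.1.12", 22),  # PC2
    (24232, "192.168.1.13", 22),  # PC3
]


def validate_group(group):
    """Reject malformed entries and, above all, a RED port used twice:
    one external port can only be translated to one internal host."""
    seen = set()
    for red_port, host, int_port in group:
        for port in (red_port, int_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
        if red_port in seen:
            raise ValueError(f"RED port {red_port} mapped twice")
        seen.add(red_port)


def expand_group(group, red_if="red0", proto="tcp"):
    """Return the DNAT (PREROUTING) line and the matching FORWARD accept line
    for every tuple; the FORWARD rule matches the already-translated destination."""
    validate_group(group)
    rules = []
    for red_port, host, int_port in group:
        rules.append(
            f"iptables -t nat -A PREROUTING -i {red_if} -p {proto} --dport {red_port} "
            f"-j DNAT --to-destination {host}:{int_port}"
        )
        rules.append(
            f"iptables -A FORWARD -i {red_if} -p {proto} -d {host} --dport {int_port} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    for line in expand_group(DNAT_GROUP):
        print(line)
```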

Hi,

no offense intended, but we strongly recommend reading about it first before setting up and administering a firewall, for reasons explained here.

Thanks, and best regards,
Peter Müller

My plus one for Peter’s hint. Before creating something really wrong, take a full, comprehensive read of the article and of how to write a rule in the Firewall interface.
And by the way: a firewall is “stupid” software. It needs to know exactly what to do, and it does exactly what it’s “told”, not what humans wish for.
