Question
YevhenK
1. It would be great to make rules with the source or destination as interfaces, not IP addresses (like src="br0"). It simplifies maintaining rules when IPs change.
2. I suggest adding a feature for firewall rules to be defined with NOT logic applied to address, port (or maybe proto, and segment - that would be great). I can't find a way to make a NOT-logic rule, I mean a rule with, for example, "destination not equal to X" logic.
As I understand it, in the current implementation I need to allow one and block the others, or vice versa, but this can lead to unintended interference with other Keenetic logic applied after the user's custom rules (blocking needed ports just because I don't know they are used later), or make the list of rules much larger than it could be (when intersegment connection logic is controlled with the firewall).
3. As I see it, it could be effective to allow users to make "global" firewall rules which are applied to all interfaces (segments) at once, so there is no need to specify them for every segment manually. (It makes sense if there are more than 2 segments defined.)
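As an added illustration of the semantics the three requests describe (this is not Keenetic firmware code or its CLI syntax, and the interface names, addresses and rules below are constructed), the following Python model evaluates a first-match rule list that supports interface-based matching, a negated field, and a rule with no interface that applies to every segment:

```python
"""Toy first-match firewall evaluator (added example, not Keenetic code).

Demonstrates the three requested features from the post:
  - match on an interface name (iif="br1") instead of an IP range
  - negate a field (negate={"dst"} means "destination NOT in dst")
  - a "global" rule (iif=None) that applies on every interface
All interface names, addresses and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iif: str      # ingress interface / segment, e.g. "br0", "br1"
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    iif: Optional[str] = None         # None = any interface ("global" rule)
    src: Optional[str] = None         # CIDR, None = unconstrained
    dst: Optional[str] = None         # CIDR, None = unconstrained
    proto: Optional[str] = None
    dport: Optional[int] = None
    negate: frozenset = frozenset()   # field names whose match is inverted

    def matches(self, pkt: Packet) -> bool:
        checks = {
            "iif": lambda: pkt.iif == self.iif,
            "src": lambda: ip_address(pkt.src) in ip_network(self.src),
            "dst": lambda: ip_address(pkt.dst) in ip_network(self.dst),
            "proto": lambda: pkt.proto == self.proto,
            "dport": lambda: pkt.dport == self.dport,
        }
        for name, check in checks.items():
            if getattr(self, name) is None:
                continue              # this rule does not constrain the field
            result = check()
            if name in self.negate:   # NOT logic: invert the field match
                result = not result
            if not result:
                return False
        return True


def evaluate(rules, pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set: br1 is a guest segment, br0 the main LAN,
# 192.168.1.1 is the router (its DNS resolver).
RULES = [
    # guests may query the router's DNS ...
    Rule("permit", iif="br1", dst="192.168.1.1/32", proto="udp", dport=53),
    # ... but may reach nothing else on the main LAN
    Rule("deny", iif="br1", dst="192.168.1.0/24"),
    # global rule (no iif): on every segment, DNS may go ONLY to the router
    Rule("deny", proto="udp", dport=53, dst="192.168.1.1/32", negate={"dst"}),
]


def demo() -> dict:
    """Return the verdict for a few constructed packets."""
    packets = {
        "guest_dns_to_router": Packet("br1", "192.168.2.10", "192.168.1.1", "udp", 53),
        "guest_smb_to_lan":    Packet("br1", "192.168.2.10", "192.168.1.50", "tcp", 445),
        "lan_dns_to_external": Packet("br0", "192.168.1.20", "8.8.8.8", "udp", 53),
        "lan_https_external":  Packet("br0", "192.168.1.20", "8.8.8.8", "tcp", 443),
        "iot_dns_to_external": Packet("br2", "192.168.3.5", "1.1.1.1", "udp", 53),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The third rule is the one the post asks for: with a negated destination it is a single global rule, whereas without NOT logic the same intent needs a permit plus a broad deny on each segment, and that broad deny is exactly what can shadow rules applied later.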