Hello all, Currently, firewall rules that agree with the default firewall policy don't ever get applied. While thinking about this recently, I suspect that this isn't the behaviour that people want or expect. Take for example a case where you want to open up a port to the internet, but want to apply a block list to prevent spammers or other abusers from connecting:
    FROM any TO tag mta ALLOW TCP port 25
    FROM (subnet <badsub> OR ip <badip1> OR ip <badip2>) TO tag mta BLOCK TCP port 25

Or (this is the train of thought that led me down this path), you might have a global SDC rule that you want to counter.

After giving it some thought, I think that the more intuitive thing to do is to apply rules in order of their scope, so that more specific rules take precedence over other rules. I've outlined some of my initial thoughts here:

    https://smartos.org/bugview/FWAPI-233

Another avenue of possibility is introducing a PRIORITY keyword (with a default of the lowest priority), so that you could write rules like this:

    PRIORITY 10 FROM any TO tag b ALLOW TCP port 8000
    PRIORITY 5 FROM any TO tag a BLOCK TCP port 8000

Something like this would be necessary for tags since there's no sensible way to determine which tag the user considers more important for a machine with both tags.

What are people's thoughts here? I'd especially appreciate hearing from anyone who makes heavy use of fwadm(1M) or FWAPI.

- Cody

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
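The following is an added illustration, not code from the post, from fwadm(1M) or from FWAPI-233. It models the three evaluation orders the post contrasts (the current "rules agreeing with the default policy are never applied" behaviour, most-specific-scope-wins, and an explicit PRIORITY keyword) on the post's two rule sets, so that the differing verdicts can be compared. The scope ranking (any < subnet < single IP), the rule that a tie between ALLOW and BLOCK resolves to BLOCK, the reading that a larger PRIORITY number wins with an absent PRIORITY counting as 0, the representation of a FROM (... OR ...) list as one rule per source, and the addresses standing in for badsub/badip1/badip2 are all assumptions made for this example.

```python
"""Toy evaluator for the rule-ordering question raised on the list.

Assumptions (not fwadm or FWAPI semantics): source scope ranks
any < subnet < single IP; an ALLOW/BLOCK tie resolves to BLOCK;
a larger PRIORITY number wins and a missing PRIORITY counts as 0.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                      # "ALLOW" or "BLOCK"
    port: int                        # TCP port the rule applies to
    src: str = "any"                 # "any", a CIDR subnet, or a single IP
    dst_tag: Optional[str] = None    # None means the rule targets any VM
    priority: Optional[int] = None   # only used by decide_by_priority

    def src_scope(self) -> int:
        """Larger value means a more specific FROM clause (assumed ranking)."""
        if self.src == "any":
            return 0
        return 1 if "/" in self.src else 2

    def matches(self, src_ip: str, port: int, tags: set) -> bool:
        if port != self.port:
            return False
        if self.dst_tag is not None and self.dst_tag not in tags:
            return False
        if self.src == "any":
            return True
        if "/" in self.src:
            return ip_address(src_ip) in ip_network(self.src)
        return ip_address(src_ip) == ip_address(self.src)


def _resolve(winners, default: str) -> str:
    """Tie-break among equally ranked matches: any BLOCK wins (assumption)."""
    if not winners:
        return default
    return "BLOCK" if any(r.action == "BLOCK" for r in winners) else "ALLOW"


def decide_current(rules, src_ip, port, tags, default="BLOCK"):
    """Behaviour described in the post: a rule whose action equals the
    default policy is never applied, so only opposite-action rules count."""
    for r in rules:
        if r.action != default and r.matches(src_ip, port, tags):
            return r.action
    return default


def decide_by_scope(rules, src_ip, port, tags, default="BLOCK"):
    """Proposal from the post: the most specific matching rule wins."""
    hits = [r for r in rules if r.matches(src_ip, port, tags)]
    if not hits:
        return default
    top = max(r.src_scope() for r in hits)
    return _resolve([r for r in hits if r.src_scope() == top], default)


def decide_by_priority(rules, src_ip, port, tags, default="BLOCK"):
    """Alternative from the post: an explicit PRIORITY keyword decides."""
    hits = [r for r in rules if r.matches(src_ip, port, tags)]
    if not hits:
        return default
    top = max(r.priority or 0 for r in hits)
    return _resolve([r for r in hits if (r.priority or 0) == top], default)


# Constructed stand-ins for <badsub>, <badip1>, <badip2> (documentation ranges).
# The FROM (... OR ...) list from the post is expanded into one rule per source.
MTA_RULES = [
    Rule("ALLOW", 25, "any", "mta"),
    Rule("BLOCK", 25, "203.0.113.0/24", "mta"),
    Rule("BLOCK", 25, "198.51.100.7", "mta"),
    Rule("BLOCK", 25, "198.51.100.8", "mta"),
]

# The PRIORITY example from the post, for a VM carrying both tags a and b.
TAG_RULES = [
    Rule("ALLOW", 8000, "any", "b", priority=10),
    Rule("BLOCK", 8000, "any", "a", priority=5),
]

if __name__ == "__main__":
    bad, good = "203.0.113.5", "192.0.2.1"
    print("current, blocklisted src :", decide_current(MTA_RULES, bad, 25, {"mta"}))
    print("by scope, blocklisted src:", decide_by_scope(MTA_RULES, bad, 25, {"mta"}))
    print("by scope, other src      :", decide_by_scope(MTA_RULES, good, 25, {"mta"}))
    print("tags a+b, by scope       :", decide_by_scope(TAG_RULES, good, 8000, {"a", "b"}))
    print("tags a+b, by priority    :", decide_by_priority(TAG_RULES, good, 8000, {"a", "b"}))
```

Running it shows the gap the post describes: with the default inbound policy of BLOCK, the current model lets a blocklisted source through on port 25 because its BLOCK rules agree with the default and are skipped, while scope ordering lets the subnet rule beat the "any" rule. For the two-tag machine, scope ordering cannot separate the rules (both are FROM any, so the conservative tie-break applies), which is exactly where the PRIORITY keyword gives a decision.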
