The need for enhanced firewall management through organized and structured IP and domain sets.
To simplify and automate the handling of firewall rules, port forwards, multiwan rules, and DPI rules by using predefined objects.
To improve security and ease of administration by using object-based configurations that expand dynamically based on their definitions.
Proposed Solution
Implement firewall objects as described in the documentation. This includes two main types of objects: host set and domain set, with each supporting both IPv4 and IPv6 addresses. These objects will be used within firewall rules and other configurations to reference sets of IP addresses or DNS names.
DHCP reservations, DNS records and OpenVPN users with a reservation are part of the objects.
Key Elements:
Host Sets:
Represent sets of IP addresses.
Can include single IPs, CIDR networks, ranges, DHCP reservations, domain names, and VPN users.
Support both IPv4 and IPv6.
Domain Sets:
Represent sets of DNS names resolved to IP addresses.
Include a timeout for DNS resolution.
Support both IPv4 and IPv6.
Usage in Rules:
Firewall rules, port forwards, multiwan rules, and DPI rules can reference these objects.
Fields such as ns_src and ns_dst will be used to specify source and destination objects.
Automatically update and manage IP sets based on object definitions.
Additional Context
Known limitations of fw4:
A rule can only use one ipset for either source or destination, not both.
Ipsets cannot contain entries with different timeouts.
Rules cannot match both an IP address and a MAC address simultaneously.
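The host-set expansion described under Key Elements, as an added sketch that is not part of the original request or the project's code: it turns single IPs, CIDR networks and ranges into separate, collapsed IPv4 and IPv6 lists, one per address family. The function name `expand_host_set` is hypothetical, and DHCP reservations, DNS records and VPN users are assumed to have been resolved to addresses before this step.

```python
import ipaddress


def expand_host_set(entries):
    """Expand host-set entries into collapsed IPv4 and IPv6 network lists.

    Accepts single IPs, CIDR networks and "start-end" ranges. Named members
    (DHCP reservations, DNS records, VPN users) are assumed to be resolved
    to addresses by the caller; this helper is hypothetical.
    """
    nets = {4: [], 6: []}
    for raw in entries:
        item = raw.strip()
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            if start.version != end.version:
                raise ValueError(f"mixed address families in range: {item!r}")
            if start > end:
                raise ValueError(f"range start is after end: {item!r}")
            found = list(ipaddress.summarize_address_range(start, end))
        else:
            # strict=True rejects CIDRs with host bits set (e.g. 10.0.0.5/8),
            # so a typo cannot silently widen the set.
            found = [ipaddress.ip_network(item, strict=True)]
        nets[found[0].version].extend(found)
    # collapse_addresses merges adjacent and overlapping networks and sorts
    # the result, so each family ends up with a minimal element list.
    return {
        "ipv4": [str(n) for n in ipaddress.collapse_addresses(nets[4])],
        "ipv6": [str(n) for n in ipaddress.collapse_addresses(nets[6])],
    }


if __name__ == "__main__":
    # Constructed sample host set (documentation and private addresses only).
    sample = [
        "192.168.1.10",
        "10.0.0.0/24",
        "10.0.1.0/24",
        "192.168.1.20-192.168.1.23",
        "2001:db8::/64",
        "2001:db8::1",
    ]
    print(expand_host_set(sample))
```

Rejecting malformed entries instead of guessing keeps a mistyped object from matching more traffic than intended.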