Open daanw1978 opened 2 years ago
The NETSET feature using ipset denies all access for the IP addresses and/or networks. No selectivity by port or protocol as you want. You would have to create the functionality via code in custom-rules if you are so inclined.
I understand that the current netset/ipset implementation in AIF is only used as a blocklist. What I am basically looking for is a possibility to open a port to a defined (number of) IP range(s). From my experience, adding a large number of IP ranges to the firewall will create a large number of iptables rules, resulting in considerable (re)loading times. netset/ipset hashing seems like the way to go to handle these amounts of IP ranges. I am not enough of an expert on the matter to know if this is possible at all, or whether ipset/netset was designed only to block IP ranges instead of also allowing them.
Is it possible to use NETSET in combination with HOST_OPEN_TCP? The use case is allowing, for example, certain mobile provider IP ranges to connect to a port instead of the whole internet. This should be much faster with NETSET compared to regular iptables rules?
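The reply above points at doing this in custom-rules rather than through NETSET. As an added example (not AIF's own code and not posted by anyone in this thread), the script below shows the shape that takes: an ipset `hash:net` set used as an allow list for a single TCP port, emitted as plain `ipset`/`iptables` commands. Because the set is a hash, lookup cost does not grow with the number of ranges, which is the loading-time concern raised in the issue. The set name, the port and the `INPUT` chain placement are assumptions; the ranges are constructed RFC 5737 documentation prefixes, not any provider's address space. Entries are validated before they are handed to ipset so a malformed token cannot end up in the set.

```shell
#!/bin/sh
# Added example, not code from AIF or from the issue author: an ipset-backed
# allow list for one TCP port. SET_NAME, ALLOW_PORT and the INPUT chain are
# assumptions; ALLOW_RANGES are constructed documentation prefixes.

SET_NAME="mobile_allow_v4"                      # assumed set name
ALLOW_PORT="8443"                               # assumed TCP port to restrict
ALLOW_RANGES="198.51.100.0/24 203.0.113.0/24"   # constructed sample ranges

# Accept only well-formed IPv4 prefixes (a.b.c.d or a.b.c.d/len) so a typo or
# a stray token never reaches ipset. Returns 0 for valid, 1 for invalid.
valid_cidr() {
  case "$1" in
    ''|*[!0-9./]*|*/*/*) return 1 ;;
  esac
  ip="${1%%/*}"; len="${1#*/}"
  [ "$len" = "$1" ] && len=32
  [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Emit the ipset commands that build the set. hash:net stores CIDR prefixes in
# a hash, so a packet is matched with a constant-time lookup however many
# ranges are loaded. Malformed entries are reported on stderr and skipped.
# Arguments: set name, then the ranges.
ipset_commands() {
  set_name="$1"; shift
  echo "ipset create $set_name hash:net family inet -exist"
  echo "ipset flush $set_name"
  for net in "$@"; do
    if valid_cidr "$net"; then
      echo "ipset add $set_name $net -exist"
    else
      echo "skipping malformed range: $net" >&2
    fi
  done
}

# Emit the netfilter rules: accept TCP to the port when the source address is
# in the set, then drop everything else aimed at that port.
# Arguments: set name, port.
iptables_commands() {
  echo "iptables -A INPUT -p tcp --dport $2 -m set --match-set $1 src -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $2 -j DROP"
}

# Print everything in the order it must run: the set has to exist before any
# rule references it. To apply as root: sh this_script.sh | sh
ipset_commands "$SET_NAME" $ALLOW_RANGES
iptables_commands "$SET_NAME" "$ALLOW_PORT"
```

Two points for anyone adapting this: the `iptables` lines only print commands, so the rule order inside a real firewall (and whether the explicit `DROP` is even needed when unopened ports are already dropped by default policy) depends on where the fragment is inserted; and a set that is reloaded with `ipset flush` while rules reference it keeps working, which is what makes updating a large range list cheap compared with rewriting the equivalent number of iptables rules.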