Well, let's say you use the firewall a lot for shaping, which I do. Let's say you have a large block of IPs, a /20 perhaps, and have a lot of abusers, spammers, viruses, etc. The classifier section will get filled up easily by having to put in each abusive IP individually. Especially since I think there's a bug where the classifier section won't display any more than 60 rules; any new ones still work, but they can only be viewed via the console/SSH, etc.
What if there was a way to incorporate ipset, so that, say, there is only one classifier, named “abusers”, and you add all the abusive IPs to the group, adding and deleting on the fly? This way only one classifier is made, yet it contains the same shaping parameters, but for a group of IPs.
Saves time and cleans house at the same time. And if I am remembering it right from the Netfilter and ipset documentation, it would technically be “faster” to shape against an ipset of 100 IPs than against 100 individual IP rules. Correct me if I am wrong though.
Also, groups of ports would be nice, or at least a way to incorporate multiple ports. Right now you can only do single ports, or a range. Let's say you want a /24 block for a school lab to have access to only certain ports: 80, 53, 25, 995, etc. Right now, again, you'd be cluttering up the classifier section with single-port rules for the subnet. Same thing for the L7 as well. Right now you can view by groups, such as chat, p2p, web, etc., but you can only classify using a single signature.
So, in one classifier you could say 192.168.1.x/24 gets only these certain ports; bam, one rule, done, not 20 or so just for the common ports. Then in another single classifier, say ipset “abusers” gets 64k of download traffic, and add/delete on the fly to the specified ipset. Then in a third classifier, state L7 group p2p drop, which incorporates bittorrent, edonkey, etc., in the firewall section.
Or mix it up and use the “p2p” ipset group in the firewall section, adding/deleting on the fly, to drop the L7 group p2p. Or make another ipset named “spammers” and deny port 25 outbound in one single rule.
Or it'd be great to add/delete your own L7 groups, e.g. one named common, add http, mail, etc., and attach an ipset to it, so the IPs/subnets in that ipset get only the common L7 signatures, and you can add classes to them, etc. Many possibilities if IP groups, port groups, and L7 groups could work.
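As an added illustration of what the post is asking for (this is not code from the original post, nor from the firewall product being discussed), the script below shows how the same thing is done directly with the Netfilter tools: one `ipset` named `abusers` that a single `iptables` rule matches against, IPs added and removed on the fly without touching the rule, a `spammers` set denied port 25 outbound in one rule, and one `multiport` rule that gives a lab /24 access to a list of ports. The set names, the fwmark value `10`, the interface `eth0`, the class id `1:10` and the sample addresses are all assumptions chosen for the example; the tc filter line assumes an HTB qdisc `1:` with class `1:10` already exists. With `DRY_RUN=1` (the default) the script only prints the commands it would run, so it can be read and tested without root or the `ipset` binary.

```shell
#!/bin/sh
# Added example: grouping IPs and ports with ipset + iptables (not the product's own code).
# DRY_RUN=1 prints each command instead of executing it (no root needed).
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the sets once. -exist makes the call idempotent (no error if present).
create_sets() {
  run ipset create abusers hash:ip -exist
  run ipset create spammers hash:ip -exist
}

# Add/delete on the fly: the iptables rule never changes, only the set contents.
add_abuser() { run ipset add abusers "$1" -exist; }
del_abuser() { run ipset del abusers "$1" -exist; }
add_spammer() { run ipset add spammers "$1" -exist; }

# One rule for the whole "abusers" group: mark its traffic so tc can shape it.
mark_abusers_rule() {
  run iptables -t mangle -A PREROUTING -m set --match-set abusers src -j MARK --set-mark 10
}

# tc picks up the mark and puts the traffic in a throttled class (assumed HTB setup).
tc_abusers_filter() {
  run tc filter add dev eth0 parent 1: protocol ip handle 10 fw flowid 1:10
}

# "spammers" group: deny outbound SMTP with a single rule.
drop_spammers_smtp_rule() {
  run iptables -A FORWARD -m set --match-set spammers src -p tcp --dport 25 -j DROP
}

# Port group for the lab subnet: one multiport rule instead of one rule per port.
lab_ports_rule() {
  run iptables -A FORWARD -s 192.168.1.0/24 -p tcp -m multiport --dports 80,53,25,995 -j ACCEPT
}

# Constructed sample values, for demonstration only.
demo() {
  create_sets
  add_abuser 203.0.113.7
  add_abuser 203.0.113.9
  del_abuser 203.0.113.7
  add_spammer 203.0.113.20
  mark_abusers_rule
  tc_abusers_filter
  drop_spammers_smtp_rule
  lab_ports_rule
}

demo
```

Run it as `DRY_RUN=0 sh grouping.sh` on a box where `ipset`, `iptables` and `tc` are installed to actually apply the rules. The point to notice is that `add_abuser`/`del_abuser` only change set membership; the one `-m set --match-set abusers src` rule, and the tc filter hanging off its mark, stay exactly as they were.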