Help with Rules

Hi,
I’ve really tried to get rules working, but I’m struggling to get it working without completely locking myself out. I suspect I need more rules than I’m trying to create.

  • I’m using tags - which are already setup and configured.
    – tag 200 - general devices (also has this setup as “default”)
    – tag 300 - devices which require LDAP
    – tag 400 - Gateways or Bridges
  • I’m using a bridged network.
  • I have a gateway to allow global routing.

Here’s what I want to achieve:-

  • 1st Requirement - From any device
    – allow icmp traffic (v4)

  • 2nd Requirement - From tag 200 or no tag
    – allow traffic to
    — any IP AND ports 389 (tcp/udp), 636, 3268, 3269, 88, 53, 445, 135, 5722, 123, 464
    — IP 192.168.99.120 AND ports 790, 791
    — IP 192.168.99.122 AND ports 790, 791
    — IP 192.168.99.121 AND ports 137 (udp), 138 (udp), 139, 530
    — Worth noting that all of the above addresses are via the bridge
    — Any traffic created by one of the above that then uses a dynamic port

  • 3rd Requirement - from tag 300
    – allow traffic to
    — any IP AND ports 389 (tcp/udp), 636

  • 4th Requirement - block ALL communication between devices of the same tag type (including ICMP)

How to deal with gateway and bridge devices (tag 400)? Obviously I need to allow all traffic to pass through gateways, bridges need to allow traffic as above. I obviously also need traffic to be passed back.

The first one is easy:-

accept
icmp 4 -1
;

Then I would imagine the second one looking something like this:-

accept
tor 1000 200
dport 389
or dport 636
or dport 3268
or dport 3269
or dport 88
or dport 53
or dport 445
or dport 135
or dport 5722
or dport 123
or dport 464
;

accept
tor 1000 200
ipdest 192.168.99.120/32
or ipdest 192.168.99.122/32
dport 790
or dport 791
;

accept
tor 1000 200
ipdest 192.168.99.121
dport 137
or dport 138
or dport 139
or dport 530
;

drop
tor 1000 200
;

Clearly, I’m missing handling the return data here. I can’t seem to figure that out…

Third requirement would be something like…

accept
tor 1000 300
dport 389
or dport 636
;

drop
tor 1000 300
;

Fourth requirement (this would presumably go at the top of the rules list):-

drop
tand 1000 200
or tand 1000 300
or tand 1000 400
;

I hope all that makes sense and someone can help me finish it off 🙂
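Added here as a worked example of the return-path handling the draft above is missing (it is not the poster's rule set and not part of the reply that follows): the TCP 790 rule from the 2nd requirement with its reply rule, plus one UDP reply rule. It assumes tag id 1000 and the addresses from the draft, and that the tseq/treq sender-side and receiver-side tag matches are available in the controller's rule compiler.

```text
# Added example (not the poster's draft or the reply): one service from the
# 2nd requirement, TCP 790 to 192.168.99.120/.122, with the return path the
# draft lacks. The filter is stateless and runs on both endpoints, so the
# reply packets must be admitted by a rule of their own.
# Assumed: tag id 1000 and value 200 from the draft; tseq/treq (sender-side
# and receiver-side tag tests) available in the rule compiler.
#
# Ordering matters: conditions are combined strictly left to right, "and" is
# the default, and there are no parentheses. The ipdest/or pair is placed
# first so the later "and" terms apply to both hosts; written the other way
# round, "... and ipdest A or ipdest B and dport 790 or dport 791" would
# accept port 791 to any host and drop the protocol/tag checks for host B.

# Forward: a tag-200 member opens TCP 790 on either host. The receiving
# ZeroTier member is the bridge (tag 400), so only the sender's tag is tested.
accept
  ipdest 192.168.99.120/32
  or ipdest 192.168.99.122/32
  and ipprotocol tcp
  and dport 790
  and tseq 1000 200
;

# Return: the reverse 5-tuple, inbound via the bridge to a tag-200 member.
# Requiring the ACK flag means a bare SYN from the host side is not matched,
# so this rule cannot be used to open new connections toward members.
accept
  ipsrc 192.168.99.120/32
  or ipsrc 192.168.99.122/32
  and ipprotocol tcp
  and sport 790
  and chr tcp_ack
  and treq 1000 200
;

# UDP has no handshake flags, so its return rule can only pin the reverse
# tuple (here NetBIOS name service, 192.168.99.121:137, from the draft).
accept
  ipsrc 192.168.99.121/32
  and ipprotocol udp
  and sport 137
  and treq 1000 200
;
```

Port 791 and each of the other ports in the 2nd and 3rd requirements need the same forward/return pair, placed before the trailing drop rule.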

Hello,
It can be pretty tricky because it’s stateless.
One thing I see is dport and ipdest rules and your note about return traffic.

Some notes about that