How can I use an ipset more than once in a firewall rule?

TLDR: This is about making rules like the one below using LuCI:

action = accept
 proto = tcp
   src = <-ipset1->:{*}
   dst = <-ipset2-or-ipset1(again)->:{80,443}

I use lists, ip sets, aliases, and [firewall] groups interchangeably. I'll try to avoid it.

I'm about to add IPv6 rules, and as you prob. know, with those being all global and stuff, you can't rely on non-routable addresses as a safeguard against bad rule making.

I've been trying to set up rules with lists forever but I can't figure them out, so I've put them off continuously, which landed me with a mess of "temporary" makeshift rules old enough to drive.

The most important thing I need to figure out is how to re-use a list in more fields than just one. Which [sidenote] that one is very ambiguous/confusing as to what it applies to, or what it can or cannot overrule/have precedence over. I wouldn't be wasting anybody's time with such a basic feature question but it's not in the docs; I spent a lot of time there already.

Anyway, here's an example of what I mean applied on pfSense:

To replicate it on OpenWRT, it's um… challenging. Here's another quick screenshot compo about trying to work it out in OpenWRT:

OpenWRT, or rather LuCI, has many things that contradict each other but no place for one ipset where it's clear how it will be used, let alone two.

On top of that, there's another set of IP sets in Network → DHCP and DNS. I have no idea what that does, but it's the same thing in the end since there's only one ambiguous place to reference it from.

I thought, maybe if I chain them and, instead of many rules per host or group, I group hosts and groups by rule type, even if it needed two rules per traffic flow, it'd be much cleaner and easier to diagnose, but rules have just the one action, right? And jump would probably be it. I haven't thought it through, though, but I didn't want to spend more time chasing after another wrong thing, so I came looking for help instead.

Could you guide me a little here, maybe a few tips? I'm okay with ditching LuCI for config files. Often I do just that when I get frustrated with LuCI [1].

Thanks.

[1] UCI, on the other hand, I skipped out on. I found the syntax was more difficult than working with config files, which are kind of the goal.