Packet Filtering
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Packet Filtering
The Packet Filtering Access List SoftEther provides is a big mechanism applied on Layer-2 connections. So one can benefit from Layer-2 having a robust security mechanism to Allow/Drop certain packets. Using the Access List as it is now, however, is not so practical nor very intuitive. I configured a priority 1000 Drop All rule (user and group empty, checked all other boxes for all IP, all MAC), but any other rule before 1000 (from 1 to 999) does not take precedence or does not get matched, so with a generic Drop All rule no other allow rule works. If I add a more specific Drop rule (i.e. a Drop All rule specifying a User or Group), any rule before 1000 for the same User or Group works. Is this by design? Also, could you think about adding a protocols group, so on the same Virtual Hub one can Drop All by default and group together Allow rules that can be assigned to a group of users or single users? Is there another method to avoid having a lot of rules that are difficult to maintain?
Best Regards
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Packet Filtering
I think you may have made a mistake somewhere.
Please show the rule which you configured.
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Re: Packet Filtering
As you can see in the screenshot, I can make dropping any packet not specifically allowed work only by using a group. If I enable the last 2 rules without a group specified in the rule (a more generalized drop for all connections for IPv4 and IPv6), nothing is allowed, even though these are the last 2 rules evaluated.
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Packet Filtering
I want to see the 'contents' column.
Please re-upload a screenshot.
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Re: Packet Filtering
I cannot make it larger; the window cannot be resized. Attached is the right part with the contents column.
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Packet Filtering
You allow packets from client to server.
However, you don't allow the opposite direction.
- Posts: 25
- Joined: Sun Feb 21, 2016 10:34 am
Re: Packet Filtering
I do not think this is a solution. The Drop All rule that works is the same as the one that does not work; the only difference is that in the working Drop All rule we specified a User or Group. Generic Drop All rules seem to take precedence even if there are previous, more specific rules (in which one specifies a User or Group).
Also, the rules work well; we do not specify the back direction as we think packet filtering is stateful, otherwise no rules would work.
- Posts: 2
- Joined: Sat Nov 11, 2017 11:28 am
Re: Packet Filtering
Did anyone get anywhere with this?
I am trying to do the simplest thing, allow just one port, and reject everything else.
Screenshot attached shows just two rules - allow port 3306, reject everything else.
But this does not work - the 'reject everything' always rejects my packets.
I know my 'allow' is correct - if I disable the 'reject all', everything works. If I then change my 3306 rule to a 'reject' - then it rejects.
But if I have 'allow 3306' followed by 'reject all' then my 3306 packets get rejected.
Any help much appreciated.
- Posts: 2
- Joined: Sat Nov 11, 2017 11:28 am
Re: Packet Filtering
OK just to confirm what Roxy said in the original post back in 2016.
I need to add a group selection to both my Pass and my Discard rules. Then it works as I expect.
If I have a group on my Pass rule, but no group on the 'discard all' rule - then the Discard All rule applies.
This is not ideal and is as Roxy said 'not intuitive'. I think that is putting it mildly.
- Site Admin
- Posts: 2237
- Joined: Sat Mar 09, 2013 5:37 am
Re: Packet Filtering
You should just add a reversal route for returning packet.
(Of course, it works even in your way to allow all users not joining the group.)
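To make the explanation in this thread concrete, here is an added example (not SoftEther's own code or its actual rule engine) that models an access list as a priority-ordered, first-match, stateless filter. The model assumes that lower priority values are evaluated first, that a packet not matched by any rule is passed, and that a rule with a user/group set only matches packets sent by that user/group; the packets, users, addresses and rule sets are constructed for the example. It walks through the three configurations discussed above: the two-rule "allow 3306, discard all" set, the same set with the reverse rule for returning packets, and the group-scoped discard rule.

```python
"""Model of a priority-ordered, first-match, stateless packet filter.
Constructed example; it is not SoftEther's implementation."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    user: Optional[str] = None   # VPN user/group that injected the packet; None = not a user session


@dataclass
class Rule:
    priority: int                   # lower value is evaluated first (assumption of this model)
    action: str                     # "pass" or "discard"
    memo: str = ""
    src_user: Optional[str] = None  # restrict the rule to packets sent by this user/group; None = any
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """A field left as None is a wildcard; every field that is set must match."""
        return (self.src_user in (None, pkt.user)
                and self.proto in (None, pkt.proto)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Stateless first match in ascending priority order; no matching rule means pass."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action
    return "pass"


# Constructed traffic: a VPN user in group "vpnusers" opens TCP 3306 to a server
# behind the hub and the server answers. The reply carries 3306 as its *source* port,
# which is why a rule that only matches destination port 3306 never sees it.
FORWARD = Packet("10.0.0.10", "10.0.0.1", "tcp", 51234, 3306, user="vpnusers")
REPLY = Packet("10.0.0.1", "10.0.0.10", "tcp", 3306, 51234, user=None)
SSH_FWD = Packet("10.0.0.10", "10.0.0.1", "tcp", 51235, 22, user="vpnusers")

# 1. The two-rule set from the thread: allow 3306, discard everything else.
TWO_RULES = [
    Rule(1, "pass", "allow mysql", proto="tcp", dst_port=3306),
    Rule(1000, "discard", "discard all"),
]

# 2. Same, plus the reverse rule for the returning packets.
WITH_REVERSE = TWO_RULES + [
    Rule(2, "pass", "allow mysql replies", proto="tcp", src_port=3306),
]

# 3. The workaround found in the thread: scope the discard rule to the group,
#    so a packet that is not sent by a group member never matches it.
GROUP_SCOPED = [
    Rule(1, "pass", "allow mysql", src_user="vpnusers", proto="tcp", dst_port=3306),
    Rule(1000, "discard", "discard all from group", src_user="vpnusers"),
]


def trace(rules: List[Rule]) -> dict:
    """Verdict for each constructed packet under one rule set."""
    return {name: filter_packet(rules, pkt)
            for name, pkt in (("forward", FORWARD), ("reply", REPLY), ("ssh", SSH_FWD))}


if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES),
                        ("with reverse", WITH_REVERSE),
                        ("group scoped", GROUP_SCOPED)):
        print(f"{name:13s} {trace(rules)}")
```

Under this model the two-rule set passes the client's SYN to port 3306 but discards the server's reply, which is exactly the symptom reported above. Adding the reverse pass rule fixes the reply while the SSH attempt is still discarded. The group-scoped discard also lets the reply through, but for a different reason: the reply is not attributed to a group member, so it matches no rule at all and falls through to the default, which is the "allows all users not joining the group" effect the admin describes. The explicit reverse rule is the narrower fix, since it only opens the return path for the service you intended.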