LAN exclusion / multiple IPs #73
Comments
Hi, you are bringing up valid points. Is this what you were asking for?
There should be a toggle for all RFC1918 IPs imho.
Probably it's safe to write: Normally you would validate each part of the IP: 127.[0-9]+.[0-9]+.[0-9]+, but in this case as we're comparing only IPs, 127..* would match "127." and everything behind it (not only numbers).
Thanks. I think the edit box hint misled me and the hint rather describes two examples. I can filter LAN with [127.0.0.[0-9]|192.168.1.[0-9] ] for example. I'd love your example to be dropped on wiki, if possible.
Rules are only saved to disk if you select Duration: Always. If it's not saved, check the daemon logs, maybe the regexp failed.
Sure, no problem. In fact, I added it yesterday :) If you have more doubts or necessities regarding regular expressions, drop them here and I'll update the wiki.
It's not a bad idea @licaon-kter, we could also add some common LAN IP ranges like 192.168.1.0/24, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8. We could also load the list of known ports with their names.
I've got this change ready. Now you can filter by destination network or IP, using regular expressions if you want. I've added some common private ranges from here https://en.wikipedia.org/wiki/Reserved_IP_addresses ::1/128 Filtering by multiple networks on the same rule is not possible yet. Any other network range that I should add?
Do you mean those values will be in a combo box? Or can they be typed in x.x.x.x/y format from now on? As for skipped 255* and ff: ranges for broadcasts. Not entirely sure it has to be part of the private group, and I personally have a separate rule for them. It's confusing that some of the ranges from Wikipedia seem to overlap with broadcasts. E.g. I detected these and googled that each of them is used for multicast: Thanks for the priorities, seems like no need to create anti-rules per each WAN connection for the LAN apps anymore. Superb.
yes and yes. So now you can type an IP, a network, a regexp to match IPs or select predefined network ranges from a combo box. Regular expressions are powerful, but it's more natural to type
ah okok, I didn't read that part I guess, or ignored it O:). Added now, as also suggested by @licaon-kter:
Now you can filter by destination network, for example:
- 127.0.0.1/8
- 192.168.1.0/24

This will make it easier to solve request #89. Some common network ranges have also been added so you can select them from a combo box. More info #73. Added process.id operator operand for future use, in order to filter by PID.
Hello
First step for me is to exclude LAN. Just like in NetLimiter. So many local devices and local broadcasts and I want to enable it all as this is not what I want to filter. IMO it's very good to first enable LAN and then watch for misbehaving apps that want to reach WAN as well. If you don't distinguish between LAN and WAN, you end up with way more popups and you also introduce WAN leaks. Imagine you allow a standard app like avahi/bonjour which works with local broadcasts. A user without a LAN rule would tend to allow this app completely, but that way you never find out about WAN leaks.
So the question is: is there a way to enter multiple IP ranges? The "[X] To this destination IP" literally offers this as an example:
127.0.0.1, 1.2.3.[0-9]+
but it doesn't work. You can have only 1 regexp I guess. You can't combine normal and regexp in one line I think.
Since regexp is so ugly for IPs, what about simple nonregexp format "127.0.0.1/24, 1.2.3.0/8".
Or better, have a simple way of enabling all LAN communication (a zone for LAN / WAN).
Can we have more examples in general? There are few regexp examples, and linked guides, but it's unknown to me how to do the example from the edit box above. Thanks!
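
Added example, not part of the issue thread or the project's code: it compares dotted-prefix regexps of the kind discussed above with CIDR matching on the network ranges named in the thread, and lists destinations that the regexps would treat as LAN although no range contains them. The `10..*` pattern, the sample destinations and the choice to show both anchored and unanchored matching are assumptions made for illustration.

```python
import ipaddress
import re

# Patterns in the style the thread discusses. "127..*" is quoted from the
# thread; "10..*" is constructed here in the same style for 10.0.0.0/8.
PATTERNS = {"loopback": r"127..*", "ten": r"10..*"}

# Ranges named in the thread. strict=False tolerates host bits ("127.0.0.1/8").
LAN_NETS = [ipaddress.ip_network(n, strict=False) for n in (
    "127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def regex_is_lan(dst, anchored):
    """True if any pattern matches; anchored=True requires a full-string match."""
    match = re.fullmatch if anchored else re.search
    return any(match(p, dst) for p in PATTERNS.values())


def cidr_is_lan(dst):
    """True if dst parses as an IP address inside one of LAN_NETS."""
    addr = ipaddress.ip_address(dst)  # raises ValueError on non-IP input
    return any(addr.version == n.version and addr in n for n in LAN_NETS)


def over_matches(destinations, anchored):
    """Destinations the regexps call LAN although no CIDR range contains them."""
    return [d for d in destinations
            if regex_is_lan(d, anchored) and not cidr_is_lan(d)]


# Constructed sample destinations, not taken from the issue.
SAMPLES = ["127.0.0.1", "10.1.2.3", "192.168.1.20", "172.20.0.5", "::1",
           "101.127.0.9", "198.51.100.7"]

if __name__ == "__main__":
    print("unanchored over-matches:", over_matches(SAMPLES, anchored=False))
    print("anchored over-matches:  ", over_matches(SAMPLES, anchored=True))
    print("CIDR LAN set:           ", [d for d in SAMPLES if cidr_is_lan(d)])
```

An allow rule built on the loose patterns would let the over-matched destinations through as "LAN" traffic, which is the WAN leak the original request wanted to avoid; the CIDR check has no such ambiguity.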