Definitions: IP-Range network definition object
Currently Astaro only supports single IP addresses and complete networks, or multiple instances of these two. Adding a range object for the network objects should enable the admin to specify a list of addresses which are in consecutive order and can be applied to most if not all cases where a network group can be used. A range object could look like this: 10.0.0.13-10.0.0.19. As not all subsystems of the ASG support this kind of data, we would need to split the range into a group of single IP addresses and networks; then all underlying systems would be able to use them. This would increase the flexibility and usability of how administrators could define their security policy.
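The split described in the request above, as an added example (not Astaro/Sophos code, and not part of the original post): it breaks an inclusive IPv4 range into the smallest list of single addresses and CIDR networks, then checks that the result matches the range exactly so a rule built from it covers no extra addresses. The function names are assumptions made for this illustration.

```python
import ipaddress

def range_to_networks(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR networks."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is above range end")
    networks = []
    while start <= end:
        # Largest block that can begin at `start`: limited by its trailing zero bits.
        align_bits = (start & -start).bit_length() - 1 if start else 32
        # Largest power-of-two block that still fits in the remaining addresses.
        fit_bits = (end - start + 1).bit_length() - 1
        host_bits = min(align_bits, fit_bits)
        networks.append(ipaddress.IPv4Network((start, 32 - host_bits)))
        start += 1 << host_bits
    return networks

def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' (the notation used in the request) into networks."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError("expected <first>-<last>")
    return range_to_networks(first.strip(), last.strip())

def covers_exactly(networks, first, last):
    """True if the networks are contiguous and span first..last with nothing extra."""
    cursor = int(ipaddress.IPv4Address(first))
    for net in networks:
        if int(net.network_address) != cursor:
            return False
        cursor += net.num_addresses
    return cursor == int(ipaddress.IPv4Address(last)) + 1

if __name__ == "__main__":
    # The range from the request: 7 addresses become 3 definitions.
    for net in parse_range("10.0.0.13-10.0.0.19"):
        print(net)
```

The standard library's ipaddress.summarize_address_range() produces the same list; the loop is written out here to show why a short range can still need several definitions.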
This feature has been completed and is ready for testing in the current Sophos UTM 9 Beta version which can be found at http://www.astaro.org/beta-versions/utm-9-public-beta/
Thx Astaro PM Team
I have UTM 9 installed but I cannot figure out how to define a range object that encompasses an IP range as shown above. Is there an example anywhere?
When you do this, please include the ability to create "definitions by exception" like "0.0.0.0/0 except 188.8.131.52/24".
Narender Singh Rathee commented
When is this 8.300 going to be released?
Andre B commented
This feature would help us to create exceptions to our firewall rules much faster - Please get it into production ASAP, thanks!
Andy Roffe commented
This would be extremely useful. We often need to apply filters to ranges of addresses. It creates a lot of work if we have to create groups and maintain them.
"About a year ago" below, I suggested to expand the network definition object to accept a list of IPs. An alternative to that would be to make Astaro DNS capable of having a list of IPs in a 'static DNS mapping', and then one could create a DNS Group definition: http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/203286-astaro-as-a-fully-functional-dns-server-with-backw?ref=title
Noel Diaz commented
It is important to note that, for the purpose of displacing competitors, this would be a useful tool, as other appliances have the ability to define IP address ranges, e.g. FortiGate and Sonicwall.
would be very helpful as this feature is to prioritize additional quick.
Kelly Wong commented
If the end user is using a service like MessageLabs for filtering mail, they require a specific range of more than 100 addresses. And due to rapid growth/poor infra planning, many end users have specific blocks of internal IPs for servers/groups etc.; they do not want to change their infrastructure just because they are changing the firewall.
Ricky Martin commented
I hope this one will be added soon
Bottom line, other vendors allow this, if you want ease of switching to ASG you should add it.
I hope this can be added on Astaro; it is very helpful.
Along with this, expand the network definition object to accept a list of IPs as per the suggestion by BigO on the User BB: http://www.astaro.org/118911-post6.html.
Thieu Hon Tran commented
Hello bram kortleven,
we cannot change the subnets of external networks. One example: The German ISP Arcor uses (among others) the IP-range 184.108.40.206 - 220.127.116.11. Currently, I need 4 network definitions to cover this IP-range.
bram kortleven commented
Why not separate the network into subnets for such a use?
We do that at our clients, as for instance a couple of PCs aren't allowed to use several services which others do need. By setting DHCP/MAC fixes, and using a subnet for those specific PCs (a subnet which is in the entire network of course, no _separate_ subnets), we can set specific rules for packet filter, webfilter, ...