When creating a firewall rule that mixes a destination port and a destination port group, no error message is displayed after commit. The resulting netfilter rule does not work, however. Only after removing either the port or the port group does the rule work as expected.
Example rule config:
name stdnt-in {
    default-action drop
    enable-default-log
    rule 3 {
        action accept
        destination {
            group {
                domain-group scl01
                port-group pg-http_s
            }
            port 3128
        }
        log enable
        protocol tcp
        state {
            new enable
        }
    }
}
Resulting netfilter rule:
ct state new tcp dport 3128 ip daddr @D_scl01 tcp dport @P_pg-http_s log prefix "[stdnt-in-3-A]" counter packets 0 bytes 0 return comment "stdnt-in-3" # handle 27
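An added illustration of why the generated rule cannot match (this is not part of the report, nor VyOS code): nft ANDs every match expression in a rule, so `tcp dport 3128` followed by `tcp dport @P_pg-http_s` only fires for a packet whose destination port is 3128 and is also a member of the set P_pg-http_s. The Python lint below extracts the match expressions from an `nft list` rule line, flags any selector that appears more than once, and evaluates the `tcp dport` matches against a set definition. The members of `P_pg-http_s` are constructed for the demonstration (the report does not list them), and the selector table is an illustrative subset of nft's grammar, not a complete parser.

```python
"""Lint an nftables rule for a selector that is matched more than once.

nft ANDs every match expression in a rule, so `tcp dport 3128` followed by
`tcp dport @P_pg-http_s` only fires for a packet whose destination port is
3128 and is also in the set P_pg-http_s. Unless 3128 happens to be in that
set, the rule can never match, which is what the report above observes.
"""
from collections import defaultdict

# Rule copied from the report above (nft list output, trailing "# handle" dropped).
RULE = ('ct state new tcp dport 3128 ip daddr @D_scl01 tcp dport @P_pg-http_s '
        'log prefix "[stdnt-in-3-A]" counter packets 0 bytes 0 return comment "stdnt-in-3"')

# Constructed set contents for the demonstration; the report does not list
# the members of pg-http_s, so these values are an assumption.
NAMED_SETS = {"P_pg-http_s": {80, 443}}

# Selectors this lint recognises (an illustrative subset of nft's grammar).
SELECTORS = (
    "tcp dport", "tcp sport", "udp dport", "udp sport",
    "ip saddr", "ip daddr", "ip6 saddr", "ip6 daddr",
    "ct state", "meta l4proto", "iifname", "oifname",
)

# First token of the statement part of a rule; match extraction stops here.
STATEMENTS = {"log", "counter", "accept", "drop", "reject", "return",
              "jump", "goto", "comment"}


def extract_matches(rule):
    """Return {selector: [value, ...]} for every match expression in the rule."""
    tokens = rule.split()
    found = defaultdict(list)
    i = 0
    while i < len(tokens) and tokens[i] not in STATEMENTS:
        for sel in SELECTORS:
            words = sel.split()
            if tokens[i:i + len(words)] != words:
                continue
            j = i + len(words)
            if j < len(tokens) and tokens[j].startswith("{"):
                # anonymous set such as "{ 80, 443 }": gather up to the closing brace
                k = j
                while not tokens[k].endswith("}"):
                    k += 1
                value, j = " ".join(tokens[j:k + 1]), k + 1
            else:
                value, j = tokens[j], j + 1
            found[sel].append(value)
            i = j
            break
        else:
            i += 1  # not a selector this lint knows; skip the token
    return dict(found)


def repeated_selectors(rule):
    """Selectors matched more than once: each repetition is an implicit AND."""
    return {sel: vals for sel, vals in extract_matches(rule).items() if len(vals) > 1}


def _value_contains_port(value, port, named_sets):
    """Does a single `tcp dport` operand (number, anonymous set, @set) cover `port`?"""
    if value.startswith("@"):
        return port in named_sets.get(value[1:], set())
    if value.startswith("{"):
        members = value.strip("{} ").split(",")  # ranges are not handled here
        return port in {int(m) for m in members if m.strip()}
    return port == int(value)


def tcp_dport_matches(rule, port, named_sets):
    """True if a TCP packet to `port` satisfies every `tcp dport` match in the rule."""
    return all(_value_contains_port(v, port, named_sets)
               for v in extract_matches(rule).get("tcp dport", []))


if __name__ == "__main__":
    print("repeated selectors:", repeated_selectors(RULE))
    for p in (80, 443, 3128):
        print(f"port {p} matches the rule: {tcp_dport_matches(RULE, p, NAMED_SETS)}")
```

With the constructed set {80, 443}, neither the group ports nor 3128 satisfy the rule, because no single packet can have a destination port that is both 3128 and in the set; only adding 3128 to the set makes the rule match, and then only for 3128. A lint like this, run over `nft -s list ruleset` output after commit, would catch the silent conjunction the commit did not warn about.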