When creating a firewall rule that mixes a destination port with a destination port group, no error message is displayed after commit. The resulting netfilter rule does not work, however. Only after removing either the port or the port group does the rule work as expected.
Example rule config:
name stdnt-in {
    default-action drop
    enable-default-log
    rule 3 {
        action accept
        destination {
            group {
                domain-group scl01
                port-group pg-http_s
            }
            port 3128
        }
        log enable
        protocol tcp
        state {
            new enable
        }
    }
}

Resulting netfilter rule:
ct state new tcp dport 3128 ip daddr @D_scl01 tcp dport @P_pg-http_s log prefix "[stdnt-in-3-A]" counter packets 0 bytes 0 return comment "stdnt-in-3" # handle 27
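The generated rule contains two `tcp dport` matches, and nftables ANDs every match in a rule, so a packet would have to have destination port 3128 and a port in the `P_pg-http_s` set at the same time; unless 3128 is also a member of that set, nothing matches. The following check is an added example, not part of the report or of VyOS: it lints `nft list ruleset` output for rules that test the same packet field more than once with different operands. The sample ruleset is constructed around the rule shown above; the extra rules and their counters are invented for the illustration.

```python
import re

# One packet-field match inside an nft rule line, e.g. "tcp dport 3128",
# "tcp dport @P_pg-http_s", "ip daddr @D_scl01", "tcp dport { 80, 443 }"
# or "tcp dport != 22". Fields not listed here are ignored.
MATCH_RE = re.compile(
    r"(?P<field>(?:tcp|udp|sctp) (?:dport|sport)|ip6? (?:daddr|saddr)) "
    r"(?P<value>!= (?:\{[^}]*\}|\S+)|@[\w.-]+|\{[^}]*\}|[\w.:/-]+)"
)


def conjoined_matches(rule_line):
    """Map each matched field in one rule line to the operands it is compared
    against. nft ANDs all matches of a rule, so two entries for the same field
    mean a packet must satisfy both operands at once."""
    fields = {}
    for m in MATCH_RE.finditer(rule_line):
        fields.setdefault(m.group("field"), []).append(m.group("value"))
    return fields


def rule_label(rule_line):
    """Prefer the rule comment (VyOS writes '<ruleset>-<rule>'), else the handle."""
    c = re.search(r'comment "([^"]*)"', rule_line)
    if c:
        return c.group(1)
    h = re.search(r"# handle (\d+)", rule_line)
    return f"handle {h.group(1)}" if h else rule_line.strip()[:40]


def find_conjoined_field_matches(ruleset_text):
    """Report every rule that tests the same field more than once with
    different operands. Such a rule only matches packets satisfying all
    operands simultaneously, which for a port literal plus a port set is
    usually no packet at all."""
    findings = []
    for line in ruleset_text.splitlines():
        for field, values in conjoined_matches(line).items():
            distinct = list(dict.fromkeys(values))  # dedupe, keep order
            if len(distinct) > 1:
                findings.append(
                    {"rule": rule_label(line), "field": field, "values": distinct}
                )
    return findings


# Constructed sample modelled on `nft list ruleset` output; the first rule is
# the one from the report, the others are made up for comparison.
SAMPLE_RULESET = """\
table ip vyos_filter {
	chain NAME_stdnt-in {
		ct state new tcp dport 3128 ip daddr @D_scl01 tcp dport @P_pg-http_s log prefix "[stdnt-in-3-A]" counter packets 0 bytes 0 return comment "stdnt-in-3" # handle 27
		ct state new tcp dport 3128 ip daddr @D_scl01 counter packets 12 bytes 720 return comment "stdnt-in-4" # handle 28
		ct state new tcp dport { 80, 443, 3128 } ip daddr @D_scl01 counter packets 0 bytes 0 return comment "stdnt-in-5" # handle 29
		counter packets 0 bytes 0 drop comment "stdnt-in-default-action" # handle 30
	}
}
"""

if __name__ == "__main__":
    for f in find_conjoined_field_matches(SAMPLE_RULESET):
        print(f"rule {f['rule']}: {f['field']} tested against {f['values']} "
              "(matches are ANDed; this is almost certainly unsatisfiable)")
```

Run it against real output with `sudo nft list ruleset | python3 lint_dport.py` after swapping `SAMPLE_RULESET` for `sys.stdin.read()`; rule `stdnt-in-3` is flagged, while the rule with a single `tcp dport` operand and the one using an anonymous set `{ 80, 443, 3128 }` (the form that expresses "any of these ports") are not.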