Redundancy not found in enclosed port range

Question

Redundancy not found in enclosed port range

Closed this issue 3 years ago · 2 comments

See test case in 5b9497c

Answer 1 · 2016-11-10T15:28:40.000Z

service:s1 could be found to be redundant to service:s2, since host:h1 < network:n1.
But protocol tcp 80 - 81 > tcp 80, and hence redundancy isn't recognized.
This would only be recognized, if port range tcp 80 - 81 is internally split into tcp 80 and tcp 81.

Answer 2 · 2021-12-21T12:01:03.000Z

The same issue could be made up with host ranges.
But don't split host ranges anyway.

network:n1 = { ip = 10.1.1.0/24; host:h1 = { ip = 10.1.1.10; } }
network:n3 = { ip = 10.1.3.0/24;
  host:h80 = { ip = 10.1.3.80; }
  host:r80-81 = { ip = 10.1.3.80-10.1.3.81; }
}
router:asa1 = {
  managed;
  model = ASA;
  interface:n1 = { ip = 10.1.1.1; hardware = n1; }
  interface:n3 = { ip = 10.1.3.1; hardware = n3; }
}
service:s1 = {
  user = host:h1;
  permit src = user; dst = host:r80-81; prt = tcp 80;
}
service:s2 = {
  user = network:n1;
  permit src = user; dst = host:h80; prt = tcp 80;
}