On Thu, Nov 15, 2018 at 03:20:38PM -0000, Steven Schroeder wrote:
> The problem is that I receive traps from hundreds of subnets that need to be forwarded to our noc and they are always adding new subnets, so the catch-all was an attempt to not have to worry about missing traps to the noc when new subnets are turned up.
> Select subnets within those hundreds of subnets have to also forward to a second destination IP.
> This is what I have in place as of this morning. The first rule is sending all traps received to the noc. I added the second rule, which stops traps from being sent to the noc but does forward to the second destination, which is good, but I still need that to go to the noc as well.
Are you saying that you need to duplicate the packet to both the noc and the second destination? That's not possible with firewalld rich rules.
It sounds like you want something like the iptables TEE extension, in which case you'll have to use --direct rules. See the iptables-extensions man page.
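One way to do what the reply suggests, as an added example that is not from the thread and not firewalld's own documentation: firewalld --direct rules using the iptables TEE target to mirror SNMP trap packets (UDP/162) from selected source subnets to a second collector, while the existing rich rule keeps forwarding everything to the noc. The subnet list and the address 192.0.2.20 are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread). TEE clones a matching packet before the
# rest of the chain runs, so the original still follows the existing rich rule
# to the noc while the clone goes to the second collector.
SECOND_DEST="192.0.2.20"           # assumed placeholder; must be a directly attached next hop
TRAP_PORT=162                      # SNMP trap port
SUBNETS="10.1.0.0/16 10.2.5.0/24"  # constructed: only these subnets are also mirrored

# iptables arguments for one subnet. The rule lives in mangle/PREROUTING so the
# clone is taken before firewalld's forward-port (nat/PREROUTING) rewrites anything.
tee_rule_args() {
    subnet="$1"; dest="$2"
    printf '%s' "-s $subnet -p udp --dport $TRAP_PORT -j TEE --gateway $dest"
}

# Full firewall-cmd invocation as text, for review before applying.
tee_rule_cmd() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 %s' \
        "$(tee_rule_args "$1" "$2")"
}

apply_rules() {
    for net in $SUBNETS; do
        # word splitting of the argument string is intended here
        firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 \
            $(tee_rule_args "$net" "$SECOND_DEST")
    done
    firewall-cmd --reload
    # Check: every mirrored subnet should now show a TEE direct rule.
    firewall-cmd --direct --get-all-rules | grep -- '-j TEE'
}

# Dry run by default: print the commands. Set APPLY=1 to program firewalld.
for net in $SUBNETS; do
    tee_rule_cmd "$net" "$SECOND_DEST"; echo
done
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

TEE hands the clone to the host given by --gateway without rewriting the packet's destination address, so that host has to be reachable on an attached network and has to accept trap traffic addressed to the original destination (or rewrite it locally).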