On 01/05/2019 10:17, Pablo Neira Ayuso wrote:
> Is this what you want to achieve?

Actually it's not about the rules. Basically I just want to know what should happen when the set is full. This example was simple, but imagine a set where you put 10K or 100K addresses and at some point the set becomes full. According to the simple example, the packets will skip the "set" rule and go through the FW without any control (at least without the one we wanted to achieve using the set).

Shouldn't there be some mechanism to drop other packets from IPs that can't fit in the set and match the drop rule?