
Resolved
Hi All,

I've been trying to create a rule in the DMZ firewall that will allow all incoming connections on a given subnet - however, entering the IP in CIDR format throws an error as below (an individual IP works fine). Can you let me know how to fix this? Also, is there a file where we can manually enter DMZ firewall rules (like we do for custom firewall rules in /etc/clearos/firewall.d/custom)?

Thanks
Ruchir
In DMZ
Tuesday, April 03 2018, 06:57 AM
Responses (6)
  • Tuesday, April 03 2018, 02:55 PM
    All the documentation indicates you should be able to but I can't either. I'll ask the devs when I next speak to them

    Note that I believe this bit of the firewall is just for passing a set of public IP addresses from the internet to the LAN and it is a very wasteful way of working. As an example, if you have 16 IP addresses, you'd need to assign 8 of them externally on your WAN and the other 8 on your LAN. I have seen a document or write-up on this somewhere and I'll post back if I find it.
  • Tuesday, April 03 2018, 03:29 PM
    Thanks for your update; this firewall just allows incoming traffic to the DMZ network (they are disabled by default). We have a next-hop set up for the subnet on the core switch to the ClearOS system. With the DMZ setup, there is no LAN involved - the public IP is directly assigned to the machine behind ClearOS; you just need to allow incoming connections in the DMZ incoming firewall. With the current setup (allowing just 1 IP per rule), we will need to create 256 rules for a /24 subnet! I can see the rule in iptables but am unsure where exactly this is loaded from, so that we can make a backend update of the rule to include the entire /24 subnet.
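Whether the /24 ends up as 256 per-host rules written by the webconfig or as one hand-edited CIDR rule, the check worth running afterwards is the same: do the ACCEPT rules on the DMZ incoming path cover exactly the intended public subnet, with no hosts left out and no rule that quietly reaches beyond it? The script below is an added example for this thread, not ClearOS code. It reads iptables-save style lines and reports gaps, over-wide rules and rules for addresses outside the subnet. The chain name DMZ_INCOMING, the interface names and the sample rules are constructed for the example; the page does not give ClearOS's real chain names.

```python
"""Audit the DMZ incoming ACCEPT rules against the intended public subnet.

Added example for this thread, not ClearOS code. It reads iptables-save
style lines, collects the destination prefix of every ACCEPT rule in one
chain and reports:
  gaps     - parts of the intended subnet that no rule accepts
  too_wide - rules that accept the whole subnet *and* addresses outside it
  outside  - rules that accept addresses not in the subnet at all
The chain name DMZ_INCOMING, the interface names and the sample rules are
constructed for the example; ClearOS's real chain names are not on the page.
"""
import ipaddress
import re

# Destination match of a rule, e.g. " -d 203.0.113.10/32". The leading
# whitespace keeps "--dport" from matching.
DST_RE = re.compile(r"\s-d\s+(\S+)")


def accept_prefixes(rules, chain="DMZ_INCOMING"):
    """Destination networks of every ACCEPT rule appended to `chain`.

    A rule with no -d matches every destination, recorded as 0.0.0.0/0 so
    the audit flags it as too wide. Negated matches ("! -d") are skipped.
    """
    nets = []
    for line in rules.splitlines():
        line = line.strip()
        if not line.startswith(f"-A {chain} ") or "-j ACCEPT" not in line:
            continue
        if "! -d" in line:
            continue  # negated destination: out of scope for this check
        m = DST_RE.search(line)
        dst = m.group(1) if m else "0.0.0.0/0"
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def audit(rules, intended, chain="DMZ_INCOMING"):
    """Compare the chain's ACCEPT destinations with `intended` (a CIDR)."""
    intended = ipaddress.ip_network(intended, strict=False)
    remaining = [intended]          # pieces of `intended` still unaccepted
    too_wide, outside = [], []
    nets = accept_prefixes(rules, chain)
    for n in nets:
        if n.version != intended.version:
            outside.append(str(n))
            continue
        if n.subnet_of(intended):
            # CIDR prefixes either nest or are disjoint, so each remaining
            # piece is either untouched, swallowed whole, or split by n.
            new = []
            for piece in remaining:
                if piece.subnet_of(n):
                    continue                       # fully accepted by n
                if n.subnet_of(piece):
                    new.extend(piece.address_exclude(n))
                else:
                    new.append(piece)
            remaining = new
        elif n.supernet_of(intended):
            too_wide.append(str(n))
        else:
            outside.append(str(n))
    gaps = [str(g) for g in ipaddress.collapse_addresses(remaining)]
    return {"gaps": gaps, "too_wide": too_wide,
            "outside": outside, "rule_count": len(nets)}


# Constructed iptables-save excerpt: per-host rules as the webconfig writes
# them, plus two rules a reviewer should catch (no -d at all, wrong subnet).
SAMPLE_RULES = """\
-A DMZ_INCOMING -i eth0 -o eth2 -d 203.0.113.10/32 -p tcp --dport 443 -j ACCEPT
-A DMZ_INCOMING -i eth0 -o eth2 -d 203.0.113.11/32 -j ACCEPT
-A DMZ_INCOMING -i eth0 -o eth2 -d 203.0.113.128/25 -j ACCEPT
-A DMZ_INCOMING -i eth0 -o eth2 -p icmp -j ACCEPT
-A DMZ_INCOMING -i eth0 -o eth2 -d 198.51.100.5/32 -j ACCEPT
-A DMZ_INCOMING -j DROP
"""

# The single rule the original poster wants instead of 256 per-host ones.
CIDR_RULE = "-A DMZ_INCOMING -i eth0 -o eth2 -d 203.0.113.0/24 -j ACCEPT\n"

if __name__ == "__main__":
    for name, rules in (("per-host", SAMPLE_RULES), ("cidr", CIDR_RULE)):
        print(name, audit(rules, "203.0.113.0/24"))
```

Against the constructed per-host set the audit lists the unaccepted sub-prefixes of 203.0.113.0/24, flags the ICMP rule with no -d as accepting 0.0.0.0/0, and flags 198.51.100.5/32 as outside the DMZ subnet; against the single CIDR rule it reports no gaps. Feed it the real `iptables-save` output with the actual chain name once you know it.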
  • Tuesday, April 03 2018, 03:59 PM
    The rule is probably in /etc/clearos/firewall.conf.
  • Tuesday, April 03 2018, 04:46 PM
    Hmm, thanks! That's the location! Can we have IPv4 in CIDR format in this file (1.2.3.4/24)? Comments in this file mention 'an' IPv4 or 'an' IPv6 - so probably not?
  • Tuesday, April 03 2018, 04:51 PM
    I would expect you could use CIDR format but it would break the webconfig as the webconfig writes directly to the file. I suggest you don't do it!
  • Tuesday, April 03 2018, 05:53 PM
    I've just been speaking to the devs and I'm not sure you're going down the right route. You can assign your DMZ subnet in IP Settings. The firewall rule is only needed if you want to run incoming services on a DMZ machine. If a machine in the DMZ was just used for things like web browsing, you would not need a firewall rule. Only if it was running a web server, mail server or some other service accessible from the internet.