OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Kaya on April 16, 2025, 09:43:04 AM

Title: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Kaya on April 16, 2025, 09:43:04 AM
Hi,

I have upgraded to the 25.4 business edition recently. One of the new features is the ability to perform a multi-selection for the source and destinations in the filter rules. I found that the logic is not working when the selection is inverted via the checkboxes "Source / Invert" or "Destination / Invert". At least, it is not working to my expectations.

For example, I have defined two network aliases a1 and a2. When I select both of them as the destination in an "allow" firewall rule, and also turn on "Destination / Invert", I would expect that traffic to both network aliases a1 and a2 will be blocked (assuming there is no other rule allowing the traffic). But this is not the case, only the traffic to one of the two networks seems to be blocked.

As a workaround, I simply created a new network group a3 containing both a1 and a2, and used that single group a3 instead of the multiple selection a1 and a2. This works as expected.

I think I remember having read that there was a limitation at a different place with inverting a selection or a range, but I cannot remember.

Is this behaviour of inverting a multiple selection a bug? Or is it working differently from my expectations?
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Patrick M. Hausen on April 16, 2025, 09:59:50 AM
Correct - when using source/destination invert you can have only one object or the results will be "surprising".

Could be called a bug - or a lack of documentation.
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Monviech (Cedrik) on April 16, 2025, 10:20:17 AM
There is no lack of documentation, it's described here in a note that describes this feature:

https://docs.opnsense.org/manual/how-tos/security-zones.html#create-security-zone-policies

Quote: This single GUI rule will create a Cartesian product and result in six firewall rules in pf(4). Be mindful using inversions in rules or inverted aliases, since they can be generated in an order that creates an unexpected result.
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: franco on April 16, 2025, 10:20:50 AM
Expanding the rules into two separate rules makes the first one allow the traffic of the second one. I think we better prevent this via validation?!


Cheers,
Franco
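The following is an added, constructed example, not OPNsense code and not anything posted in this thread. It models the behaviour Cedrik and Franco describe: a GUI rule with several objects on one side is expanded into the Cartesian product of pf(4) rules, the Invert flag is applied to each expanded rule on its own, and so the first expanded rule ("to ! a1") passes traffic to a2 that the inverted selection was meant to block. A single group alias inverts as intended. The alias names and address ranges, the expansion scheme, the first-match ("quick") evaluation and the `validate_rule` check are all assumptions made for illustration.

```python
"""Toy model of how an OPNsense GUI filter rule with several objects per side
is expanded into pf(4) rules, and why "Invert" plus multi-select misbehaves.

Constructed example, not OPNsense code. Aliases, addresses, the expansion
scheme and the first-match evaluation are assumptions for illustration.
"""
import ipaddress
from itertools import product

# Constructed aliases: two networks (a1, a2) and a group a3 containing both.
ALIASES = {
    "a1": ["10.1.0.0/24"],
    "a2": ["10.2.0.0/24"],
    "a3": ["10.1.0.0/24", "10.2.0.0/24"],
}


def expand_rule(action, sources, src_invert, destinations, dst_invert):
    """One GUI rule becomes one pf rule per (source, destination) pair, i.e.
    the Cartesian product.  The Invert flags are copied onto every expanded
    rule, so '! a1' and '! a2' become two independent negations."""
    return [
        {"action": action, "src": s, "src_invert": src_invert,
         "dst": d, "dst_invert": dst_invert}
        for s, d in product(sources, destinations)
    ]


def to_pf(rule, iface="lan"):
    """Render an expanded rule in pf.conf-like syntax (illustrative only)."""
    def side(name, invert):
        if name == "any":
            return "any"
        return ("! " if invert else "") + "<%s>" % name
    return "%s in quick on %s from %s to %s" % (
        rule["action"], iface,
        side(rule["src"], rule["src_invert"]),
        side(rule["dst"], rule["dst_invert"]))


def _in_alias(addr, alias):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[alias])


def _matches(rule, src, dst):
    src_hit = rule["src"] == "any" or _in_alias(src, rule["src"])
    dst_hit = rule["dst"] == "any" or _in_alias(dst, rule["dst"])
    if rule["src_invert"]:
        src_hit = not src_hit
    if rule["dst_invert"]:
        dst_hit = not dst_hit
    return src_hit and dst_hit


def evaluate(rules, src, dst, default="block"):
    """First match wins ('quick'); no match falls through to the default deny."""
    for rule in rules:
        if _matches(rule, src, dst):
            return rule["action"]
    return default


def validate_rule(sources, src_invert, destinations, dst_invert):
    """Assumed check of the kind suggested in the thread (not the project's):
    refuse Invert when more than one object is selected on that side."""
    if src_invert and len(sources) > 1:
        return "source: invert is only valid with a single object"
    if dst_invert and len(destinations) > 1:
        return "destination: invert is only valid with a single object"
    return None


if __name__ == "__main__":
    client = "192.168.1.10"
    # The rule as described in the thread: allow to NOT (a1, a2).
    multi = expand_rule("pass", ["any"], False, ["a1", "a2"], True)
    for r in multi:
        print(to_pf(r))
    for target in ("10.1.0.5", "10.2.0.5", "203.0.113.7"):
        print("multi-select:", target, "->", evaluate(multi, client, target))
    # The workaround: one group alias a3 = a1 + a2.
    group = expand_rule("pass", ["any"], False, ["a3"], True)
    print(to_pf(group[0]))
    for target in ("10.1.0.5", "10.2.0.5", "203.0.113.7"):
        print("group alias: ", target, "->", evaluate(group, client, target))
    print("validation:", validate_rule(["any"], False, ["a1", "a2"], True))
```

With the two expanded rules, a packet to a2 matches "to ! a1" and a packet to a1 matches "to ! a2", so neither network is blocked in this model; with the group alias both are blocked and only traffic outside a3 passes. The `validate_rule` function shows where a GUI-side check would have to sit to stop the combination from being saved at all.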
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Patrick M. Hausen on April 16, 2025, 10:24:48 AM
Quote from: Monviech (Cedrik) on April 16, 2025, 10:20:17 AM: There is no lack of documentation, it's described here in a note that describes this feature:

https://docs.opnsense.org/manual/how-tos/security-zones.html#create-security-zone-policies

Thanks. I was checking the Firewall > Rules part of the docs and did not find anything expanding on the basic function of "invert". Maybe add a single sentence and a link in the table describing the rule options?
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Monviech (Cedrik) on April 16, 2025, 10:26:19 AM
Now that there's multi-select it makes sense to update other parts of the documentation as well, I'll put it on my list.

https://github.com/opnsense/docs/issues/700
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Monviech (Cedrik) on April 16, 2025, 10:48:04 AM
https://github.com/opnsense/core/issues/8559
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Patrick M. Hausen on April 16, 2025, 10:58:38 AM
Hero! :-)
Title: Re: Bug(?): Filter rule not working with inverted destination and multiple selection
Post by: Kaya on April 16, 2025, 11:16:59 AM
Thanks for all your replies :) And thanks for creating a GitHub for adding a check and/or clarifying in the documentation.