OPNsense Forum

English Forums => 25.1, 25.4 Series => Topic started by: Zorgoban on May 02, 2025, 11:51:44 AM

Title: How to place a rule before the automatically generated?
Post by: Zorgoban on May 02, 2025, 11:51:44 AM
Good day!

I'm confused by the order of the rules. The default deny rule should be the last one on any firewall. But for some reason I don't seem to be able to place a rule in front of the default deny rule. Also the automatically generated rules don't seem to be in the proper order. Some automatically generated pass rules are placed behind the default deny rule.

So how am I supposed to place a rule before the default deny rule?

Many Greetings!
Zorgoban
Title: Re: How to place a rule before the automatically generated?
Post by: Patrick M. Hausen on May 02, 2025, 11:59:49 AM
Rules are either "quick" or not. You can tell by the small lightning symbol in the rule view. Quick rules are applied in order and rule processing is terminated after the first match. Non-quick ones are applied after all quick rules. So the default deny rule really comes last.
Title: Re: How to place a rule before the automatically generated?
Post by: Zorgoban on May 02, 2025, 12:30:58 PM
Hello Patrick!

Thanks for the answer!

I really didn't understand the explanation of the quick option. I also don't understand why this quick concept exists. Wouldn't it be much more intuitive to just have a rule ordering in place like any other firewall does?

Many Greetings!
Zorgoban
Title: Re: How to place a rule before the automatically generated?
Post by: Patrick M. Hausen on May 02, 2025, 12:35:23 PM
Did you have a look at this part of the docs?

https://docs.opnsense.org/manual/firewall.html#processing-order

Quote:
Rules can either be set to quick or not set to quick, the default is to use quick. When set to quick, the rule is handled on a "first match" basis, which means that the first rule matching the packet will take precedence over rules following in sequence.

When quick is not set, last match wins. This can be useful for rules which define standard behaviour. Our default deny rule uses this property for example (if no rule applies, drop traffic).
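To make the quick / non-quick semantics from Patrick's reply and the quoted docs concrete, here is a small simulator, added as an example and not code from the thread or from OPNsense. It walks a constructed ruleset the way pf does (every matching rule overwrites the verdict, a matching quick rule stops the walk), which is exactly why the first matching quick rule wins and, failing that, the last matching non-quick rule. The networks, labels and packets are invented; the implicit "pass if nothing matched" is pf's own documented default, which OPNsense sidesteps with its explicit default deny rule.

```python
"""Simulator for the pf rule-evaluation semantics described in the thread.

pf walks the ruleset top to bottom. Every matching rule overwrites the
current verdict; a matching rule flagged "quick" ends the walk at once.
Net effect: the first matching quick rule wins; otherwise the last matching
non-quick rule wins. The ruleset and packets below are constructed for
illustration and are not OPNsense's generated configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    quick: bool                  # the lightning-bolt flag in the OPNsense GUI
    src: str = "any"             # source network or "any"
    dst: str = "any"             # destination network or "any"
    dport: Optional[int] = None  # destination port, None = any port
    label: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: Iterable[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides this packet."""
    # pf itself passes a packet that matches no rule at all; OPNsense avoids
    # relying on that by installing its own non-quick default deny rule.
    verdict = ("pass", "pf implicit default")
    for rule in rules:
        if rule.matches(src, dst, dport):
            verdict = (rule.action, rule.label)   # last match wins so far...
            if rule.quick:
                break                              # ...unless the match is quick
    return verdict


# Constructed ruleset. The non-quick default deny sits FIRST here to show
# that its position relative to the quick rules does not matter: a quick
# match anywhere in the list overrides it.
RULES = [
    Rule("block", quick=False, label="default deny"),
    Rule("pass", quick=True, dst="10.0.0.0/24", dport=22, label="allow ssh to mgmt"),
    Rule("block", quick=True, src="192.168.1.0/24", dst="10.0.0.0/24", label="guest may not reach mgmt"),
    Rule("pass", quick=False, dport=80, label="non-quick pass to web"),
]

# Constructed packets as (src, dst, dport).
PACKETS = [
    ("192.168.1.5", "10.0.0.1", 22),   # quick pass precedes quick block: pass
    ("192.168.1.5", "10.0.0.1", 443),  # only the quick block matches: block
    ("172.16.0.9", "10.0.0.1", 80),    # later non-quick pass beats earlier non-quick deny
    ("172.16.0.9", "10.0.0.1", 443),   # nothing else matches: default deny decides
]


def verdicts(rules: Iterable[Rule], packets: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, str]]:
    return [evaluate(rules, *pkt) for pkt in packets]


def effective_order(rules: Iterable[Rule]) -> List[str]:
    """Equivalent plain first-match ordering: all quick rules in list order,
    then the non-quick rules reversed (for those the last match wins)."""
    rules = list(rules)
    quick = [r for r in rules if r.quick]
    non_quick = [r for r in rules if not r.quick]
    return [r.label for r in quick + list(reversed(non_quick))]


if __name__ == "__main__":
    for pkt, (action, label) in zip(PACKETS, verdicts(RULES, PACKETS)):
        print(f"{pkt[0]} -> {pkt[1]}:{pkt[2]:<4} {action:<5} ({label})")
    print("effective first-match order:", effective_order(RULES))
```

`effective_order` is the ordering a classic first-match firewall would need to show to behave the same way: quick rules as listed, then the non-quick rules from last to first, so the default deny ends up at the bottom regardless of where it appears in the list.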
Title: Re: How to place a rule before the automatically generated?
Post by: Zorgoban on May 02, 2025, 12:45:10 PM
Hello Patrick!

Yes, I read that. But my view is probably biased by the products I have used over the last 30 years, starting with iptables and ipchains. The quick concept doesn't make any sense to me. It feels like complexity without any reason or benefit. I get why I want to continue rule processing for a packet after a log-pass rule. But that option only applies to a single rule and doesn't invisibly split my whole ruleset into two groups.

Many Greetings!
Zorgoban
Title: Re: How to place a rule before the automatically generated?
Post by: Patrick M. Hausen on May 02, 2025, 01:01:58 PM
It was inherited from pf, released first with OpenBSD in 2001, so that debate can be considered settled.

I guess from the OpenBSD docs that the idea at the time was for non-quick to be the default and rule processing to continue through an arbitrary number of rules, possibly performing multiple actions of tagging and rewriting and such things. And then the quick keyword was possibly added to get the behaviour people are used to from other firewalls.

But that's just an educated guess.
Title: Re: How to place a rule before the automatically generated?
Post by: Zorgoban on May 02, 2025, 01:22:34 PM
I see...

So the problem is actually less with the technical concept than the display in the GUI. If the rules were properly ordered like they are processed by the system it would cause less confusion.

Many Greetings!
Zorgoban