OPNsense Forum

English Forums => General Discussion => Topic started by: GreG.P. on April 18, 2016, 04:23:49 pm

Title: Rule Separators
Post by: GreG.P. on April 18, 2016, 04:23:49 pm
Hi, there are some indispensable options in firewall rules and NAT rules interface: Separators and object drag and drop.
Something like this https://redmine.pfsense.org/issues/5373 but with regroup rules below each inserted separator.

One more essential option is regarding the objects (alias) database, a quick dynamic menu access to the objects (alias) in the same rules page configuration will be really appreciated and the drag&drop function to copy and paste an object (alias) from one rule to another rule.

Thanks.
Title: Re: Rule Separators
Post by: franco on April 18, 2016, 04:32:22 pm
Hi PsykoGreG,

Are you looking for this? https://docs.opnsense.org/manual/how-tos/fwcategory.html

What do you mean by quick dynamic menu access in the same rules page?


Cheers,
Franco
Title: Re: Rule Separators
Post by: GreG.P. on April 18, 2016, 05:18:56 pm
Hi Franco,

I see this category to filter rules, are they indexed on the description field or rule name?

I do a screen shot to exactly show you all interesting options.

Regards,
GreG
Title: Re: Rule Separators
Post by: GreG.P. on April 18, 2016, 06:07:48 pm
Red : The dynamic Objects (alias) menu with the first field that permits sorting the list of objects dynamically by typing the first characters of objects (alias).
The second red circle permits filtering the category of objects (alias) to view only these in the objects menu on the left. For example: machines, network, protocols, ports, groups, .. objects.
And the last red circle permits creating an object (alias) or a group of objects directly from this menu without exiting the filter rules page.
Dark Blue : Search field that permits dynamically filtering the rules view (I think like the OPNsense "Filter by category" option)
Pink circles : These are drag and drop object fields. They can be dragged and dropped between rules or from the objects menu on the left side.
Green : This is the Separator rule (with custom colours) that permits regrouping all rules until the next separator and indicates the number of rules contained in the separator.
Title: Re: Rule Separators
Post by: m2nis on November 30, 2018, 08:41:18 am
Hello,

Sorry to reopen this topic, but I must admit that, when you come from Pfs, these separators are really missing in the firewall rules. They are simple but really great to explain the rules and separate them. Any chance to have it one day ?

Have a good day.
Title: Re: Rule Separators
Post by: franco on December 03, 2018, 09:36:00 am
There are no plans to add any non-functional abstractions to the rule listing.


Cheers,
Franco
Title: Re: Rule Separators
Post by: m2nis on December 03, 2018, 09:50:50 am
Sad but... perfectly clear.  :)

Thanks for your reply.
Title: Re: Rule Separators
Post by: RGijsen on February 13, 2019, 04:22:45 pm
+1 for me though too. 'We won't' is a bit of a sad answer honestly. We are currently migrating to OPNsense (and the reason is purely ideological), and really the rule-list looks like a long mess in OPNsense. The ability to put some descriptive lines in there like 'Exchange', 'RD Servers' and such is a real addition. They are certainly not non-functional. Network wise they may be, but it's certainly functional to us.

Everyone has their own beliefs, but we think it's really useful. For example we used red separators when we had rules we had to review later on.
Title: Re: Rule Separators
Post by: chemlud on February 13, 2019, 04:55:07 pm
+1...
Title: Re: Rule Separators
Post by: Sopor on November 10, 2019, 03:32:03 am
I'm also an old pfsense user and that separator was really really nice. When you have many entries it will be so much easier if it is possible to separate them. I really hope the devs reconsider this and add a separator or at least something similar.
Title: Re: Rule Separators
Post by: ole on May 23, 2020, 03:50:57 pm
I'm also an old pfsense user and that separator was really really nice. When you have many entries it will be so much easier if it is possible to separate them. I really hope the devs reconsider this and add a separator or at least something similar.

+1
Title: Re: Rule Separators
Post by: ninjax on September 13, 2020, 05:38:08 pm
+2
Title: Re: Rule Separators
Post by: chemlud on September 13, 2020, 07:41:30 pm
...I would chip in 50.- Euros for this feature. Anyone? 
Title: Re: Rule Separators
Post by: Gcon on February 26, 2021, 01:30:00 pm
There are no plans to add any non-functional abstractions to the rule listing.


Cheers,
Franco

Anything that improves the readability and maintainability of firewall rules is not in fact "non-functional". Rule separators and/or groupings serve a very important function, at least from a human perspective (and the web GUI is, by its very nature, created for humans to use). In my 25+ years in networking I've worked on Checkpoint, Fortinet, Netscreen and Juniper firewalls for national Internet Service Providers and guess what?! - they all have rule separation/grouping. It's far from being a pfSense thing - it's an industry-wide thing.

pfSense's approach is OK - better than nothing - but even that could do with some improvement. Individual filter rules should be programmatically linked to the categories they fall within, and ideally have the ability to toggle collapsing of groups, reorder groups (drag and drop) and toggle group rules on and off. Basically, they act as "first-class citizens" in the whole scheme of things. This is one thing that separates the commercial enterprise firewall offerings from more hobbyist/enthusiast ones.

As a bare minimum though, there should be text separators to visually indicate logical groupings of rules. This lack of functionality is one of the main reasons why I continue to favour pfSense over OPNsense.

This issue makes me think of the late 90's novel by Alan Cooper entitled, "The Inmates Are Running the Asylum", which details how programmers ruin interface design by thinking that they know what's best for the end-user (and to no-one's surprise, they don't)

+1 :)
Title: Re: Rule Separators
Post by: bdl on September 01, 2021, 02:26:04 pm
+1  :)
Title: Re: Rule Separators
Post by: chris929 on September 01, 2021, 10:38:25 pm
+1 for this.
Can't believe this is not yet implemented?
This makes the Rules a real nightmare (and is a possible security risk)
Title: Re: Rule Separators
Post by: relmes on January 02, 2022, 03:11:50 pm
Another +1 for this.

Readability of rules is made far easier with separators.
Of course if there is a different "Opnsense" way to do this happy to learn.

 
Title: Re: Rule Separators
Post by: chemlud on January 02, 2022, 05:25:36 pm
My 50.- euros are still in the pot, anybody joining? ;-)
Title: Re: Rule Separators
Post by: Patrick M. Hausen on January 02, 2022, 06:28:13 pm
I'd prefer hierarchical rule groups/folders that can be collapsed and expanded in the UI. They would enable everything separators do but also a whole bunch of other features like enable/disable an entire group, reorder on the group/folder level by drag and drop, ...

Sidewinder did this.

50€ for that? Sure, count me in.
Title: Re: Rule Separators
Post by: chemlud on January 02, 2022, 07:01:41 pm
... I would take the simple separators, but if a more elaborate solution keeps the face for the programmers, I'm happy with that, too ;-)
Title: Re: Rule Separators
Post by: AdSchellevis on January 03, 2022, 08:46:15 pm
.. and we offer simple, easy to use categories, objects without functional value as already mentioned years ago won't be added to OPNsense.

Showing category membership in a hierarchical fashion would be nice, but highly likely more work than anyone would like to invest in these legacy components. (Also challenging if one rule can be mapped to multiple categories).
Title: Re: Rule Separators
Post by: chemlud on January 03, 2022, 08:54:29 pm
...if we can get together some hundred bucks some software developer might design a community plug-in. This functionality is far from "without functional value" and the categories are not helpful in my experience.
Title: Re: Rule Separators
Post by: Patrick M. Hausen on January 03, 2022, 08:57:28 pm
This is the Sidewinder UI - the best one I ever used. Of course one rule can be only in one place ...
Title: Re: Rule Separators
Post by: marjohn56 on January 03, 2022, 11:12:08 pm
There is already the ability to add a description for each rule, do it logically and it becomes clear. For my two cents I'd rather the devs concentrate on improving the overall operation than graphical niceties. If pfsense was so great why leave it.
Title: Re: Rule Separators
Post by: chemlud on January 04, 2022, 11:27:01 am
Clarity in FW rules is not nicety, but security. The description does not replace the separators. pfsense is no longer actively developed as CE, or?

Ad and Franco have a strong opinion on this topic. But maybe someone with coding experience can/will help out? Repeating the same "arguments" over and over again does not make them better... ;-)
Title: Re: Rule Separators
Post by: marjohn56 on January 04, 2022, 11:40:04 am
I'm baffled. With Categories and descriptions it's as clear as daylight to me. Maybe my brain works differently.
Title: Re: Rule Separators
Post by: crissi on January 04, 2022, 08:18:35 pm
+1 for such an important Feature!  :)
Title: Re: Rule Separators
Post by: 8191 on January 04, 2022, 08:56:58 pm
What about using interface groups to group rules?
Title: Re: Rule Separators
Post by: techadmin on January 18, 2022, 11:47:59 am
+1 Would love to see this feature, as I was used to it when using Fortigate. Even something fairly simple like pfSense did would do the job for me. I would also throw 20.- euros into the pot :)
Title: Re: Rule Separators
Post by: chemlud on January 18, 2022, 01:36:30 pm
...I thought about buying a used LCD-screen and these here

https://www.post-it.com/3M/en_US/post-it/products/~/Post-it-Flags-in-Portable-Dispenser-47-in-x-1-7-in-20-Each-of-Red-Bright-Orange-Yellow-Green-and-Blue-100-Flags-Pack/?N=4327+3294529207+3294647198&preselect=5927578+3293786499&rt=rud

just for the firewall rules tab of each interface. At least a fast solution, if I have a look how long users are begging for this simple feature ;-)
Title: Re: Rule Separators
Post by: chropnsense on January 27, 2022, 11:17:27 am
Working with +300 rules and +20 VLANs, separators (and able to fold them) is IMHO a must when looking for the right place to add rules. Usually network guys nowadays also work with tight schedules and multiple projects so to find the right place fast to add a rule is highly valuable, at least for me.

Not an OpnSense user (yet) but might consider coming onboard if we get this feature implemented. Since obviously 70e doesn't interest devs to create this UI feature; at what price would you mr. Developer implement this?

Thanks!
Title: Re: Rule Separators
Post by: mimugmail on January 27, 2022, 11:23:41 am
Which firewall vendor besides pfsense uses rule separators, just out of curiosity.

I don't know much of them, only Cisco ASA, Sophos UTM and Sophos XG where there are no separators.
I saw Juniper and Netscreen in the wild and didn't notice them, if I'm right also Forti doesn't. IMHO Sonicwall also has very ugly displaying of rules.
Title: Re: Rule Separators
Post by: bimbar on January 27, 2022, 11:29:15 am
Sophos UTM has the groups with the background which does a good enough job of separating the rule groups.

The small dots in opnsense don't quite do it as well.
Title: Re: Rule Separators
Post by: Patrick M. Hausen on January 27, 2022, 11:29:19 am
Sidewinder, Forcepoint NGFW, ... look at my screenshot from Sidewinder for an example. Actually they allow hierarchical rule groups.
Title: Re: Rule Separators
Post by: chemlud on January 27, 2022, 11:30:13 am
Which firewall vendor besides pfsense uses rule separators, just out of curiosity.

I don't know much of them, only Cisco ASA, Sophos UTM and Sophos XG where there are no separators.
I saw Juniper and Netscreen in the wild and didn't notice them, if I'm right also Forti doesn't. IMHO Sonicwall also has very ugly displaying of rules.

Sorry, but that's a non-argument. As nothing will change, we should stop here discussing. Some people will find the thread over the years and get an answer (no) to the question, if there are separators in opnsense. End of story... ;-)
Title: Re: Rule Separators
Post by: chropnsense on January 27, 2022, 12:14:38 pm
Which firewall vendor besides pfsense uses rule separators, just out of curiosity.


- Fortigate
- Forcepoint
- Checkpoint
- Cisco

to name a few.

Had a look at the source code of how pfSense does this and it was a bit more tricky than I initially thought (also not perhaps the best design..).

However, tell us a price mighty developers and let's see if we can cough up the dough for you!

Thanks!
Title: Re: Rule Separators
Post by: franco on January 27, 2022, 12:39:49 pm
The problem is and always was that the rules pages are all static PHP pages and adding unnecessary complexity there will increase maintenance and lower the quality of an MVC migration which we also need for privilege separation to happen rather sooner than later (even if it takes years to get there). This is not limited to firewall_rules.php but also all the NAT and Normalization pages as well.

Other than that, within the last year I got the chance to manage the business release cycle and I learned that the open source community happens to ask for features that no business needs and/or considers paying for (and this includes the willingness to development sponsorship). This is true for things like custom configuration options and PPPoE support in FreeBSD amongst others. It could be true for rule separators as well.


Cheers,
Franco
Title: Re: Rule Separators
Post by: Patrick M. Hausen on January 27, 2022, 03:33:59 pm
I would not ask for or endorse implementing some unclean hack to get separators. Maybe a real rule group hierarchy is something you could think about for the future. I have routinely operated enterprise installations with hundreds of rules that would be completely unmanageable without the hierarchical folder structure for rules ...

Just my 2 ct.

Patrick
Title: Re: Rule Separators
Post by: chropnsense on January 27, 2022, 04:03:43 pm
I have routinely operated enterprise installations with hundreds of rules that would be completely unmanageable without the hierarchical folder structure for rules ...


Patrick

Yep - in the same boat here! And now especially when zero trust is no buzz word anymore but customers actually want and pay to implement it, you quickly get loads of rules and VLANs. Having them all straight up and down on a single page with no grouping/hiding of sections that are not being worked on is no fun, and the risk of errors gets high.

However, I completely understand the underlying issue here and when looking into that pfSense "separator hack", I understand why nobody wants to touch this :-D

I have though learned, with enough cash on the table, someone is sooner or later eager to take on the most shitty task. That is - can we get a cost estimate of doing the change; what will it cost in man hours to make the needed changes on a rough estimate if we outsource this to an "outside dev" (put it as a one off project on Stackoverflow, LinkedIn or similar)?

The requirements should be quite straight forward but then if someone active on the project could give some technical design ideas/guidelines for the task, that would be great!
Title: Re: Rule Separators
Post by: chemlud on January 27, 2022, 04:24:58 pm
DynDNS, PPPoE -> community problem, no money in it, no solution in sight. That was my impression for some years now. Thanks for confirming this. On the other hand: Community does the beta testing and some forum support (even for the "business" edition, although that has changed somewhat in the past, my impression), so... life is give and take. ;-)

As "community" is not capable of coding (adequate quality , at least), there should be found a way to involve CE users more. There wishes and some money to make them come true. But I guess there is no way to make the community pay alone for new features (at commercial pricing). The same way imho the pfsense CE went the way down to "mostly unmaintained" status...
Title: Re: Rule Separators
Post by: chropnsense on January 27, 2022, 04:39:01 pm

As "community" is not capable of coding (adequate quality , at least), there should be found a way to involve CE users more. There wishes and some money to make them come true. But I guess there is no way to make the community pay alone for new features (at commercial pricing). The same way imho the pfsense CE went the way down to "mostly unmaintained" status...

Actually - this is not a bad idea! Perhaps some kind of a feature wish list where you could "donate $$$" to the feature you want and then, bring on devs from also outside current devs when needed?

I'll talk to my boss and see if we can start offering OPNSense when edge firewalls are needed and then donate some $$$ for each sell for starters..
Title: Re: Rule Separators
Post by: mimugmail on January 27, 2022, 06:39:38 pm
Fright should have the knowhow to do this, but I'd guess it will stay unofficial ;)
Title: Re: Rule Separators
Post by: marcquark on January 27, 2022, 11:14:07 pm
Referring to what bimbar wrote, what do u guys think of this:

Instead of having the small dots, maybe the category colors could instead be used as background color shades in their respective rows? I haven't looked at any of the code yet, but i (perhaps naively) assume that's not a big change, with very little additional risk of maintenance required down the road.
This might already give a big boost to visibility, don't u think?

/e: rough idea just quickly F12ed together. Please ignore that i messed up source/destination settings in some my example rules :-D
(https://i.postimg.cc/VkNqHd8T/2022-01-27-23-51-09-Window.png)

/e: and here's the same with some readability improvements around the first icons just to demonstrate how this problem from the 1st screenshot could be circumvented:
(https://i.postimg.cc/9MPwfh2Z/2022-01-27-23-51-09-Window.png)

If there's enough positive feedback, and perhaps a hint from the core team whether they would be willing to pull such a change in, i'll try to craft a PR :)
Title: Re: Rule Separators
Post by: chropnsense on January 28, 2022, 07:21:04 am
Referring to what bimbar wrote, what do u guys think of this:


This could work! And it also seems, that pfSense uses "an empty rule" to add the separators (then only hiding some of the rule elements if it uses certain tag). So yes, absolutely better than nothing!
Title: Re: Rule Separators
Post by: bimbar on January 28, 2022, 11:08:49 am
Referring to what bimbar wrote, what do u guys think of this:

Instead of having the small dots, maybe the category colors could instead be used as background color shades in their respective rows? I haven't looked at any of the code yet, but i (perhaps naively) assume that's not a big change, with very little additional risk of maintenance required down the road.
This might already give a big boost to visibility, don't u think?

/e: rough idea just quickly F12ed together. Please ignore that i messed up source/destination settings in some my example rules :-D
(https://i.postimg.cc/VkNqHd8T/2022-01-27-23-51-09-Window.png)

/e: and here's the same with some readability improvements around the first icons just to demonstrate how this problem from the 1st screenshot could be circumvented:
(https://i.postimg.cc/9MPwfh2Z/2022-01-27-23-51-09-Window.png)

If there's enough positive feedback, and perhaps a hint from the core team whether they would be willing to pull such a change in, i'll try to craft a PR :)

The problem with this is that a rule can have multiple categories. Still, only being able to have one category would be a worthwhile tradeoff, I think.

I also like the idea with the hierarchical rule groups.
Title: Re: Rule Separators
Post by: mimugmail on January 28, 2022, 11:45:10 am
Referring to what bimbar wrote, what do u guys think of this:

Instead of having the small dots, maybe the category colors could instead be used as background color shades in their respective rows? I haven't looked at any of the code yet, but i (perhaps naively) assume that's not a big change, with very little additional risk of maintenance required down the road.
This might already give a big boost to visibility, don't u think?

/e: rough idea just quickly F12ed together. Please ignore that i messed up source/destination settings in some my example rules :-D
(https://i.postimg.cc/VkNqHd8T/2022-01-27-23-51-09-Window.png)

/e: and here's the same with some readability improvements around the first icons just to demonstrate how this problem from the 1st screenshot could be circumvented:
(https://i.postimg.cc/9MPwfh2Z/2022-01-27-23-51-09-Window.png)

If there's enough positive feedback, and perhaps a hint from the core team whether they would be willing to pull such a change in, i'll try to craft a PR :)

The problem with this is that a rule can have multiple categories. Still, only being able to have one category would be a worthwhile tradeoff, I think.

I also like the idea with the hierarchical rule groups.

That's exactly the reason why there are colored dots to have more categories for one rule:
Title: Re: Rule Separators
Post by: mimugmail on January 28, 2022, 11:46:54 am
Sophos UTM has the groups with the background which does a good enough job of separating the rule groups.

The small dots in opnsense don't quite do it as well.

Above all rules there's a dropdown (multiselect) for categories which does the same as UTM. :)
Title: Re: Rule Separators
Post by: Fright on January 29, 2022, 04:07:49 pm
I’m not sure that I understood correctly and whether there is a benefit in this (in my opinion, the existing filters are more than useful), but are we talking about something like that?
https://user-images.githubusercontent.com/36099472/151666001-dc546b80-dde4-4976-9cce-8c4bd9c71133.mp4
Title: Re: Rule Separators
Post by: mimugmail on January 29, 2022, 07:40:22 pm
This looks beautiful :)
Title: Re: Rule Separators
Post by: marcquark on January 29, 2022, 08:17:43 pm
This looks beautiful :)

Agreed, BUT it might cause confusion because a single rule can appear more than once.

The fact that categories aren't a 1:1 relation (didn't know that before :-D) makes it somewhat difficult to visualize them in an intuitive way, the coloured dots are accounting for that fact, the other solutions aren't.

Guess this is a never-ending dilemma?
Title: Re: Rule Separators
Post by: mimugmail on January 30, 2022, 06:46:45 am
I only see progress here :) but the fact that it can appear more than once might confuse, yes
Title: Re: Rule Separators
Post by: Fright on January 30, 2022, 08:08:52 am
@mimugmail thanks!!  :)  (you dragged me into it  ;) it's fun, thanks)
@marcquark yep, but I like the idea of multiple categories per rule and in this case I think it's more correct to display the rule in each group. but that's why I suggested it for discussion (maybe someone will suggest another way to display)
Title: Re: Rule Separators
Post by: marcquark on January 30, 2022, 09:14:54 am
You're absolutely right, not displaying them under each category would add even more layers of indirection between what the eye sees and what the packetfilter actually does - they should definitely be displayed under every category.
I like your solution visually, and in the end it's up to the user how they choose to use categories. Maybe it's best to display a "here be dragons" warning when the view is opened for the first time or so?

There's another thing that springs to mind though; your representation mixes up the rule order visually doesn't it? Because it first "sorts" by category and then by actual rule order. That's something that would probably need some more thought as well
Title: Re: Rule Separators
Post by: franco on January 30, 2022, 10:45:14 am
Well, rule reorder does have to be disabled for this to make sense. Whether or not categories/tags are given on overlapping rules is up to the user.

This is smart use of what we have already built in. This might be more of an UX issue than technical after all and depending on the technical approach all have their upsides and downsides so it looks like it comes down to preference on which side of "rule separators are what we need" one might settle.


Cheers,
Franco
Title: Re: Rule Separators
Post by: chropnsense on January 30, 2022, 12:31:37 pm
My 2c goes to copy how Fortigate or Forcepoint have tackled the "presentation layer issue":

(https://www.forcepoint.com/sites/default/files/inline/product-pages/ngfw/ss-policy2.png)

(https://d2908q01vomqb2.cloudfront.net/761f22b2c1593d0bb87e0b606f990ba4974706de/2020/10/21/Screen-Shot-2020-10-21-at-12.29.04-PM.png)

Being able to hide/expand and group rules as above is extremely helpful when you have plenty of rules (example you have many VLANs and "zero trust" approach between the VLANs and servers/services)

I usually "design the rules sections" per VLAN (ex VLAN for OfficePCs, ProdPCs, Printers, MGMT, IoT, RnD, WiFi, Automation etc) and then quite often a own rules section per server. And if the firewall allows it, also different IPS per VLAN or server depending on its function.

HTH
Title: Re: Rule Separators
Post by: Fright on January 30, 2022, 02:08:48 pm
@franco
Quote
Well, rule reorder does have to be disabled for this to make sense
sounds logical, thanks! if it develops, I will definitely take into account

variant with movement buttons disabled and rule numbers added to reduce confusion with duplicate rules:
Title: Re: Rule Separators
Post by: marcquark on January 30, 2022, 02:35:04 pm
@Fright is it strictly frontend work that you're doing to achieve this?

I'm wondering because, since there are clearly good arguments both for and against change to the product in this regard, wouldn't it also be an option to make a browser extension that handles it? That way it's decoupled from core development, and there's room for creativity.
One user might use categories strictly 1:1, in which case a colorization like mine could work really well. Another will be happy with your solution, and a third will want to keep things as they are. Putting all the different options into Core and making it configurable is probably too much. Choosing one option over the other will only satisfy a portion of the users. A plugin with different modes of operation can serve everyone, can be maintained independently by the community and the devs won't have to bother with compatibility at all

If you feel like that's a viable option HMU with a PN, i want to contribute :)
Title: Re: Rule Separators
Post by: Fright on January 30, 2022, 02:59:07 pm
@marcquark
this can definitely be done entirely on the frontend (all the necessary data is already on the page) imho. but to reduce the DOM manipulation, I made small changes on the backend (added a hidden column, attached category data to the category filter select). the rest on the jQuery.
the full solution will require some additional work to make it work on the NAT rules pages as well (haven't looked at any other backend changes yet).
I don’t know about the browser extension, I’m unlikely to find time for this. if the proposed idea is developed, I will post the code on github for discussion
Title: Re: Rule Separators
Post by: bimbar on January 31, 2022, 11:08:49 am
I’m not sure that I understood correctly and whether there is a benefit in this (in my opinion, the existing filters are more than useful), but are we talking about something like that?
https://user-images.githubusercontent.com/36099472/151666001-dc546b80-dde4-4976-9cce-8c4bd9c71133.mp4

This is very nice. I want it.
Title: Re: Rule Separators
Post by: chropnsense on January 31, 2022, 05:19:27 pm
@marcquark

the full solution will require some additional work to make it work on the NAT rules pages as well (haven't looked at any other backend changes yet).

If much trouble, adding this to NAT section is not IMHO necessary. Usually NAT rules are not that many so a rules list straight up and down is OK.
Title: Re: Rule Separators
Post by: Fright on February 02, 2022, 08:37:12 am
@chropnsense
no trouble )

draft is ready.
https://github.com/kulikov-a/rules/issues/2#issuecomment-1027656562

very interested in speed assessment by guys with "tons of rules")
Title: Re: Rule Separators
Post by: litebit on May 26, 2023, 05:11:53 pm
Hi,

I'm planning to migrate from pfsense to OPNsense.

I know this is an old topic, and I don't want to upset anyone, but I do have a question regarding this topic.
Me too, I would love to see some kind of separation, segregation between blocks of rules within an interface or group. Besides using that a lot in my pfsense, also in my professional life, all firewalls I worked with (Fortinet, Checkpoint, Fortinet, Juniper, ...) have one way or another to separate or group blocks of rules.

I already read that the OPNsense developers are unlikely to implement rule separation headers like in pfsense. I can understand most of the points they raised about this, but....

It seems to me, it is already possible (in a way)? Because I see exactly that, when looking at the line "Automatically generated rules"... it has all I would like:
- a set of rules grouped together
- can be collapsed/expanded

https://imgur.com/a/OKY2jYg

Is it not possible to open up that feature for when we add rules ourselves?

Title: Re: Rule Separators
Post by: mimugmail on May 26, 2023, 08:28:46 pm
If it's just about collapse you can try categories
Title: Re: Rule Separators
Post by: litebit on May 26, 2023, 10:03:21 pm
If it's just about collapse you can try categories

I tried that, but it is different ... how do I explain .... categories do not enforce or are not "inline" with the order of the rules. If you know what I mean?
Title: Re: Rule Separators
Post by: mimugmail on May 27, 2023, 01:31:56 pm
I know what you mean. I for myself accepted, whether in closed or open source, you don't get every wish/feature implemented :)
Title: Re: Rule Separators
Post by: InstaNoodle on February 08, 2024, 07:33:38 am
Just wanted to say, that I'm about to embark on 170+ OPNsense installs each with lots of rules and this feature is sorely missing.
Title: Re: Rule Separators
Post by: chemlud on February 08, 2024, 09:49:46 am
https://forum.opnsense.org/index.php?topic=2851.msg87606#msg87606

It can be only a few lines of code ;-)