OPNsense Forum
English Forums => General Discussion => Topic started by: southman on July 09, 2016, 03:04:30 pm
-
Where/how can I view (show) the default/hidden rules? I have searched high and low. Am I missing it?
-M
-
Which hidden rules are you talking about and how do you know about them if they're hidden? ;D Surely all the rules are listed on each of the relevant UI pages (including the disabled ones) or am I missing something?
-
Because it's a fork.....| | |
|_|_|
|
|
|
-M
-
Wut?
-
What are the "hidden rules" installed when the "default settings are applied" ? Doesn't a "default" install of OPNsense default install with "default/hidden" rules?
If it does, what is that rule set, and how/where can I view them?
-
No idea, but why would it have hidden rules and which kind of rules would these be?
You seem to have the idea there are hidden rules in all firewall/routers?
-
I am not looking to pick a fight here. It's really pretty simple, opnsense either uses hidden/default rules or it doesn't (neither good or bad). For my own personal edification, it is something I would like to know.
It is not uncommon for firewalls to use this type of architecture. Since opnsense is a fork of pfsense it would make sense that was carries over into opnsense.
All I am asking for is a simple confirmation or denial, and if they are using default/hidden rules, what are they?
-
Hi,
Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simplify our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.
The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read the /tmp/rules.debug file.
Best regards,
Ad
-
You can also simply go to the shell and use the PF tools to inspect the rules in detail. For example, pfctl -sr will show you the currently loaded rules. The rules in PF are quite a bit easier to read than, say, in Linux iptables.
This is one big advantage of an open solution: You can dig as deep as you like and see exactly what's going on. ;)
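The two inspection methods named in this thread, /tmp/rules.debug and pfctl -sr, both produce plain pf rule syntax. The following helper is an added example, not code from the thread or from the OPNsense project: a POSIX sh/awk function that reads such a dump and prints one line per rule (action, direction, interface, whether it is a quick rule, and its label), followed by per-action counts. Rules that carry no label are printed as "(no label)", which is a useful first filter when separating generated defaults from rules you created yourself. The sample_rules function holds a constructed ruleset in the style of rules.debug so the script runs offline; the interface names, addresses and labels in it are assumptions, not taken from a real box.

```shell
#!/bin/sh
# Added example (not from the OPNsense project): summarise a pf ruleset dump.
# On a live firewall, feed it the running rules or the generated file:
#   pfctl -sr | summarize_pf_rules
#   summarize_pf_rules /tmp/rules.debug
# Reads pf rules from the files named in "$@" (or stdin when none are given).
summarize_pf_rules() {
    awk '
    # Only lines that start with a rule action are rules; macros, tables,
    # options and comments in rules.debug are skipped.
    /^[[:space:]]*(pass|block|match)[[:space:]]/ {
        action = $1
        dir = "-"; iface = "any"; quick = "no"; label = "(no label)"
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            else if ($i == "on" && i < NF) iface = $(i + 1)
            else if ($i == "quick") quick = "yes"
        }
        # Pull the text between the quotes of label "..." if present.
        if (match($0, /label "[^"]*"/))
            label = substr($0, RSTART + 7, RLENGTH - 8)
        printf "%-5s %-3s %-6s quick=%-3s %s\n", action, dir, iface, quick, label
        counts[action]++
        total++
    }
    END {
        printf "# pass=%d block=%d match=%d total=%d\n",
            counts["pass"] + 0, counts["block"] + 0, counts["match"] + 0, total + 0
    }' "$@"
}

# Constructed sample in the style of /tmp/rules.debug (assumed interface
# names, networks and labels; not copied from a real installation).
sample_rules() {
    cat <<'EOF'
# Loopback and default deny
block in log all label "Default deny rule"
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"
pass out all keep state allow-opts label "let out anything from firewall host itself"
block in quick on em0 from 127.0.0.0/8 to any label "Block loopback"
block in quick on em0 from 10.0.0.0/8 to any label "Block private networks"
pass in quick on em1 inet proto tcp from any to (self) port 443 keep state label "anti-lockout rule"
pass in quick on em1 inet from 192.168.1.0/24 to any keep state
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_rules | summarize_pf_rules
```

On a real system the label text is what ties a line in pfctl -sr back to its origin: the generated defaults in filter.inc carry fixed labels such as the default deny rule, while rules created in the UI are labelled with their own identifier, so grouping or grepping on the label column is the quickest way to see which rules you did not write.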
-
Hi,
Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simplify our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.
The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read the /tmp/rules.debug file.
Best regards,
Ad
Is this still something that is being considered? I would love to see the default rules. I have some that are taking actions on traffic and I am having a hard time understanding the intent.
-
Just install 19.7 'Jazzy Jaguar' :)
From the road-map (https://opnsense.org/about/road-map/):
Firewall insights in generated rules
Best regards,
Ad