OPNsense Forum

English Forums => Development and Code Review => Topic started by: GurliGebis on February 14, 2017, 08:25:39 am

Title: Would Address Objects like in Sonicwall be an idea?
Post by: GurliGebis on February 14, 2017, 08:25:39 am
I've been playing with the Sonicwall firewalls we have, and one thing I like about it is the concept of Address Objects.

Think of them like aliases for subnets, specific addresses etc.

Would it be an idea to add the same feature to OPNsense, so people can create objects for their subnets, servers etc., and then just select them from a list (like currently where you have LAN Subnet, LAN IP), instead of typing them manually?
This could also be extended to the rest of the system, like DHCP Relay, where the target DHCP servers could be selected from a list of objects (or written manually still).

If it makes sense, I would suggest 4 different types of Address Objects (IPv4 address, IPv4 subnet, IPv6 address, IPv6 subnet).

What do you guys think?
Title: Re: Would Address Objects like in Sonicwall be an idea?
Post by: GurliGebis on February 14, 2017, 01:00:44 pm
I know of aliases, but they only work for the firewall - this should be system wide :)
Title: Re: Would Address Objects like in Sonicwall be an idea?
Post by: bartjsmit on February 14, 2017, 02:35:25 pm
There seems to be some work going on with fwbuilder https://github.com/opnsense/ports/tree/master/security/fwbuilder.

Bart...
Title: Re: Would Address Objects like in Sonicwall be an idea?
Post by: AdSchellevis on February 14, 2017, 09:25:30 pm
It's quite difficult to implement the concept and make sure all components follow the same rules, unless an object is a simple distinct type (single address, single network), but then it still needs to be implemented in a lot of legacy code.
New mvc style features are easier to extend, but unfortunately there's still quite some legacy in there which we're cleaning up/migrating step by step.

We have had questions about extending the aliases to other components (like the trafficshaper/ipfw) before, but the current definitions make it almost impossible to provide the same user experience across the full system.
A simpler definition (single network, single address, etc.) could work for more services.

More structural changes are planned to the core firewall, so we don't want to change too much there. An idea could be to add simple (more portable) alias types for the objects first, clean up the related firewall code for the aliases, add some kind of plumbing to select objects per type and take it from there...
If you're willing to work on the subject, just try to keep the steps small and backwards compatible, which makes it easier to review and accept.

The idea is good, just asks for quite some time investment to handle it properly.
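As an added illustration of the "simple distinct type" objects discussed above (the four kinds proposed in the first post, kept strictly one-shape-each as the last reply suggests), here is a small validator and membership check. This is example code written for this thread, not OPNsense code; the kind names, the `AddressObject` class and the sample definitions are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The four object kinds proposed in the thread (names are assumed, not OPNsense's).
KINDS = ("ipv4_address", "ipv4_subnet", "ipv6_address", "ipv6_subnet")


@dataclass(frozen=True)
class AddressObject:
    name: str
    kind: str
    value: object  # an ipaddress address or network object


def parse_address_object(name: str, kind: str, text: str) -> AddressObject:
    """Validate `text` strictly against the declared kind.

    An address kind rejects any prefix length, a subnet kind requires one and
    rejects host bits set (strict=True), and the IP version must match the kind.
    Refusing anything ambiguous is what keeps consumers from having to guess.
    """
    if kind not in KINDS:
        raise ValueError(f"unknown object kind {kind!r}")
    if kind.endswith("address"):
        if "/" in text:
            raise ValueError(f"{name}: address object must not carry a prefix length")
        value = ipaddress.ip_address(text)
    else:
        if "/" not in text:
            raise ValueError(f"{name}: subnet object needs a prefix length")
        # strict=True: "192.0.2.10/24" is an error, not silently 192.0.2.0/24
        value = ipaddress.ip_network(text, strict=True)
    if (value.version == 6) != kind.startswith("ipv6"):
        raise ValueError(f"{name}: IP version does not match kind {kind}")
    return AddressObject(name, kind, value)


def rejects(kind: str, text: str) -> bool:
    """True if the given text is refused for that kind (helper for checks)."""
    try:
        parse_address_object("probe", kind, text)
    except ValueError:
        return True
    return False


def contains(obj: AddressObject, addr_text: str) -> bool:
    """Membership test a consumer (a rule, a DHCP relay target list) would use."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version != obj.value.version:
        return False
    return addr == obj.value if obj.kind.endswith("address") else addr in obj.value


# Constructed sample definitions (documentation ranges), not from any real config.
SAMPLES = [
    ("lan_net", "ipv4_subnet", "192.0.2.0/24"),
    ("dhcp1", "ipv4_address", "198.51.100.5"),
    ("v6_net", "ipv6_subnet", "2001:db8:1::/64"),
    ("v6_host", "ipv6_address", "2001:db8:1::10"),
]


def load_samples() -> dict:
    return {n: parse_address_object(n, k, v) for n, k, v in SAMPLES}
```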