Messages

[simulating network-traffic across firewalls]

Greetings - I hope you are having a nice day (:

Just wanted to post about a tool I created for simulating network-traffic across firewalls.

This can be useful for:

* Troubleshooting problems with complex rulesets
* Troubleshooting issues where you do not control the source
* Analysing problems without access to the firewall (the admin/user only needs to send you the config-backup & network-export)
* Automating regression tests (CI/CD and Infrastructure-as-Code)
* More

Links:

* Documentation
* GitHub: O-X-L/firewall-testing-framework (and soon Codeberg..)
* PyPI: pip install firewall-test

BTW: It also works for Linux-Netfilter (IPTables/NFTables)

I would be happy to get some feedback - and feel free to contribute to the project :D :+1:



Edit: Adding Preview-GIF

Greetings!

If someone has use for it:

I have created a Python3 client for the OPNsense API: github.com/O-X-L/opnsense-api-client, pypi.org/project/oxl-opnsense-client

Docs: python-opnsense.oxl.app

It is based on our Ansible Collection for OPNsense that is already used by many admins.

Grüße!

Im Business Bereich schreckt das den einen oder anderen aber ab, wenn die usability zum Problem wird

Sehe ich ähnlich. Von dem was ich schon so mitbekommen habe hat die Usability der UI auch bei internen Admins (berechtigtermaßen) oft einen hohen Stellenwert. Das 'Bauchgefühl' wird davon doch beeinflusst.


Zur Ergänzung: Mir ging es jetzt gar nicht darum mit bei jemandem 'einzuhängen', sondern interessiert mich einfach die derzeitige Situation 'am Markt' und welche Erfahrungen andere im Bereich Dienstleistung/Freelancing mit OPNsense Projekten gemacht haben.

Grüße
- Rath

Grüße an euch alle!

Ich bin seit knapp einem Jahr nebenberuflich als IT-Sysadmin und Software-Entwicker (GitHub) selbstständig - daher würde es mich dafür interessieren ob jemand von euch Erfahrungen mit OPNsense Projekten im Bereich Dienstleitung oder Freelancing gemacht hat.

Das OPNsense Projekt/Produkt ist doch sehr mächtig!
Wenn man es mit close-source Systemen wie Barracuda, SonicWall, Fortigate, etc vergleicht kann sich ein Kunde ordentlich Lizenzkosten einsparen und dabei viele* der Funktionen bewahren (*einige Funktionen bauen auf der Infrastruktur des größeren Vendors auf; und der Support eines Partner-Netzwerks ist auch nicht zu unterschätzen..)

Habe natürlich schon einige der Freelancer-Online-Portale getestet, doch die meisten gehen mir mit ihren 'tollen' Verträgen etwas gegen den Strich.

Dementsprechend hätte gerne erfragt, ob:

• es in dem Bereich schon direkte 'Kanäle' gibt (wie ein Partner-Netzwerk)
• oder ob ihr Online-Portale empfehlen könnt
• oder (wie so oft) einfach jeder Dienstleister sein eigenes Süppchen kocht

Soweit ich gesehen habe, gibt es ja auch (noch) keine offiziellen OPNsense Trainings bzw. Zertifizierungen (?)


Einen schönen Abend wünsche ich euch noch (:
- LG Rath (E-Mail)

As I've just found this topic - just wanted to give my opinion:

First of all => I know the pain of running Open-Source projects. Time and other resources can be very limited.
Thank you for providing this nice product :D
Even if this is not a feature for the 'old' UI => it could be benefitial for the new MVP-based components.

But this is also still an issue for us today.
Sadly the interface-groups mentioned in the topic https://forum.opnsense.org/index.php?topic=42177 are not really the answer to this problem :/

Mainly we have these issues with large(r) ruleset (100+ rules):
* We have no visual separators between 'chains' of rules
  * This can lead to possible misconfiguration issues when working in a team of admins (as a separate ruleset documentation might be necessary)
  * Optimally such rule-groups could be opened and closed (accordion/spoiler-like) so the user would have a better overview
* It is easy to overlook some misconfigured rule inside this large 'block'
* Off topic: Simulating traffic over the ruleset (automated regression tests) can only be done by sending the actual traffic and analyzing the logs (as I can allocate some time I might write an open-source tool for running such simulations)

We currently periodically export the config of the firewall, convert the XML-rules to CSV and then analyze the ruleset in Python and/or Google Sheets to get an overview and check for regressions/misconfigurations :(  (see backup-to-rule-csv script: https://gist.github.com/NiceRath/54ead58ae29bd67e680edc1767578e06)

Just as a reference => I've really loved the administration of Barracuda Firewalls as we were able to cleanly separated in sub-groups. There they used chains to also logically separate these groups of rules, but the visual separation is also a big part of it.

> Even PFSense has something like that

Bold strategy.  :)


Cheers,
Franco

Just as a reference... (;

The interface groups https://docs.opnsense.org/manual/firewall_groups.html are pretty much the feature I was looking for - thank you for informing me  ;D

Yeah - would be possible. But that's an extra attribute per rule that needs to be maintained.
As there is already a section feature in use by the 'Automatically generated rules' I though there may be a way to utilize it for other rules  ;)

Even PFSense has something like that: https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#rule-separators

Greetings!

First of all - thank you for the great product :D Really love it so far.

I've encountered a customer that has the need for 200+ floating rules.

This is because there are many VLANs and most rules need to be enabled for multiple interfaces.

The abstracted ruleset looks like this:

* Public Security Filters (Blacklists, Countries)
* Public MGMT Rules
* Public Services (NAT)
* Public DENY any
* Access of Untrusted Networks
* Untrusted DENY any
* Intern to Internet Filters (Blacklists, ...)
* Intern to Internet Rules
* Intern to Internet DENY any
* Intern to Intern Rules

This works, but it gets a little messy as there is no clear separation between those sections.

Is there any way of creating sections? Like the one used for 'Automatically generated rules'? I have not found any documentation regarding it :(  https://docs.opnsense.org/manual/firewall.html
What would be even better - adding custom chains. (src/dest match to jump to custom chain and return afterwards)

I've been using the custom chains of Barracuda CloudGen Firewall's - as they are a game changer for complex rulesets..