OPNsense Forum » English Forums » General Discussion » How to manage thousands of firewall rules
Topic: How to manage thousands of firewall rules (Read 3254 times)
aa007 (Newbie, Posts: 1, Karma: 0)
How to manage thousands of firewall rules
« on: February 21, 2019, 04:01:26 pm »
Hi,
We are in the process of choosing a replacement for our old Linux firewall. We currently use the Shorewall framework to control iptables. Currently we have something around 5000 rules. Our environment is restrictive, so when a user wants to connect to a production server, we need to add a rule for it. Now we have a config file per user, so using a zone-based approach allows us to easily see where any user can connect - so auditing is somehow easy.
We like OPNsense, but we can't find any reasonable method for migrating this number of rules into it. Is anyone using OPNsense with this high amount of rules? How do you manage it? We don't want to list through hundreds of rules on one page until we find the correct ones - this will be a place for making a lot of mistakes.
Thanks for any ideas.
bartjsmit (Hero Member, Posts: 2017, Karma: 194)
Re: How to manage thousands of firewall rules
« Reply #1 on: February 21, 2019, 06:28:02 pm »
I would separate the security policy from the firewall - i.e. create a policy database of rules and write an import script to import the current iptables rules from Linux and apply them to your new firewall via an export script.
I don't know if the OPNsense API is capable of implementing rules, but the config file is straightforward XML with <rule></rule> elements.
Bart...
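The policy-database approach in the reply above, as an added example that is not from the thread or from OPNsense itself: a small per-user policy is the source of truth, an export function renders it as OPNsense-style `<rule>` elements, and the audit question ("where can this user connect?") is answered from the policy rather than by paging through the firewall. The record field names, the sample addresses and the `lan` interface are constructed assumptions, and the child element names follow the OPNsense config.xml filter-rule layout as I understand it, so compare the output against a rule exported from your own config before importing.

```python
# Added example (not from the thread): generate OPNsense-style <rule> elements
# from a per-user policy database and audit the policy instead of the firewall.
import xml.etree.ElementTree as ET

# Constructed sample policy: one record per (user, source, destination, port).
# In practice this is loaded from a file or database; the field names are ours.
POLICY = [
    {"user": "alice", "src": "10.1.0.11", "dst": "10.9.0.5", "port": "22", "proto": "tcp"},
    {"user": "alice", "src": "10.1.0.11", "dst": "10.9.0.6", "port": "5432", "proto": "tcp"},
    {"user": "bob",   "src": "10.1.0.12", "dst": "10.9.0.5", "port": "443", "proto": "tcp"},
]

def build_rule(p):
    """Return one <rule> element. Child element names follow the OPNsense
    config.xml filter-rule layout as assumed here; verify against a rule
    exported from your own config.xml before importing."""
    rule = ET.Element("rule")
    ET.SubElement(rule, "type").text = "pass"
    ET.SubElement(rule, "interface").text = "lan"      # assumed ingress interface
    ET.SubElement(rule, "ipprotocol").text = "inet"
    ET.SubElement(rule, "protocol").text = p["proto"]
    src = ET.SubElement(rule, "source")
    ET.SubElement(src, "address").text = p["src"]
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "address").text = p["dst"]
    ET.SubElement(dst, "port").text = p["port"]
    # The description carries the policy key so every rule traces back to a user.
    ET.SubElement(rule, "descr").text = f"policy:{p['user']}"
    return rule

def render_rules(policy):
    """Serialise all policy records as a <filter> fragment. Only pass rules are
    emitted; the firewall's default deny provides the restrictive baseline."""
    filt = ET.Element("filter")
    for p in policy:
        filt.append(build_rule(p))
    return ET.tostring(filt, encoding="unicode")

def audit_user(policy, user):
    """Answer the audit question from the policy, not the firewall:
    where may this user connect? Returns sorted 'dst:port/proto' strings."""
    return sorted(f"{p['dst']}:{p['port']}/{p['proto']}" for p in policy if p["user"] == user)

def rules_for_user(xml_fragment, user):
    """Reverse check: count generated rules whose description tags this user,
    so policy and exported rule set can be reconciled after an import."""
    root = ET.fromstring(xml_fragment)
    return sum(1 for r in root.iter("rule") if r.findtext("descr") == f"policy:{user}")
```

Diffing `audit_user` against `rules_for_user` on the running firewall's config.xml is the cheap consistency check that catches a rule that was edited by hand and no longer matches the policy.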