Bit of a feedback + Question about automatically generated rules

[Mindflayer]

Hello everyone,

I have spent the last two weeks trying to get into OPNsense as much as I could. Reading through the manual, reading reddit/forum threads and excessively experimenting with it in my homelab. I also wrote myself a small pcap-based tool to try a bit "hacking" like VLAN-hopping etc.
So far, I had no experience with open source firewalls, but my job is... let's say: Very technical. So I think I have a solid foundation of knowledge in networking.
And since I wanted to improve my homelab, I am in search of a sophisticated open source firewall/router software. And OPNsense is a possible candidate, which I like so far. The manual is very well written, and was super helpful in the last weeks, when I stumbled upon problems. In the future I could even imagine applying as a developer (in case you need one).

What I don't understand are those "Automatically generated rules". And (dear moderator) before you delete my thread and perma ban me, please hear me out first.
Like I said, I read quite some forum posts. Also about this topic. And I understand its a pretty "disliked" topic. But I did not find any real explanation why those rules are implemented in the way they are.

franco said (Funnily to-the-day exactly one year ago), those "Automatically generated rules" are there

Because people have relied upon them for years, even a decade and suddenly removing them would have left everyone stranded. Couple with with the fact that pfSense tried to say OPNsense is just a buggy pfSense it would have discouraged even more people in the beginning.

Which is a valid claim. But then why not just (in the next version of OPNsense) leave those rules there, but make them deletable? -Maybe show a similar message like the one, which appears when I try to change the listening interface for the webGUI: "Be sure that you know what you are doing by deleting these rules". This would ensure nobody is "left stranded" AND people who want to be in control of all of their firewall rules, can do so as well.

To anticipate another answer: There is no particular "Automatically generated rule", which I dislike. Me, and seemingly a lot of other people, just don't like to have to have them there. (People tend to dislike it, when something is forced on them)
For example, I try to always block IPv6 wherever and whenever I can. Now I know one can disable IPv6 via Interfaces>Settings>Allow IPv6, which adds a "Block all IPv6" "first match"-rule at the top of the firewall rules. Rendering all the other IPv6 rules useless. So having the other rules there doesn't change anything, expect maybe a little bit more CPU load. But why forcing me to have them there? And there are a lot of "useless" IPv6 rules... In my firewall of choice I will often change and adapt my firewall rules, and I will always have to skim over those IPv6 rules, wasting time.

Or another idea: Why not (at least) allow people to put their own firewall rules above the automatically generated ones? This would not solve the problem of having them there, but at least people would be in full control and able to block the automatic "pass" rules. For example, what if I would like to block the "IPv4 CARP" traffic? I have no chance to do so... 

If someone (of the developers or others) would like to answer, please don't hesitate to answer in a technical way of why it seems to be so hard to implement a possibility for people to get rid of the auto rules. Gladly also with a link to the affecting code lines in the OPNsense source code.

franco also said:

To add irony to insult: we've inherited automatic rules from pfSense where you couldn't even even see them.

Is this still true? Does pfSense still have the same or similar rules in place and you can't even see them?

Greetings

[chemlud]

In pfsense you see under LAN the antilockout rule. As the default behaviour of both senses is (by and large) comparable, the remaining rules have to be present under the hood imho.

[Patrick M. Hausen]

The firewall that I used to swear by before I switched to OPNsense was Secure Computing's Sidewinder. There were no visible rules for ARP, NDP and the like, yet IPv4 and IPv6 worked, so there must have been rules in place permitting these.

I am fine with having the fundamental working of protocols enabled automatically. I doubt anyone here is intimate enough with e.g. SLAAC to write down a working and minimal rule set to have that work from memory on a blank sheet of paper.

Blocking IPv6 in 2024 does not make much sense to me, given that IPv6 is the Internet and IPv4 is legacy, now. But you do you 

[bimbar]

The automatic rules are there to enable services that you have enabled.

There are rules, so that CARP works.
There are the RFC4890 ICMPv6 rules.
There are rules that allow outbound traffic from the firewall itself.
There are some rules blocking invalid traffic.

I do not disagree with a single one of those rules. I also do not want to have to configure them manually.
I also do mikrotik, where you have to do those yourself, and it is not fun.

So I do disagree with the OP.

[Mindflayer]

In pfsense you see under LAN the antilockout rule. As the default behaviour of both senses is (by and large) comparable, the remaining rules have to be present under the hood imho.

Thank you for your answer. But it does not reply to any of my questions.

The firewall that I used to swear by before I switched to OPNsense was Secure Computing's Sidewinder. There were no visible rules for ARP, NDP and the like, yet IPv4 and IPv6 worked, so there must have been rules in place permitting these.

I see. So you want to say there are little to no firewalls which don't use "hidden rules"? That would be somewhat dissapointing.

I am fine with having the fundamental working of protocols enabled automatically. I doubt anyone here is intimate enough with e.g. SLAAC to write down a working and minimal rule set to have that work from memory on a blank sheet of paper.

That is exactly what I mean. I am not fine with it. I want that nothing works and nothing is let through what I don't know. And you might deem it a bold statement, but I think that allows everything important in a homelab to still work.

Blocking IPv6 in 2024 does not make much sense to me, given that IPv6 is the Internet and IPv4 is legacy, now. But you do you 

That is completely wrong in my eyes. IPv6 is now over 12 years old and has little to no adoption. My ISP provides me with an exclusive, publicly routable IPv4 address, like he does to any other of its customers. I understand, that, at some point, we will need IPv6 because we run (resp. already ran) out of IPv4 addresses, but from my experience, no one needs IPv6 at the moment. You will never (in the foreseeable future) need anything more than 10.0.0.0/8 in a LAN.
And your statement "IPv6 is the Internet" is objectively false. There is not a single (useful) website, which is reachable only by a/its IPv6 address. Those few websites which are IPv6-only belong to experimenters. IPv4 is the Internet.
However, this is not the topic of this thread.

The automatic rules are there to enable services that you have enabled.

There are rules, so that CARP works.
There are the RFC4890 ICMPv6 rules.
There are rules that allow outbound traffic from the firewall itself.
There are some rules blocking invalid traffic.

I do not disagree with a single one of those rules. I also do not want to have to configure them manually.
I also do mikrotik, where you have to do those yourself, and it is not fun.

So I do disagree with the OP.

I don't think that is true, but I would like to be convinced of the opposite.
I disabled everything about IPv6, yet I have >12 rules especially about IPv6. There seem to be now dedicated services, which are using these rules.
Yet I think I know what you mean. When I enable DHCP, I get automatically generated DHCP rules. And I can get rid of them by disabling DHCP.
Yet there are many rules which dont seem to belong to any service.

Edit:
Maybe to clarify what I mean, I attach a screenshot to this post.
The rules in the upper red box, are completely useless to me, but I can't get rid of them
The rules in the lower red box allow traffic, which I don't want. But I can't get rid of them. Nor can I overrule them with my own firewall rules.

[Patrick M. Hausen]

That is completely wrong in my eyes. IPv6 is now over 12 years old and has little to no adoption. My ISP provides me with an exclusive, publicly routable IPv4 address, like he does to any other of its customers. I understand, that, at some point, we will need IPv6 because we run (resp. already ran) out of IPv4 addresses, but from my experience, no one needs IPv6 at the moment.

1. 26 years.

2. Where I live adoption is 60% and growing. In India it's 80%.

https://stats.labs.apnic.net/ipv6

3. IPv4 has not yet been declared historic and the corresponding draft RFC generated a lot of controversy. Yet it is bound to happen.

4. If you go dual stack now, you will benefit now. Simple as that. Our AS 16188 is 100% dual stack.

[bimbar]

I don't think that is true, but I would like to be convinced of the opposite.
I disabled everything about IPv6, yet I have >12 rules especially about IPv6. There seem to be now dedicated services, which are using these rules.
Yet I think I know what you mean. When I enable DHCP, I get automatically generated DHCP rules. And I can get rid of them by disabling DHCP.
Yet there are many rules which dont seem to belong to any service.

Edit:
Maybe to clarify what I mean, I attach a screenshot to this post.
The rules in the upper red box, are completely useless to me, but I can't get rid of them
The rules in the lower red box allow traffic, which I don't want. But I can't get rid of them. Nor can I overrule them with my own firewall rules.

Without those rules, IPv6 will not work. At all. So if you want to get rid of those, disable IPv6.
CARP is core functionality that can not be disabled. Without those rules, CARP does not work.

Somewhere above you are surprised that many other firewalls have automatic rules. All firewalls I know of have automatic rules, in some you can see them, in some you can not.
If you don't want that, you need to build it yourself, or use a router like mikrotik. But it seems to me, it's just a different device you want. That does exist, but it's not a UTM firewall.