UI - firewall rules

Started by ivica.glavocic, September 18, 2025, 09:25:04 AM

Do you think that UI on firewall editing rules could be enhanced in terms of visibility?

Imo there are 3 important segments of a rule: source info, destination info and action info. Grouping, or for example different colors for those segments, would result in better visibility.

For example, source direction is a candidate for the advanced screen, when can source direction be out?

For me, sometimes less is more, and visibility is better on less.

If you are on the latest version you could check out Firewall - Automation - Filter

In there you can put rules into categories and press "Tree" to show them in folders in these categories.
Hardware:
DEC740

I think the OP is referring to layout and colors within a rule definition rather than the organisation of a list of rules.

Regarding migrating existing conventional rule definitions to the new MVC based rules: if I were to do it piecemeal, say convert floating rules, then later rules for one interface, is there a possibility of unexpected consequences with, for example, rule ordering?

Yeah but with the new flexibility of categories and possibly the tree view they could structure the rules in a way that makes sense for them.

Regarding your question the rule precedence is described here, both features can live happily side by side:

https://docs.opnsense.org/manual/firewall_automation.html
Hardware:
DEC740

Thanks.
When automation rules eventually supersede firewall rules, will port-forward rules create their corresponding firewall rule under automation rules? Will that functionality remain available?

September 18, 2025, 10:25:37 PM #5 Last Edit: September 18, 2025, 10:27:58 PM by meyergru
According to the docs, those are completely separate and the processing order is explained at the end of the man page.

"Superseding" by abolishing the old rules would render many installations useless, so I reckon that they will both exist side-by-side for a long time.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I was thinking of fw rules that are created when 'filter rule association' is enabled in a port-forward rule. The corresponding rules can be manually reordered whilst their association with the port forward rule (as shown in the UI/config) remains intact.

I formed the impression the new firewall management would ultimately supersede the existing method, much like how OpenVPN has been modernised. I also formed the impression that the new automation was not intended solely to expose the rules via the API but aimed to offer improved fw rule management generally. I was not worried the existing method was suddenly going to disappear though :-)

The features exist side by side and will continue for a long time as there's no simple automatic migration or overlay possible.

I don't know if the automagic port forward rule creation will be implemented for the MVC part, you can ask in the roadmap ticket:

https://github.com/opnsense/core/issues/8401
Hardware:
DEC740

Thanks. Just a matter of interest on what was planned for the new mvc based rules management. It looks promising and I'm looking forward to trying it some time soon.

One more thing regarding UI. When I create an IPSEC site to site tunnel, it gets an interface automatically associated with it. Since I have 50+ tunnels with the same simple rules (LAN to remote OK, remote to LAN ping one IP), I created a firewall group and put all IPSEC interfaces in it. Those simple rules are applied to the group and it works OK.

In Interfaces menu I have clean visibility - all of 50+ interfaces are grouped and expandable.

In Firewall Rules menu I have:
  • one generic ipsec submenu
  • the firewall group submenu
  • a submenu for each of the 50+ interfaces

In terms of visibility, that is a problem. I hoped for submenus in Firewall Rules to be grouped as they are in Interfaces menu. Can it be accomplished?

Sorry, I'm not sure I understand, maybe screenshots will help.
Hardware:
DEC740

Screenshots contain sensitive data, names of the real companies. I will redact them on Monday and put them here.