Default / Hidden rules

Started by southman, July 09, 2016, 03:04:30 PM

Where/how can I view (show) the default/hidden rules?  I have searched high and low.  Am I missing it?

-M
.....it's a dirty job but someone said I had to do it...

-M

Which hidden rules are you talking about and how do you know about them if they're hidden?  ;D Surely all the rules are listed on each of the relevant UI pages (including the disabled ones) or am I missing something?
Regards


Bill

Because it's a fork.....|  | |
                               |_|_|   
                                  |
                                  |
                                  |

-M
.....it's a dirty job but someone said I had to do it...

-M

Wut?
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

July 09, 2016, 10:33:20 PM #4 Last Edit: July 09, 2016, 10:50:44 PM by southman
What are the "hidden rules" installed when the "default settings are applied"? Doesn't a "default" install of OPNsense come with "default/hidden" rules?

If it does, what is that rule set, and how/where can I view them?
.....it's a dirty job but someone said I had to do it...

-M

No idea, but why would it have hidden rules and which kind of rules would these be?
You seem to have the idea there are hidden rules in all firewall/routers?
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

I am not looking to pick a fight here.  It's really pretty simple, opnsense either uses hidden/default rules or it doesn't (neither good nor bad).  For my own personal edification, it is something I would like to know.

It is not uncommon for firewalls to use this type of architecture.  Since opnsense is a fork of pfsense it would make sense that this carries over into opnsense.

All I am asking for is a simple confirmation or denial, and if they are using default/hidden rules, what are they?


.....it's a dirty job but someone said I had to do it...

-M

Hi,

Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simplify our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.

The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read the /tmp/rules.debug file.

Best regards,

Ad



You can also simply go to the shell and use the PF tools to inspect the rules in detail. For example, pfctl -sr will show you the currently loaded rules. The rules in PF are quite a bit easier to read than, say, in Linux iptables.

This is one big advantage of an open solution: You can dig as deep as you like and see exactly what's going on.  ;)
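As an added illustration of the two inspection methods mentioned above (reading /tmp/rules.debug and running pfctl -sr), here is a small POSIX sh helper that numbers rules the way pfctl -vvsr does (@0, @1, ...) and pulls out action, direction, interface and label, so a rule seen in the firewall log can be matched to its text. This is not code from the OPNsense project; the sample rules are constructed for the example and are not copied from filter.inc.

```shell
#!/bin/sh
# Constructed sample in pfctl -sr output syntax (illustrative only, not the
# real OPNsense defaults; the uuid-style label stands in for a UI-created rule).
SAMPLE_RULES='block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
pass in quick on em1 inet proto tcp from any to (em1) port = 443 flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "a1b2c3d4-constructed-uuid"
block drop in log all label "Default deny rule"'

# Read rules on stdin and print one line per rule: @N (0-based, as in
# pfctl -vvsr), action, direction, interface (- if the rule has no "on"),
# and the label text (or "(no label)").
summarize_rules() {
    awk '
    {
        action = $1; dir = "-"; iface = "-"; lbl = "(no label)"
        for (i = 1; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            if ($i == "on") iface = $(i + 1)
        }
        # label "..." is the last keyword; strip the 7-char prefix and the closing quote
        if (match($0, /label "[^"]*"/)) lbl = substr($0, RSTART + 7, RLENGTH - 8)
        printf "@%d %-5s %-3s %-4s %s\n", NR - 1, action, dir, iface, lbl
    }'
}

# Print the label of rule number N (0-based) read from stdin; empty if unlabeled.
rule_label() {
    awk -v n="$1" 'NR - 1 == n && match($0, /label "[^"]*"/) {
        print substr($0, RSTART + 7, RLENGTH - 8)
    }'
}

# Run against the constructed sample; on a live box use: pfctl -sr | summarize_rules
printf '%s\n' "$SAMPLE_RULES" | summarize_rules
```

On an OPNsense box the same functions can be fed `cat /tmp/rules.debug` to compare the file Ad mentions with what pf actually loaded.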

Quote from: AdSchellevis on July 10, 2016, 02:30:40 PM
Hi,

Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simplify our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.

The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read the /tmp/rules.debug file.

Best regards,

Ad

Is this still something that is being considered?  I would love to see the default rules.  I have some that are taking actions on traffic and I am having a hard time understanding the intent.
Founder of Geekz
https://geekzweb.com

Just install 19.7 'Jazzy Jaguar' :)

From the road-map (https://opnsense.org/about/road-map/):

Quote
Firewall insights in generated rules


Best regards,

Ad