firewall groups and interfaces

[fabio]

First of all thanks for the great work
I’ve updated my lab firewall and all looks good.

Till now I just not understand the meaning of “use firewall groups to group interfaces menu accordingly"

I do not see a direct relation between a group of firewall rules and the interfaces menu
With the result to hide interfaces in sub-menus and possibly duplicate them if you use an interface in more than one group

I found it a bit confusing but maybe I’m missing something obvious;
can someone explain me the reason of this choice ... I’m curious to understand

Thanks again to all the developers and the community
--
Fabio

[mimugmail]

Let's say you have 6 interfaces .. 2 are building one bridge and 2 are building another bridge.
If you want to handle Firewall rules for Bridge one it's easier to build a group BridgeA and put in the two interfaces plus the created bridge.

[fabio]

this it's fine
I'm using a group to manage "common rules" between various interfaces and you right it's a easy way.

So it  should be "more logic" see this aggregation under the "Firewall->Rules" tree and not in the "interfaces" one.

Probably for my taste the optimum would be to see a label (or something else) on the top of "Firewall->Rules->_interface_name_" page; an info that show which groups of rules are matched before the one listed in the page itself ... but this is just a thought and not really related to the "grouped interface menu".

[franco]

Two things:

If this will stir up controversy we are happy to provide a group-based override to avoid groups from mapping interfaces in the menu.

For the firewall rules the menu mapping is a bit harder, because there it's not just a group but also an "interface" where rules apply so groups must be clickable and folders at the same time (weird?!). And we do not have a fourth level currently in the menu to keep it as flat as possible. Grouping firewall rules interfaces would change that (also weird?!).

Not sure how to proceed, but if there was no willingness to push it there would be no improvements. And the good thing is discussion and feedback has already started.


Cheers,
Franco

[fabio]

The grouped interfaces is not a big deal but in my currently 5 minutes works I felt a bit uncomforted so an opt-in/out would be great 

Then, for the pleasure of the discussion, my first "random thoughts" about the firewall group are ... 

1) Have a clear distinction between rules applied to a specific interface and rules applied to a bunch of interfaces
So a menu like: 
Firewall
- Groups <-- groups rules
- - grp1
- - grp1
- Rules
- - LAN
- - OPT1
- - OPTx
- - WAN
- Settings
- - Groups <-- groups creation page

2) (As in the previous post) Some references in the rules pages that indicate:
- Which groups are used on this interface (in Rules)
- Which interfaces are used this group (in Groups)

In my case I use the groups as group of rules and not as group of interfaces.
In the specific in I've a '"common rules" group applied to most of all the interfaces where I allow service like  ping / remote syslog / smtp / backup / and-so-on  and deny a few others ... then I add specific rules to specific interface.

I think this is more useful than a hierarchical side menu  … but as I told this is just my taste and the way I use this feature

Told this I've a doubt, never tried, about what happen if an interface is used in 2 or more groups ... in which order the rules are evaluated ?
 
Cheers
--
Fabio