What's your firewall rule / alias naming scheme

Started by binaryanomaly, May 26, 2021, 12:13:09 AM

As I'm just in the process of setting up everything from scratch again, I am thinking about how best to name the aliases and firewall rules in order to have an efficient and self-explanatory standard.

What is the alias and firewall rule naming scheme you guys use and why?

For aliases I'm thinking of something like


[Domain]_[Asset type]_[Name]

Domain = net, web, com, p2p, media, ...
Asset type = ip, network, port, ...
Name = Service or App name


and use nesting wherever it makes sense.

For rules I'm thinking of


[Origin] to [Target] [Service or App] [allow/deny]


Does this make sense?
Would you recommend something else, why?

Bonus question: Would you recommend using interface groups even if there's only 1 interface?
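As an added example (my own, not code from the post or from OPNsense): a small Python linter that checks alias names against the proposed [Domain]_[Asset type]_[Name] scheme, flags nested aliases whose members are of a different asset type than the parent (a port alias that accidentally pulls in a network alias changes what the rule matches), and builds rule descriptions in the [Origin] to [Target] [Service or App] [allow/deny] form. The domain and asset-type vocabularies, the lowercase-only rule for the first two fields, and the dict representation of nesting are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Vocabularies for the scheme proposed in the post. The post lists these as
# open-ended ("..."), so the exact sets below are an assumption.
DOMAINS = {"net", "web", "com", "p2p", "media"}
ASSET_TYPES = {"ip", "network", "port"}
ACTIONS = {"allow", "deny"}

# [Domain]_[Asset type]_[Name]: three underscore-separated fields. Domain and
# asset type are lowercase; Name may contain hyphens and digits but no further
# underscores, so a name can always be split back into its fields unambiguously.
ALIAS_RE = re.compile(
    r"^(?P<domain>[a-z0-9]+)_(?P<asset>[a-z]+)_(?P<name>[A-Za-z0-9-]+)$"
)


@dataclass(frozen=True)
class Alias:
    domain: str
    asset_type: str
    name: str


def parse_alias(alias_name: str) -> Alias:
    """Split an alias name into its fields, or raise ValueError with the reason."""
    m = ALIAS_RE.match(alias_name)
    if m is None:
        raise ValueError(f"{alias_name!r}: not of the form [Domain]_[Asset type]_[Name]")
    domain, asset, name = m.group("domain", "asset", "name")
    if domain not in DOMAINS:
        raise ValueError(f"{alias_name!r}: unknown domain {domain!r}")
    if asset not in ASSET_TYPES:
        raise ValueError(f"{alias_name!r}: unknown asset type {asset!r}")
    return Alias(domain, asset, name)


def lint_aliases(alias_names):
    """Return {alias: reason} for every alias name that violates the scheme."""
    problems = {}
    for n in alias_names:
        try:
            parse_alias(n)
        except ValueError as exc:
            problems[n] = str(exc)
    return problems


def check_nesting(nested):
    """Flag nested members whose asset type differs from the parent alias.

    `nested` maps a parent alias name to the alias names it contains; this is a
    simplified stand-in (an assumption) for nested aliases, not OPNsense's own
    data model. Returns a list of (parent, member, reason) tuples.
    """
    findings = []
    for parent, members in nested.items():
        p = parse_alias(parent)
        for member in members:
            m = parse_alias(member)
            if m.asset_type != p.asset_type:
                findings.append(
                    (parent, member, f"parent is {p.asset_type}, member is {m.asset_type}")
                )
    return findings


def rule_description(origin: str, target: str, service: str, action: str) -> str:
    """Build a description of the form [Origin] to [Target] [Service or App] [allow/deny]."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    return f"{origin} to {target} {service} {action}"


if __name__ == "__main__":
    # Constructed sample alias names; three deliberately violate the scheme.
    sample = ["web_port_https", "media_ip_plex", "p2p_port_torrent",
              "Plex_Ports", "web_host_nas", "lan_network_iot"]
    for alias, reason in lint_aliases(sample).items():
        print("BAD ", alias, "->", reason)
    # Constructed nesting: a port alias that wrongly contains an ip alias.
    nested = {"web_port_all": ["web_port_https", "media_ip_plex"]}
    for parent, member, why in check_nesting(nested):
        print("NEST", parent, "contains", member, ":", why)
    print(rule_description("lan", "media_ip_plex", "plex", "allow"))
```

Running the script prints one BAD line each for Plex_Ports, web_host_nas and lan_network_iot, one NEST line for the mixed-type nesting, and the generated rule description; the same checks can be run over an exported alias list before a config is applied.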

Hi binaryanomaly,

As I am new to OPNsense, I never thought about this topic.

A naming scheme for aliases makes sense when you will use a huge amount of aliases. In my small home use case I need only some aliases. All aliases I created start with an upper case character (they will appear before all system created aliases). I use P_ as a prefix for ports.

In my understanding rules "only" have descriptions (which you can use as a "name" with a scheme). I currently do not see any advantage in having a scheme in the rule description. You cannot sort the rule list. You can only use the browser "find" function. As for aliases, this makes sense only if you have many rules configured.

Creating groups for a single interface in my opinion only makes sense if you expect that you will create new interfaces in future to assign to this group. The only use case I can imagine is that many VLANs will be used. Because you can copy rules[1] from one interface/group to another interface/group, I see no real advantage in creating a group for every interface just "to be prepared". I would assume this approach will end in a lot of groups having only one interface.

In general my credo is "keep it small and simple" :)

Kind Regards,
Thomas

[1] Clone a rule and before saving you can change the interface the rule is assigned to. In the new interface/group you must edit and save the rule so you can apply it to the new interface.
Don't forget to [applaud] those offering time and brainpower to help you!

Thanks for your thoughts Thomas.

Using capital letters as a prefix seems like a good idea.

From my past experience aliases can grow quite quickly because of the numerous ports you need to open for quite some services. Using aliases makes it very simple to add/remove ports quickly from my experience.

As for firewall rules, you're right, it's the description only. I found that a meaningful description helps me to identify the desired rules after some time much quicker than if I have to look at every one in detail to identify the required one. But that's just my personal experience/preference.

This helps to keep it simple and efficient from my point of view.

I had 1:1 interface groups in the past. While it wasn't particularly helpful until I changed NICs once, it also wasn't really additional effort. I just want to understand if this is recommended as a general best practice of abstraction, similar to aliases.