Overview of rules and usage

Started by Mr. Happy, August 20, 2020, 04:32:36 PM

Is it possible to create an overview of the present firewall rules and how often they're used?

I like this idea, a complete report of each interface and what rules, no matter how it is created, so one can more easily follow what is going on... I still do not know why my Multi WAN is not working...

You mean something like, Firewall, Diagnostics, pfTop, Rules perhaps?

Bart...

What I meant was an overview of the firewall rules and the frequency they were used, and maybe a last-triggered time.


Sent from my HD1903 using Tapatalk


Hmm, it sounds like we should have a way to list not only explicit rules but also automatic rules in the overview of each interface. And while there, an "inspect" button to show statistics of said rules (bytes, packets, evaluations, states). Does that sound about right? ;)


Cheers,
Franco

Quote from: bartjsmit on August 21, 2020, 09:50:40 PM
You mean something like, Firewall, Diagnostics, pfTop, Rules perhaps?

Bart...

That is one more way of the Inspect button so to speak - but still it does not give the overall picture that I seem to need.

The thing is, when one (like I did) moves to Firewall Groups, and then Alias on top of that so to speak, then it gets hard (at least for me) to understand which rule actually comes first and why some rules (in my case the Multi WAN rules) never seem to fire. I am doing a lot of guesswork for the moment. And yes, I have a config (in a backup) that does have Multi WAN failover working (however that one has problems with my scanner/printer for some ugly reason, so I am back on my previous non Multi WAN failover setup for that specific reason).

I am trying to figure out how I would like this to be presented, so I can make some sort of contribution to this - however I am still not sure why, so I cannot recommend anything just yet. And I am on vacation also so....

Oh, and don't forget forward rules and anything else that seems to be included in the firewall rules evaluation...

Quote from: franco on August 22, 2020, 07:43:15 AM
Hmm, it sounds like we should have a way to list not only explicit rules but also automatic rules in the overview of each interface. And while there, an "inspect" button to show statistics of said rules (bytes, packets, evaluations, states). Does that sound about right? ;)


Cheers,
Franco
For me it does.
Would there also be a way to simulate the rules?

Sent from my HD1903 using Tapatalk


Both features exist in 20.7 today.

I'm not sure what "simulate" would mean. FreeBSD doesn't support the "match" keyword. pfSense uses it I think but since these changes never went mainstream FreeBSD we decided to remove it in OPNsense. With this you could tap the rule statistics without forcing a decision, but that is just a theory that has no real chance of having a field day in the foreseeable future.


Cheers,
Franco

What would be REALLY nice for newbs like me would be a "set rule for 1/5/permanent minutes" to allow a quick test without a long-term commitment or the hassle of having to physically get into the console and roll back if you lock yourself out.

Locking yourself out is very easy when trying to manage a device over a VPN connection or a VLAN.
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.
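The "apply for N minutes, then roll back unless confirmed" idea from the post above is a generic pattern (the same one behind Cisco's `reload in` and m0n0wall's timed rule tests). The script below is an added example, not code from the thread or from OPNsense: it wraps any apply/revert command pair in a watchdog that reverts after a timeout unless the operator creates a confirmation file. The function name `apply_with_rollback`, the timeout, the confirmation-file path and the `echo ... > state` commands are all placeholders for this demo; on a real firewall the apply and revert commands would load and restore a saved ruleset.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): apply a change now and
# automatically revert it after a timeout unless it has been confirmed.
#
# apply_with_rollback <seconds> <confirm-file> <apply-cmd> <revert-cmd>
#   1. removes any stale confirmation file
#   2. runs <apply-cmd> (the risky change, e.g. loading a new ruleset)
#   3. starts a background watchdog that sleeps <seconds> and then runs
#      <revert-cmd> if <confirm-file> still does not exist
#   Prints the watchdog PID so the operator can kill it if desired.
# The operator confirms simply by creating <confirm-file> before the timeout,
# which they can only do if they still have access after the change.
apply_with_rollback() {
    secs="$1"; confirm="$2"; apply="$3"; revert="$4"
    rm -f "$confirm"
    sh -c "$apply" || return 1
    (
        sleep "$secs"
        if [ ! -e "$confirm" ]; then
            sh -c "$revert"
        fi
    ) >/dev/null 2>&1 &
    echo $!
}

# confirm_change <confirm-file>: tell the watchdog the change is good.
confirm_change() {
    : > "$1"
}

# Offline demo with placeholder commands: a "state" file stands in for the
# live ruleset. Run this script and inspect $demo/state after a few seconds.
demo_dir=$(mktemp -d)
watchdog=$(apply_with_rollback 1 "$demo_dir/ok" \
    "echo new > $demo_dir/state" "echo old > $demo_dir/state")
echo "watchdog pid $watchdog, state file $demo_dir/state"
```

Usage on a real box is the same shape: pass the command that loads the new rules as the apply command, the command that restores the previous rules as the revert command, and touch the confirmation file from a shell session opened after the change to prove you are not locked out.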

The statistics are kind of nice, but what I'm looking for is some kind of debug possibility.
I.e. I've created a rule that is supposed to work, but it is evaluated over 2000 times but never triggered.
The rule consists of an alias (for now with 1 IP address) which is blocked from accessing another alias (for now with 1 IP address).
If there were some kind of debug logging which shows what rules are evaluated and why they are discarded, and finally why it acts on the last one, that would be great.
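The per-rule counters Franco describes above (evaluations, packets, bytes, states) are the ones pf itself keeps and prints with `pfctl -vvsr`, and the situation in this post (a rule evaluated 2000+ times, never matched) shows up there as Evaluations > 0 with Packets = 0. The script below is an added example, not from the thread or from OPNsense: it parses `pfctl -vvsr`-style output and lists the rules that were consulted but never matched, which is the short list worth re-checking (alias contents, direction, interface, quick/order). The embedded sample output is constructed to mimic pfctl's format; the rule labels, interface names `igb0`/`igb1`, alias names and the function names `pf_rule_counters` / `pf_never_matched` are all assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): summarise pf rule
# counters from `pfctl -vvsr` output and flag rules evaluated but never matched.
# The sample below is constructed to look like pfctl -vvsr output.
SAMPLE_PFCTL_OUTPUT='@0 block drop in log all label "Default deny rule"
  [ Evaluations: 5120      Packets: 42        Bytes: 3360        States: 0     ]
  [ Inserted: uid 0 pid 1001 State Creations: 0     ]
@1 pass in quick on igb0 inet from <lan_hosts> to <blocked_hosts> flags S/SA keep state label "rule_block_alias"
  [ Evaluations: 2031      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1001 State Creations: 0     ]
@2 pass out quick on igb1 inet all flags S/SA keep state label "wan_gw_out"
  [ Evaluations: 980       Packets: 15200     Bytes: 9876543     States: 12    ]
  [ Inserted: uid 0 pid 1001 State Creations: 37    ]'

# pf_rule_counters: reads pfctl -vvsr text on stdin and prints one line per
# rule in the form "<rule-number> <evaluations> <packets> <states> <label>".
pf_rule_counters() {
    awk '
        /^@[0-9]+ / {
            # rule header: remember the @N number and the label "..." text
            num = substr($1, 2)
            label = ""
            if (match($0, /label "[^"]*"/)) {
                label = substr($0, RSTART + 7, RLENGTH - 8)
            }
            next
        }
        /Evaluations:/ {
            # counter line: pick the value that follows each keyword
            evals = ""; pkts = ""; states = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") evals = $(i + 1)
                if ($i == "Packets:")     pkts = $(i + 1)
                if ($i == "States:")      states = $(i + 1)
            }
            printf "%s %s %s %s %s\n", num, evals, pkts, states, label
        }
    '
}

# pf_never_matched: rules pf consulted at least once that never passed or
# blocked a packet. A high evaluation count with zero packets usually means
# the rule is reached but its match criteria (alias members, direction,
# interface, protocol) never fit the traffic being debugged.
pf_never_matched() {
    pf_rule_counters | awk '$2 > 0 && $3 == 0 { print }'
}

# Wrappers over the constructed sample so the script runs offline; on a real
# firewall pipe `pfctl -vvsr` into pf_rule_counters or pf_never_matched.
sample_counters() { printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | pf_rule_counters; }
sample_never_matched() { printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | pf_never_matched; }

echo "rules evaluated but never matched (number evals packets states label):"
sample_never_matched
```

Counters accumulate since the ruleset was last loaded, so for a quick test reset them (`pfctl -z` zeroes the counters) before generating the traffic in question, then compare the before/after output.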

@Xelas good point, I know cisco does and monowall had this feature, similar to display settings in Windows where change is reverted if not confirmed working (presumably because you're locked out).

@Mr. Happy: I would have considered the statistics a very good debugging tool, but you seem to be asking for kernel code tracing instead. It's probably not something that can be included in a sensible way.


Cheers,
Franco

@franco,
For my previously mentioned problem I will start a new thread.
The statistics help, but it would be nice to have a possibility to log (for a short period of time) the rules it passed and (maybe?) on what it tried to match and why it didn't match. Until it finds the last rule on which it matches.
(Sort of an enhancement of the 'Detailed rule info'?)