Rule Separators

Started by GreG.P., April 18, 2016, 04:23:49 PM

Sure, we can do that. There are enough ideas around as well. I just want everyone to understand that business wise it doesn't make sense to sink more time into the static PHP pages that makes the required transition to MVC/API even harder than it already is. Most of these conversion efforts are self-funded based on direct need.


Cheers,
Franco

Quote from: franco on August 13, 2024, 01:25:07 PM
> Sure, we can do that. There are enough ideas around as well. I just want everyone to understand that business wise it doesn't make sense to sink more time into the static PHP pages that makes the required transition to MVC/API even harder than it already is.

Absolutely!

Looking forward to finally meeting in person.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: franco on August 13, 2024, 12:37:19 PM
> but still professionally we do fortinet for the better firewall rule UI.

And the incentive to make it happen here is what?

We did discuss in the meeting but the bottom line is it won't help us overcomplicate the situation in static firewall pages that still need an MVC migration. Categories are flexible enough. Building containers from categories would actually put more restrictions on categories in terms of rule location and overlapping use.


Cheers,
Franco

The incentive would be making opnsense better? I don't understand that question.

Still I do understand not wanting to do it in the old firewall UI code - is a migration to MVC planned?

> The incentive would be making opnsense better? I don't understand that question.

Better for who? You? :)

> Still I do understand not wanting to do it in the old firewall UI code - is a migration to MVC planned?

Not fixed in time yet, but working on the firewall end probably 40% carried through by now with most of the easier migrations elsewhere already done in the last decade. The roadmap will likely feature one more firewall page conversion


Cheers,
Franco

Sorry to revive this topic after such a long time, just to give you one example - currently two companies are in the process of choosing a new edge firewall (with paid support) and usability is very important to them. I am pushing them towards opnsense, but rule separators are the thing they want because their firewalls have hundreds of rules and, in their opinion, visibility is so much better with separators in pfsense than categories in opnsense. Their 2 cents, not mine :)

Corporate decisions are an eternal uphill battle. Use what fits the bill, because there is little leeway in checklists and arbitrary requirements.

From experience there is always "just one little thing" someone needs to make the switch to OPNsense and otherwise cannot.


Cheers,
Franco

Once again, those "companies" could just use the Groups feature to do the visualization and segregation for rules.

If they have so many rules they would need to use groups anyway, to either:
A. create Policies
B. create ZONEs

Otherwise a large ruleset is unmanageable.

+ as well use categories

I use both and my ruleset is not small...

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Plus if you have one big setup you probably have more than one firewall so OPNcentral could be helpful managing that. I'm unsure how others are doing with their "early look" here before it's buried in some cloud. On premise central management seems like a no-brainer.  ;)


Cheers,
Franco

If you want to make something possible, you look for a way to go.
If you want to block something, you look for reasons (good or bad).

Such a fuss for avoiding these few lines of code? After all these years? I can't believe it. And still miss the separators.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

If you don't mind me being frank to your strawman: we do not want to introduce a suboptimal feature that will get bugfixes for years because it's not a good technical solution to a problem that doesn't even exist in the grand scheme of things.

I think I've said so before. Nothing has changed here.


Cheers,
Franco

There have been so many suboptimal decisions over the years, later reverted. The rule separators wouldn't be in that line ;-)
kind regards
chemlud

As I've just found this topic - just wanted to give my opinion:

First of all => I know the pain of running Open-Source projects. Time and other resources can be very limited.
Thank you for providing this nice product :D
Even if this is not a feature for the 'old' UI => it could be beneficial for the new MVP-based components.

But this is also still an issue for us today.
Sadly the interface-groups mentioned in the topic https://forum.opnsense.org/index.php?topic=42177 are not really the answer to this problem :/

Mainly we have these issues with large(r) rulesets (100+ rules):
* We have no visual separators between 'chains' of rules
  * This can lead to possible misconfiguration issues when working in a team of admins (as a separate ruleset documentation might be necessary)
  * Optimally such rule-groups could be opened and closed (accordion/spoiler-like) so the user would have a better overview
* It is easy to overlook some misconfigured rule inside this large 'block'
* Off topic: Simulating traffic over the ruleset (automated regression tests) can only be done by sending the actual traffic and analyzing the logs (as I can allocate some time I might write an open-source tool for running such simulations)

We currently periodically export the config of the firewall, convert the XML-rules to CSV and then analyze the ruleset in Python and/or Google Sheets to get an overview and check for regressions/misconfigurations :(  (see backup-to-rule-csv script: https://gist.github.com/NiceRath/54ead58ae29bd67e680edc1767578e06)

Just as a reference => I've really loved the administration of Barracuda Firewalls as we were able to cleanly separate them into sub-groups. There they used chains to also logically separate these groups of rules, but the visual separation is also a big part of it.
Web: www.OXL.at

Checkout the Ansible-OPNsense-Collection I maintain: https://github.com/O-X-L/ansible-opnsense
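
A minimal sketch of the export-and-compare check described in the post above, added here as an illustration; it is not the linked gist and not OPNsense code. The `<filter><rule>` layout, the field names and both sample exports are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports. Assumed layout: <opnsense><filter><rule uuid="...">.
OLD_XML = (
    '<opnsense><filter><rule uuid="a1"><type>pass</type><interface>lan</interface>'
    '<protocol>tcp</protocol><source><network>lan</network></source>'
    '<destination><any>1</any><port>443</port></destination>'
    '<category>web</category><descr>LAN to HTTPS</descr></rule>'
    '<rule uuid="b2"><type>block</type><interface>lan</interface><source><any>1</any>'
    '</source><destination><network>dmz</network></destination>'
    '<category>dmz</category><descr>Deny LAN to DMZ</descr></rule></filter></opnsense>')
# Later export: b2 flipped from block to pass, and an unlabelled rule c3 appended.
NEW_XML = OLD_XML.replace("<type>block</type>", "<type>pass</type>").replace(
    "</filter>", '<rule uuid="c3"><type>pass</type><interface>wan</interface>'
    "<source><any>1</any></source><destination><any>1</any></destination></rule></filter>")
TEXT_FIELDS = ("type", "interface", "protocol", "category", "descr")

def endpoint(rule, tag):
    """Flatten <source>/<destination> to 'addr[:port]'; 'any' when unspecified."""
    addr = rule.findtext(f"{tag}/network") or rule.findtext(f"{tag}/address") or "any"
    port = rule.findtext(f"{tag}/port")
    return f"{addr}:{port}" if port else addr

def load_rules(xml_text):
    """Return one dict per rule; 'seq' records the position in the ordered ruleset."""
    rows = []
    for seq, rule in enumerate(ET.fromstring(xml_text).iterfind("./filter/rule"), 1):
        row = {"seq": seq, "uuid": rule.get("uuid", ""),
               "disabled": rule.find("disabled") is not None,
               "source": endpoint(rule, "source"),
               "destination": endpoint(rule, "destination")}
        row.update({f: rule.findtext(f, "") for f in TEXT_FIELDS})
        rows.append(row)
    return rows

def audit(old_rows, new_rows):
    """Compare two exports by rule uuid; a moved rule shows up as 'changed:seq'."""
    old = {r["uuid"]: r for r in old_rows}
    new = {r["uuid"]: r for r in new_rows}
    findings = [("removed", u) for u in old if u not in new]
    for uuid, row in new.items():
        if uuid not in old:
            findings.append(("added", uuid))
        elif row != old[uuid]:
            diff = ",".join(k for k in row if row[k] != old[uuid][k])
            findings.append(("changed:" + diff, uuid))
        if not row["category"]:
            findings.append(("uncategorized", uuid))
    return findings

if __name__ == "__main__":
    print(audit(load_rules(OLD_XML), load_rules(NEW_XML)))
```

Run against two real exports, the findings list is what a reviewer would check before accepting a ruleset change: any action flip, reorder, or rule without a category.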

Why do you need visual separators between rules if you can put them into categories and then select the category you want to display?
Hardware:
DEC740

Quote from: Monviech (Cedrik) on July 28, 2025, 10:31:35 PM
> Why do you need visual separators between rules if you can put them into categories and then select the category you want to display?

My question as well. Perhaps it is to stick a banner in the user's face. But given that rules are ordered, I see any hierarchy built using separators to be functionally deceptive, unless the rule configuration is designed for such. (Of course, a functional hierarchy could be built through configuration discipline.)

Perhaps have a pop-up banner option for categories, e.g. add a "Category" column to the rule display, and pop a floaty message when hovered over (if configured). The banner/message can be statically displayed when the rules are displayed by Category (in addition to the floaty hover message).

Note that I have never used categories, etc., so I may have completely whiffed the concept.

I would love to have a hierarchical tree view with rule groups that can be collapsed and expanded like in Windows Explorer. Sidewinder had that.

If I don't get that, I don't really care if it's categories or separators or none of them - the gold standard is hierarchical rule groups.

Why? Because you could reorder entire groups. You could enable or disable entire groups.

OPNsense is perfectly OK. IMHO don't bother with separators but think about if it is conceivable to implement the real thing.


Kind regards,
Patrick