Rule Separators

Started by GreG.P., April 18, 2016, 04:23:49 PM

@chropnsense
no trouble )

draft is ready.
https://github.com/kulikov-a/rules/issues/2#issuecomment-1027656562

very interested in a speed assessment by guys with "tons of rules")

Hi,

I'm planning to migrate from pfsense to OPNsense.

I know this is an old topic, and I don't want to upset anyone, but I do have a question regarding this topic.
Me too, I would love to see some kind of separation, segregation between blocks of rules within an interface or group. Besides using that a lot in my pfsense, also in my professional life, all firewalls I worked with (Fortinet, Checkpoint, Fortinet, Juniper, ...) have one way or another to separate or group blocks of rules.

I already read that the OPNsense developers are unlikely to implement rule separation headers like in pfsense. I can understand most of the points they raised about this, but....

It seems to me, it is already possible (in a way)? Because I see exactly that, when looking at the line "Automatically generated rules"... it has all I would like:
- a set of rules grouped together
- can be collapsed/expanded

https://imgur.com/a/OKY2jYg

Is it not possible to open up that feature for when we add rules ourselves?


If it's just about collapse you can try categories

Quote from: mimugmail on May 26, 2023, 08:28:46 PM
If it's just about collapse you can try categories

I tried that, but it is different ... how do I explain .... categories do not enforce or are not "inline" with the order of the rules. If you know what I mean?

I know what you mean. I for myself accepted, whether in closed or open source, you don't get every wish/feature implemented :)

Just wanted to say, that I'm about to embark on 170+ OPNsense installs each with lots of rules and this feature is sorely missing.

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Completely agree with "Anything that improves the readability and maintainability of firewall rules is not in fact 'non-functional' ".  It's the same reason the "automatically generated" rules are collapsed and out of view.  You just don't want to see those most of the time, but still need them.  I moved from pfsense in the last year, and love OPNsense, but honestly, I miss this ONE feature a lot.  It's just the pure organization visually, and ability to quickly find sections to make adjustments.

In the meantime I just create a disabled "fake rule" with a recognizable comment separator such as:

****************************** Rules for routing clients to VPN ********************************

and put those rules below it.  The only downside is that it's not collapsible.  I hope this can be available some day in the future, but completely understand that resources are limited.

Thanks for all the hard work on OPNsense.

> Completely agree with "Anything that improves the readability and maintainability of firewall rules is not in fact 'non-functional' ".

Disagree. These are non-functional rules and to this day pfSense usually fixes some rule-separator-related bug in the GUI. Here's one just recently https://github.com/pfsense/pfsense/commit/e0a827cffc5 and I don't think dealing with constant fallout of cosmetics is worth it.

> It's the same reason the "automatically generated" rules are collapsed and out of view. You just don't want to see those most of the time, but still need them.

Kind of a bad example because we wrote that. The previous pfSense behaviour was not to show these rules at all. pfSense may have solved this nowadays, but I have no interest to double-check.

> I moved from pfsense in the last year, and love OPNsense, but honestly, I miss this ONE feature a lot.

One of the recurring feature request themes is exactly this: I moved but I really only need this one feature. I'm afraid this doesn't work out all the time. IMO you should switch because the bulk of the features is better, not because you liked the old wallpaper so much you want to bring it over to your new home.

Please remember, I'm not trying to be unfriendly. I merely want to share our side of the picture, because I feel it gets lost in the excitement and disappointment over trying something new.


Cheers,
Franco

Collapsible and expandable groups would be fantastic, IMHO. Double bonus points for enabling/disabling and reordering entire groups. Triple bonus for hierarchical groups  ;D

Sidewinder had that and it is just awesome with very large rulesets.

Maybe after everything else is moved to MVC? Not going to file a feature request right now, I get your point.

My point is: separators are not nearly enough. Either groups or just live without.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

> Please remember, I'm not trying to be unfriendly. I merely want to share our side of the picture, because I feel it gets lost in the excitement and disappointment over trying something new.

Understand, and get it.  No unfriendlies taken at any time.  I also want to clarify that I didn't say "I moved and NEED this one thing", I simply said I really miss it.  ;)  Hearing the Dev side of it I can see why time hasn't been burnt on it, so thanks for sharing that.  But I still miss it.  :)

Regards and best


I'll try to pass on the collapsible container idea for the categories in today's meeting. There are a couple of challenges regarding this but let's see what the consensus is.


Cheers,
Franco

Quote from: fuskadoo on August 05, 2024, 09:38:19 AM
> Please remember, I'm not trying to be unfriendly. I merely want to share our side of the picture, because I feel it gets lost in the excitement and disappointment over trying something new.

Understand, and get it.  No unfriendlies taken at any time.  I also want to clarify that I didn't say "I moved and NEED this one thing", I simply said I really miss it.  ;)  Hearing the Dev side of it I can see why time hasn't been burnt on it, so thanks for sharing that.  But I still miss it.  :)

Regards and best

Most firewalls have pretty much the same feature set, the main differentiator for me is price and UI.
Now opnsense has a few additional features, and it is cheap, but still professionally we do fortinet for the better firewall rule UI.
IMO an opnsense ruleset with more than 20 rules is well on the way to be pretty much unmanageable.

> but still professionally we do fortinet for the better firewall rule UI.

And the incentive to make it happen here is what?

We did discuss in the meeting but the bottom line is it won't help us overcomplicate the situation in static firewall pages that still need an MVC migration. Categories are flexible enough. Building containers from categories would actually put more restrictions on categories in terms of rule location and overlapping use.


Cheers,
Franco

Want a demo of the Sidewinder UI in Dublin?