Rule Separators

[GreG.P.]

Hi, there is some indispensable options in firewall rules and NAT rules interface: Separators and object drag and drop.
Something Like this https://redmine.pfsense.org/issues/5373 but with regroup rules below each inserted separators.

One more essential option is regarding the objects (alias) database, an quick dynamic menu access to the objects (alias) in the same rules page configuration will be really appreciated and the drag&drop function to copy and paste an object (alias) from one rule to another rule.

Thanks.

[franco]

Hi PsykoGreG,

Are you looking for this? https://docs.opnsense.org/manual/how-tos/fwcategory.html

What do you mean by quick dynamic menu access in the same rules page?


Cheers,
Franco

[GreG.P.]

Hi Franco,

I see this category to filter rules, there are indexed on the description field or rule name?

I do a screen shot to exactly show you all interesting options.

Regards,
GreG

[GreG.P.]

Red : The dynamic Objects (alias) menu with the first field that's permit to sort the list of objects dynamically by typing first characters of objects (alias).
Second red circle permit to filter the category of objects (alias) to view only these in the objects menu in the left. For example: machines, network, protocols, ports, groups, .. objects.
And the last red circle permit to create directly an object (alias) or a group of objects from this menu without exit the filter rules page.
Dark Blue : Search field that permit to filter dynamically the rules view (I think like the OPNsense "Filter by category" option)
Pink circles : There are drag and drop fields object. Can be drag&drop between rules or from the objects menu in the left side.
Green : This is Separator rule (with custom colours) that permit to regroup all rules until the next separator and indicate the number of contained rules in the separator.

[m2nis]

Hello,

Sorry to reopen this topic, but I must admit that, when you come from Pfs, these separators are really missing in the firewall rules. They are simple but really great to explain the rules and separate them. Any chance to have it one day ?

Have a good day.

[franco]

There are no plans to add any non-functional abstractions to the rule listing.


Cheers,
Franco

[m2nis]

Sad but... perfectly clear. 

Thank's for your reply.

[RGijsen]

+1 for me though too. 'We won't' is a bit of a sad answer honestly. We are currently migrating to OPNsense (and the reason is pure ideological), and really the rule-list look like a long mess in OPNsense. The ability to put some descriptive lines in there like 'Exchange', 'RD Servers' and such is a real addition. They are certainly not non-functional. Network wise they may be, but it's certainly functional to us.

Everyone has their own believes, but we think it's really useful. For example we used red seperators when we had rules we had to review later on.

[chemlud]

+1...

[Sopor]

I'm also an old pfsense user and that separator was really really nice. When you have many entries it will be so much easier if it is possible to separate them. I really hope the devs reconsidering this and add a separator or at least something similar.

[ole]

I'm also an old pfsense user and that separator was really really nice. When you have many entries it will be so much easier if it is possible to separate them. I really hope the devs reconsidering this and add a separator or at least something similar.

+1

[ninjax]

+2

[chemlud]

...I would chip in 50.- Euros for this feature. Anyone? 

[Gcon]

There are no plans to add any non-functional abstractions to the rule listing.


Cheers,
Franco

Anything that improves the readabiity and maintainability of firewall rules is not in fact "non-functional". Rule seperators and/or groupings serve a very important function, at least from a human perspective (and the web GUI is, by its very nature created for humans to use). In my 25+ years in networking I've worked on Checkpoint, Fortinet, Netscreen and Juniper firewalls for national Internet Service Providers and guess what?! - they all have rule seperation/grouping. It's far from being a pfSense thing - it's an industry-wide thing.

pFsense's approach is OK - better than nothing - but even that could do with some improvement. Individual filter rules should be programatically linked to the categories they fall within, and ideally have the ability to toggle collapsing of groups, reorder groups (drag and drop) and toggle group rules on and off. Basically, they act as "first-class citizens" in the whole scheme of things. This is one thing that seperates the commercial enterprise firewall offerings from more hobbyist/enthusiast ones.

As a bare minimum though, there should be text seperators to visually indicate logical groupings of rules. This lack of functionality is one of the main reasons why I conitnue to favour pfSense over OPNsense.

This issue makes me think of the late 90's novel by Allan Cooper entitled, "The Inmates Are Running the Asylum", which details how programmers ruin interface design by thinking that they know what's best for the end-user (and to no-one's surprise, they don't)

+1

[bdl]

+1