Firewall rules, How do we see what changed?

[alsoeric]

Why see what change in the firewall rules. I had a fumble fingers moment thinking I was typing in a text field but instead I was typing with focus on the firewall rules. Screen flashed,  I got the message that the firewall rules have changed but I have no idea what changed and in what rule.

How do I figure out what changed?

There really needs to be a "discard changes" option.

[tiermutter]

System/Configuration/History

Powerful tool

[alsoeric]

Yes, that is very powerful but it doesn't show what the staged changes are. It only shows the changes in the last time I explicitly made a change which was October 25.

[tiermutter]

By default it tracks about 100 changes, for me it reaches to Sept. 6th.
For sure you can see exactly what changes are made by selecting two backups to compare, e.g.

Code: [Select]

       </created>
     </rule>
     <rule>
+      <type>reject</type>
+      <interface>opt2</interface>
+      <ipprotocol>inet46</ipprotocol>
+      <statetype>keep state</statetype>
+      <descr>Reject hardcoded DoT-DNS access</descr>
+      <direction>in</direction>
+      <category>DNS block_redirect</category>
+      <log>1</log>
+      <quick>1</quick>
+      <protocol>tcp</protocol>
       <source>
         <any>1</any>
       </source>
+      <destination>
+        <network>lanip</network>
+        <not>1</not>
+        <port>853</port>
+      </destination>

[Patrick M. Hausen]

He's asking about staged and not yet applied. These are not in the saved configuration history, are they?

[tiermutter]

Maybe I don't understand, sorry...
Changing / adding / deleting a rule is also saved in history, even if "apply changes" is not hit.

[Patrick M. Hausen]

Thanks. I did not know and certainly not expect that. Thought they were kept in memory and only written out at "apply". What happens when you change things, don't apply, then reboot?

[tiermutter]

What happens when you change things, don't apply, then reboot?

Tested with a testing VM (22.7.6) something happens that I really didn't expect:
Created a FW rule, saved, did not apply but reboot, the rule is set as if I hit the "apply changes" button. 

I would have expected that nothing changes after reboot (rule is still not applied).

[Patrick M. Hausen]

So

• changes are written immediately.
• the "apply" button just reloads the active pf ruleset

That is at least consistent with other subsystems. I wonder if there might ve a UI improvement making this more evident. Not quite sure, yet.

[Helle]

I have been in the same situation applying "something" by mistake and looking for an undo or revert or so but it seems to be implied that changes are committed or staged for next reboot (whatever those changes was).

I wish there were a preview were staged changes would be presented and an option to discard those changes.

On the other hand, such behavior is mostly useful on firewalls that takes a rather long time to commit changes and all changes are committed in bulk.

Opnsense has "apply buttons" everywhere and a more direct approach for "commits"

I still think this could need a more practical gui experience..

(Just my 2c)

//Helle

[Helle]

A way to name configurations and revert back to an older *local* config (or just the previous config) would also be nice.

Of course that can be done with exporting but to have a few local configs to revert to is super nice imho

(just some more thoughts while discussing the subject)

[Ricardo]

So

• changes are written immediately.
• the "apply" button just reloads the active pf ruleset

That is at least consistent with other subsystems. I wonder if there might ve a UI improvement making this more evident. Not quite sure, yet.

It is alarming and concerning, if such Hero tier members are not clear how the literally most basic function of this firewall product works. Guess how clear it may be for complete beginners.

[chemlud]

OMG, that's the standard behaviour since I use these senses. Change something, sometimes a "Save" is needed, then "Apply" to make it work (reload module with new set of instructions) and a reboot is like pressing "Apply". Nothing new here...