Author Topic: Default / Hidden rules (Read 1279 times)

southman · « **on:** July 09, 2016, 03:04:30 pm »

Where/how can I view (show) the default/hidden rules? I have searched high and low. Am I missing it?

-M

phoenix · « **Reply #1 on:** July 09, 2016, 04:37:23 pm »

Which hidden rules are you talking about and how do you know about them if they're hidden?

Surely all the rules are listed on each of the relevant UI pages (including the disabled ones) or am I missing something?

southman · « **Reply #2 on:** July 09, 2016, 08:05:17 pm »

Because it's s fork.....| | |
|_|_|
|
|
|

-M

weust · « **Reply #3 on:** July 09, 2016, 10:09:48 pm »

southman · « **Reply #4 on:** July 09, 2016, 10:33:20 pm »

What are the "hidden rules" installed when the "default settings are applied" ? Doesn't a "default" install of OPNsense default install with "default/hidden" rules?

If it does, what is that rule set, and how/where can I view them?

weust · « **Reply #5 on:** July 09, 2016, 11:37:55 pm »

No idea, but why would it have hidden rules and which kind of rules would these be?
You seem to have the idea there are hidden rules in all firewall/routers?

southman · « **Reply #6 on:** July 10, 2016, 12:56:22 am »

I am not looking to pick a fight here. It's really pretty simple, opnsense either uses hidden/default rules or it doesn't (neither good or bad). For my own personal edification, it is something I would like to know.

It is not uncommon for firewalls to use this type of architecture. Since opnsense is a fork of pfsense it would make sense that was carries over into opnsense.

All I am asking for is a simple confirmation or denial, and if they are using default/hidden rules, what are they?

AdSchellevis · « **Reply #7 on:** July 10, 2016, 02:30:40 pm »

Hi,

Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simply our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.

The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read the /tmp/rules.debug file.

Best regards,

Ad

mibtac · « **Reply #8 on:** July 12, 2016, 05:34:49 am »

You can also simply go to the shell and use the PF tools to inspect the rules in detail. For example, pfctl -sr will show you the currently loaded rules. The rules in PF are quite a bit easier to read than, say, in Linux iptables.

This is one big advantage of an open solution: You can dig as deep as you like and see exactly what's going on.

Author Topic: Default / Hidden rules (Read 1279 times)

southman

Default / Hidden rules

phoenix

Re: Default / Hidden rules

southman

Re: Default / Hidden rules

weust

Re: Default / Hidden rules

southman

Re: Default / Hidden rules

weust

Re: Default / Hidden rules

southman

Re: Default / Hidden rules

AdSchellevis

Re: Default / Hidden rules

mibtac

Re: Default / Hidden rules