Default / Hidden rules

[southman]

Where/how can I view (show) the default/hidden rules?  I have searched high and low.  Am I missing it?

-M

[phoenix]

Which hidden rules are you talking about and how do you know about them if they're hidden?  Surely all the rules are listed on each of the relevant UI pages (including the disabled ones) or am I missing something?

[southman]

Because it's s fork.....|  | |
                               |_|_|   
                                  |
                                  |
                                  |

-M

[weust]

Wut?

[southman]

What are the "hidden rules" installed when the "default settings are applied" ? Doesn't a "default" install of OPNsense default install with "default/hidden" rules?

If it does, what is that rule set, and how/where can I view them?

[weust]

No idea, but why would it have hidden rules and which kind of rules would these be?
You seem to have the idea there are hidden rules in all firewall/routers?

[southman]

I am not looking to pick a fight here.  It's really pretty simple, opnsense either uses hidden/default rules or it doesn't (neither good or bad).  For my own personal edification, it is something I would like to know. 

It is not uncommon for firewalls to use this type of architecture.  Since opnsense is a fork of pfsense it would make sense that was carries over into opnsense. 

All I am asking for is a simple confirmation or denial, and if they are using default/hidden rules, what are they?

[AdSchellevis]

Hi,

Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simply our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.

The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read  the /tmp/rules.debug file.

Best regards,

Ad

[mibtac]

You can also simply go to the shell and use the PF tools to inspect the rules in detail. For example, pfctl -sr will show you the currently loaded rules. The rules in PF are quite a bit easier to read than, say, in Linux iptables.

This is one big advantage of an open solution: You can dig as deep as you like and see exactly what's going on. 

[pvols1979]

Hi,

Yes, there are default rules which are not visible in the UI, the source of the defaults is filter.inc (https://github.com/opnsense/core/blob/master/src/etc/inc/filter.inc).
Eventually we are going to restructure the auto-generated rules to make these defaults visible and simply our filter generation (https://github.com/opnsense/core/issues/993), which will very likely mature in our 17.1 release.

The easiest way to inspect which rules are actually generated for your setup (some rules are optional) is to read  the /tmp/rules.debug file.

Best regards,

Ad

Is this still something that is being considered?  I would love to see the default rules.  I have some that are taking actions on traffic and I am having a hard time understanding the intent.

[AdSchellevis]

Just install 19.7  'Jazzy Jaguar'

From the road-map (https://opnsense.org/about/road-map/):

Firewall insights in generated rules

Best regards,

Ad