Organizing large Floting Ruleset

[OXL-Rath]

Greetings!

First of all - thank you for the great product :D Really love it so far.

I've encountered a customer that has the need for 200+ floating rules.

This is because there are many VLANs and most rules need to be enabled for multiple interfaces.

The abstracted ruleset looks like this:

* Public Security Filters (Blacklists, Countries)
* Public MGMT Rules
* Public Services (NAT)
* Public DENY any
* Access of Untrusted Networks
* Untrusted DENY any
* Intern to Internet Filters (Blacklists, ...)
* Intern to Internet Rules
* Intern to Internet DENY any
* Intern to Intern Rules

This works, but it gets a little messy as there is no clear separation between those sections.

Is there any way of creating sections? Like the one used for 'Automatically generated rules'? I have not found any documentation regarding it :(  https://docs.opnsense.org/manual/firewall.html
What would be even better - adding custom chains. (src/dest match to jump to custom chain and return afterwards)

I've been using the custom chains of Barracuda CloudGen Firewall's - as they are a game changer for complex rulesets..

[doktornotor]

Maybe use the Firewall - Categories and the filtering feature in top right corner in the firewall rules list?

[OXL-Rath]

Yeah - would be possible. But that's an extra attribute per rule that needs to be maintained.
As there is already a section feature in use by the 'Automatically generated rules' I though there may be a way to utilize it for other rules  ;)

Even PFSense has something like that: https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#rule-separators

[bimbar]

At the moment there is no good way to do this, but check out https://forum.opnsense.org/index.php?topic=2851.0

[franco]

> Even PFSense has something like that

Bold strategy.  :)


Cheers,
Franco

[Seimus]

Looks like the rule separator outcry will never stop :D


Anyway, groups is the way to go, when you implement groups not only it makes management of the rules sets easier (cause yes you can create a group and look at it as a rule set), but when you assign it to an "Interface"; it will give you expandable field per that assigned interface.

I find this very usefully, and when you have a lot of VLANs where those VLANs have similar configurations such as DNS, DHCP, Internet access etc. using this is just a blessing. However, you can not have them colored :D; anyway > categories.

Regards,
S.

[doktornotor]

Yeah - would be possible. But that's an extra attribute per rule that needs to be maintained.
...
Even PFSense has something like that: https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#rule-separators

Yeah, they keep breaking all the time since - guess what - they are not tied to any rules.

[OXL-Rath]

The interface groups https://docs.opnsense.org/manual/firewall_groups.html are pretty much the feature I was looking for - thank you for informing me  ;D

[ansibleguy]

BTW: I'm just processing a PR to allow Ansible-management of those  :)
https://github.com/ansibleguy/collection_opnsense/pull/84

[OXL-Rath]

> Even PFSense has something like that

Bold strategy.  :)


Cheers,
Franco

Just as a reference... (;

[franco]

Just as a reference... (;

No worries. It's just funny a long long time ago we were "just a pretty GUI" now pfSense is "rule separators and pfBlockerNG".


Cheers,
Franco

[bimbar]

Still, there is a need for better visual organisation of firewall rules.

I have always maintained that only an easily understood firewall ruleset is a secure one.

[franco]

I'm sure you have good reasons for your policy. The main factor in your reasoning is that we've always listened to the users not agreeing with you on that and chose OPNsense as their firewall solution.


Cheers,
Franco