How to place a rule before the automatically generated?

Started by Zorgoban, May 02, 2025, 11:51:44 AM

Good day!

I'm confused by the order of the rules. The default deny rule should be the last one on any firewall. But for some reason I don't seem to be able to place a rule in front of the default deny rule. Also the automatically generated rules don't seem to be in the proper order. Some automatically generated pass rules are placed behind the default deny rule.

So how am I supposed to place a rule before the default deny rule?

Many Greetings!
Zorgoban

Rules are either "quick" or not. You can tell by the small lightning symbol in the rule view. Quick rules are applied in order, and rule processing is terminated after the first match. Non-quick ones are applied after all quick rules. So the default deny rule really comes last.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello Patrick!

Thanks for the answer!

I really didn't understand the explanation of the quick option. I also don't understand why this quick concept exists. Wouldn't it be much more intuitive to just have a rule ordering in place like any other firewall does?

Many Greetings!
Zorgoban

Did you have a look at this part of the docs?

https://docs.opnsense.org/manual/firewall.html#processing-order

Quote:
Rules can either be set to quick or not set to quick, the default is to use quick. When set to quick, the rule is handled on "first match" basis, which means that the first rule matching the packet will take precedence over rules following in sequence.

When quick is not set, last match wins. This can be useful for rules which define standard behaviour. Our default deny rule uses this property for example (if no rule applies, drop traffic).
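To make the quoted processing order concrete, here is an added example (not from the OPNsense docs or from either poster): a small Python simulator of pf-style rule evaluation, run over a constructed ruleset ordered the way OPNsense displays it, with the non-quick default deny at the top. The Rule and Packet types, the labels, and the 192.0.2.0/24 and 203.0.113.0/24 addresses are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    quick: bool                  # True: first match wins, processing stops
    src: str = "any"             # source CIDR, or "any"
    dport: Optional[int] = None  # destination port, None matches any port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pf-style evaluation: walk the rules top to bottom, remember the last
    matching rule, and stop at the first matching rule that has quick set.
    Returns (action, label) of the winning rule."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break  # quick: no later rule can override this decision
    if winner is None:
        # With no matching rule at all, pf lets the packet through; that is
        # why OPNsense installs its own non-quick default deny rule.
        return ("pass", "pf implicit default")
    return (winner.action, winner.label)


# Constructed ruleset in the order OPNsense shows it: the non-quick default
# deny sits at the top, the user's rules follow it.
RULESET = [
    Rule("block", quick=False, label="default deny"),
    Rule("pass", quick=True, src="192.0.2.0/24", dport=22, label="quick pass ssh"),
    Rule("pass", quick=False, src="203.0.113.0/24", dport=443, label="non-quick pass https"),
    Rule("block", quick=False, src="203.0.113.0/24", dport=443, label="non-quick block https"),
]
```

Running evaluate(RULESET, Packet("192.0.2.10", 22)) shows the quick pass winning although the default deny is listed above it, while a packet nothing else matches falls through to the default deny as the last (and only) non-quick match.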

Hello Patrick!

Yes, I read that. But my view is probably biased by the products I have used over the last 30 years, starting with iptables and ipchains. The quick concept doesn't make any sense to me. It feels like complexity without any reason or benefit. I get why I want to continue rule processing for a packet after a log-pass rule. But that option only applies to a single rule and doesn't invisibly split my whole ruleset into two groups.

Many Greetings!
Zorgoban

It was inherited from pf, released first with OpenBSD in 2001, so that debate can be considered settled.

I guess from the OpenBSD docs that the idea at the time was for non-quick to be the default and for rule processing to continue through an arbitrary number of rules, possibly performing multiple actions such as tagging and rewriting. And then the quick keyword was possibly added to get the behaviour people are used to from other firewalls.

But that's just an educated guess.

I see...

So the problem is actually less with the technical concept than the display in the GUI. If the rules were properly ordered like they are processed by the system it would cause less confusion.

Many Greetings!
Zorgoban