What to do with "Rules" now? There are still rules contained ...

[senseOPN]

After migration, I still see "Rules [new]" and "Rules".
Within "Rules" there are still 9 automatically added rules - and I am not sure if that means they now exist double, in the old and in the new rules.

A clear way would be to remove the "Rule" and rename "Rules [new]" to simply "Rules".

Can I do this somehow?
Will this be added later?

As there are still rules listed with in the old rules (), this is not just cosmetic.
It is quite confusing :-)

Also, even as I deleted all "Floating Rules" they are still listed for other Interfaces, see the screenshot.

[OPNenthu]

After migration, I still see "Rules [new]" and "Rules".
Within "Rules" there are still 9 automatically added rules - and I am not sure if that means they now exist double, in the old and in the new rules.

No, not double.  It's just a Jedi mind trick.

All the rules exist in the new UI and can only be edited there after migration.  Assuming you don't subsequently add more legacy rules.

As you click through each of the interfaces in the legacy UI, you'll notice they're all empty in terms of the rules that would normally be editable there.  In other words, none of the interfaces have interface rules.  None of the groups (if you have any) have group rules.  Floating doesn't have any floating rules.  They're all empty now.

Nevertheless, each of them still shows the rules from higher and lower sequence ranges, including automatic rules, in the drop-downs.  Those are the overall, combined rules from both legacy and new UIs that still govern the interface at various levels besides the one you're looking at.

(Not sure if that last paragraph made sense.)

A clear way would be to remove the "Rule" and rename "Rules [new]" to simply "Rules".

Can I do this somehow?

No, not yet.  Unless you want to hack on the code.

Will this be added later?

The devs have said the old rules UI will be deprecated at some point, but it's too early.  They're not even asking people to migrate at this time.

As there are still rules listed with in the old rules (), this is not just cosmetic.

It isn't cosmetic and those are indeed real rules, just not duplicates.  There's no conflict.

It is quite confusing :-)

Agreed.  Takes a minute to realize what's going on.

Also, even as I deleted all "Floating Rules" they are still listed for other Interfaces, see the screenshot.

Hopefully it makes sense now. :)

---

TLDR; there's nothing more you need to do after migration if you followed all the steps up to and including the one to delete the legacy rules.

Unsolicited advice: once you've migrated, don't look back at the legacy UI for any reason.  Just forget it exists and try to acclimate to the new one (which is a lot like a spreadsheet).  The exception is for Outbound NAT as that isn't migrated yet.

[falken]

Can I do this somehow?

You can create a restricted administrator account and deny access to the the old Rules section (and anything else you don't use in your environment) to clean up the menu, and use that account.

[franco]

There's a commit on master branch that hides old rules. It has it's ups and downs and we're still trying to think of the best way forward for 26.7 and perhaps 26.1.x but that latter part is actually trickier if we don't know what people expect. We only hear about the ones that don't like hiding after its hidden.  ;)


Cheers,
Franco

[OPNenthu]

We only hear about the ones that don't like hiding after its hidden.  ;)

I'm prone to oversimplification as I'm not familiar with the code, but-

As a transitional step, why not have a setting that toggles the old rules UI on/off?  Then people can easily go back if they change their mind.

[franco]

The pain of having two menu entries is much smaller than the pain of having a setting that needs to be placed, documented and then not forgetting to remove it afterwards.

The plan is to make the legacy firewall a plugin similar to legacy OpenVPN/IPsec.  With that the setting to have legacy firewall rules is with the click of install/uninstall said plugin.


Cheers,
Franco

[allenlook]

After migrating all of my Rules I used a port scanning service to make sure I still had a firewall in place - I used GRC Shields-Up and a couple local tools we have in place.

[ProximusAl]

I have no plans at all to move to the new rules, until it is forced upon me. :)

The old rules work fine, and until such point @franco starts asking for us to move, they can stay where they are :)

[nero355]

I have no plans at all to move to the new rules, until it is forced upon me. :)

The old rules work fine, and until such point @franco starts asking for us to move, they can stay where they are :)

+1 :)

[senseOPN]

Unsolicited advice: once you've migrated, don't look back at the legacy UI for any reason.  Just forget it exists and try to acclimate to the new one (which is a lot like a spreadsheet).  The exception is for Outbound NAT as that isn't migrated yet.

That was very informative.
Those multiple groups of automatically created rules were confusing.

BUT, in my Interfaces below the old rules, I still see "Floating rules" and those are clearly MY floating rules, not automatically created!

They seem to be the same as from the new rules, at least I can see one new rule that I added in the new rules section after the upgrade.
But they have no Delete button.

Really, this is confusing!
But I hear you and will try to ignore :-)
Thanks!

BTW, in the old version, you could create a floating rule for any and all selection of Interfaces - now, adding a second Interface, will change the rule to a Floating rules and vice versa!

That means, adding a second Interface moves a rule automatically up to the Floating rules, which are handled before other rules.
And removing all but one Interface, removes the rules from the Floating rules, dropping it in priority!

This seems to be a fundamental change to before, where changing such things would never change the priority (rule-number)!

And, I cannot have "late" rules anymore for more than one Interface! Now, such a rule get's moved to the front.
Before, "Floating" was simply separate, not decided by the number of Interfaces.

[OPNenthu]

BUT, in my Interfaces below the old rules, I still see "Floating rules" and those are clearly MY floating rules, not automatically created!

They seem to be the same as from the new rules, at least I can see one new rule that I added in the new rules section after the upgrade.
But they have no Delete button.

I can't tell from your screenshot what those Floating rules are but I think they would all be yours.  System-generated and automatic rules go into their own categories.

If you created Floating rules in either of the new or old UIs, then I think those would reflect in the Floating folder in your screenshot.

It's true that in the new system rules with multiple interfaces get promoted to Floating, but it was always the case that multi-interface rules had to be Floating.  You can't have an interface level rule with multiple interfaces.

I think the reason the Delete button is missing is because if the rules are native to the new UI then you can only delete them from there.  You can't manage 'new' style rules from the 'old' style interface, even if they're visible.  They're read-only.

This seems to be a fundamental change to before, where changing such things would never change the priority (rule-number)!

And, I cannot have "late" rules anymore for more than one Interface! Now, such a rule get's moved to the front.

Not sure I understand this, but I'm interested.  Can you elaborate on what you mean by "late" rule?

There's a kind of open challenge from the devs to come up with cases that no longer work in the new Floating system:

https://github.com/opnsense/core/issues/9652

I think so far the devs are winning with the caveat that you have to use a dummy or loopback interface to avoid splitting related Floating rules across interfaces :P