Rules [new] vs. Rules

Started by ks, Today at 08:41:39 AM

Hello all,

I'm running a few OPNsense 26.1.8_5 firewalls, and one of these is driving me nuts.

In detail, the (in)famous bTicino Classe 100X16E intercom system is struggling to connect to Wi-Fi and thus the internet.

After days of tests (with other devices connected to the same 2.4 GHz Wi-Fi network working properly), I narrowed the issue down to the specific ports this intercom system needs.

They are:
- 5061 SIP
- 5228 SIP
- 0 to 65000 UDP
- 80/443 HTTP/HTTPS
- 8883 MQTTS

Now my question and request for help/hints is: where should I create new firewall rules in OPNsense? In the new Rules [new] tab, or in the older Rules tab?
Are they still working together, so do I need to create rules in both?

Can someone shed some light on this?

Thanks

Both work, but with 26.7 the legacy rules management GUI will be available as a plugin only. You can still use it but it won't receive any more feature updates and will eventually be removed although that could be 2-3 years from now.

So long story short: use Rules [new].


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Hello Franco,

thanks for the reply.

That means the rules currently present in > Rules can all be safely deleted?


Cheers,
ks

If you have the same set of rules in the new GUI, yes. If not you need to put all of them there first.


Cheers,
Franco

I haven't been able to find a clear answer to this in the docs (https://docs.opnsense.org/manual/firewall.html) or the UI (haven't gone trawling through forum posts to try to find it)...

What happens if rules exist in both old and new interfaces?

I'm guessing that if any legacy rules exist, then only those legacy rules are used, and any in the "new" interface are ignored? (this would give the opportunity to construct the new rule set without breaking connectivity)

If that is the case, it might be helpful to put a banner at the top of the "new" interface saying something to the effect of "Because legacy rules exist, these rules will not take effect"

Whatever the situation is, it'd be nice if the documentation could state it clearly...

In the processing order the documentation states "and", meaning both rulesets are active at the same time.
Hardware:
DEC740

Today at 04:33:21 PM #6 Last Edit: Today at 05:08:36 PM by dseven
I see. I didn't expect the answer to be there - I expected it either in the "Overview" (where the two implementations are called out) or under "Implementations".

So now I have another question... the processing order is given as:

1. System defined rules at the beginning of the ruleset
2. Firewall > Rules [new] and Firewall > Rules floating rules
3. Firewall > Rules [new] and Firewall > Rules group rules
4. Firewall > Rules [new] single interface rules
5. Firewall > Rules single interface rules
6. System defined rules at the end of the ruleset

Why aren't the 4th and 5th items combined as "Firewall > Rules [new] and Firewall > Rules single interface rules"? i.e. what's the difference between "and" vs two separate line items?

I don't know off the top of my head.

Check with "pfctl -s rules" and "cat /tmp/rules.debug" how legacy vs new are loaded.

If there is an error in the docs a PR is always welcome.

I was just wondering if there's an actual difference, like "and" means some kind of merge, vs. just one list followed by the other, or something, but I think it's just an accidental inconsistency in the doc.
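To make the difference between an "and" step and two separate steps in the documented processing order concrete, here is an added example (not code from the thread or from OPNsense): a toy first-match evaluator over a constructed ruleset built from the intercom ports in the first post. It assumes every rule is "quick" (first match wins, as OPNsense GUI rules are by default), that rules inside one "and" step keep whatever order they were loaded in, and that unmatched traffic hits a default block.

```python
from dataclasses import dataclass

# Assumption: all rules are "quick", so the first matching rule decides.
@dataclass(frozen=True)
class Rule:
    source: str      # "new" (Rules [new]) or "legacy" (Rules)
    scope: str       # "floating", "group" or "interface"
    action: str      # "pass" or "block"
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # (low, high), inclusive
    label: str

# Rank per (source, scope) following the documented order: steps joined
# by "and" share one rank, separate items get their own rank.
RANK = {
    ("new", "floating"): 0, ("legacy", "floating"): 0,    # item 2: "and"
    ("new", "group"): 1, ("legacy", "group"): 1,          # item 3: "and"
    ("new", "interface"): 2,                              # item 4
    ("legacy", "interface"): 3,                           # item 5
}

def load_order(rules):
    """Arrange rules in processing order. The sort is stable, so rules
    sharing a rank (an "and" step) keep their original relative order."""
    return sorted(rules, key=lambda r: RANK[(r.source, r.scope)])

def evaluate(rules, proto, port, default="block"):
    """Return (action, label) of the first quick rule matching proto/port."""
    for r in load_order(rules):
        if r.proto in ("any", proto) and r.ports[0] <= port <= r.ports[1]:
            return r.action, r.label
    return default, "default"   # assumed default-deny

# Constructed ruleset: intercom ports from the first post, deliberately
# spread over both GUIs and listed in an order that differs from processing.
RULES = [
    Rule("legacy", "interface", "block", "udp", (0, 65000), "legacy: block udp"),
    Rule("new", "interface", "pass", "udp", (0, 65000), "new: intercom udp"),
    Rule("new", "interface", "pass", "tcp", (8883, 8883), "new: mqtts"),
    Rule("legacy", "interface", "pass", "tcp", (5061, 5061), "legacy: sip 5061"),
    Rule("legacy", "floating", "block", "tcp", (5228, 5228), "legacy floating: block 5228"),
    Rule("new", "interface", "pass", "tcp", (5228, 5228), "new: sip 5228"),
]

if __name__ == "__main__":
    for proto, port in [("udp", 5000), ("tcp", 5228), ("tcp", 5061), ("tcp", 443)]:
        print(proto, port, "->", evaluate(RULES, proto, port))
```

Note that the "0 to 65000 UDP" entry is effectively "any UDP port", so a single [new] pass rule for it shadows a legacy single-interface block that would otherwise apply; when migrating, compare the two lists with pfctl -s rules rather than assuming a merge.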