Netgate Discussion Forum

    How to modify large firewall rule sets

    General pfSense Questions
    14 Posts 3 Posters 583 Views
    michmoor LAYER 8 Rebel Alliance @tinfoilmatt

      @tinfoilmatt 'ruleset page'?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      tinfoilmatt @michmoor

        @michmoor Firewall / Rules / [INTERFACE NAME]

        michmoor LAYER 8 Rebel Alliance @tinfoilmatt

          @tinfoilmatt you misunderstand my issue. I care about trackingID not rule descriptions.


          tinfoilmatt @michmoor

            @michmoor You misunderstand my "alternative suggestion."

            michmoor LAYER 8 Rebel Alliance @tinfoilmatt

              @tinfoilmatt but it's not really doable, modifying over 300 rules to include the trackingID in a description.
              For new rules going forward - sure.
              A better solution in my mind would be a trackingID column.


              tinfoilmatt @michmoor

                @michmoor Yes. Clearly that's what you're demanding.

                michmoor LAYER 8 Rebel Alliance @tinfoilmatt

                  @tinfoilmatt
                  well... yeah... hence the post to figure out if it's searchable via another way...


                  tinfoilmatt @michmoor

                    @michmoor said in How to modify large firewall rule sets:

                    @tinfoilmatt
                    well... yeah... hence the post to figure out if it's searchable via another way...

                    To put it disingenuously? Sure. And that's what I offered, at which point you suggested I misunderstood.

                      michmoor LAYER 8 Rebel Alliance @tinfoilmatt

                      @tinfoilmatt ok......


                        stephenw10 Netgate Administrator

                        If you have the ID you can just search the ruleset for it:

                        [25.03-BETA][root@fw1.stevew.lan]/root: pfctl -vsr | grep 1736810441
                        pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441
                        

                        Or if you have the ID you likely have the rule number like:
                        [screenshot omitted: Screenshot from 2025-03-31 22-45-14.png]

                        In which case you can use the rules view in Diag > pftop

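A script-level version of the lookup stephenw10 describes, added here as an example and not code from this thread or from pfSense. It parses `pfctl -vsr` output (a constructed sample is embedded, with the rule line quoted above as its first entry; the `@N` prefix that `pfctl -vvsr` adds is also accepted) into a table keyed by the `ridentifier`, so a lookup matches the tracking-ID field itself rather than any digit string a plain `grep` would hit, and it supports the reverse lookup from description to ID that a 300-rule set needs:

```python
import re

# Constructed sample of `pfctl -vsr` output. The first rule is the line quoted in the
# thread; the others are invented to exercise the parser (statistics line, a -vv "@N"
# rule number, a rule with no description, a rule without an interface).
SAMPLE_PFCTL = """\
pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441
  [ Evaluations: 10        Packets: 2         Bytes: 120         States: 0     ]
@7 block drop in log quick on mvneta0 inet from any to 10.0.0.0/8 label "USER_RULE: Block RFC1918 egress" label "id:1700000002" ridentifier 1700000002
pass in quick on igb1 inet proto udp from any to any port = 53 label "USER_RULE" label "id:1700000003" ridentifier 1700000003
block drop in log all label "Default deny rule IPv4" ridentifier 1000000103
"""

RULE_RE = re.compile(
    r'^(?:@(?P<num>\d+)\s+)?'                      # optional rule number from pfctl -vv
    r'(?P<action>pass|block(?: drop)?|match)\s+'
    r'(?P<dir>in|out)\b'
    r'(?:.*?\bon\s+(?P<iface>\S+))?'               # "all" rules carry no interface
    r'.*?\bridentifier\s+(?P<tracker>\d+)\s*$'
)
LABEL_RE = re.compile(r'label "([^"]*)"')

def parse_pfctl_rules(text):
    """Return {tracker_id: rule-dict} for every loaded rule carrying a ridentifier.
    Statistics lines and rules without a tracker are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        labels = LABEL_RE.findall(line)
        # pfSense stores the GUI description in the "USER_RULE: <descr>" label.
        descr = next((l[len("USER_RULE: "):] for l in labels if l.startswith("USER_RULE: ")), "")
        rules[int(m.group("tracker"))] = {
            "rule_number": int(m.group("num")) if m.group("num") else None,
            "action": m.group("action"), "direction": m.group("dir"),
            "interface": m.group("iface"), "description": descr, "raw": line,
        }
    return rules

def find_by_tracker(rules, tracker):
    """Like `pfctl -vsr | grep <id>`, but matched on the ridentifier field only."""
    return rules.get(int(tracker))

def find_by_description(rules, needle):
    """Reverse lookup: tracker IDs whose GUI description contains `needle`."""
    return sorted(t for t, r in rules.items() if needle.lower() in r["description"].lower())
```

Note that `pfctl -vsr` lists only the rules currently loaded into pf, so a rule that is disabled in the GUI will not appear in this table.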
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.