Netgate Discussion Forum

    Firewall rule description length limitation

    General pfSense Questions
    17 Posts 9 Posters 4.4k Views
    • somebodythatiusedtoknow

      @johnpoz:

      To be honest you're probably doing it wrong if you're using books for descriptions.. The rule by itself tells you what it's doing; all the description needs to be is maybe who to contact, or, since it sounds like you're in a business setup, why not just put in the change control number that requested/allowed the rule to be created.. Then if there are any questions on that rule you just look up the change control doc..

      Yes, in some places we are required to follow a strict change management procedure. It is not that we are writing novels about our rulesets, but putting a descriptive comment (comment, as in short) in the rule allows us to determine what the rule is used for and whether it is still what we need when reviewing. In some places we are required to use a generic ID of up to 26 characters. Let me give you an example of why this is an issue:

      "This-is-a-24-characterID Allow x traffic from a to b"
      This string is exactly 52 characters long, with an ID of 24 characters and no chance to describe the purpose of the rule. Perhaps I am doing it wrong, but it works :-)

      • heper

        While I agree with the comments of the other members, you can always change the field yourself:

        https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/firewall_rules_edit.php#L723

        https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/firewall_rules_edit.php#L1254

        • cmb

          @heper:

          While I agree with the comments of the other members, you can always change the field yourself

          …and break your ruleset.

          The limit isn't something arbitrary we dreamed up for kicks. The descriptions are put into the ruleset as labels, and those have length restrictions at the OS level because you don't want to load huge amounts of text into memory as part of your ruleset.

          • heper

            TIL: descriptions are inserted into the ruleset.

            Thanks for the input, Chris.

            • somebodythatiusedtoknow

              @cmb:

              The limit isn't something arbitrary we dreamed up for kicks. The descriptions are put into the ruleset as labels, and those have length restrictions at the OS level because you don't want to load huge amounts of text into memory as part of your ruleset.

              Thanks for your reply! The limitation did seem intentional to me, but it sounds like increasing the limit would "only" cause larger memory usage - is that correct?
              A larger memory overhead could be acceptable to us depending on the size, hardware and environment.

              EDIT: Never mind, I didn't notice that the links were only for the web interface. I think we're going to work with the limitations :)

              @heper:

              While I agree with the comments of the other members, you can always change the field yourself

              And thank you, I will discuss this option with my coworkers while mentioning Chris' warning.

              • cmb

                @somebodythatiusedtoknow:

                Thanks for your reply! The limitation did seem intentional to me, but it sounds like increasing the limit would "only" cause larger memory usage - is that correct?

                No. The ruleset won't load at all if you exceed that limit, so nothing will work.

                • awebster

                  I think each rule should have:

                  • Rule name: This is the current 52-character-limited field that names the rule; e.g. DMZ OUT, or MAIL IN, etc.

                  • Comment: A free-form, multi-line text field that sticks with the rule; no processing is done on it, put whatever you want, a novel or whatever. I.e. click it and a pop-up text box opens for editing it.

                  • Tag: A tag that can be used for automation purposes for finding rules in the rulebase (A-Za-z0-9 charset limitation). Similar to comment, but something you can automate on without having to use some funky regex to find the rules. I am currently using the rule name for this with delimiters, but it isn't pretty.

                  –A.

                  • KOM

                    I find it deliciously ironic that someone who is having problems with long firewall rule descriptions has a username so long it bleeds into the post header ;D ;D ;D

                    • johnpoz (LAYER 8 Global Moderator)

                      ^ yeah, that is good, isn't it.. Not sure what firewall he was using, but most of the major players (Juniper, Cisco, Check Point) all have limitations..

                      What were you using before that allowed you to use unlimited text fields to describe your rules? If you want to know if the rule should still be used, place a date field in there and by policy review all rules after X days, months, years.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • awebster

                        @johnpoz:

                        ^ yeah, that is good, isn't it.. Not sure what firewall he was using, but most of the major players (Juniper, Cisco, Check Point) all have limitations..

                        What were you using before that allowed you to use unlimited text fields to describe your rules? If you want to know if the rule should still be used, place a date field in there and by policy review all rules after X days, months, years.

                        I know for a fact that both Checkpoint and Paloalto Networks have comment fields that you can put basically anything you want in, but rule names are limited in length.
                        Completely agree on policy review after X days, but I have rarely seen it done in practice. Just keeps the auditors happy, I guess.

                        –A.

                        • johnpoz (LAYER 8 Global Moderator)

                          Have not been on Checkpoint in well over a year, if not 2.. Rule names for sure were limited; I don't remember using the comment field..


                          • awebster

                            I'm on Checkpoint R77.20 and Paloalto Pan OS 6.1.x on a daily basis, and pfSense of course!

                            Actually, to follow up on my earlier post, one neat feature that I've seen on Checkpoint is a rule expiry field. They already have schedule-like time conditions, but the expiry field just basically completely disables the rule after a certain date.
                            Again, great for audit compliance. It would be cool to have that AND a feature that cleans up expired rules after an amount of time, and a flag to mark a rule as "do not delete" in the case of a rule that needs to be enabled from time to time but only for a certain amount of time, like remote support via SSH type of thing.

                            –A.

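The thread makes three practical points about rule descriptions: cmb's warning that a description over the limit (52 characters in this thread) is rejected when the ruleset is loaded, johnpoz's suggestion of embedding a review date and auditing rules older than a policy window, and awebster's idea of an expiry date on temporary rules. The script below is an added example written for this discussion, not pfSense code. It assumes the `<pfsense><filter><rule><descr>` layout of a pfSense config.xml export, treats a `YYYY-MM-DD` token in the description as the review date and an `expires:YYYY-MM-DD` token as the expiry date (both conventions assumed here, not pfSense features), and runs over a constructed sample config:

```python
"""Audit pfSense firewall rule descriptions from a config.xml export.

Added example for this thread, not pfSense's own code. Assumptions:
  - the <pfsense><filter><rule><descr> layout of a pfSense config.xml
  - a review date written as YYYY-MM-DD in the description (johnpoz's idea)
  - an "expires:YYYY-MM-DD" token marking a temporary rule (awebster's idea)
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

MAX_DESCR_LEN = 52  # limit quoted in the thread; longer labels make the ruleset fail to load
DATE_RE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")
EXPIRY_RE = re.compile(r"\bexpires:(\d{4}-\d{2}-\d{2})\b")

# Constructed sample config fragment (not a real export). The second
# description is the thread's 52-character example with " and c" appended.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><descr>CHG-2024-0001 2024-01-15 Allow web</descr><interface>wan</interface></rule>
<rule><descr>This-is-a-24-characterID Allow x traffic from a to b and c</descr><interface>lan</interface></rule>
<rule><descr>2023-06-01 temp vendor ssh expires:2023-06-08</descr><interface>wan</interface></rule>
<rule><descr>Block bogons</descr><interface>wan</interface></rule>
</filter></pfsense>"""


def descr_fits(descr):
    """True if the description is within the length limit the thread quotes."""
    return len(descr) <= MAX_DESCR_LEN


def audit_rules(config_xml, today, review_days=365):
    """Return a list of (rule_index, interface, finding, detail) tuples.

    Findings: too_long (detail = length), no_review_date (detail = None),
    review_overdue (detail = age in days), expired (detail = days past expiry).
    """
    root = ET.fromstring(config_xml)
    findings = []
    for idx, rule in enumerate(root.iter("rule")):
        descr = (rule.findtext("descr") or "").strip()
        iface = rule.findtext("interface") or "?"

        # Catch the length problem before a ruleset reload rejects it.
        if not descr_fits(descr):
            findings.append((idx, iface, "too_long", len(descr)))

        # Review date: the first YYYY-MM-DD token in the description.
        m = DATE_RE.search(descr)
        if m is None:
            findings.append((idx, iface, "no_review_date", None))
        else:
            age = (today - date.fromisoformat(m.group(1))).days
            if age > review_days:
                findings.append((idx, iface, "review_overdue", age))

        # Expiry token: flag rules that should already have been disabled.
        e = EXPIRY_RE.search(descr)
        if e is not None:
            overdue = (today - date.fromisoformat(e.group(1))).days
            if overdue > 0:
                findings.append((idx, iface, "expired", overdue))
    return findings


def audit_sample():
    """Run the audit over the constructed sample with a fixed 'today'."""
    return audit_rules(SAMPLE_CONFIG, date(2024, 9, 1))


if __name__ == "__main__":
    for finding in audit_sample():
        print("rule %d on %s: %s %s" % finding)
```

Against a real export, replace `SAMPLE_CONFIG` with the contents of the backed-up config.xml and `date(2024, 9, 1)` with `date.today()`; the `too_long` finding is the one to fix before applying the ruleset, since the thread confirms an over-length label stops the whole ruleset from loading.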
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.