Feature ideas: rule grouping, changelogs / notes

  • Hi guys,

    I've been using pfSense as a perimeter bridging firewall in production for over 6 months now and I'm more than happy with it, not a single issue. I have a suggestion though, that could make pfSense administration even easier, especially in larger companies (and I think pfSense definitely is on its way to get into those). As the number of firewall rules grows, and when you have multiple admins and lots of changes being made, especially those that add big batches of new rules, then even with a very strict naming and description scheme you will eventually find it harder and harder to manage the rules - and even browsing the rule list will become unpleasant.

    What could really simplify this, is rule groups. You could still keep all rules in the same place, but you could also categorize rules.
    Say, the 200 rules I have I could divide into:

    • services (servers in dmz behind the firewall)
    • security (deny RFC1918, bogons, p2p catcher etc)
    • access (remote site to site VPN peers, remote networks belonging to the same company etc.).
      Even if nested groups were not possible, it would still be great. However if nesting groups was implemented, it could be further categorized i.e. access/mail/ access/ftp etc.
      Since the configuration is XML, I think this would be relatively easy to implement (though I know it's always easier said than done). So ideally you'd get a tree-like list of groups with [+] signs to fold-unfold.

    The other idea is a comment or changelog entry field to be filled in when you press the "apply" button, and then being able to view the changelog. Since pfSense doesn't support multiple logins, you would probably have to enter your name as well. With this feature, you could add your internal change request IDs to the logs etc. So ideally the log would consist of:
    timestamp + user name  + comment + changes made [ generated by pfSense i.e. Alias changed, Alias added, Rule changed, Rule added ].
    Apart from the changelog fields appearing automatically upon "Apply", there should also be an option of manually logging changes, just a "Log a configuration change" link.

    Thanks for all the good work on pfSense, I'm waiting impatiently for 2.0 (especially GUI for link aggregation).
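As an added illustration of the changelog idea above (this is example code, not part of pfSense or of the original post): two constructed, simplified pfSense-style config.xml snapshots are diffed to generate the "changes made" part of an entry (Alias added, Alias changed, Rule changed), which is then combined with the timestamp, user name and comment. Keying rules by a tracker id is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed, simplified pfSense-style config snapshots (not real exports);
# keying rules by a <tracker> id is an assumption of this example.
BEFORE = """<pfsense>
  <aliases>
    <alias><name>dmz_web</name><type>host</type><address>10.0.1.10</address></alias>
  </aliases>
  <filter>
    <rule><tracker>100</tracker><type>pass</type><interface>wan</interface><descr>services: web</descr></rule>
    <rule><tracker>101</tracker><type>block</type><interface>wan</interface><descr>security: bogons</descr></rule>
  </filter>
</pfsense>"""
AFTER = """<pfsense>
  <aliases>
    <alias><name>dmz_web</name><type>host</type><address>10.0.1.10 10.0.1.11</address></alias>
    <alias><name>vpn_peers</name><type>network</type><address>192.168.50.0/24</address></alias>
  </aliases>
  <filter>
    <rule><tracker>100</tracker><type>pass</type><interface>wan</interface><descr>services: web</descr></rule>
    <rule><tracker>101</tracker><type>block</type><interface>wan</interface><descr>security: bogons and RFC1918</descr></rule>
  </filter>
</pfsense>"""

def _index(root, path, key):
    """Map each element under `path` to a dict of its child fields, keyed by the `key` child."""
    items = [{c.tag: (c.text or "").strip() for c in el} for el in root.findall(path)]
    return {f[key]: f for f in items}

def diff_config(before_xml, after_xml):
    """Compare two snapshots and return lines like 'Alias added: x' or 'Rule changed: 101 (...)'."""
    old, new = ET.fromstring(before_xml), ET.fromstring(after_xml)
    changes = []
    for label, path, key in (("Alias", "aliases/alias", "name"), ("Rule", "filter/rule", "tracker")):
        a, b = _index(old, path, key), _index(new, path, key)
        for k in sorted(set(a) | set(b)):
            if k not in a:
                changes.append(f"{label} added: {k}")
            elif k not in b:
                changes.append(f"{label} removed: {k}")
            elif a[k] != b[k]:  # same object exists on both sides but some field differs
                fields = ", ".join(f"{f}: {a[k].get(f)!r} -> {b[k].get(f)!r}"
                                   for f in sorted(set(a[k]) | set(b[k])) if a[k].get(f) != b[k].get(f))
                changes.append(f"{label} changed: {k} ({fields})")
    return changes

def changelog_entry(user, comment, changes, when=None):
    """One log entry: timestamp + user name + comment + generated list of changes."""
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat()} | {user} | {comment} | " + "; ".join(changes)

if __name__ == "__main__":
    print(changelog_entry("alice", "CR-1234: add VPN peer alias", diff_config(BEFORE, AFTER)))
```

Unchanged objects (the dmz_web-independent rule 100 here) produce no line, so the generated part of the entry only lists what the "Apply" actually altered.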


  • Multiple users are already possible in 2.0.

    I'm not sure if you could already do the grouping you're suggesting with aliases.

    The first rule would be the security rule.
    Have a security-source-alias, and a security-destination-alias and add all the sources and destinations you want to block to their respective alias.
    The same for the servers.

    But I see your point that with a LOT of rules the granularity of the alias system might not be good enough.

    I think there was already a bounty for a package to track changes not only of the firewall but of all the changes you make on the pfSense.
    This would probably be what you want.

  • Hi,

    Thanks for the info. I am using aliases extensively - actually, apart from only a few, I don't have a single rule not using aliases, and it does make my life much easier. And yes, I'm talking about a LOT of rules. One deployment is a perimeter firewall, but I want to deploy another as firewall filtering traffic between remote VPNs - multiple customer sites, company branches, and the internal network. I have it in order, using Cisco only, but I want to migrate this all to pfSense just for easier management. After migrating the whole lot, that would be over 2000 rules - this is quite a specific environment with lots of exotic types of connectivity. In this case I think you get my point:

    Inside interface: Rule group: Customer XX outbound - 30 rules using aliases
    Outside interface: Rule group: Customer XX inbound - 15 rules using aliases



  • btw: this is the thread about tracking changes:
