GUI feature requests

  • I've been doing a migration to Netgate firewalls, and as a result of the experience I have a few GUI feature requests. I don't know if these have been raised before, and I can create them on redmine if required.

    1. In the display list of Floating Rules, there is currently no way to see whether the rule is "in", "out" or "both". I'd like an icon for this.

      Reason: my design only needs these to be "in", and an icon would allow a quick visual inspection to confirm this. Right now rules I have to either open each rule individually, or grok the XML, to see if I forgot to set any rule to "in", since they default to "both".

      (Since pfSense uses the font-awesome icons, perhaps sign-in and sign-out might be suitable for "in" and "out", and arrows-h for bidirectional)

    2. Related: I don't know if people agree, but I'd prefer floating rules to default to "in" rather than "both". ISTM this is a safer default - if you want the rule to activate in the outbound direction, you can explicitly choose it. However I believe the choice of "in", which matches in fewer cases, is a safer default.

      Similarly: I'd like floating rules to default to "Quick" checked, as I also think this is the simpler and safer option, consistent with per-interface rule behaviour. However this is not so important, as there's an icon for Quick rules so I can easily determine if I've forgotten to check the box.

    3. Given an IP address or alias, I'd like a way to search for all rules which match that value.

      There is a sort-of workaround for an alias, although it's a bit scary: you can try to delete the alias. If it's in use, you'll get an error message. However the error message only gives the rule description, and if you didn't add a description, it's just blank:

      "Cannot delete alias. Currently in use by ."

      Furthermore, if it's in use at more than one place, it only shows you the first one.

      What I'd want is to be able to enter an IP address, and see a list of all rules where this address matches either source or destination (which could be as part of an explicit address/network, an interface address/network, or as matching an alias). I'd also like the ability for this to match "Any" and negated ranges as well, but for this to be disabled by default.

    4. Building on this, I'd like to be able to enter a protocol, a source/dest IP pair and source/dest port pair, and see exactly which rule would match to make the final decision for traffic flow - and any earlier, non-quick floating rules which match.

    Points (3) and (4) are equivalent to "Where used?" and "packet tracer" respectively on ASA. These are the only two features that I miss :-)



  • LAYER 8 Global Moderator

    While your suggestions all seem very reasonable.. Question for you - why are you using floating in the first place.. Rules to block traffic are better to put on the actual interface where traffic will hit the firewall.. Rules on the interface will always be "in" and will be "quick" as well.

    The floating tab is more designed for odd ball sorts of needs from my understanding.

    3 and 4 yeah sure would be good additions.

    I do not recall ever seeing such requests before. So yeah you could search redmine though.

  • @johnpoz said in GUI feature requests:

    Question for you - why are you using floating in the first place..

    Reasonable question, and the answer is due to multiple paths.

    Case 1: we have servers on a DMZ in a data centre. There is an IPSEC tunnel between office and data centre, to allow secure administration of servers. So an inbound access rule like "permit any to server X port 443" has to work both for traffic from the Internet (via WAN interface) and traffic from the office (via VTI/IPSec). Better to do this on a floating rule than to duplicate every rule.

    Case 2: multiple networks behind the firewall all need to access the local DNS/NTP servers. It's simpler to put a single floating rule ("allow from all these networks to DNS/NTP") than a separate rule on every network.

    Case 3: point-to-point links with VTI backup, BGP failover. Traffic could come via a real interface (if P2P link is up) or IPSec VTI interface (if P2P is down). I don't want to duplicate the rules, or worse, find that things don't work when we fail over to IPSec because a rule was missed.

    Something else I realised about the GUI for floating rules: it doesn't show when a rule has been bound to one or more interfaces, or is not bound. That would be really useful to see as well.

  • LAYER 8 Global Moderator

    Valid use cases for sure.. And I also like your suggestion of showing what interfaces rule is bound too, etc.

Log in to reply