    How to verify rule and separator position in the Firewall Rules menu !?

      louis2

      In the past I noticed that:

      • On the Firewall Interface screens, rules did not always stick on the same relative position.
      • The same was true for separator lines
      • and I think that rule numbers (in the GUI known as TrackingID) could sometimes change over time

      I found that very annoying in the GUI, but it was also affecting the lookup table which I created using the ssh login, option 8:
      pfctl -vvsr > <YYYYMMDD_HHMM>_RuleDump.txt

      Very recently there was a patch (Fix rule order after deleting or adding a firewall rule (Redmine #16076)) which should fix that behavior. The patch is available under menu item system / patches.

      As the title suggests, my intention is/was to check the rule and separator position stability in the Firewall Rules menus. My intention was to do that via the rule dump generated as described above.

      In the rule dump you find three fields which feel related to ^rule processing order^:

      • QueryNo
      • ridentifier (which is the same as what the GUI knows as TrackingID)
      • and a label called "id:1694963511" which is not always present and which equals the ridentifier

      A firewall rule as shown in the GUI (having one ridentifier), is in most cases split into a set of subrules handling certain aspects of the rule.
      Example: one subrule for IPv4 and one for IPv6. Often it is more complex than that.

      The query (pfctl -vvsr > <YYYYMMDD_HHMM>_RuleDump.txt) creates a list of all those subrules. Each subrule has the same ridentifier. There is one QueryNo for each subrule.

      Back to the GUI. A small test shows that:

      • a rule gets a number at creation time and seems to keep that number
      • also when moved on the same rule page
      • the number is higher than existing numbers. The number is not just ^+1^
        The number is raised via an unknown algorithm

      Given that the ridentifier is stable even when moved, ridentifier can not be the key which determines the rule processing order.

      So the big questions are:

      • which key does determine the rule processing order
      • related: what determines the rule and separator position on the rules screen
      • how to verify the rule processing order stability and the relative positions of the rules and the separators (as I tried to do, given negative experiences in the past)
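One way to do the check the post asks for, as an added example (not from the post or from pfSense): group the `@n` entries of two `pfctl -vvsr` dumps by their `ridentifier` and report which tracking IDs were added, removed, or changed relative position. The dump text below is constructed to resemble the output format, and it assumes the `@n` prefix is the per-subrule sequence number and `ridentifier N` carries the TrackingID.

```python
import re

# A rule line in `pfctl -vvsr` output starts with "@<n> ..."; the indented
# counter lines ("[ Evaluations: ... ]") do not and are skipped.
RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
RID_RE = re.compile(r"\bridentifier\s+(\d+)\b")

# Constructed sample dumps (not real output). The second one moves the block
# rule ahead of the SSH rule and adds a DNS rule with a new tracking ID.
OLD_DUMP = """\
@0 scrub in on igb0 all fragment reassemble
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
@1 pass in quick on igb0 inet proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: Allow SSH" label "id:1694963511" ridentifier 1694963511
@2 pass in quick on igb0 inet6 proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: Allow SSH" ridentifier 1694963511
@3 block drop in quick on igb0 inet from any to any label "USER_RULE: Block rest" ridentifier 1694963600
"""
NEW_DUMP = """\
@0 scrub in on igb0 all fragment reassemble
@1 block drop in quick on igb0 inet from any to any label "USER_RULE: Block rest" ridentifier 1694963600
@2 pass in quick on igb0 inet proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: Allow SSH" label "id:1694963511" ridentifier 1694963511
@3 pass in quick on igb0 inet6 proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: Allow SSH" ridentifier 1694963511
@4 pass in quick on igb0 inet proto udp from any to any port = 53 keep state label "USER_RULE: DNS" ridentifier 1700000000
"""

def parse_dump(text):
    """Map ridentifier -> list of subrule numbers (@n), in first-seen order.
    Rules without a ridentifier (e.g. the scrub rule) are not tracked."""
    by_rid = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rid = RID_RE.search(m.group(2))
        if rid:
            by_rid.setdefault(rid.group(1), []).append(int(m.group(1)))
    return by_rid

def rule_order(text):
    """GUI-level rule order: tracking IDs in the order their first subrule appears."""
    return list(parse_dump(text))

def order_changes(old_text, new_text):
    """Return (added, removed, moved): moved lists tracking IDs whose position
    among the rules present in both dumps is no longer the same."""
    old, new = rule_order(old_text), rule_order(new_text)
    added = [r for r in new if r not in old]
    removed = [r for r in old if r not in new]
    common_old = [r for r in old if r in new]
    common_new = [r for r in new if r in old]
    moved = [r for r in common_old if common_old.index(r) != common_new.index(r)]
    return added, removed, moved

if __name__ == "__main__":
    print(order_changes(OLD_DUMP, NEW_DUMP))
```

Run it against two real dumps taken before and after a GUI edit: an empty `moved` list means the relative processing order of the surviving rules did not change.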
        stephenw10 Netgate Administrator

        The rule order is given by the position/order in the config file.

        There is a thread for this here: https://forum.netgate.com/topic/196601/rules-order-randomly-changes/

        Including steps to reproduce it to test.

          marcosm Netgate

          The rule order in the configuration file is supposed to reflect both the rule processing and rule position (i.e. what's shown in the GUI) order. Ultimately, the processing itself is determined by what gets put into /tmp/rules.debug. As for the rule position in the GUI, there are multiple factors involved. With the latest fixes (referenced in the thread linked above), what does happen should finally match what is supposed to happen.
