How to modify large firewall rule sets
-
For context
https://redmine.pfsense.org/issues/16113
Can someone please point me to where in the GUI I can search for tracking IDs and the rules they relate to?
I have a large security policy, and in order for the Ops team to correctly identify and modify/delete rules, it's better to identify them in some way. Is there a preferred method of searching for tracking IDs, which is the method used in pfSense to identify unique rules?
Edit: Yes, if I click on the firewall rule at the bottom there is the tracking ID, but that's still not a very efficient way of locating the rule on the GUI page. In my mind, once you have the ID, you should be able to Ctrl+F for the ID, locate the rule, click on the checkbox on the left (and do this multiple times for the rules that need deletion).
-
@michmoor Alternative suggestion: enforce rule descriptions.
-
@tinfoilmatt Not sure how that would help.
The tracking ID is acceptable, but being able to search for it with hundreds of rules is an inconvenience.
For example, I can say that I will delete rules 24 and 102 and give a screenshot in my change ticket. Everyone's on the same page, and there is no doubt what I'm modifying. I can use tracking IDs, but they're not present in the GUI in a searchable way.
-
@michmoor Rule descriptions are Ctrl+F-able from the ruleset page.
-
@tinfoilmatt 'ruleset page'?
-
@michmoor
Firewall / Rules / [INTERFACE NAME]
-
@tinfoilmatt You misunderstand my issue. I care about the tracking ID, not rule descriptions.
-
@michmoor You misunderstand my "alternative suggestion."
-
@tinfoilmatt But it's not really doable: modifying over 300 rules to include the tracking ID in a description.
For new rules going forward, sure.
A better solution in my mind would be a tracking ID column.
-
@michmoor Yes. Clearly that's what you're demanding.
-
@tinfoilmatt
Well......yeah.....hence the post, to figure out if it's searchable via another way...........
-
@michmoor said in How to modify large firewall rule sets:
    @tinfoilmatt
    Well......yeah.....hence the post, to figure out if it's searchable via another way...........
To put it disingenuously? Sure. And that's what I offered, at which point you suggested I misunderstood.
-
@tinfoilmatt ok......
-
If you have the ID you can just search the ruleset for it:
[25.03-BETA][root@fw1.stevew.lan]/root: pfctl -vsr | grep 1736810441
pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441
Or if you have the ID you likely have the rule number like:
In which case you can use the rules view in Diag > pftop
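The grep above answers "is this ID in the loaded ruleset", but a change ticket usually needs the reverse mapping as well: tracking ID to the pf rule number that the pftop rules view is keyed on. The script below is an added example, not code from this thread or from pfSense. It assumes the input is `pfctl -vvsr` output (with two `-v` flags pfctl prefixes every rule with `@N`, pf's rule number) and that pfSense tags each user rule with `label "id:N" ridentifier N`, as the line quoted in the post shows. The sample ruleset embedded in the script is constructed for the example around that one posted line; the other rules, counters, IDs and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: index a pf ruleset by
# tracking ID so an ID quoted in a change ticket maps to a pf rule number.
# Assumes `pfctl -vvsr` output: "@N" prefix per rule, and pfSense's
#   label "id:N" ridentifier N
# on every user rule. Indented "[ Evaluations: ... ]" counter lines are skipped.

# Constructed sample output modeled on the thread's pfctl line (rule @1).
# Everything else here (rules, counters, IDs, addresses) is made up.
SAMPLE_RULES='@0 block drop in log quick on mvneta0 inet from any to any label "USER_RULE: Default deny" label "id:1700000001" ridentifier 1700000001
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
@1 pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441
  [ Evaluations: 42        Packets: 10        Bytes: 1024        States: 1     ]
@2 pass in quick on mvneta0 inet proto udp from <LAN__NETWORK> to any port = 53 keep state label "USER_RULE: DNS" label "id:1736810500" ridentifier 1736810500
  [ Evaluations: 7         Packets: 3         Bytes: 300         States: 1     ]
@3 pass out quick on mvneta0 inet from any to any keep state label "let out anything from firewall host itself"
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]'

# rule_index: read pfctl -vvsr output on stdin, print one line per rule:
#   <pf rule number> TAB <tracking ID or -> TAB <user description or ->
# Rules without a ridentifier (pfSense's own automatic rules) get "-".
rule_index() {
    awk '
        /^@[0-9]+ / {
            num = substr($1, 2)
            id = "-"; desc = "-"
            for (i = 1; i < NF; i++)
                if ($i == "ridentifier") id = $(i + 1)
            # the description is the text inside label "USER_RULE: ..."
            if (match($0, /label "USER_RULE: [^"]*"/))
                desc = substr($0, RSTART + 18, RLENGTH - 19)
            print num "\t" id "\t" desc
        }'
}

# find_rule_by_id ID: print the pf rule number(s) carrying tracking ID in the
# ruleset read from stdin; prints nothing when the ID is not loaded.
find_rule_by_id() {
    rule_index | awk -F '\t' -v want="$1" '$2 == want { print $1 }'
}

# Stand-alone run against the constructed sample. On a firewall, use:
#   pfctl -vvsr | rule_index
#   pfctl -vvsr | find_rule_by_id 1736810441
printf '%s\n' "$SAMPLE_RULES" | rule_index
printf '%s\n' "$SAMPLE_RULES" | find_rule_by_id 1736810441
```

Running `pfctl -vvsr | rule_index` once before a change and attaching the output to the ticket gives the Ops team a fixed number-to-ID table to work from; re-run it after the change, since pf renumbers rules whenever the ruleset is reloaded, so the tracking ID is the stable key and the rule number is only valid for that load.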