Netgate Discussion Forum

How to modify large firewall rule sets

General pfSense Questions
14 posts, 3 posters, 620 views
• michmoor (LAYER 8 Rebel Alliance), posted Mar 31, 2025, 2:30 PM, last edited Mar 31, 2025, 2:34 PM

    For context

    https://redmine.pfsense.org/issues/16113

    Can someone please point me to where in the GUI I can search for tracking IDs and the rules they relate to?
    I have a large security policy, and in order for the Ops team to correctly identify and modify/delete rules it's better to identify them in some way. Is there a preferred method of searching for tracking IDs, which is the method used in pfSense to identify unique rules?

    edit: Yes, if I click on the firewall rule, the tracking ID is shown at the bottom, but that's still not a very efficient way of locating the rule on the GUI page. In my mind, once you have the ID, you should be able to Ctrl+F for the ID, locate the rule, and click on the checkbox on the left (and do this multiple times for the rules that need deletion).

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

    • tinfoilmatt @michmoor, Mar 31, 2025, 3:35 PM

      @michmoor Alternative suggestion: enforce rule descriptions.

      • michmoor (LAYER 8 Rebel Alliance) @tinfoilmatt, Mar 31, 2025, 3:39 PM

        @tinfoilmatt Not sure how that would help.
        The tracking ID is acceptable, but being able to search for it with hundreds of rules is an inconvenience.
        For example, I can say that I will delete rules 24 and 102 and give a screenshot in my change ticket. Everyone's on the same page, and there is no doubt what I'm modifying. I can use tracking IDs, but they're not present in the GUI in a searchable way.


        • tinfoilmatt @michmoor, Mar 31, 2025, 3:42 PM

          @michmoor Rule descriptions are 'CTRL + f'-able from the ruleset page.

          • michmoor (LAYER 8 Rebel Alliance) @tinfoilmatt, Mar 31, 2025, 3:44 PM

            @tinfoilmatt 'ruleset page'?


            • tinfoilmatt @michmoor, Mar 31, 2025, 3:49 PM

              @michmoor Firewall / Rules / [INTERFACE NAME]

              • michmoor (LAYER 8 Rebel Alliance) @tinfoilmatt, Mar 31, 2025, 3:50 PM

                @tinfoilmatt You misunderstand my issue. I care about the tracking ID, not rule descriptions.


                • tinfoilmatt @michmoor, Mar 31, 2025, 3:51 PM

                  @michmoor You misunderstand my "alternative suggestion."

                  • michmoor (LAYER 8 Rebel Alliance) @tinfoilmatt, posted Mar 31, 2025, 3:52 PM, last edited Mar 31, 2025, 3:52 PM

                    @tinfoilmatt But it's not really doable: modifying over 300 rules to include the tracking ID in a description.
                    For new rules going forward, sure.
                    A better solution in my mind would be a tracking ID column.


                    • tinfoilmatt @michmoor, Mar 31, 2025, 3:54 PM

                      @michmoor Yes. Clearly that's what you're demanding.

                      • michmoor (LAYER 8 Rebel Alliance) @tinfoilmatt, Mar 31, 2025, 3:56 PM

                        @tinfoilmatt
                        well......yeah.....hence the post to figure out if it's searchable via another way...........


                        • tinfoilmatt @michmoor, Mar 31, 2025, 3:58 PM

                          @michmoor said in How to modify large firewall rule sets:

                          @tinfoilmatt
                          well......yeah.....hence the post to figure out if it's searchable via another way...........

                          To put it disingenuously? Sure. And that's what I offered, at which point you suggested I misunderstood.

                          • michmoor (LAYER 8 Rebel Alliance) @tinfoilmatt, Mar 31, 2025, 4:00 PM

                            @tinfoilmatt ok......


                            • stephenw10 (Netgate Administrator), Mar 31, 2025, 10:12 PM

                              If you have the ID you can just search the ruleset for it:

                              [25.03-BETA][root@fw1.stevew.lan]/root: pfctl -vsr | grep 1736810441
                              pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441
                              

                              Or if you have the ID you likely have the rule number like:
                              [Screenshot of the rule list showing the rule number omitted]

                              In which case you can use the rules view in Diag > pftop

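A way to turn the `pfctl -vsr` search above into the lookup michmoor asks for: each tracking ID from a change ticket is resolved to the rule's position in the loaded ruleset, its interface and its description, and an ID that matches nothing is reported rather than silently dropped. This is an added example, not code from the forum or from pfSense; the sample output is constructed (only the "Connections to ews" line is the one quoted above) and the parser assumes pf prints rule lines in evaluation order with the `-v` counters on indented lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `pfctl -vsr` output: the "Connections to ews" rule is the one
# quoted in the post above; the other rules and the "[ Evaluations ... ]" lines are made up.
SAMPLE_PFCTL_VSR = """\
pass in quick on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000000003
  [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
block drop in log quick inet from <sshguard> to any label "sshguard"
  [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
block drop in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to any port = 23 label "USER_RULE: Block telnet" label "id:1736810499" ridentifier 1736810499
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
"""

ACTION_RE = re.compile(r"^(pass|block|match)\b")
IFACE_RE = re.compile(r"\bon (\S+)")
USER_LABEL_RE = re.compile(r'label "USER_RULE: ([^"]*)"')
RIDENT_RE = re.compile(r"\bridentifier (\d+)\b")

@dataclass
class Rule:
    index: int                  # position in pfctl output, i.e. evaluation order
    action: str
    iface: Optional[str]        # None for floating rules without "on <if>"
    tracking_id: Optional[str]  # None when pf carries no ridentifier for the rule
    description: Optional[str]  # text after "USER_RULE: "; None for system rules

def parse_rules(pfctl_output: str) -> List[Rule]:
    # One Rule per rule line; the indented "[ ... ]" counters printed by -v are skipped.
    rules: List[Rule] = []
    for line in pfctl_output.splitlines():
        action = ACTION_RE.match(line) if line and not line[0].isspace() else None
        if not action:
            continue
        head = line.split(" label ", 1)[0]   # look for "on <if>" only before the labels
        iface, desc, rid = IFACE_RE.search(head), USER_LABEL_RE.search(line), RIDENT_RE.search(line)
        rules.append(Rule(len(rules), action.group(1), iface and iface.group(1),
                          rid and rid.group(1), desc and desc.group(1)))
    return rules

def lookup_tracking_ids(rules: List[Rule], ids) -> Dict[str, Optional[Rule]]:
    # Resolve each ID from a change ticket to its loaded rule; None flags an ID that
    # matches nothing (a typo, or a rule already removed before the ruleset was reloaded).
    by_id = {r.tracking_id: r for r in rules if r.tracking_id}
    return {str(i): by_id.get(str(i)) for i in ids}
```

On the firewall itself, replace the sample with the live output, e.g. `parse_rules(subprocess.run(["pfctl", "-vsr"], capture_output=True, text=True).stdout)`, and check the result for `None` entries before approving a deletion.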
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.