Netgate Discussion Forum

    Insert a title between rules to easily find an area to work on

    Bounties
    18 Posts 8 Posters 9.7k Views
      adam65535

      When you have a ton of rules (100 for example) it can be very time consuming just to find the rules you are interested in changing.

      Rule 1
      Rule 2
      Rule 3
      Rule 4
      Rule 5
      Rule 6
      Rule 7
      Rule 8
      Rule 9
      Rule 10
      Rule 11
      Rule 12
      …
      Rule 100

      If you could put section titles into the rule list it would make modifying the rules much quicker and safer when you can easily find the section of the rule listing you are looking for.

      • External Server access rules
        Rule 1
        Rule 2
        Rule 3
      • Development access rules
        Rule 4
        Rule 5
        Rule 6
        Rule 7
      • General internet rules
        Rule 8
        Rule 9
        Rule 10
        ...
        Rule 100

      Optionally it would be great to be able to compact them by clicking on the title too. As another option, store the hidden/compact state so that later, when you come back at another time to look at the rules, the sections remain compacted until you un-compact them.  In the example below, rules 1 through 3 are now hidden, indicated by the + sign for the status of the title.

      • External Server access rules
      • Development rules
        Rule 4
        Rule 5
        Rule 6
        Rule 7
      • General internet rules
        Rule 8
        Rule 9
        Rule 10
        ...
        Rule 100

      I do not know how much work would be involved to do something like this so I really don't know what kind of cost to put down.  I got my tax refund money though and I would like to put that to good use to help.  I know it would not involve any actual firewall logic changes.  This is only cosmetic to help organize the rule base.  I could see this being a big help even for sites with smaller rule counts.

      Any estimates for the cost would be helpful.  The code would have to be something that upstream would consider merging so that everyone would benefit from it.

        johnpoz LAYER 8 Global Moderator

        While that is a good idea, it reminds me of working with the Checkpoint GUI for rules.  Keep in mind that hiding rules with a collapsible title block could allow for missing an important rule when looking for what is not right.

        Since the rules are evaluated from the top down, you could have a rule in the collapsed External Server section that messes up your rules down in the General internet rules section; since it's collapsed you might not see it, etc.

        As a sort of workaround, in your comment block on the first rule that starts your sections put in, say, External, Development or General.  Now you can use your browser's find feature to jump to the specific area of your rules that starts that section of rules.

        As to an estimate of cost, how much is it worth to you? ;)  When it reaches the price that someone thinks is fair for their time, they will do it ;)  The higher the offer, the faster or more likely it will get done.  If the price is high enough it will get done (if possible to do).

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Gabri.91

          In this respect I think that the Netasq rules page is a well-done model:
          you can collapse and expand rules with a title line, and above all, when you apply rules it shows a warning if a rule won't be applied due to its position under another rule.
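
The warning described above is a rule-shadowing check: with top-down, first-match evaluation, a rule is never reached when an earlier rule already matches every packet it would match. The following is an added example, not pfSense code or anything from this thread; the section titles, rule fields and addresses are constructed, and it flags separately the case where the shadowing rule sits in a different (possibly collapsed) section.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Example added here, not pfSense code: section titles and rules are constructed.
@dataclass(frozen=True)
class Rule:
    section: str                      # hypothetical section title
    action: str                       # "pass" or "block"
    proto: str                        # "tcp", "udp" or "any"
    src: str                          # source network (CIDR)
    dst: str                          # destination network (CIDR)
    dport: Optional[Tuple[int, int]]  # inclusive destination port range, None = any
    descr: str = ""

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is already matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    o_src, i_src = ipaddress.ip_network(outer.src), ipaddress.ip_network(inner.src)
    o_dst, i_dst = ipaddress.ip_network(outer.dst), ipaddress.ip_network(inner.dst)
    if o_src.version != i_src.version or o_dst.version != i_dst.version:
        return False                  # IPv4 and IPv6 networks never overlap
    if not (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)):
        return False
    if outer.dport is None:           # "any port" covers every port range
        return True
    if inner.dport is None:           # a port range never covers "any port"
        return False
    return outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]

def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str, bool]]:
    """Top-down first match: a rule is unreachable when an earlier rule covers it.
    Returns (rule, shadowed_by, 'redundant'|'conflicting', crosses_section)."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "redundant" if rules[i].action == later.action else "conflicting"
                findings.append((j, i, kind, rules[i].section != later.section))
                break                 # the first covering rule is the one that fires
    return findings

def warnings(rules: List[Rule]) -> List[str]:
    """Netasq-style warnings; cross-section hits are what a collapsed section hides."""
    out = []
    for j, i, kind, cross in find_shadowed(rules):
        where = f" (in other section '{rules[i].section}')" if cross else ""
        out.append(f"rule {j} '{rules[j].descr}' is {kind}: never reached, "
                   f"rule {i} '{rules[i].descr}' matches first{where}")
    return out

# Constructed sample ruleset using documentation address ranges.
RULES = [
    Rule("External Server access", "pass", "tcp", "10.0.0.0/24", "203.0.113.10/32", (443, 443), "ext https"),
    Rule("External Server access", "block", "any", "10.0.0.0/24", "198.51.100.0/24", None, "block partner"),
    Rule("Development access", "pass", "tcp", "10.0.0.0/25", "198.51.100.5/32", (22, 22), "dev ssh"),
    Rule("General internet", "pass", "tcp", "10.0.0.0/24", "0.0.0.0/0", (80, 443), "web"),
    Rule("General internet", "pass", "tcp", "10.0.0.128/25", "0.0.0.0/0", (443, 443), "https"),
    Rule("General internet", "pass", "udp", "10.0.0.0/24", "0.0.0.0/0", (53, 53), "dns"),
]

if __name__ == "__main__":
    print("\n".join(warnings(RULES)))
```

On this sample the "dev ssh" rule is flagged as conflicting because the earlier "block partner" rule in another section already matches it, and the "https" rule is flagged as redundant because the "web" rule in the same section matches first.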

            Clear-Pixel

            Nested tabs might be a better path.

            The code for tabs is already being utilized; it may need additional work on the nested side.

            To solve the order issue, the first tab lists all rules in order, then the nested categories below. You would need a category selection drop-down box within each rule's settings page, and a way to create new categories when needed.

            Examples Below

            [images: t34.gif, t19.gif]

            HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
            Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
            Single Ethernet Port - VLAN
            Cisco SG300 10-port Gigabit Managed Switch
            Cisco DPC3008 Cable Modem  30/4 Mbps
            Pfsense 2.1-RELEASE (amd64)
            -------------------------------------------------------------
            Total Network Power Consumption - 29 Watts

              Clear-Pixel

              Bump.


                adam65535

                I don't think the nested tabs would work well.  Sometimes you would need to look at all the rules.  An expand-all feature would allow you to quickly scroll through the rules.  With tabs you would be forced to click on the tabs to get to all the rules.  I could be wrong though, of course.  I haven't ever used a firewall with such subdividing though.

                In a Checkpoint install I have about 200 rules with about 25 section titles for example.  Checkpoint does what I mentioned in the first post.  That is where I got the idea.  Without section titles or something similar keeping track of the rules and quickly getting to parts of the rule base you want would be slow.

                @johnpoz:

                As a sort of work around, in your comment block on the first rule that starts your sections put in say External, Development or General - now you can use your browser find feature to jump to specific area of your rules that start that section of rules.

                I tried doing that actually.  Search only works when you know what you named the sections.  The more rules, firewalls, etc you have the less likely you will know what to search for.  If someone else comes in to look at the rules who didn't create them search is not very helpful either.  If they can quickly scroll through unexpanded section titles it potentially could be much quicker to find for example…  VPN outgoing rules to a certain site that had a section title of 'VPN NewYork to Chicago'.

                  Clear-Pixel

                  @adam65535:

                  I don't think the nested tabs would work well.  Sometimes you would need to look at all the rules.  An expand-all feature would allow you to quickly scroll through the rules.  With tabs you would be forced to click on the tabs to get to all the rules.  I could be wrong though, of course.  I haven't ever used a firewall with such subdividing though.

                  In a Checkpoint install I have about 200 rules with about 25 section titles for example.  Checkpoint does what I mentioned in the first post.  That is where I got the idea.  Without section titles or something similar keeping track of the rules and quickly getting to parts of the rule base you want would be slow.

                  It's not a problem; all rules would be listed as normal on the first tab.

                  Based on how pfSense has been approaching some of the problems of filtering, using various search options at the top of the page, I'm sure this is how they would approach the problem. But there would be a need for a category option for each rule.


                    adam65535

                    I understand what you are saying now.  That would work with a small number of sub-tabs.  With 25 sub-tabs though, maybe not.  With 25 section titles in the main tab, I think that would scale better and overall look better.

                      jimp Rebel Alliance Developer Netgate

                      Tabs wouldn't be good for that. I'm not sure we'd ever consider subdividing rules.

                      In general, if your ruleset is that complex, you've designed something wrong. Obviously there are many exceptions to that, but most things can be done elegantly in a screenful of rules or less using aliases.

                      If we did any kind of separation, it may be something more like subheadings:

                      • Title
                          + Rule 1
                          + Rule 2
                      • Title 2
                          + Rule 3
                          + Rule 4

                      Headings could be collapsed if need be, but would be expanded by default.

                      Could even use anchors and a drop-down at the top to jump to a specific header, but tabs would be too busy and would hurt more than they help.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                        Clear-Pixel

                        @jimp:

                        Headings could be collapsed if need be, but would be expanded by default.

                        A collapsible category header would work better than tabs ;)

                        A search drop-down field using the categories would also work well and may be easier to implement.


                          adam65535

                          jimp, that is precisely what I was thinking.  That would make rules management so much easier for really big sites that have large rule bases.  Even with a lower number of rules, which most sites can get by with, being able to create subheadings would make the rule base easier to manage, IMHO, based on my experience with Checkpoint, which does have a feature similar to that.

                            Clear-Pixel

                            The only page found on the web for development is http://devwiki.pfsense.org/PfSenseDevHome :-[

                            Can anyone give me some ideas of how pfSense is storing input data?


                              thurines

                              This is just an idea, but with the current version as it is, can't you just have a disabled rule that doesn't really do anything? You could for instance block a private network that you don't use in your environment and then disable that rule. Then you set a description on that rule that explains what the next "group" of rules is doing. Ofc there is some flaw, like, uuh, what if I really want to disable a rule? Then I will mix all the disabled rules up, and so on, but hey, it's just an idea :P

                                adam65535

                                @thurines:

                                This is just an idea, but with the current version as it is, can't you just have a disabled rule that doesn't really do anything? You could for instance block a private network that you don't use in your environment and then disable that rule. Then you set a description on that rule that explains what the next "group" of rules is doing. Ofc there is some flaw, like, uuh, what if I really want to disable a rule? Then I will mix all the disabled rules up, and so on, but hey, it's just an idea :P

                                I have actually done that in some spots to help identify sections.  I set up a deny for 1.1.1.1 to 1.1.1.1 with a description and disable the rule to make it a gray color.  It is still difficult to scan through the rules and find them though while still reading the description.  I do have disabled rules in the rule bases for temporary rules that need to be enabled or disabled at times, or if it is an experimental change.

                                Subheaders would of course be much easier to scroll through and find if they are created in such a way that they are easy to spot (assuming a different color or shade of gray and hopefully even smaller height if possible to make them really different and visible).

                                  adam65535

                                  If this ever does get implemented, for some big sites I might try to use the Floating tab for most rules (setting interface and direction when needed, of course).  I can then group all my VPN rules (incoming and outgoing) in one section (and easily find them in a long list) instead of split between a LAN tab for outgoing and an IPsec tab for incoming as it is now.  Yes, the list will be longer in the Floating tab, but with subheaders overall I think it will be easier to work on, with different VPN sites having their own VPN subheader sections on one tab.

                                    thurines

                                    @adam65535:

                                    @thurines:

                                    This is just an idea, but with the current version as it is, can't you just have a disabled rule that doesn't really do anything? You could for instance block a private network that you don't use in your environment and then disable that rule. Then you set a description on that rule that explains what the next "group" of rules is doing. Ofc there is some flaw, like, uuh, what if I really want to disable a rule? Then I will mix all the disabled rules up, and so on, but hey, it's just an idea :P

                                    I have actually done that in some spots to help identify sections.  I set up a deny for 1.1.1.1 to 1.1.1.1 with a description and disable the rule to make it a gray color.  It is still difficult to scan through the rules and find them though while still reading the description.  I do have disabled rules in the rule bases for temporary rules that need to be enabled or disabled at times, or if it is an experimental change.

                                    Subheaders would of course be much easier to scroll through and find if they are created in such a way that they are easy to spot (assuming a different color or shade of gray and hopefully even smaller height if possible to make them really different and visible).

                                    For such a grouping feature I would also suggest the ability to collapse the entire group to make it invisible and only show the group header. Like a +/- you press to show/hide the group.

                                      mikee

                                      I join this pledge. Even with a low number of rules in the ruleset this will be of GREAT help.

                                      The existence and use of aliases does NOT avoid the need for rule grouping, as has been said.

                                      Suppose that you have 10 OpenVPN servers. The need to have 10 servers is because you want to limit access to the internal resources based on which group is connecting, and you keep groups apart by giving them different subnets. Maybe there is another way to do this but, so far, I have not found it, as the IP pool assignment is configured in the OpenVPN server, not anywhere else.

                                      As you cannot create alias entries that have both an IP address (the server part) AND a given port (mainly because this is what a firewall rule is for), your aliases cannot help in locking a given VPN group to a pool of internal resources (server:port pairs).

                                      So I end up with 5 or more rules for each external VPN group, which messes up the interface. It would be a lot easier to manage if I could have a collapsible header for each of the blocks. Not that it cannot be done without this, but it would be a big improvement anywhere.

                                      This could perhaps be done by adding a collapsible over the group of rules, but as the rules listing is actually built on a draggable table, this table would have to be cut into portions (you cannot div a group of table rows in a single table), thus losing the draggability (can you have inter-table draggable cells?). Besides, the maintenance of the headers in the config.xml structure should be taken into account.

                                      Anyway, BIG thanks for a GREAT product to all those who have dedicated their time, effort and intelligence to making it possible.

                                        bryan.paradis

                                        Interesting idea for sure.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.