Insert a title between rules to easily find an area to work on



  • When you have a ton of rules (100 for example) it can be very time consuming just to find the rules you are interested in changing.

    Rule 1
    Rule 2
    Rule 3
    Rule 4
    Rule 5
    Rule 6
    Rule 7
    Rule 8
    Rule 9
    Rule 10
    Rule 11
    Rule 12

    Rule 100

    If you could put section titles into the rule list it would make modifying the rules much quicker and safer when you can easily find the section of the rule listing you are looking for.

    • External Server access rules
      Rule 1
      Rule 2
      Rule 3
    • Development access rules
      Rule 4
      Rule 5
      Rule 6
      Rule 7
    • General internet rules
      Rule 8
      Rule 9
      Rule 10
      ...
      Rule 100

    Optionally it would be great to be able to compact them by clicking on the title too. As another option store the hidden/compact state so that later when you come back at another time to look at the rules, The sections remain compacted until you un-compact them.  The example below rules 1 through 3 are now hidden indicated by the + sign for the status of the title.

    • External Server access rules
    • Development rules
      Rule 4
      Rule 5
      Rule 6
      Rule 7
    • General internet rules
      Rule 8
      Rule 9
      Rule 10
      ...
      Rule 100

    I do not know how much work would be involved to do something like this so I really don't know what kind of cost to put down.  I got my tax refund money though and I would like to put that to good use to help.  I know it would not involve any actual firewall logic changes.  This is only cosmetic to help organize the rule base.  I could see this being a big help even for sites with smaller rule counts.

    Any estimates for the cost would be helpful.  The code would have to be something that upsteam would consider merging so that everyone would benefit from it.


  • Rebel Alliance Global Moderator

    Where that is a good idea, reminds of working with the checkpoint gui for rules.  Keep in mind that hiding rules with a collapsible title block could allow for missing an important rule when looking for what is not right.

    Since the rules are evaluated from top down..  You could have a rule in the collapsed External Server section that messes up your rules down in the General internet rules section, since its collapsed you might not see it, etc.

    As a sort of work around, in your comment block on the first rule that starts your sections put in say External, Development or General - now you can use your browser find feature to jump to specific area of your rules that start that section of rules.

    As to estimate of cost, how much is it worth to you? ;)  When it reaches the price that someone thinks is fair for their time will do it ;)  The higher the offer the faster or more likely it will get done.  If the price is high enough it will get done (if possible to do)



  • In this way I think that Netasq rules page is a well done model:
    you can collapse and expand rules with a title line and above all when you apply rules it shows some warning if a rule won't be applied due to its position under another rule..



  • Nested tabs might would be a better path.

    The code for tabs are already being utilized … may need additional work on the nested side.

    To solve the order issue .... first tap list all rules in order, than the nested category's below. You would need a category selection drop down box within each rule settings page and to create new categories when needed.

    Examples Below






  • Bump….



  • I don't think the nested tabs would work well.  Sometimes you would need to look at all the rules.  An expand all feature would allow you to quickly scroll through the rules.  With tabs you would be forced to click on the tabs to get to all the rules.  I could be wrong though of course.  I haven't ever used a firewall with such subra bing though.

    In a Checkpoint install I have about 200 rules with about 25 section titles for example.  Checkpoint does what I mentioned in the first post.  That is where I got the idea.  Without section titles or something similar keeping track of the rules and quickly getting to parts of the rule base you want would be slow.

    @johnpoz:

    As a sort of work around, in your comment block on the first rule that starts your sections put in say External, Development or General - now you can use your browser find feature to jump to specific area of your rules that start that section of rules.

    I tried doing that actually.  Search only works when you know what you named the sections.  The more rules, firewalls, etc you have the less likely you will know what to search for.  If someone else comes in to look at the rules who didn't create them search is not very helpful either.  If they can quickly scroll through unexpanded section titles it potentially could be much quicker to find for example…  VPN outgoing rules to a certain site that had a section title of 'VPN NewYork to Chicago'.



  • @adam65535:

    I don't think the nested tabs would work well.  Sometimes you would need to look at all the rules.  An expand all feature would allow you to quickly scroll through the rules.  With tabs you would be forced to click on the tabs to get to all the rules.  I could be wrong though of course.  I haven't ever used a firewall with such subra bing though.

    In a Checkpoint install I have about 200 rules with about 25 section titles for example.  Checkpoint does what I mentioned in the first post.  That is where I got the idea.  Without section titles or something similar keeping track of the rules and quickly getting to parts of the rule base you want would be slow.

    Its not a problem all rule would be listed as normal on the first tab …....

    Based on how Pfsense has been approaching some of the problems of filtering is using various search options at top of page. I'm sure this is how they would approach the problem. But there would be a need for a category option for each rule.



  • I understand what you are saying now.  That would work with small number of sub tabs.  With 25 sub tabs though maybe not.  With 25 section titles in the main tab I think that would scale better and overall look better.


  • Rebel Alliance Developer Netgate

    Tabs wouldn't be good for that. I'm not sure we'd ever consider subdividing rules.

    In general, if your ruleset is that complex, you've designed something wrong. Obviously there are many exceptions to that, but most things can be done elegantly in a screenful of rules or less using aliases.

    If we did any kind of separation, it may be something more like subheadings:

    • Title
        + Rule 1
        + Rule 2
    • Title 2
        + Rule 3
        + Rule 4

    Headings could be collapsed if need be, but would be expanded by default.

    Could even use anchors and a drop-down at the top to jump to a specific header, but tabs would be too busy and would hurt more than they help.



  • @jimp:

    Headings could be collapsed if need be, but would be expanded by default.

    A Collapsible category header would work better than tabs  ;)

    A Search drop down field using the category's would also work well and may be easier to implement.



  • jimp, that is precisely what I was thinking.  That would make rules management so much easier for really big sites that have large rule bases.  Even with lower number of rules though which most sites can get by with being able to create subheadings would make management of the rule base easier to manage IMHO based on my experience with Checkpoint which does have a feature similar to that.



  • Only page found on web for development http://devwiki.pfsense.org/PfSenseDevHome   :-[

    Can anyone give me some Ideas of how Pfsense is storing input data?



  • This is just an idea but with the current version as it is cant you just have a disabled rule that doesnt really do anything. You could for instance block a private network that you dont use in your environment and then disable that rule. Then you set a description on that rule that explains what the next "group" of rules is doing. OFc there is some flaw like, uuh what if I realy want to disable a rule then I will mix all the disabled rules up and so on but hey, its just an idea :P



  • @thurines:

    This is just an idea but with the current version as it is cant you just have a disabled rule that doesnt really do anything. You could for instance block a private network that you dont use in your environment and then disable that rule. Then you set a description on that rule that explains what the next "group" of rules is doing. OFc there is some flaw like, uuh what if I realy want to disable a rule then I will mix all the disabled rules up and so on but hey, its just an idea :P

    I have actually done that in some spots to help identify sections.  I setup a deny for 1.1.1.1 to 1.1.1.1 with a description and disable the rule to make it a gray color.  It is still difficult to scan through the rules and find them though while still reading the description.  I do have disabled rules in the rule bases for temporary rules that need to be enabled or disabled at times or if it is an experimental change.

    Subheaders would of course be much easier to scroll through and find if they are created in such a way that they are easy to spot (assuming a different color or shade of gray and hopefully even smaller height if possible to make them really different and visible).



  • If this ever does get implemented for some big sites I might try to use the Floating tab for most rules (setting interface and direction when needed of course).  I can then group all my VPN rules (incoming and outgoing) in one section (and easily find them in a long list) instead of split between a LAN for outgoing and IPSEC tab for incoming as it is now.  Yes the list will be longer in the Floating tab but with subheaders overall i think it will be easier to work on with different VPN sites having their own VPN subheader sections on one tab.



  • @adam65535:

    @thurines:

    This is just an idea but with the current version as it is cant you just have a disabled rule that doesnt really do anything. You could for instance block a private network that you dont use in your environment and then disable that rule. Then you set a description on that rule that explains what the next "group" of rules is doing. OFc there is some flaw like, uuh what if I realy want to disable a rule then I will mix all the disabled rules up and so on but hey, its just an idea :P

    I have actually done that in some spots to help identify sections.  I setup a deny for 1.1.1.1 to 1.1.1.1 with a description and disable the rule to make it a gray color.  It is still difficult to scan through the rules and find them though while still reading the description.  I do have disabled rules in the rule bases for temporary rules that need to be enabled or disabled at times or if it is an experimental change.

    Subheaders would of course be much easier to scroll through and find if they are created in such a way that they are easy to spot (assuming a different color or shade of gray and hopefully even smaller height if possible to make them really different and visible).

    For such a grouping feature I would also suggest the ability to collapse the entiregroup to make it invisible and only show the group header. Like a +/- you press to show/hide the group.



  • I sum to this pledge. Even with a low number of rules in the ruleset this will be of GREAT help.

    The existance and use of Aliases do NOT avoid the need of rules grouping as it has been said.

    Suppose that you have 10 openVPN servers. The need to have 10 servers is because you want to limit access to the internal resources based on which goup is connecting and you keep groups apart by giving them different subnets. May be there is another way to do this but, so far, I have not found it as the ip pool asignment is configured in the openvpn server not anywere else.

    As you cannot create alias entries that have both an ip address (the server part) AND a given port (mainly because this is what a firewall rule is for) then your aliases cannot help in locking a given VPN group to a pool of internal resources (server:port pairs).

    So I end up with 5 or more rules for each external vpn group that messes up the interface. It would be lot easier to manage if I could have a collapsible header for each of the blocks. Not that it cannot be done without this but a big improvement anywhere.

    This could perhaps be done by adding a collapsableover the group of rules but as rules listing is actually built based on a draggable table, this table should have to be cut-off in portions (you cannot div a group of table rows in a single table) thus loosing the draggability (can you have inter-table draggable cells?). Besides the headers maintenance in the config.xml structure should be taken into account.

    Anyway BIG thanks for a GREAT product to all those who have dedicated their time, effor and intelligence to making it possible.



  • Interesting idea for sure.