Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall rule description length limitation

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 9 Posters 4.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      somebodythatiusedtoknow
      last edited by

      Hello all of you,

      I am currently working on migrating to pfSense firewalls. It took me a little while, but I'm pretty happy with it except for one thing especially. The description field of a firewall rule is limited to contain no more than 52 characters. This is an issue to me, as we are several people managing the firewalls. This calls for a need to use generic ID's and useful descriptions, and we find it impossible to do so with just 52 characters in most cases. We don't want to end up using an external document to keep track of the descriptions, but read a complicated ruleset with the help of descriptions and ID's.

      I noticed just one other description field was limited, in the firewall schedules. This was limited to 40 characters, and all of the others (that I've checked) are unlimited. This made me think there could be a reasonable explanation to the length limitation.

      So my questions:
      1. Is it possible to work around this firewall rule description length limit?
      2. Is there an explanation to the limitations? If yes, what is it?

      Best regards,
      somebodythatiusedtoknow

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        To be honest your prob doing it wrong if your using books for descriptions..  The rule by itself tells you what its doing, all the description needs to be is maybe for who to contact, or sounds like your in a business setup why not just put in the change control number that requested/allowed the rule to be created.. Then if any questions on that rule you just look up the change control doc..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • M
          muswellhillbilly
          last edited by

          ^ Exactly what I would have said. Though in answer to your questions directly, I would have thought that 1.) No, there isn't a workaround and 2.) The limitations are there to keep your ruleset from looking like a cluttered, text-ridden mess. Most firewalls - and I've used a good many - have such limitations set on the descriptive field for that very reason.

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned
            last edited by

            +3. If you want to write novels, your FW rules' descriptions are not the place to do so. And if there's someone to inherit the work after you and requires the novels to understand the rules, then it's either a wrong person for the job, or your FW rules design sucks elephant's nuts.

            1 Reply Last reply Reply Quote 0
            • JailerJ
              Jailer
              last edited by

              threadshouldhavebeentitledscreennamelengthlimitation.

              1 Reply Last reply Reply Quote 0
              • S
                somebodythatiusedtoknow
                last edited by

                @johnpoz:

                To be honest your prob doing it wrong if your using books for descriptions..  The rule by itself tells you what its doing, all the description needs to be is maybe for who to contact, or sounds like your in a business setup why not just put in the change control number that requested/allowed the rule to be created.. Then if any questions on that rule you just look up the change control doc..

                Yes, some places we are required to follow a strict change management procedure. It is not that we are writing novels about our rulesets, but putting a descriptive comment (comment, as in short) in the rule allows us to determine whether what the rule is used for and whether it is still what we need to use when reviewing. Some places we are required to use a generic ID of up to 26 characters. Let me give you an example of why this is an issue:

                "This-is-a-24-characterID Allow x traffic from a to b"
                This string is exactly 52 characters long, with an ID of 24 characters and no chance to describe the purpose of the rule. Perhaps I am doing it wrong, but it works :-)

                1 Reply Last reply Reply Quote 0
                • H
                  heper
                  last edited by

                  while i agree with the comments of the other members, you can always change the field yourself:

                  https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/firewall_rules_edit.php#L723

                  https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/firewall_rules_edit.php#L1254

                  1 Reply Last reply Reply Quote 0
                  • C
                    cmb
                    last edited by

                    @heper:

                    while i agree with the comments of the other members, you can always change the field yourself

                    …and break your ruleset.

                    The limit isn't something arbitrary we dreamed up for kicks, the descriptions are put into the ruleset as labels and those have length restrictions at the OS level because you don't want to load huge amounts of text into memory as part of your ruleset.

                    1 Reply Last reply Reply Quote 0
                    • H
                      heper
                      last edited by

                      til : descriptions are inserted into the ruleset

                      thanks for the input chris

                      1 Reply Last reply Reply Quote 0
                      • S
                        somebodythatiusedtoknow
                        last edited by

                        @cmb:

                        The limit isn't something arbitrary we dreamed up for kicks, the descriptions are put into the ruleset as labels and those have length restrictions at the OS level because you don't want to load huge amounts of text into memory as part of your ruleset.

                        Thanks for your reply! The limitation did seem intentional to me, but it sounds like increasing the limit would "only" cause a larger memory usage - is that correct?
                        A larger memory overhead could be acceptable to us depending on the size, hardware and environment.

                        EDIT: Nevermind, I didn't notice that the links was only for the web-interface. I think we're going to work with the limitations :)

                        @heper:

                        while i agree with the comments of the other members, you can always change the field yourself

                        And thank you, I will discuss this option with my coworkers while mentioning Chris' warning.

                        1 Reply Last reply Reply Quote 0
                        • C
                          cmb
                          last edited by

                          @somebodythatiusedtoknow:

                          Thanks for your reply! The limitation did seem intentional to me, but it sounds like increasing the limit would "only" cause a larger memory usage - is that correct?

                          No. The ruleset won't load at all if you exceed that limit, so nothing will work.

                          1 Reply Last reply Reply Quote 0
                          • awebsterA
                            awebster
                            last edited by

                            I think each rule should have:

                            • Rule name: This is the current 52 character limited field that names the rule; EG: DMZ OUT, or MAIL IN, etc.

                            • Comment: A free form text field that is just a multi-line comment field that sticks with the rule, no processing is done on it, put whatever you want, a novel or whatever.  Ie: click it and a pop-up text box opens for editing it.

                            • Tag: A tag that can be used for automation purposes for finding rules in the rulebase (A-Za-z0-9) charset limitation.  Similar to comment, but something you can automate on without having to use some funky regex to find the rules.  I am currently using the rule name for this with delimiters, but it isn't pretty.

                            –A.

                            1 Reply Last reply Reply Quote 0
                            • KOMK
                              KOM
                              last edited by

                              I find it deliciously ironic that somone who is having problems with long firewall rule descriptions has a username so long it bleeds into the post header  ;D  ;D  ;D

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                ^ yeah that is good isn't it..  Not sure what firewall he was using, but most of the major players juniper, cisco, checkpoint all have limitations..

                                What were you using before that allowed you to use unlimited text fields to describe your rules? If you want to know if the rule should still be used, place a date field in there and by policy review all rules after X days, months, years.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • awebsterA
                                  awebster
                                  last edited by

                                  @johnpoz:

                                  ^ yeah that is good isn't it..  Not sure what firewall he was using, but most of the major players juniper, cisco, checkpoint all have limitations..

                                  What were you using before that allowed you to use unlimited text fields to describe your rules? If you want to know if the rule should still be used, place a date field in there and by policy review all rules after X days, months, years.

                                  I know for a fact that both Checkpoint and Paloalto Networks have comment fields that you can put basically anything you want in them, but rule names are limited in length.
                                  Completely agree on policy review review after X days, but rarely seen it done in practice.  Just keeps the auditors happy I guess.

                                  –A.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    Have not been on checkpoint in well over year if not 2..  Rule names for sure were limited, I don't remember using comment field..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • awebsterA
                                      awebster
                                      last edited by

                                      I'm on Checkpoint R77.20 and Paloalto Pan OS 6.1.x on a daily basis, and pfSense of course!

                                      Actually to followup on my earlier post, one neat feature that I've seen on Checkpoint is a rule expiry field.  They already have schedule like time conditions, but the expiry field just basically completely disables the rule after a certain date.
                                      Again, great for audit compliance, would be cool to have that AND a feature that cleans up expired rules after an amount of time, and a flag to mark it as do not delete in the case of a rule that needs to be enabled from time to time but only for a certain amount of time, like remote support via SSH type of thing.

                                      –A.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.