GUI Request - Simplified Firewall Rule Creation Wizard



  • As the subject states, I'd like to request a wizard that includes a simplified method for firewall rule creation. The current method is pretty awesome but requires a large amount of know-how, and putting things in incorrectly can render the system inaccessible. What would be really nice is if, during the initial setup that occurs when logging in the first time, a few steps are added that ask what kind of network you have and what kind of devices and web services you use, i.e. computers, game consoles, Netflix, Amazon, Hulu etc., which allows the user to select what they are using. Additionally, the wizard should ask if the user intends to install security packages such as Snort, Suricata etc. and create/provision configuration files on the file system that will be called up automatically by these packages later during their installation. Once this wizard is completed, rules are automatically created for these services based on only what is needed to allow these services to function through the firewall and additional security measures that a user may install.

    Later on these rules can be modified using the standard methods.

    I believe the above will be a great addition which will help users start with an installation that is more tailored to each user's network needs, improve overall performance and help prevent overlapping problems and entries created by user input.



  • My initial reaction to this request is - hmmmmmm

    On one hand I can see where you might try to eliminate people shooting themselves in the foot with rule generation and locking out the GUI for eg.

    On the other hand, there's an argument to be made that proper firewall setup requires understanding what you are doing before you start.

    My opinion (such as it is) is that pfSense is a powerful effective tool for securing your network, but with great power comes great responsibility.
    Namely, if you don't make an effort to understand what you need to do (and not do) to properly set up and secure your network, you should probably step back and reconsider.
    I don't see that "dumbing" up the front end with another Wizard or two is going to actually improve the support situation if someone doesn't understand what they're doing in the first place.

    I would agree the documentation of pfSense is still a work in progress.
    It has come light years since the early days, but it is still an interesting task for a "newbie" to drop in and find what they might be looking for.

    To my mind, you're on the best resource for pfSense information right now.
    It's managed by the best interactive resource for problem solving that I know of - people  ;)

    Just my $.02



  • It's just an idea to assist in getting a more tailored INITIAL setup.



  • The initial setup is fine: allow all on LAN, allow none on WAN.  Everything else depends on your environment and policies.



  • The problem with wizards is they make it harder for power users. Wizards make a huge mess of things the instant anyone tries to make any manual changes that side-channel the wizard.

    Either everything is via wizards or nothing is. Doing a hybrid is never a good idea.



  • Pardon my thought process here but it would seem that the devs would strive to create a product that is workable for the masses as opposed to the small group of "power users". I personally think that pfSense might get broader exposure if it were adoptable by average users. As it stands though, based on the feedback that is given and usually trampled on by the devs and so called "power users", it seems like it is locked into a 1 track scheme of development. Essentially, the vision for this product is very…. how do I say.. BLAND.

    If feedback isn't welcome or if it doesn't fit your vision, what good is asking for feedback? With the suggestion I posted above, it's designed to give users a better start than what you actually end up with. Yes users can load it up, read up on options included but, how does this research explain how options interface with other options? Answer, it does not. In fact, I can very easily break pfSense if I want to. It isn't hard; nor should it be that easy.

    So, back to my original point, why not make this program more enticing to a broader spectrum of people? You never know, you might actually sell more support bundles and high dollar equipment; or do you really care about that? Are people not as experienced as you viewed as inferior?

    Either way, this community is a rough one. I'm an average experience user and I find reading the help posts largely unhelpful because users either speak too technical or too specific. In essence, help that is not understandable, is not help and it makes me want to delete pfSense off my box and find something else.



  • It is too bad you feel that way but is that not how feedback works? The other guys were being honest in their views. You have to remember this software has to run on smaller setups with only a memory stick so it is not like they can add much extra without running into problems for others with smaller amounts of space.
    For future builds I think most would choose other functions than wizards if room was a priority.
    I don't think home users are going to fork up cash for expensive equipment or pay for support bundles or you would have done so already and avoided the frustration. By the way, have you even bothered to try and get the manual yet? It would help you out a great deal I am sure. I did.  Plus it helps the developers out since this is an open source product.
    Your idea may have merit but as the others tried to point out, the luxury is not possible and for many reasons. In my view this is the best firewall product for the price range you are looking for.
    For the average home user pfSense may be overkill.
    As for the small number of power users or enthusiasts it is 74656 and growing plus many run multiple units so this community is very diverse and from many different countries.
    Many of the members have been in the trade for decades and for a technical problem you would find no better help, but you need to do your own homework to understand what they may be trying to communicate to you. There is no such thing as yep, I know everything now so no more homework.
    One thing I have learned with computers is you will never know everything, ever.
    If the crowd seems edgy just use the search and read through the older posts, there are thousands and quite a good source of info. You are usually not the first to ask a certain question. I do it all the time.



  • so in other words, everyone is saying. your feedback is stupid, you are dumb and get the hell off my forums.



  • @jbhowlesr:

    so in other words, everyone is saying. your feedback is stupid, you are dumb and get the hell off my forums.

    No not at all. Just meet half way. If your skill set is not in this field help us help you by doing your part with more research to help your understanding. I can understand your frustration, LOL once I took a Dlink router outside that was giving me problems and took a 10lb sledge to it. Felt better after.
    Experience has nothing to do with your intelligence as a person. Everyone has their skills.
    Just trying to help out.



  • It's not a stupid idea but I think you haven't thought through how the wizard would work and if it would actually make the rule creation easier. Come up with a real world example and post it here as simple and precise steps that could be turned into a wizard. You'll also have to explain why it makes the rule creation easier in the example case you're using. In my humble opinion there's no need for such a wizard because pfSense assumes a certain level of competence to use and that includes solid understanding of networking basics and if you understand those basics you won't need a wizard style hand holding to create firewall rules.



  • There is a very difficult issue that designing a product that works great for both entry level and professional level is extremely difficult to impossible. A product should focus on one or the other. Some ideas to make things easier will work, but many will not.

    Most ideas about making the product "easier" are really just "I don't want to have to know how anything works and I want pfSense to make some horrible assumptions on my behalf and leave me ignorant of the potential pitfalls of my decision". Most issues that the average person thinks should be easy are actually hard and you really need to weigh the pros and cons. Programming multithreaded code sounds easy to some, but I don't recommend making a wizard for it.

    For every person who points out "this other product has a simple check box to enable this feature", there is a forum for that product wondering why their network does odd things.

    There are actually a lot of Linux based firewalls that make things easy and have wizards, but they have the opposite complaints. They want more powerful features. It is a very hard problem to make something that caters to both crowds without alienating the others.



  • so in other words, everyone is saying. your feedback is stupid, you are dumb and get the hell off my forums.

    You're entitled and encouraged to offer feedback.  Others can either agree or disagree, with reasons.  That's how public discourse works.  If you can't handle differing opinions expressed civilly without feeling like you're under attack, well… I don't know what to tell you because nobody said your feedback was stupid nor did anyone ask you to leave.  My belief is that pfSense is aimed at professional environments under the control of professional network staff.  You have to know what you're doing or you're not going to get the desired results.  You can only simplify complex subjects so much.  Wizards just either get in the way or limit your options.