View ALL Rules #1306

Closed
sachaz opened this issue Dec 16, 2016 · 5 comments
Labels
feature Adding new functionality

@sachaz

sachaz commented Dec 16, 2016

An important feature is to see ALL the rules in PF.
Maybe the auto generated stuff could have a special flag.

@AdSchellevis
Member

We are changing the way automatic rules are created (the old code was quite unstructured), but this is a long-term operation to keep things operational in the meantime; the first parts will be in 17.1.
Although there probably will always be some rules in the firewall, which are either hard-coded or coming from other services using anchors.

If you want to see the internals, you will have to use pfctl on the command line; it's not very likely that we're going to parse those back to the UI in a structured way (maybe as a diagnostics page like pfinfo, although people who understand this content usually don't mind running pfctl from the command line).

@sachaz
Author

sachaz commented Dec 17, 2016

Your work on auto-generated rules is very cool, but as you know, automation should not always be required. Sure, pfctl can show all the rules, and I was expecting this answer :)
But: an advanced mode would be very useful to view AND manage these automated rules and give the user full control of his firewall.

@AdSchellevis
Member

Thanks, it's a long way still, but when all rules are "plugged-in" we probably can disable parts in an advanced mode....
The original idea was to always sync all rules back to the config, but given the legacy already in there this turned out to be nearly impossible to keep in sync.

I don't mind having some automatic rules, as long as it's very obvious where they came from... it's a journey to a proper implementation, including api access eventually.
There probably will be some advanced mode at some point in time, we just have to be very careful in the steps we take ;)

Let's keep this issue open for reference.

@fichtner
Member

FWIW, the new rules format makes it possible to render the previously "hidden" rules in the GUI, so that's a big plus on our way to 17.7 to increase visibility for a kind of "show all rules" diagnostics page. But as long as we have hardcoded rules, that effort shouldn't be started.

@AdSchellevis AdSchellevis self-assigned this Oct 15, 2017
@fichtner fichtner added this to the Future milestone Dec 20, 2017
@fichtner fichtner added feature Adding new functionality help wanted Contributor missing / timeout labels Dec 20, 2017
@fichtner fichtner removed this from the Future milestone Jul 30, 2018
@AdSchellevis
Member

done as part of #3312

@AdSchellevis AdSchellevis removed the help wanted Contributor missing / timeout label Mar 19, 2019
@fichtner fichtner added this to the 19.7 milestone Mar 19, 2019