Firewall: manage egress rules per interface #3594
Comments
So for a LAN rule you have a dropdown for outgoing interface and rule logic is still inbound? Outbound should be multi select for multi wan setups. Just a quick thought

@mimugmail no, this is just about the Specifically, these will become available in per interface rules:

I would like to see in/out, but not any for the same policy routing fail reason. People won't understand this worst case.

This issue is based on the wishes from wowas in IRC, correct?

no, one of our clients. For traceability I made sure there's an issue to refer in future commits.

* unlock quick and direction on regular interface rules
* only support in/out for direction on interfaces (not any)
* when using policy based routing on interfaces, validate for [in] usage. Although technically you can specify out policy rules, we choose not to support this at the moment to avoid confusion.
* make sure "quick" setting respects previous defaults (unset on floating -> unchecked, unset on interface -> checked)

Since quick is already properly applied in the plugin code (https://github.com/opnsense/core/blob/eeae08415038e80285c100c5e4c425830adc40b3/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php#L171-L174), we shouldn't need additional logic for writing out the rules.
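
The checks and defaults listed in the commit message above, modelled as an added example that is not OPNsense's own code. The field names (`floating`, `quick`, `direction`, `gateway`), the interface names, the gateway name `WAN2_GW` and the simplified rule head are assumptions made for illustration.

```php
<?php
// Added illustration of the rules in the commit message above; field names,
// messages and the rendered rule head are assumptions, not OPNsense code.

/** Apply the "quick" default: unset on floating -> off, unset on interface -> on. */
function applyQuickDefault(array $rule): array
{
    if (!isset($rule['quick'])) {
        $rule['quick'] = empty($rule['floating']);
    }
    return $rule;
}

/** Return validation errors; an empty array means the rule is accepted. */
function validateRule(array $rule): array
{
    $errors = [];
    $floating = !empty($rule['floating']);
    // Interface rules accept in/out only; "any" stays a floating-only choice.
    $allowed = $floating ? ['in', 'out', 'any'] : ['in', 'out'];
    if (!in_array($rule['direction'], $allowed, true)) {
        $errors[] = "direction '{$rule['direction']}' is not valid for this rule type";
    }
    // Policy based routing (a gateway) on an interface rule must use direction in.
    if (!$floating && !empty($rule['gateway']) && $rule['direction'] !== 'in') {
        $errors[] = 'policy based routing on an interface rule requires direction in';
    }
    return $errors;
}

/** Simplified pf rule head (no addresses, ports or route-to). */
function renderHead(array $rule): string
{
    $direction = $rule['direction'] === 'any' ? [] : [$rule['direction']];
    $quick = $rule['quick'] ? ['quick'] : [];
    return implode(' ', array_merge([$rule['action']], $direction, $quick, ['on ' . $rule['interface']]));
}

// Constructed sample rules.
$samples = [
    ['action' => 'pass', 'interface' => 'em2', 'direction' => 'out'],
    ['action' => 'pass', 'interface' => 'em0', 'direction' => 'out', 'gateway' => 'WAN2_GW'],
    ['action' => 'block', 'interface' => 'em0', 'direction' => 'any'],
    ['action' => 'pass', 'interface' => 'em0', 'direction' => 'any', 'floating' => true],
];
foreach ($samples as $sample) {
    $rule = applyQuickDefault($sample);
    $errors = validateRule($rule);
    echo $errors ? 'rejected: ' . implode('; ', $errors) : 'accepted: ' . renderHead($rule), PHP_EOL;
}
```

In pf, a matching rule without `quick` does not stop evaluation and the last matching rule decides, so the two defaults give the same rule text different effective precedence.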

note to self: missed a rule in our overview while debugging this (f8d5c01)

… in Floating section (slightly related to #3594)


Currently the direction of the traffic can only be chosen in floating rules, but in some scenarios it's much easier to create outbound rules (only inbound is supported now).
When using a lot of interfaces, which should all be allowed to access devices on one specific interface, this would save quite some rules and is easier to track for the administrator.
This FR should add direction as an option and, while already changing these pages, also allow creating "non quick" rules on interfaces.
Functionally the "regular" rules would be more aligned with the "floating" rules as we have now, with the exception that you can't add multiple interfaces in a normal rule due to the inability to reorder a single rule in multiple rulesets (rules are positional).
Considerations while adding this:
Test current status (including relevant commits in master) on 19.7.1: