WebAdmin: Display of Auto Packet Filter Rules
The "Automatic packet filter rule" checkboxes in DNAT/SNAT and VPN are a nice option, but are not often used by "old school" admins, because they like to see their packet filter rules displayed in WebAdmin and sort them as they like, so they do not use this option and instead create their rules manually.
It would be nice if, on the packet filter page in WebAdmin, an "Advanced view" button or something similar were shown, which would also display the implicit rules created by the "Automatic packet filter rule" option.
Show the rules as "readonly" rules which cannot be edited.
More optimal requirement:
The rules themselves are readonly, but at least the comment field and group field can be edited.
If the rules can be displayed AND completely edited.
Add a button under Network Security: Firewall that allows the administrator to view (read only) automatically created rules, i.e. those rules created by ticking the "Automatic firewall rule" box under new NAT rule definitions. That way admins can verify those rules actually exist and are operational.
I think that packets that pass through Astaro because of automatic packet filter rules (i.e. in VPN SSL) should be logged. Today I noticed this service listed in the top 10 services:
TCP , 2928, "REDSTONE-CPSS", 687.661 connections,358.4 MB
And I don't know WHY; I only see in the reports that these 358 MB are OUTBOUND! Because I don't allow packets to pass through this port, the only reason is the auto packet filter in VPN SSL, which is enabled.
Request for integrated and easier configuration of the security policy for all network layers. The packet filter uses rules in which we can easily implement company security policy at layer 3 of the network stack. Unfortunately, proxy services (application layer) are not integrated into the packet filter and thus it is very difficult to configure them to function in accordance with the rules implemented by the packet filter. If you want to configure multiple networks in Astaro, you must have this feature. You can read more at http://www.astaro.org/astaro-gateway-products/general-discussion-feature-requests/25371-when-we-can-easily-implement-security-policies-astaro.html
This feature has been released as part of UTM 9.1. Rules which are created as a result of selecting “auto firewall rule” in various configuration options (like NAT) can have their view toggled from the main firewall rules page. Enjoy!
Will we also be able to see the triggered (automatic packet filter) rule number in the livelog after implementing this? That would be really good for troubleshooting!
That is good news, I like it :)
I'd like to extend this issue because the same issue applies if you activate features such as SSL scanning, which obviously generates an SNAT rule in the USR_POST chain, as I had to learn the hard way. There is nothing wrong with checking rules on the console, but it certainly does not fit the GUI concept that ASG is all about.
Thus: ALL active rules should be visible in the GUI, and having those automatically or implicitly generated rules displayed read-only is a brilliant idea in my opinion, while having them editable may cause trouble when interfering with subordinate requirements connected with the feature whose activation actually generated the respective rule, and is therefore possibly NOT that good an idea...
Yes please this would be great to have!
Absolutely essential and on my personal "wishlist" for ages!!!
Gert Hansen commented
The missing rule sorting by number is a bug which we will fix in the next Up2Date.
Andrew S. commented
In addition, I'd request the simple ability to sort the packet filter rules by the rule number. That is not currently an option and it's amazingly frustrating.
It could be implemented as an option. If you like it, turn the display of auto-generated packet filter rules on; if not, leave it off. Everyone wins. It would also help to not always show them, only when debugging.
Might as well add a menu to Tools called Debugging, implementing multiple switchboxes for other questions like this.
I think it's easier for most admins when they see the Auto Packet Filter Rules. At least that is the feedback I get.
Sindbad Sailor commented
Just use the CLI
iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle
iptables -L -nv -t ips
(here come the AUTO PF)
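Reading several tables of `iptables -L -nv` output by eye is tedious when you are only looking for the one rule that lets a port through. As an added example (written for this page, not part of the thread and not Astaro's own tooling), here is a Python script that takes `iptables-save` text, numbers every rule per chain across all tables, and lists the rules that reference a given port or that live in chains other than the ones an admin manages explicitly. The ruleset embedded in it is constructed: the chain names (apart from USR_POST, which a comment above mentions), addresses and the 2928 port rule are illustrative, and `load_live_ruleset` is a hypothetical helper for feeding in real `iptables-save` output as root.

```python
"""Enumerate every rule in an iptables ruleset, including the chains that a
firewall GUI page does not list (NAT chains, helper chains), and number the
rules per chain the way `iptables -L --line-numbers` does, so an implicit
rule can be matched against a port seen in a report or a log line.

Input is `iptables-save` text. The ruleset below is constructed for this
example; the chain names and addresses are not taken from any real system.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample ruleset: one explicit chain (USR_FORWARD) and two chains
# that stand in for rules a feature switch generated behind the admin's back.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:USR_FORWARD - [0:0]
:AUTO_FORWARD - [0:0]
-A FORWARD -j USR_FORWARD
-A FORWARD -j AUTO_FORWARD
-A USR_FORWARD -s 10.0.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A AUTO_FORWARD -s 10.242.2.0/24 -p tcp -m tcp --dport 2928 -j ACCEPT
-A AUTO_FORWARD -d 10.0.1.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:USR_POST - [0:0]
-A POSTROUTING -j USR_POST
-A USR_POST -s 10.0.1.0/24 -p tcp -m tcp --dport 443 -j SNAT --to-source 192.0.2.1
COMMIT
"""

# Chains iptables creates itself; every other chain was added by someone or something.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    number: int   # 1-based position within its chain, as `iptables -L --line-numbers` shows it
    spec: str     # the match/target part after "-A CHAIN"


def parse_iptables_save(text: str) -> list[Rule]:
    """Turn iptables-save output into a flat list of numbered rules."""
    rules: list[Rule] = []
    table = None
    counters: dict[tuple[str, str], int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter" opens a table
            table = line[1:]
            continue
        if line == "COMMIT":              # closes the current table
            table = None
            continue
        m = re.match(r"-A\s+(\S+)\s*(.*)$", line)
        if m and table is not None:
            chain, spec = m.group(1), m.group(2)
            counters[(table, chain)] = counters.get((table, chain), 0) + 1
            rules.append(Rule(table, chain, counters[(table, chain)], spec))
    return rules


def rules_for_port(rules: list[Rule], port: int) -> list[Rule]:
    """Every rule, in any table, whose match references the given port (single or multiport)."""
    pat = re.compile(rf"--(?:dport|sport|dports|sports)\s+[\d,:]*\b{port}\b[\d,:]*")
    return [r for r in rules if pat.search(r.spec)]


def rules_outside(rules: list[Rule], explicit_chains: set[str]) -> list[Rule]:
    """Rules in chains other than the built-ins and the chains the admin manages explicitly."""
    return [r for r in rules if r.chain not in BUILTIN_CHAINS and r.chain not in explicit_chains]


def load_live_ruleset() -> list[Rule]:
    """Hypothetical helper: read the running ruleset with iptables-save (needs root)."""
    out = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    return parse_iptables_save(out)


if __name__ == "__main__":
    rs = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    print("rules matching port 2928:")
    for r in rules_for_port(rs, 2928):
        print(f"  {r.table}/{r.chain} #{r.number}: {r.spec}")
    print("rules outside the explicit chains:")
    for r in rules_outside(rs, {"USR_FORWARD"}):
        print(f"  {r.table}/{r.chain} #{r.number}: {r.spec}")
```

Run against the live ruleset, the second listing is a quick inventory of everything the firewall page does not show, and the per-chain numbers are what you would compare against a rule number in a log line.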
I hate it when I create a rule to do something specific, only to find out I have been defeated by an automatic/implied rule that I can't see. Then you can spend quite a while trying to figure it all out.
Sebastian Eichinger commented
In my opinion it would also be great if these rules could be audited and viewed.
Bob Alfson commented
I agree, William, but we are usually only interested in an implied packet filter rule when we're looking at a DNAT/SNAT, VPN or proxy. It would help debugging to have a place to see the implied rules along with the explicit ones, even if that is only in the configuration report coming in V8.
This is an important feature.
William Warren commented
There's an easy way to defeat this: don't use auto-generated rules.
I would also like to see rules that get auto-generated via the various GUI sections of the ASG, e.g. when configuring SMTP, clicking the "allow pings" checkbox, etc.
Oxiel Contreras commented
Indeed, a livelog showing DNAT/SNAT is very much needed. Every time we have to debug traffic, we have to recreate the DNAT/SNAT rules in the PF and disable the originals in order to watch the livelog; after the changes are done, the complete reverse process. A lot of work.......
Afdeling Systeembeheer commented
It would also be nice if the livelog option were available with DNAT/SNAT.
Bob Alfson commented
To illustrate: if you have a "large-ish" organization with multiple subnets behind an Astaro, it is easy to manage unproxied traffic between them with traffic selectors in packet filter, NAT and routing rules.
The same is not true in the proxies. The NAT and routing rules in a proxy all apply to all traffic regardless of subnet source, and these rules are applied before any explicit PF, NAT or routes are considered.