WebAdmin: Display of Auto Packet Filter Rules
The "Automatic packet filter rule" checkboxes in DNAT/SNAT and VPN are a nice option, but are not often used by "old school" admins, because they like to see their packet filter rules displayed in WebAdmin and sort them as they like, so they do not use this option and instead manually create their rules.
It would be nice if, on the packet filter page in WebAdmin, an "Advanced view" button or something similar were shown, which would also display the implicit rules created by the "Automatic packet filter rule" option.
Minimum requirement:
Show the rules as "read-only" rules which cannot be edited.
More optimal requirement:
The rules themselves are read-only, but at least the comment field and group field can be edited.
Optimal requirement:
The rules can be displayed AND completely edited.
This feature has been released as part of UTM 9.1. Rules which are created as a result of selecting “auto firewall rule” in various configuration options (like NAT) can have their view toggled from the main firewall rules page. Enjoy!
21 comments
-
ehofstede
commented
Will we also be able to see the triggered (automatic packet filter) rule number in the livelog after implementing this? That would be really good for troubleshooting!
-
Alphavil
commented
That is good news, I like it :)
-
xorxy
commented
I'd like to extend this issue, because the same issue applies if you activate features such as SSL scanning, which obviously generates a SNAT rule in the USR_POST chain, as I had to learn the hard way. There is nothing wrong with checking rules on the console, but it certainly does not fit the GUI concept that ASG is all about.
Thus: ALL active rules should be visible in the GUI, and having those automatically or implicitly generated rules displayed read-only is a brilliant idea in my opinion, while having them editable may cause trouble when interfering with subordinate requirements connected with the feature whose activation actually generated the respective rule, and therefore is possibly NOT that much of a good idea...
-
Anonymous
commented
Yes please this would be great to have!
-
Raggamax
commented
Absolutely essential and on my personal "wishlist" for ages!!!
-
Gert Hansen
commented
Hi Andrew,
the missing rule sorting by number is a bug which we will fix in the next up2date.
Regards
Gert
-
Andrew S.
commented
In addition, I'd request the simple ability to sort the packet filter rules by the rule number. That is not currently an option and it's amazingly frustrating.
-
Patrick
commented
It could be implemented as an option. If you like it, turn display of auto-generated packet filters on; if not, leave it off. Everyone wins. Would also help to not always show them, only when debugging.
Might as well add a menu to Tools called Debugging, implementing multiple switchboxes for other questions like this.
-
Alphavil
commented
I think it's easier for most admins when they see the Auto Packet Filter Rules. At least I get that feedback.
-
Sindbad Sailor
commented
Just use the CLI
iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle
iptables -L -nv -t ips
iptables-save (here come the AUTO PF)
:AUTO_FORWARD
:AUTO_INPUT
:AUTO_OUTPUT
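The CLI approach above can be scripted so the implicit rules are listed next to the hand-written ones. The following is an added example, not code from the thread or from Astaro/Sophos; it works on a constructed iptables-save dump and assumes the AUTO_* and USR_* chain names mentioned in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Astaro/Sophos): extract the rules that the
# "automatic packet filter rule" option places in the AUTO_* chains from iptables-save
# output. SAMPLE_SAVE is a constructed dump; on a real UTM use "$(iptables-save)" instead.

SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*filter
:FORWARD DROP [0:0]
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:USR_FORWARD - [0:0]
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A AUTO_FORWARD -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A AUTO_INPUT -p esp -j ACCEPT
-A USR_FORWARD -s 10.0.0.0/8 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:USR_POST - [0:0]
-A POSTROUTING -j USR_POST
-A USR_POST -s 10.0.0.0/8 -o eth1 -j SNAT --to-source 203.0.113.5
COMMIT'

# chain_rules DUMP TABLE PREFIX -> every "-A <chain> ..." line in TABLE whose chain name
# starts with PREFIX, prefixed with the table name, in the order iptables evaluates them
chain_rules() {
    printf '%s\n' "$1" | awk -v want="$2" -v prefix="$3" '
        /^\*/ { table = substr($0, 2); next }
        $1 == "-A" && table == want && index($2, prefix) == 1 { print table, $0 }
    '
}

# auto_rules DUMP -> the implicit rules this thread asks WebAdmin to display
auto_rules() { chain_rules "$1" filter AUTO_; }

# jump_targets DUMP TABLE CHAIN -> jump targets of CHAIN in evaluation order; shows that
# AUTO_FORWARD is consulted before USR_FORWARD, so an implied rule can pre-empt a manual one
jump_targets() {
    printf '%s\n' "$1" | awk -v want="$2" -v chain="$3" '
        /^\*/ { table = substr($0, 2); next }
        $1 == "-A" && table == want && $2 == chain {
            for (i = 3; i <= NF; i++) if ($i == "-j") out = out (out ? " " : "") $(i + 1)
        }
        END { print out }
    '
}

echo "Implicit (AUTO_*) rules:"; auto_rules "$SAMPLE_SAVE"
echo "FORWARD chain order:"; jump_targets "$SAMPLE_SAVE" filter FORWARD
```
-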
sjohnston@harrisonpensa.com
commented
I hate it when I create a rule to do something specific only to find out I have been defeated by an automatic/implied rule that I can't see. Then you can spend quite a while trying to figure it all out.
-
Sebastian Eichinger
commented
In my opinion it would also be great if these rules could be audited and viewed.
-
Bob Alfson
commented
I agree, William, but we usually only are interested in an implied packet filter rule when we're looking at a DNAT/SNAT, VPN or proxy. It would help debugging to have a place to see the implied rules along with the explicit ones, even if that is only in the configuration report coming in V8.
-
Craig
commented
-
wingman
commented
This is an important feature.
-
William Warren
commented
There's an easy way to defeat this: don't use autogenerated rules.
-
ehart
commented
I would also like to see rules that get auto-generated via the various GUI sections of the ASG, e.g. when configuring SMTP, clicking the allow pings check box, etc.
-
Oxiel Contreras
commented
Indeed, livelog showing DNAT/SNAT is very much needed. Every time we have to debug traffic, we have to recreate the DNAT/SNAT rules in PF and disable the originals in order to watch livelog, and after the changes are done, the complete reverse process. A lot of work...
-
Afdeling Systeembeheer
commented
It would also be nice if the livelog option were available with DNAT/SNAT.
-
Bob Alfson
commented
To illustrate. If you have a "large-ish" organization with multiple subnets behind an Astaro, it is easy to manage unproxied traffic between them with traffic selectors in packet filter, NAT and Routing rules.
The same is not true in the proxies. The NAT and Routing rules in a proxy all apply to all traffic regardless of subnet source, and these rules are applied before any explicit PF, NAT or routes are considered.