opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

[Feature Request] Web GUI option to disable auto firewall rules from /usr/local/etc/inc/filter* #7783

Open tunloop opened 2 months ago

tunloop commented 2 months ago

Is your feature request related to a problem? Please describe.

Currently, there are many automatically generated firewall rules for things like IPv6 ICMPv6, DHCP, CARP, local outbound, anti-lockout, and state violation traffic.

Some of these rules can be turned off by their respective services, like DHCPv6; other rules, like ICMPv6, cannot be removed/modified in the GUI without turning off IPv6 as a whole (for an extremely niche example, the ICMPv6 auto rules could be too open because ULAs, in practice, could take over the functions of a link-local address).

I completely agree that these auto rules are very useful and in many cases required. I do NOT think the default behaviour of creating these rules should change; this existing behaviour of creating these rules should stay in place.

However... OPNsense is a platform for power users and enthusiasts, an open source firewall that allows the user to really customize their network. To that end, I think it is counter to this philosophy not to include a way to easily (from the web GUI) disable the more stubborn automatic firewall rules.

Going into filter.lib.inc and commenting out lines of PHP script and reloading the firewall rules is not a very good way of permanently making these changes. This file is not a config file, and might very well get blown away on an update.

Describe the solution you'd like

A simple check/multiple checks buried under Firewall -> Settings -> Advanced (or elsewhere in a settings menu) with a pop-up dialog asking for confirmation and explaining the risks.

This would be an excellent way of maintaining out-of-the-box basic functionality and allowing power users to break it all and make the rules themselves. You could even hide it under an advanced toggle on the page if necessary.

I would think this is a fairly easy change (I'm no professional developer) in the code base, based on how easy it is to disable in the backend with terminal access, but making it official in the GUI not only allows for proper persistence through major upgrades but also easy backup and restore of the setting through the main config.

Describe alternatives you considered

As mentioned above, the current way of getting rid of these automatic rules is to edit /usr/local/etc/inc/filter.lib.inc and comment out the corresponding lines of the auto rules you wish to delete, then go into the web GUI and force an interface reload to eliminate the rules from pf.

Not a great solution for the reasons mentioned above.

Additional context

There was discussion on this subject here https://github.com/opnsense/core/issues/7127 but not much came out of that ticket. And there was a request to make rules before the auto rules here https://github.com/opnsense/core/issues/6502.

But despite those conversations, I still think an open platform like OPNsense should have the ability somewhere in the GUI to disable the stubborn auto rules.

I would like to reiterate, I am not asking to eliminate this automatic functionality, but just to allow the user to choose. Integration in the GUI is the proper way to give the user a choice. Modifying backend PHP scripts is not giving the user a choice; it is the user making the choice available by force.

Thank you for your time and consideration of this feature request.

korgano commented 4 days ago

This would solve my current issue (#8012), so I'm bumping this to urge the devs to prioritize this feature as critical functionality.