It appears that some of the automatic aliases offered via the GUI when
creating firewall rules can be misleading or incorrect under certain
circumstances.
For example:
If I create an OpenVPN server (say, a remote access type), and assign it
to an interface called, say, VPN_BYOD, I'll see (as expected) aliases
called VPN_BYOD_net and VPN_BYOD_address. However, in this example, the
alias does not actually correspond to the interface's true subnet.
Since I'm being offered an alias for VPN_BYOD in the GUI, I'd expect it
to be correct, and expect it to correspond to the tunnel subnet
configured per OpenVPN server. It doesn't, and this is perhaps
unsurprising considering that the alias values are probably generated
by the values explicitly assigned to the interface (static/DHCP
subnet/address) rather than divining them via the underlying service.
In my example, OpenVPN is indeed assigned to an interface, but the 'tab'
configuration is set to 'None' (even though the subnet is configured
elsewhere). This may therefore be expected behavior.
However, it seems like it would be much better behavior for the GUI to
(simply) NOT show a subnet alias if the subnet cannot be determined
(for example, if the interface subnet is explicitly set to 'None').
This would avoid the situation where someone creates a firewall rule for
that subnet, only to realize that the source is undefined, or totally
wrong. In my case, I had to shell out, and interrogate PF directly to
determine that the alias was incorrect. That seems like bad default
behavior to me. Any opinions on this?
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
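The check the poster ended up doing by hand (comparing what an interface's `_net` alias can actually resolve to against the OpenVPN server's tunnel network) can be scripted against an exported configuration. The following is an added example, not code from the post or from the pfSense project. The XML it parses is a constructed, simplified approximation of a pfSense config.xml: the element names (`<interfaces>`, `<if>`, `<descr>`, `<ipaddr>`, `<subnet>`, `<openvpn-server>`, `<vpnid>`, `<tunnel_network>`), the `ovpnsN` device naming and the `<descr>_net` alias naming are assumptions taken from the post and from common pfSense usage, and the sample addresses are made up.

```python
"""Cross-check interface `_net` aliases against OpenVPN tunnel subnets.

Added example; not pfSense project code. The XML layout below is a
constructed approximation of a pfSense config.xml (element names and the
`ovpnsN` device naming are assumptions), embedded inline so the script runs
offline. It flags every interface bound to an OpenVPN server instance whose
own IPv4 configuration is 'None', i.e. the case from the post where the GUI
still offers a <NAME>_net alias that cannot be resolved from the interface
itself, and reports the tunnel subnet a rule author would have expected.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real export).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan>
      <if>igb1</if>
      <descr>LAN</descr>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
    </lan>
    <opt1>
      <if>ovpns1</if>
      <descr>VPN_BYOD</descr>
      <ipaddr>none</ipaddr>
    </opt1>
    <opt2>
      <if>ovpns2</if>
      <descr>VPN_SITE</descr>
      <ipaddr>10.99.0.1</ipaddr>
      <subnet>24</subnet>
    </opt2>
  </interfaces>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <description>BYOD remote access</description>
      <tunnel_network>10.8.0.0/24</tunnel_network>
    </openvpn-server>
    <openvpn-server>
      <vpnid>2</vpnid>
      <description>Site to site</description>
      <tunnel_network>10.99.0.0/24</tunnel_network>
    </openvpn-server>
  </openvpn>
</pfsense>
"""


def tunnel_networks(root):
    """Map each OpenVPN server's vpnid to its configured tunnel network."""
    nets = {}
    for srv in root.iterfind("./openvpn/openvpn-server"):
        vpnid = srv.findtext("vpnid")
        tn = srv.findtext("tunnel_network")
        if vpnid and tn:
            nets[vpnid.strip()] = ipaddress.ip_network(tn.strip(), strict=False)
    return nets


def interface_net(iface):
    """Subnet the interface itself defines, or None if it is 'None'/DHCP."""
    ipaddr = (iface.findtext("ipaddr") or "none").strip().lower()
    prefix = iface.findtext("subnet")
    if ipaddr in ("", "none") or prefix is None:
        return None
    try:
        return ipaddress.ip_network(f"{ipaddr}/{prefix.strip()}", strict=False)
    except ValueError:
        return None  # e.g. 'dhcp': not resolvable from the static config


def audit_aliases(config_xml):
    """One finding per interface bound to an ovpnsN device.

    status is UNRESOLVABLE when the interface defines no subnet (the alias
    would be empty or wrong), MISMATCH when it defines one that differs
    from the tunnel network, and OK otherwise.
    """
    root = ET.fromstring(config_xml)
    tunnels = tunnel_networks(root)
    findings = []
    for iface in root.find("interfaces"):
        dev = (iface.findtext("if") or "").strip()
        m = re.fullmatch(r"ovpns(\d+)", dev)
        if not m:
            continue
        descr = (iface.findtext("descr") or iface.tag).strip()
        own = interface_net(iface)
        expected = tunnels.get(m.group(1))
        if own is None:
            status = "UNRESOLVABLE"
        elif expected is not None and own != expected:
            status = "MISMATCH"
        else:
            status = "OK"
        findings.append({
            "alias": f"{descr}_net",
            "device": dev,
            "interface_net": str(own) if own else None,
            "tunnel_net": str(expected) if expected else None,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in audit_aliases(SAMPLE_CONFIG):
        print(f"{f['alias']:<16} {f['device']:<8} interface={f['interface_net']} "
              f"tunnel={f['tunnel_net']} -> {f['status']}")
```

Run against a real export by replacing `SAMPLE_CONFIG` with the file contents; any `UNRESOLVABLE` row is an alias that a firewall rule should not rely on, and the `tunnel_net` column gives the subnet to put in an explicit alias instead.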