Filtering firewall rules description and Tracking ID

[s0p4LiN]

Hello @a3ilson

I have one question/idea about the firewall rules, last year I opened an issue but that was not an issue.

1. 35-rules-desc.conf

Can we change the behaviour to lookup for firewall rules UUID (tracker ID) instead of rules ruleset (Rule Number) ?

pfsense doc raw filter

--> I noticed the rule tacking number is random and not associated to a specific rule but associated to different rules depending of how is read the rules.
The rule UUID is associated to one specific rules and is never associated to another rule.

I tried to to modify your pfctl command, in order to extract rule descriptions with associated uuid number of the rule (and not tracking number) but I did not succeeded

Original command:
pfctl -vv -sr | grep label | sed -r 's/@([[:digit:]]+).*(label "|label "USER_RULE: )(.*)".*/"\1","\3"/g' | sort -V -u | awk 'NR==1{$0="\"Rule\",\"Label\""RS$0}7'

It will look like this for the rule-names.csv file

"Rule","Label"
"0","null"
"1618910855","Allow VPN Clients requests DNS"
"1625066523","Allow Ping"
"1619510752","All VPN - Access to ZCentral"
"1620657014","All VPN - Access to NoMachine"
"1621236230","All VPN - Access to Inventory"
"1621495694","All VPN - Access to Gitlab"
"1622187269","All VPN - Access to WIKI"
"1623249511","VPN 01 - Allow access to VNC"
"1623683682","VPN 06 - Allow access to SMB"
"1623684779","VPN 06 - Allow GPO and AD ports"
"1624014322","VPN 06 - Allow Ranchers"

If you have some time, it will simplify everything and will not false the logs in ELK.

Thank you !!

[a3ilson]

@n4rkip0d - I agree!

@ShagoY was the creator of these scripts...hopefully he can update. It's on my list but it'll have to wait until I have more time.

https://github.com/orgs/pfelk/projects/3/views/1

[s0p4LiN]

If you could do same for pfSense, it would be awesome ! (I use pfSense at work)

[a3ilson]

Issue #347

Slowly getting around to troubleshooting this one.

[s0p4LiN]

do you have any updates on this ? thanks !

[s0p4LiN]

Hello @a3ilson

I talked with a colleague and he is a regex expert and find the right regex to list all UUID rules (tracking ID) instead of the ruleset.

Here's:

pfctl -vv -sr | grep label | sed -r 's/@([[:digit:]]+).*(label "|label "USER_RULE: )(.*)" ridentifier ([[:digit:]]+)/"\4","\3"/g' | sort -t ' ' -k 1,1 -u

[a3ilson]

Thanks @s0p4LiN

I haven't had much time with this project for the past year or so due to work/training. Feel free to submit a PR, if not it's also related to issue #347 and I'll eventually get around to it. I've also seen lots of progress within the Elastic Stack integrations but this is one of those items in which it does not support.

Thanks again for your contribution and apologize for the delay with this project.