UniFi zone-based rules .... what irks me

Many years ago I had a UniFi gateway and switched it out for pfSense, and then I used OPNsense, probably for over 5 years now. Most of what I did and learnt was based on videos from Tom. Following Tom's video about zone-based firewalls, and seeing that some other issues around DNS are now resolved, I have made the switch back to UniFi. But it keeps me up at night …

I'm curious if these pet peeves are shared …

  1. I still much prefer a system where no rules means nothing is happening: implicit block, if you like. It should all be red. If I want to allow all, I should have to add that rule.

  2. If there must be a default rule, I should at least be allowed to change this to block all. I mean this just upsets me:

What should be one rule is now 5. I'll grant you 2 if you include the default block rule.

  3. I have a default rule to block (not my choice) but I want to allow all. Instead of being a nice obvious green it says "2 policies". The same is true the other way round, when I expect it to be red.

  4. Similarly for this, where I have default block but allow return traffic: it shows "2 policies" instead of that nice blue colour …

  5. I don't understand this. Block should mean that, so why do I need a "block invalid"? What function is this rule having? Otherwise this would be a nice blue "allow return traffic".

  6. If there is a default block-all rule and I add an "allow return traffic" rule, the UI doesn't recognise this; it says "2 policies" instead of being blue. This seems to be an issue whether it is a custom or system rule, in some cases.

  7. Please, please make profiles easier to manage. Why not use the info already in UniFi, or at least let me add a custom name? I can't remember what IPs are when I come back to these things.

None of these are major issues; they just take the shine off for me. I would be so much happier replacing pfSense with UniFi, and knowing that the UI is all nice and it's blocked unless I say so would help me sleep at night :joy:

That said, I do feel it has come a very long way since I first used it. VPNs, DNS, etc. just work for me now.


I just configured a relatively simple firewall for my home with this, having seen a couple of videos from Tom and another guy whose YouTube handle is Ethernet Blueprint or something like that.

  1. is obvious from a sysadmin/security point of view; however, the UniFi line is kind of rooted in power home users for whom your average TP-Link or Linksys is too restrictive, but who don't actually fully understand how packets flow through a gateway/firewall. The default rules can be seen as plug-and-play for your average user (that is, you can still buy a UCG-Ultra and pretend it is a TP-Link, plug everything in, see it working and then start fiddling with stuff).
  2. I'm with you.
  3. through 6. You're completely right. This is a GUI problem that should be addressed… the rule parser that generates the table should be made smarter in order to detect this stuff. As of now, all the RED/GREEN/BLUE boxes are from default non-modified rules. I hope that a future UniFi Network version will have a smart rule parser that automatically turns red all boxes where "drop all" is the first rule (maybe adding some marking in order to see that it is modified from the default).

As for 7., it'd be nice if on that field you could (optionally) navigate the networks you defined (obviously, there must be some kind of free-form input, since you can add external networks and addresses here).
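A sketch of the "smarter rule parser" the reply asks for, covering the original post's points 3 to 6, as an added example that is neither UniFi's code nor anything posted in this thread: it evaluates an ordered zone-pair policy list first-match per connection-tracking state, reports rules that can never match, and reduces the list to the single label a tile could show instead of "N policies". The Rule fields, the rule names and the three traffic classes (new, established/related, invalid) are my simplification of what a zone-pair policy table contains.

```python
from dataclasses import dataclass

# Traffic classes a zone-pair summary has to account for (assumed simplification):
# "new" = connection-opening packets, "established" = established/related return
# traffic, "invalid" = packets the connection tracker cannot attribute to a flow.
STATES = ("new", "established", "invalid")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "block"
    state: str = "any"      # "any" or one of STATES
    selector: str = "any"   # "any" = catch-all; anything else = narrower match (port, IP group, ...)
    system: bool = False    # True for a gateway-supplied default rule

    def covers(self, state: str) -> bool:
        return self.state in ("any", state)


def verdict_per_state(rules):
    """First-match evaluation of an ordered policy list, per conntrack state.
    Only catch-all rules decide a state; returns state -> (action, rule name) or None."""
    verdicts = {}
    for state in STATES:
        verdicts[state] = None
        for r in rules:
            if r.selector == "any" and r.covers(state):
                verdicts[state] = (r.action, r.name)
                break
    return verdicts


def shadowed_rules(rules):
    """Names of rules that can never match because earlier catch-all rules
    already decided every state they cover (e.g. an allow placed after a block-all)."""
    decided, dead = set(), []
    for r in rules:
        states = STATES if r.state == "any" else (r.state,)
        if all(s in decided for s in states):
            dead.append(r.name)
        elif r.selector == "any":
            decided.update(states)
    return dead


def summarize(rules):
    """The one label a zone-pair tile could show for this ordered policy list."""
    dead = set(shadowed_rules(rules))
    live = [r for r in rules if r.name not in dead]
    if any(r.selector != "any" for r in live):
        return f"{len(rules)} policies"      # verdict depends on more than state
    v = verdict_per_state(live)
    if any(x is None for x in v.values()):
        return f"{len(rules)} policies"      # some state is not decided at all
    act = {s: v[s][0] for s in STATES}
    if all(a == "block" for a in act.values()):
        return "block all"
    if all(a == "allow" for a in act.values()):
        return "allow all"
    if act == {"new": "block", "established": "allow", "invalid": "block"}:
        return "allow return traffic"
    return f"{len(rules)} policies"


# Constructed sample policies (names are illustrative, not UniFi's).
DEFAULT_BLOCK = Rule("Default block", "block", system=True)
BLOCK_INVALID = Rule("Block invalid", "block", state="invalid", system=True)
ALLOW_RETURN = Rule("Allow return traffic", "allow", state="established")
ALLOW_ALL = Rule("Allow all", "allow")
BLOCK_SSH = Rule("Block SSH from guest", "block", selector="tcp/22")

CASES = {
    "custom allow-all over default block": [ALLOW_ALL, DEFAULT_BLOCK],
    "allow return over default block": [ALLOW_RETURN, DEFAULT_BLOCK],
    "system invalid + return + block": [BLOCK_INVALID, ALLOW_RETURN, DEFAULT_BLOCK],
    "port rule mixed in": [BLOCK_SSH, ALLOW_ALL, DEFAULT_BLOCK],
    "allow placed after the block-all": [DEFAULT_BLOCK, ALLOW_RETURN],
}

if __name__ == "__main__":
    for label, rules in CASES.items():
        print(f"{label:40} -> {summarize(rules):22} shadowed={shadowed_rules(rules)}")
```

Running it prints "allow all", "allow return traffic", "allow return traffic", "3 policies" and "block all" for the five cases, with the second and last cases flagging the rule that never matches. The last case is the one worth building a check for: with first-match semantics, an "allow return traffic" added below a block-all default is dead, and the tile should say "block all" rather than "2 policies". The same model also shows what an explicit "block invalid" placed first buys in a first-match firewall: a later rule that allows a port with state "any" would otherwise accept invalid packets as well, which a trailing block-all never sees.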