Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
As firewall rulesets grow more intricate, it becomes harder to tell which rule a given packet will actually hit. A simulator would help here: the user describes a packet (source, destination, interface and protocol), runs it against the current rules, and the output reports which rule(s) were triggered. In the past, I was involved in developing a similar feature for a Third Brigade product as an internal UX designer.
Describe the solution you'd like
A GUI tab alongside the firewall rules where the user enters a source IP address and port, a destination IP address and port, and a protocol. The tab then shows which rule(s) the simulated packet triggers, distinguishing the first (effective) match from the full list of rules that also match further down the ruleset. The result would be similar to how Unbound lets users test whether a URL triggers a policy. Ideally the page would also link to the matching rule(s) for users whose ACLs grant access to them.
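To make the requested behaviour concrete, here is a small added example (not OPNsense code and not the author's) of a packet-vs-ruleset simulator. It assumes pf-style evaluation, which OPNsense compiles its rules into: the first matching rule flagged "quick" decides the packet, otherwise the last matching rule wins. The ruleset, rule labels and packets are constructed for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    label: str
    action: str               # "pass" or "block"
    iface: str                # interface the rule is bound to, or "any"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # source CIDR or "any"
    src_port: Optional[int]   # None matches any port
    dst: str
    dst_port: Optional[int]
    quick: bool = True        # pf "quick": first matching quick rule ends evaluation

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]

def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface) and rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src) and rule.src_port in (None, pkt.src_port)
            and _net_match(rule.dst, pkt.dst) and rule.dst_port in (None, pkt.dst_port))

def simulate(rules: list, pkt: Packet) -> tuple:
    """Return (effective rule, every matching rule): first quick match decides, else last match."""
    matches = [r for r in rules if rule_matches(r, pkt)]
    effective = None
    for r in matches:
        effective = r
        if r.quick:
            break
    return effective, matches

# Constructed sample ruleset in evaluation order (not a real OPNsense configuration).
RULES = [
    Rule("block private sources on WAN", "block", "wan", "any", "10.0.0.0/8", None, "any", None),
    Rule("allow LAN to DMZ web", "pass", "lan", "tcp", "192.168.1.0/24", None, "10.10.0.5/32", 443),
    Rule("allow LAN to any", "pass", "lan", "any", "192.168.1.0/24", None, "any", None),
    Rule("default deny", "block", "any", "any", "any", None, "any", None, quick=False),
]
```

Running `simulate(RULES, Packet("lan", "tcp", "192.168.1.20", 51000, "10.10.0.5", 443))` reports "allow LAN to DMZ web" as the effective rule while also listing the two later rules the packet would have matched, which is exactly the first-match versus all-matches view the tab should expose.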
Describe alternatives you considered
- Firewall → Automation → Filter → Inspect (view the rules as applied)
- Diagnostics → pfctl (or view /tmp/rules.debug) to see the compiled PF ruleset and its ordering
Additional context
The aim is to make it easier to spot problems in how a ruleset matches traffic by simulating flows against it instead of waiting for real packets to reveal them.