# Change Request — CR-YYYY-NNN

| Field            | Value |
|------------------|-------|
| **CR ID**        | CR-YYYY-NNN |
| **Requestor**    | |
| **Date submitted** | YYYY-MM-DD |
| **Target window** | YYYY-MM-DD HH:MM UTC |
| **Priority**     | Low / Medium / High |
| **Status**       | Draft / Approved / Implemented / Closed / Withdrawn |

---

## 1. Description

<!-- One paragraph. What rule is being added, modified, or removed, and why?
     Be specific: interface, direction, protocol, source, destination, port. -->

## 2. Scope

| Attribute       | Value |
|-----------------|-------|
| Interface(s)    | |
| Source          | |
| Destination     | |
| Protocol        | tcp / udp / icmp / any |
| Port(s)         | |
| Direction       | inbound / outbound / both |
| Action          | pass / block / log |

## 3. Justification

<!-- Business or operational reason. Reference incident report or ticket if applicable.
     If adding a rule, explain what breaks without it.
     If removing a rule, confirm the flow is no longer needed. -->

## 4. Rule diff

```pf
# BEFORE (paste current rule, or "n/a — new rule")


# AFTER
```

## 5. Risk assessment

| Question | Answer |
|----------|--------|
| If denied, what breaks? | |
| If permitted, what is the increased attack surface? | |
| Is the destination host/service hardened? | |
| Compensating controls | (e.g., Suricata rule, rate limit, logging) |

## 6. Test plan

1. Confirm the target flow passes after the change (specific source IP, destination, tool used — e.g., `nc`, `curl`, `ssh`).
2. Confirm adjacent flows that should remain blocked are still blocked.
3. Verify the new rule label appears in the pfSense firewall log within 2 minutes of applying the change.

## 7. Rollback plan

If the change causes unintended behaviour, revert within 5 minutes:

```pf
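# Rollback: remove or revert the rule below
# pfSense GUI: Firewall → Rules → [interface] → delete/revert rule CR-YYYY-NNN
# CLI (pfctl cannot load config.xml; restore the backup, then regenerate and reload the ruleset):
#   cp /cf/conf/backup/config-YYYY-MM-DD-HHMM-pre-CRYYYYNNN.xml /cf/conf/config.xml
#   rm /tmp/config.cache && /etc/rc.filter_configure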
```

Configuration backup location: `/cf/conf/backup/config-YYYY-MM-DD-HHMM-pre-CRYYYYNNN.xml`

## 8. Verification checklist

- [ ] Rule tested in maintenance window
- [ ] Label confirmed present in firewall log (`/var/log/filter.log`)
- [ ] No unexpected flows opened (checked via `pfctl -s state | grep <source-ip>`)
- [ ] Suricata alert rate checked post-change (no new signatures triggered)
- [ ] Ruleset backed up before and after
- [ ] CR marked closed in this document

**Implemented by:** ___  
**Verified by:** ___  
**Closed date:** YYYY-MM-DD
