Feature #2705

Firewall: support custom objects

Added by Giacomo Sanchietti over 5 years ago. Updated about 5 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: nethserver-firewall-base
Target version: v6.5
Start date:
Due date:
% Done: 100%
Resolution:
NEEDINFO: No

Description

Firewall should implement a simple way to describe reusable objects.

Firewall module uses these system objects:
  • Host
  • Group of host
  • Zone
  • Service

A host is an already defined entry inside the hosts db, or a new key of type host:

    name=host
        IpAddress=IP
        Description=

A host-group is a group of hosts inside the hosts db. A host-group db entry can be something like:

    name=host-group
        Members=host1,host2

A zone represents a network zone which can be associated to an interface or a set of IP addresses. A zone entry in the networks database can be something like:

    name=zone
        Network=CIDR
        Interface=ethX

A configured network interface is automatically a zone.

A service can have a protocol and one or more ports. A service entry in fwservices database can be something like:

    name=fwservice
        Protocol=TCP/UDP/TCPUDP/ICMP
        Ports=port/port range
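The object model above, as an added example that is not NethServer's own code: constructed sample records stand in for the hosts, networks and fwservices databases, a rule references objects with the "type;name" syntax seen in the generated rules comments, and the resolver skips dangling references and refuses to expand a group to ",ip", which are the two failure modes the QA comments on this issue report. Zone ids, CIDRs and the rule layout are assumptions for illustration.

```python
import ipaddress
# Constructed sample records standing in for the hosts, networks and fwservices
# databases described above; keys and values are illustrative, not a real dump.
HOSTS_DB = {
    "mail": {"type": "host", "IpAddress": "10.0.0.10"},
    "web": {"type": "host", "IpAddress": "10.0.0.20"},
    "srv": {"type": "host-group", "Members": "mail,web"},
}
NETWORKS_DB = {"green": "192.168.1.0/24", "dmz": "10.0.0.0/24"}  # zone -> CIDR (assumed)
SERVICES_DB = {"smtp": {"Protocol": "TCP", "Ports": "25"}}
# Rules use the "type;name" reference syntax seen in the generated rules comments.
RULES = [{"Src": "role;green", "Dst": "host;mail", "Service": "fwservice;smtp", "Action": "drop"}]

def expand_hosts(name, hosts=HOSTS_DB):
    """IPs for a host or host-group; dangling members are skipped (never ",ip")."""
    rec = hosts.get(name)
    if rec is None:
        return []
    if rec["type"] == "host":
        return [rec["IpAddress"]]
    return [ip for m in rec["Members"].split(",") for ip in expand_hosts(m, hosts)]

def zone_of(ip, networks=NETWORKS_DB):
    """Zone detection: the zone whose CIDR contains the address, else None."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, c in networks.items() if addr in ipaddress.ip_network(c)), None)

def render_side(ref, hosts=HOSTS_DB, networks=NETWORKS_DB):
    """'role;green' -> zone; 'host;x' / 'host-group;x' -> 'zone:ip,ip'; None if dangling."""
    kind, name = ref.split(";", 1)
    if kind == "role":
        return name if name in networks else None
    ips = expand_hosts(name, hosts)
    zone = zone_of(ips[0], networks) if ips else None
    return f"{zone}:{','.join(ips)}" if zone else None

def render_rule(rule, hosts=HOSTS_DB, networks=NETWORKS_DB, services=SERVICES_DB):
    """Shorewall rules line, or None for a dangling reference (skip, never a missing field)."""
    src = render_side(rule["Src"], hosts, networks)
    dst = render_side(rule["Dst"], hosts, networks)
    svc = services.get(rule["Service"].split(";", 1)[1])
    if src is None or dst is None or svc is None:
        return None
    return f"{rule['Action'].upper()}\t{src}\t{dst}\t{svc['Protocol'].lower()}\t{svc['Ports']}"

def referenced_by(name, hosts=HOSTS_DB, rules=RULES):
    """Host-groups and rules still referencing a host; non-empty means refuse the delete."""
    groups = [g for g, r in hosts.items() if r["type"] == "host-group" and name in r["Members"].split(",")]
    return groups + [f"rule:{i}" for i, r in enumerate(rules) if any(s.endswith(";" + name) for s in (r["Src"], r["Dst"]))]
```

Calling referenced_by before a delete is the guard adopted later in this issue; render_rule returning None is the safe answer to the "rule not output at all" question in the QA notes.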


Related issues

Related to NethServer 6 - Feature #2716: Custom firewall rules CLOSED
Related to Nethgui - Feature #2764: CIDR block validator CLOSED
Related to NethServer 6 - Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base CLOSED
Related to NethServer 6 - Enhancement #2835: Firewall rules: preserve references to other DB records CLOSED

Associated revisions

Revision d723409a
Added by Giacomo Sanchietti over 5 years ago

Web interface: first implementation of firewall objects. Refs #2705

Revision 5c0a3235
Added by Giacomo Sanchietti over 5 years ago

Events: add firewall-objects-modify event. Refs #2705

Revision eeec08b8
Added by Giacomo Sanchietti over 5 years ago

Web interface: add controller for firewall objects. Refs #2705

Revision 5f65f498
Added by Giacomo Sanchietti over 5 years ago

Web UI: zones can contain only CIDR network. Refs #2705

Revision 7d2c912c
Added by Davide Principi over 5 years ago

.spec.in: fixed dependency name. Refs #2705

Revision 1e6e32e0
Added by Giacomo Sanchietti over 5 years ago

Firewall library: add tests. Refs #2716 #2705

Revision dbaa0019
Added by Giacomo Sanchietti over 5 years ago

Firewall library: use fwservices. Refs #2705

Revision 67f76a58
Added by Giacomo Sanchietti over 5 years ago

Firewall library: support interface objects. Refs #2705

Revision d218d59d
Added by Giacomo Sanchietti over 5 years ago

Firewall library: fix zone detection. Refs #2705

Revision 08bb326d
Added by Giacomo Sanchietti over 5 years ago

Web UI: add firewall objects validators. Refs #2705

Revision 6a5b6e5b
Added by Davide Principi over 5 years ago

FirewallRules UI implementation. Refs #2705

- Based on CollectionController.

Revision 67ac1559
Added by Giacomo Sanchietti over 5 years ago

Firewall objects: remove support for MAC address. Refs #2705

Revision 8e4bab08
Added by Giacomo Sanchietti over 5 years ago

Web UI: change validator for host objects. Refs #2705

Revision 878599ec
Added by Giacomo Sanchietti over 5 years ago

Web UI: add interface to zones. Refs #2705 #2716

Revision 2b69c561
Added by Giacomo Sanchietti over 5 years ago

Templates: expand custom zones. Refs #2705

Revision 009bc40d
Added by Giacomo Sanchietti over 5 years ago

Web UI: add Zone module. Refs #2705

Revision 35a850d3
Added by Giacomo Sanchietti over 5 years ago

Web UI: fix inline creation of host-group. Refs #2705

Revision c7fa3c22
Added by Giacomo Sanchietti over 5 years ago

Web UI: add CSS for disabled rules. Refs #2705

Revision 94bf3038
Added by Giacomo Sanchietti over 5 years ago

Inline help: add firewall objects. Refs #2705

Revision 6f85adb5
Added by Davide Principi over 5 years ago

FirewallObjects/Services: Removed ESP protocol support. Refs #2705

Revision 60f1df33
Added by Davide Principi over 5 years ago

Removed ESP, ICMP, GRE protocols support. Refs #2705

completes commit:6f85adb

Revision 65c631bd
Added by Davide Principi about 5 years ago

FirewallObjects/Zones: use Modify class for "delete" case. Refs #2705

Revision 19b698ee
Added by Davide Principi about 5 years ago

FirewallObjects: show Description column in tabular view. Refs #2705

Revision c0f19e47
Added by Davide Principi about 5 years ago

FirewallObjects, FirewallRules: strict name checks for Hosts and Host Groups objects. Refs #2705

Revision c28bc671
Added by Davide Principi about 5 years ago

FirewallObjects, FirewallRules: fixed translation labels. Refs #2705

Revision 8c8b95fc
Added by Davide Principi about 5 years ago

FirewallRules/CreateHostGroup: enforce strict members key check. Refs #2705

Revision 58de44c5
Added by Davide Principi about 5 years ago

FirewallObjects/Services: mark Ports field as NON-EMPTY. Refs #2705

Revision 989ba763
Added by Davide Principi about 5 years ago

FirewallObjects/Services: use Modify class for "delete" case. Refs #2705

Revision 11f4a4bc
Added by Davide Principi about 5 years ago

FirewallObjects: run event as a detached task. Refs #2705

Revision 4a0c68a0
Added by Davide Principi about 5 years ago

FirewallObjects: check if object exists on validate(). Refs #2705

Revision 74f4db66
Added by Davide Principi about 5 years ago

Firewall.pm (getZone): sanitize IP list syntax. Refs #2705

Revision 324e5493
Added by Davide Principi about 5 years ago

FirewallObjects/Hosts: validate host-group Members prop consistency. Refs #2705

History

#1 Updated by Giacomo Sanchietti over 5 years ago

  • Target version set to ~FUTURE

#2 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#3 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#4 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#5 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Target version changed from ~FUTURE to v6.5
  • % Done changed from 20 to 30

#6 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Subject changed from Firewall: support new objects to Firewall: support custom objects

#8 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#9 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#10 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Giacomo Sanchietti)

Web interface lacks validators.

#11 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#12 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#13 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#14 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Giacomo Sanchietti)

#15 Updated by Davide Principi over 5 years ago

#16 Updated by Giacomo Sanchietti over 5 years ago

  • Related to Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base added

#17 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#18 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
  • nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
  • nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already in testing)
  • nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
  • nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
  • nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm

#19 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20
Zones have the following problems:
  • no interface associated: the interface is necessary to compile /etc/shorewall/hosts file
  • custom zones are not expanded in /etc/shorewall/zones file

Make sure to add the network interface selection even in object picker from firewall rules.

#20 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

#21 Updated by Giacomo Sanchietti over 5 years ago

Other notes from QA of #2783

Bugs discovered:
  • when creating a zone as origin or destination of a rule, the zone is not written to the shorewall configuration files after the Apply changes button is pressed,
  • the green net is reported as "loc" in the shorewall configuration files but "loc" is not defined.
Some notes:
  • it is not clear whether a rule is enabled or not in the rule list view,
  • it is not possible to dynamically add members of a hosts group when setting the options about origin and destination of a rule.

#22 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#23 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#24 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-1.1.0-78.0gitc7fa3c22.ns6.noarch.rpm
Make sure to update following packages from testing:
  • nethserver-lsm
  • nethserver-lib
  • nethserver-base
  • nethserver-nethgui

Test case

Test the following workflows:
  • Creation
  • Sorting
  • Deletion
  • Edit
  • Apply changes
  • On the fly creation of firewall objects

#25 Updated by Davide Principi about 5 years ago

  • Assignee set to Davide Principi

#26 Updated by Davide Principi about 5 years ago

Tested Firewall Rules

Case 1

Firewall Rules > Create rule at bottom

  • Set Source, created new host OTF
  • Set description and LOG
  • Saved, Edit again
  • Set Destination, created new host-group and zone OTF
  • Set Service, created new service OTF
    Missing label Services_CreateService_label
  • Save, APPLY CHANGES:
    Event firewall-adjust SUCCESS

OK, missing label

Case 2

Firewall Rules > Edit existing rules

  • Changed Source/Destination
  • Changed description
  • Changed LOG

OK

Case 3

Firewall Rules > Delete rule

OK, rule dropped

Notes

  • capital letters are not allowed on fwobjects keys (?)
  • Module header is "Firewall rules [beta]": time to remove [beta]??
  • Missing labels Host_key_exists_message, @Services_CreateService_label
  • The rules index view shows the label "all" instead of "Any"

#27 Updated by Davide Principi about 5 years ago

Tested Firewall objects

Case 1 FAILED
Edit host-group members

Inconsistent validation of Members field in host-groups tab
Upper case letters are not allowed in member key.

Case 2 FAILED
Edit host, to change IP address

Inconsistent validation of host key in hosts tab:
If host was created OTF with upper-case letter, validation fails.

Case 3 OK
Edit service record, to change service port

Case 4 OK
Edit zone record, to change network address or interface

Case 5 FAILED
Delete host object, referenced by an existing rule.

Shorewall restart silently fails; in messages:

Restarting shorewall:    ERROR: Unknown destination zone (tcp) /etc/shorewall/rules (line 77)

In /etc/shorewall/rules (with line numbers):

    73    #
    74    # RULE role;green -> host;Birro 
    75    #
    76    ?COMMENT SMTP to g1
    77    DROP:none    loc        tcp    12135
--------------------------------^ missing destination field

Case 6 FAILED
Delete zone object, referenced by an existing rule

Shorewall restart silently fails; in messages:

Restarting shorewall:    ERROR: Unknown source zone (neth) /etc/shorewall/rules (line 83)

Case 7 OK but..
Delete service object, referenced by existing rule.

Shorewall restart is OK, but the rule is not output at all in /etc/shorewall/rules:
Is it the expected behaviour?

#28 Updated by Davide Principi about 5 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 20

#29 Updated by Davide Principi about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#30 Updated by Davide Principi about 5 years ago

  • Related to Enhancement #2835: Firewall rules: preserve references to other DB records added

#31 Updated by Davide Principi about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test again, paying particular attention to previously FAILED test cases.

A separate enhancement #2835 was opened, to address issues with DB references.

#32 Updated by Davide Principi about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-firewall-base-1.1.0-127.0git49766190.ns6.noarch.rpm

#33 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

Updated:
nethserver-firewall-base.noarch 0:1.1.0-127.0git49766190.ns6

One remaining issue:
deleting a host from a two-host group leaves an invalid rules syntax like ",ip_of_remaining_host".

#34 Updated by Davide Principi about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#35 Updated by Davide Principi about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Deleting a host object which is a member of a host-group is now forbidden.

#36 Updated by Davide Principi about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-firewall-base-1.1.0-129.0git324e5493.ns6.noarch.rpm

#37 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Deleting a host which is a member of a group resulted in a shorewall error.
Updated to nethserver-firewall-base-1.1.0-130.0git21b4db71.ns6.noarch.rpm, did the same operation and the resulting shorewall/rules syntax was correct.
No errors reported.

#38 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-base-2.3.0-1.ns6.noarch.rpm
