Feature #2705
Firewall: support custom objects
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
Firewall should implement a simple way to describe reusable objects.
Firewall module uses these system objects:
- Host
- Group of hosts
- Zone
- Service
A host is an already defined entry inside the hosts db, or a new key of type host:
name=host IpAddress=IP Description=
A host-group is a group of hosts inside the hosts db. A host-group db entry can be something like:
name=host-group Members=host1,host2
A zone represents a network zone which can be associated with an interface or a set of IP addresses. A zone entry in the networks database can be something like:
name=zone Network=CIDR Interface=ethX
A configured network interface is automatically a zone.
A service can have a protocol and one or more ports. A service entry in the fwservices database can be something like:
name=fwservice Protocol=TCP/UDP/TCPUDP/ICMP Ports=port/port range
Related issues
Associated revisions
Web interface: first implementation of firewall objects. Refs #2705
Events: add firewall-objects-modify event. Refs #2705
Web interface: ad controller for firewall objects. Refs #2705
Web UI: zones can contain only CIDR network. Refs #2705
.spec.in: fixed dependency name. Refs #2705
Firewall library: use fwservices. Refs #2705
Firewall library: support interface objects. Refs #2705
Firewall library: fix zone detection. Refs #2705
Web UI: add firewall objects validators. Refs #2705
FirewallRules UI implementation. Refs #2705
- Based on CollectionController.
Firewall objects: remove support for MAC address. Refs #2705
Web UI: change validator for host objects. Refs #2705
Templates: expand custom zones. Refs #2705
Web UI: add Zone module. Refs #2705
Web UI: fix inline creation of host-group. Refs #2705
Web UI: add CSS for disabled rules. Refs #2705
Inline help: add firewall objects. Refs #2705
FirewallObjects/Services: Removed ESP protocol support. Refs #2705
Removed ESP, ICMP, GRE protocols support. Refs #2705
completes commit:6f85adb
FirewallObjects/Zones: use Modify class for "delete" case. Refs #2705
FirewallObjects: show Description column in tabular view. Refs #2705
FirewallObjects, FirewallRules: strict name checks for Hosts and Host Groups objects. Refs #2705
FirewallObjects, FirewallRules: fixed translation labels. Refs #2705
FirewallRules/CreateHostGroup: enforce strict members key check. Refs #2705
FirewallObjects/Services: mark Ports field as NON-EMPTY. Refs #2705
FirewallObjects/Services: use Modify class for "delete" case. Refs #2705
FirewallObjects: run event as a detached task. Refs #2705
FirewallObjects: check if object exists on validate(). Refs #2705
Firewall.pm (getZone): sanitize IP list syntax. Refs #2705
FirewallObjects/Hosts: validate host-group Members prop consistency. Refs #2705
History
#1 Updated by Giacomo Sanchietti over 7 years ago
- Target version set to ~FUTURE
#2 Updated by Giacomo Sanchietti over 7 years ago
- Description updated (diff)
#3 Updated by Giacomo Sanchietti over 7 years ago
- Description updated (diff)
#4 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#5 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Target version changed from ~FUTURE to v6.5
- % Done changed from 20 to 30
#6 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Giacomo Sanchietti
#7 Updated by Giacomo Sanchietti over 7 years ago
- Subject changed from Firewall: support new objects to Firewall: support custom objects
#8 Updated by Giacomo Sanchietti over 7 years ago
- Description updated (diff)
#9 Updated by Giacomo Sanchietti over 7 years ago
- Description updated (diff)
#10 Updated by Giacomo Sanchietti over 7 years ago
- Assignee deleted (Giacomo Sanchietti)
Web interface lacks for validators.
#11 Updated by Giacomo Sanchietti about 7 years ago
- Assignee set to Giacomo Sanchietti
#12 Updated by Giacomo Sanchietti about 7 years ago
- Description updated (diff)
#13 Updated by Giacomo Sanchietti about 7 years ago
- Description updated (diff)
#14 Updated by Giacomo Sanchietti about 7 years ago
- Assignee deleted (Giacomo Sanchietti)
#15 Updated by Davide Principi about 7 years ago
- Related to Feature #2764: CIDR block validator added
#16 Updated by Giacomo Sanchietti about 7 years ago
- Related to Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base added
#17 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#18 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
- nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
- nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
- nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already on testing)
- nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
- nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
- nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm
#19 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
- no interface associated: the interface is necessary to compile the /etc/shorewall/hosts file
- custom zones are not expanded in the /etc/shorewall/zones file
Make sure to add the network interface selection even in the object picker from firewall rules.
#20 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
#21 Updated by Giacomo Sanchietti about 7 years ago
Other notes from QA of #2783
Bugs discovered:
- when creating a zone as origin or destination of a rule, the zone is not written to the shorewall configuration files after the apply changes button was pressed,
- the green net is reported as "loc" in the shorewall configuration files but "loc" is not defined,
- it is not clear whether a rule is enabled or not in the rule list view,
- it is not possible to dynamically add members of a hosts group when setting the options about origin and destination of a rule.
#22 Updated by Giacomo Sanchietti about 7 years ago
- Assignee set to Giacomo Sanchietti
#23 Updated by Giacomo Sanchietti about 7 years ago
- Description updated (diff)
#24 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-1.1.0-78.0gitc7fa3c22.ns6.noarch.rpm
- nethserver-lsm
- nethserver-lib
- nethserver-base
- nethserver-nethgui
Test case
Test the following workflows:
- Creation
- Sorting
- Deletion
- Edit
- Apply changes
- On the fly creation of firewall objects
#25 Updated by Davide Principi about 7 years ago
- Assignee set to Davide Principi
#26 Updated by Davide Principi about 7 years ago
Tested Firewall Rules
Case 1
Firewall Rules > Create rule at bottom
- Set Source, created new host OTF
- Set description and LOG
- Saved, Edit again
- Set Destination, created new host-group and zone OTF
- Set Service, created new service OTF
Missing label Services_CreateService_label
- Save, APPLY CHANGES:
Event firewall-adjust SUCCESS
OK, missing label
Case 2
Firewall Rules > Edit existing rules
- Changed Source/Destination
- Changed description
- Changed LOG
OK
Case 3
Firewall Rules > Delete rule
OK, rule dropped
Notes
- capital letters are not allowed on fwobjects keys (?)
- Module header is "Firewall rules [beta]": time to remove [beta]??
- Missing labels Host_key_exists_message, @Services_CreateService_label
- The rules index view shows the label "all" instead of "Any"
#27 Updated by Davide Principi about 7 years ago
Tested Firewall objects
Case 1 FAILED
Edit host-group members
Inconsistent validation of Members field in host-groups tab
Upper case letters are not allowed in member key.
Case 2 FAILED
Edit host, to change IP address
Inconsistent validation of host key in hosts tab:
If host was created OTF with upper-case letter, validation fails.
Case 3 OK
Edit service record, to change service port
Case 4 OK
Edit zone record, to change network address or interface
Case 5 FAILED
Delete host object, referenced by an existing rule.
Shorewall restart silently fails; in messages:
Restarting shorewall: ERROR: Unknown destination zone (tcp) /etc/shorewall/rules (line 77)
In /etc/shorewall/rules (with line numbers):
73 #
74 # RULE role;green -> host;Birro
75 #
76 ?COMMENT SMTP to g1
77 DROP:none loc tcp 12135
                        ^ missing destination field
Case 6 FAILED
Delete zone object, referenced by an existing rule
Shorewall restart silently fails; in messages:
Restarting shorewall: ERROR: Unknown source zone (neth) /etc/shorewall/rules (line 83)
Case 7 OK but..
Delete service object, referenced by existing rule.
Shorewall restart is OK, but the rule is not outputted at all in /etc/shorewall/rules:
Is it the expected behaviour?
#28 Updated by Davide Principi about 7 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 20
#29 Updated by Davide Principi about 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#30 Updated by Davide Principi about 7 years ago
- Related to Enhancement #2835: Firewall rules: preserve references to other DB records added
#31 Updated by Davide Principi about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test again, paying particular attention to previously FAILED test cases.
A separate enhancement #2835 was opened, to address issues with DB references.
#32 Updated by Davide Principi about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-firewall-base-1.1.0-127.0git49766190.ns6.noarch.rpm
#33 Updated by Filippo Carletti about 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
Updated:
nethserver-firewall-base.noarch 0:1.1.0-127.0git49766190.ns6
One remaining issue:
deleting a host from a two-host group leaves invalid rules syntax like ",ip_of_remaining_host".
#34 Updated by Davide Principi about 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#35 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Deleting a host object which is a member of a host-group is now forbidden.
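As an added illustration of the object model from the description and of the reference problems reported in #27 (Cases 5 and 6), #33 and #35 above (example code in Python, not NethServer's own Perl/PHP implementation): the record layout, the `<type>;<name>` reference form and the rendered rule fields are assumptions made for the example.

```python
# Added example, not NethServer's own code: a minimal model of the firewall
# objects described in this issue, plus the reference checks the QA rounds
# found missing (dangling references after delete, ",ip" after member removal).
# Constructed sample records: hosts db (host, host-group), networks db (zone), fwservices db.
HOSTS = {"mail1": {"type": "host", "IpAddress": "192.168.1.10"},
         "mail2": {"type": "host", "IpAddress": "192.168.1.11"},
         "mailers": {"type": "host-group", "Members": "mail1,mail2"}}
ZONES = {"dmz": {"type": "zone", "Network": "10.0.0.0/24", "Interface": "eth2"}}
FWSERVICES = {"smtp": {"type": "fwservice", "Protocol": "tcp", "Ports": "25"}}
# Rules reference objects as "<type>;<name>" (assumed layout, modelled on the "role;green -> host;Birro" comment above).
RULES = [{"Action": "ACCEPT", "Src": "zone;dmz", "Dst": "host-group;mailers",
          "Service": "fwservice;smtp"}]

def members(rec):
    """Split a Members prop, dropping empty items left behind by a removed member."""
    return [m for m in rec.get("Members", "").split(",") if m]

def references_to(kind, name):
    """List the rules and host-groups that still point at an object."""
    ref, refs = f"{kind};{name}", []
    refs += [f"rule#{i}" for i, r in enumerate(RULES)
             if ref in (r["Src"], r["Dst"], r["Service"])]
    if kind == "host":
        refs += [f"host-group;{g}" for g, rec in HOSTS.items()
                 if rec["type"] == "host-group" and name in members(rec)]
    return refs

def can_delete(kind, name):
    """Deletion is refused while anything still references the object (#35)."""
    return references_to(kind, name) == []

def resolve(ref):
    """Expand a reference to an address field for the rules file; None if it dangles."""
    kind, name = ref.split(";", 1)
    rec = {"host": HOSTS, "host-group": HOSTS, "zone": ZONES}.get(kind, {}).get(name)
    if rec is None or rec["type"] != kind:
        return None
    if kind in ("host", "zone"):
        return rec["IpAddress"] if kind == "host" else name
    ips = [resolve(f"host;{m}") for m in members(rec)]
    return ",".join(ips) if ips and None not in ips else None

def rule_line(rule):
    """Render one rules line, or raise instead of emitting a line with a missing field."""
    src, dst = resolve(rule["Src"]), resolve(rule["Dst"])
    svc = FWSERVICES.get(rule["Service"].split(";", 1)[1])
    if src is None or dst is None or svc is None:
        raise ValueError(f"dangling reference in rule {rule}")
    return "\t".join([rule["Action"], src, dst, svc["Protocol"], svc["Ports"]])
```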
#36 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-firewall-base-1.1.0-129.0git324e5493.ns6.noarch.rpm
#37 Updated by Filippo Carletti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Deleting a host which is a member of a group resulted in a shorewall error.
Updated to nethserver-firewall-base-1.1.0-130.0git21b4db71.ns6.noarch.rpm, did the same operation and the resulting shorewall/rules syntax was correct.
No errors reported.
#38 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-base-2.3.0-1.ns6.noarch.rpm