Feature #2716

Custom firewall rules

Added by Giacomo Sanchietti over 5 years ago. Updated over 5 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.5
NEEDINFO: No

Description

Allow creation of firewall rules to manage inter-zone traffic.

Rules are saved inside the fwrules database.

Each rule record has the following fields:
  • key: numeric id
  • Src: a defined object (host, host-group or zone) or a custom value (IP address or CIDR)
  • Dst: a defined object (host, host-group or zone) or a custom value (IP address or CIDR)
  • Action: ACCEPT, DROP or REJECT
  • Service: (optional) a service object
  • Log: none or info. Defaults to none
  • status: enabled or disabled. Defaults to enabled
  • Description: (optional)

Example:

1=rule
     Src=host;giacomo
     Dst=192.168.1.2
     Service=service;ssh
     Action=accept
     Log=none
     status=enabled

Create a rule:

db fwrules set 1 rule Src "host;myhost" Dst "host;myserver" Service ssh Action ACCEPT Log none status enabled

The web interface should allow the user to:
  • create/modify/delete rules
  • sort existing rules
  • enable/disable a rule
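As an added illustration (not code from nethserver-firewall-base, whose NethServer::Firewall library is written in Perl), a small Python validator for the record layout described above: it parses the `key=rule` / `Field=value` dump format, applies the stated defaults for Log and status, accepts object references (`host;name`, `host-group;name`, `zone;name`), bare IP or CIDR values and the `any` keyword from revision beaa795d, and forces Action to uppercase as revision a8a768e5 does. It checks syntax only; whether a referenced object actually exists is not verified, and the sample record is constructed from the ticket's example.

```python
import ipaddress

ACTIONS = {"ACCEPT", "DROP", "REJECT"}
ENDPOINT_TYPES = {"host", "host-group", "zone"}   # object types valid in Src/Dst
DEFAULTS = {"Log": "none", "status": "enabled"}   # defaults stated in the ticket

# Constructed sample in the ticket's dump layout; Log and status are omitted
# on purpose so that the defaults are exercised.
SAMPLE = """1=rule
     Src=host;giacomo
     Dst=192.168.1.2
     Service=service;ssh
     Action=accept
"""

def parse_record(text):
    """Turn 'key=rule' followed by indented 'Field=value' lines into a dict."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    key, _, rtype = lines[0].partition("=")
    if rtype != "rule":
        raise ValueError("not a rule record: %r" % lines[0])
    rec = {"key": int(key)}
    for line in lines[1:]:
        field, _, value = line.partition("=")
        rec[field] = value
    return rec

def check_endpoint(value):
    """Src/Dst: an object reference 'type;name', a bare IP, a CIDR or 'any'."""
    if value == "any":                       # keyword added in revision beaa795d
        return value
    if ";" in value:
        otype, _, name = value.partition(";")
        if otype not in ENDPOINT_TYPES or not name:
            raise ValueError("bad object reference: %s" % value)
        return value
    # A bare address is accepted as a /32 (or /128); a CIDR with host bits
    # set, e.g. 192.168.1.2/24, raises ValueError because strict is the default.
    ipaddress.ip_network(value)
    return value

def validate_rule(rec):
    """Apply the defaults and check every field; returns the normalised rule."""
    rule = {**DEFAULTS, **rec}               # record values override the defaults
    for field in ("Src", "Dst"):
        rule[field] = check_endpoint(rule[field])
    rule["Action"] = rule["Action"].upper()  # as revision a8a768e5 does
    if rule["Action"] not in ACTIONS:
        raise ValueError("bad Action: %s" % rule["Action"])
    if rule["Log"] not in ("none", "info") or rule["status"] not in ("enabled", "disabled"):
        raise ValueError("bad Log or status value")
    return rule
```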

Related issues

Related to NethServer 6 - Feature #2705: Firewall: support custom objects CLOSED
Related to NethServer 6 - Feature #2714: Firewall: select default policy CLOSED
Related to Nethgui - Feature #2764: CIDR block validator CLOSED
Related to NethServer 6 - Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base CLOSED
Related to NethServer 6 - Enhancement #2783: Firewall: beautify rules page CLOSED

Associated revisions

Revision 4bf11cf4
Added by Giacomo Sanchietti over 5 years ago

Libs: add Firewall lib. Refs #2716

Revision 6cb33fe1
Added by Giacomo Sanchietti over 5 years ago

template: add custom rules fragment for /etc/shorewall/rules. Refs #2716

Revision 87d5ee80
Added by Giacomo Sanchietti over 5 years ago

shorewall templates: add support for extra zones. Refs #2716

Revision 3a6589f8
Added by Giacomo Sanchietti over 5 years ago

Firewall library: truncate zone name to 5 chars. Refs #2716

Revision 8dae032e
Added by Giacomo Sanchietti over 5 years ago

Move NethServer::Firewall library to firewall-base package. Refs #2716

Revision 7587e14c
Added by Giacomo Sanchietti over 5 years ago

Move NethServer::Firewall library to firewall-base package. Refs #2716

Revision e3d5362a
Added by Giacomo Sanchietti over 5 years ago

Add NethServer::Firewall library (moved from base). Refs #2716

Revision 2f5d3620
Added by Giacomo Sanchietti over 5 years ago

Firewall.pm: fix bootproto value. Refs #2716

Revision 1e6e32e0
Added by Giacomo Sanchietti over 5 years ago

Firewall library: add tests. Refs #2716 #2705

Revision a8a768e5
Added by Giacomo Sanchietti over 5 years ago

rules: force action to uppercase. Refs #2716

Revision f87802ae
Added by Davide Principi over 5 years ago

FirewallRules completed workflow with on-the-fly objects creation. Refs #2716

Revision dd546be4
Added by Davide Principi over 5 years ago

FirewallObjects: don't signal event on create. Refs #2716

New objects are not used by firewall rules: firewall does not need to
be reconfigured.

Revision de122fc0
Added by Davide Principi over 5 years ago

FirewallObjects: move labels into one catalog. Refs #2716

To ease inclusion from FirewallRules.

Revision 20b77c40
Added by Davide Principi over 5 years ago

FirewallRules/Index: fixed empty rule set submission. Refs #2716

Revision 382018e8
Added by Giacomo Sanchietti over 5 years ago

libraries, templates: use new rule format. Refs #2716 #2740

Revision beaa795d
Added by Giacomo Sanchietti over 5 years ago

Firewall library: support 'any' keyword. Refs #2716

Revision bbf798be
Added by Davide Principi over 5 years ago

FirewallRules: fixed wiping out rules on edit case. Refs #2716

Revision 0210e22e
Added by Giacomo Sanchietti over 5 years ago

Firewall library: fix fwservices handling. Refs #2716

Revision 4b0b12ef
Added by Giacomo Sanchietti over 5 years ago

Template: fix rules output. Refs #2716

Revision 9ae58f58
Added by Davide Principi over 5 years ago

FirewallRules: POST on PickObject button click. Refs #2716

The POST causes the form state to be saved in session.

Revision 30381865
Added by Davide Principi over 5 years ago

FirewallRules: fixed creation of ghost records during create workflow. Refs #2716

Revision 878599ec
Added by Giacomo Sanchietti over 5 years ago

Web UI: add interface to zones. Refs #2705 #2716

Revision 62bf6314
Added by Giacomo Sanchietti over 5 years ago

Inline help: add firewall rules. Refs #2716

Revision 15142a9d
Added by Davide Principi over 5 years ago

Inline help: fixed RST formatting warnings. Refs #2716

Revision 9ba25cbf
Added by Davide Principi over 5 years ago

/etc/shorewall/rules: bump identifier on rule comment. Refs #2716

History

#1 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#3 Updated by Davide Principi over 5 years ago

  • Assignee set to Davide Principi

#4 Updated by Giacomo Sanchietti over 5 years ago

  • Description updated (diff)

#5 Updated by Davide Principi over 5 years ago

  • Subject changed from Feature: support custom rules to Custom firewall rules

#6 Updated by Davide Principi over 5 years ago

#7 Updated by Davide Principi over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

New UI module FirewallRules. Test the following workflows:
  • Creation
  • Sorting
  • Deletion
  • Edit
  • Apply changes
  • On the fly creation of firewall objects

#8 Updated by Giacomo Sanchietti over 5 years ago

  • Related to Enhancement #2771: Merge nethserver-shorewall and nethserver-firewall-base added

#9 Updated by Giacomo Sanchietti over 5 years ago

Merged on master.

#10 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
  • nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
  • nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already in testing)
  • nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
  • nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
  • nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm

#11 Updated by Giacomo Sanchietti over 5 years ago

#12 Updated by Giovanni Bezicheri over 5 years ago

  • Assignee set to Giovanni Bezicheri

#13 Updated by Giacomo Sanchietti over 5 years ago

Also remember to install:
  • nethserver-lib-2.0.3-2.0gitb1246a75.ns6

#14 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Giovanni Bezicheri)
  • % Done changed from 70 to 20

See verification on #2783

#15 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#16 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#17 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Verification must be done on #2705

#18 Updated by Davide Principi over 5 years ago

  • Assignee set to Davide Principi

#19 Updated by Davide Principi over 5 years ago

  • Assignee deleted (Davide Principi)

In nethserver-testing:
nethserver-firewall-base-1.1.0-127.0git49766190.ns6.noarch.rpm

#20 Updated by Filippo Carletti over 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

#21 Updated by Davide Principi over 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-base-2.3.0-1.ns6.noarch.rpm
