Feature #2740

Firewall: rules to divert traffic via specific provider

Added by Giacomo Sanchietti almost 6 years ago. Updated over 5 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.5
NEEDINFO: No

Description

In a multi-ISP scenario it is a common need to route certain traffic using a specific provider.

The firewall should be able to manage mangle rules. A rule can be something like this inside the tc database:

1=rule
    Src=host;myhost
    Dst=0.0.0.0/0
    Service=service;ssh
    Provider=provider;myadsl
    status=enabled
    Description=

Where:
  • key: numeric id
  • Src: can be a host, an IP or CIDR
  • Dst: can be a host, an IP or CIDR
  • Provider: provider name to use for this kind of traffic
  • Service: (optional) can be a service object
  • status: can be enabled or disabled. Default is enabled
  • Description: (optional)
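
As an added illustration of the rule format above (example code written for this page, not NethServer's own Perl implementation): a small Python parser for `db tc show`-style records that resolves the `host;`, `service;` and `provider;` references and renders the shorewall tcrules lines the description asks for. The HOSTS, SERVICES and PROVIDER_MARKS lookups are assumed stand-ins for the real hosts, services and providers databases; the `MARK:P SOURCE DEST PROTO DPORT` column layout follows the tcrules output shown in comment #9 of this issue.

```python
from ipaddress import ip_network

# Constructed sample records in the `db tc show` key=value format used by
# the issue (one follows the description, one the verified rule from #9).
SAMPLE_TC_DB = """\
1=rule
    Src=host;myhost
    Dst=0.0.0.0/0
    Service=service;ssh
    Provider=provider;myadsl
    status=enabled
    Description=
5=rule
    Description=Force Nagios over fweb
    Dst=0.0.0.0/0
    Position=5
    Provider=provider;fweb
    Service=5666
    Src=192.168.5.0/24
    status=enabled
"""

# Hypothetical lookups standing in for the hosts, services and providers
# databases (names and values are assumptions, not NethServer data).
HOSTS = {"myhost": "192.168.1.10"}
SERVICES = {"ssh": {"tcp": [22]}}
PROVIDER_MARKS = {"myadsl": "0x20000", "fweb": "0x10000"}


def parse_tc_db(text):
    """Parse `key=type` records followed by indented Prop=value lines."""
    rules, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # record header: key=type
            key, rtype = line.split("=", 1)
            current = {"type": rtype, "props": {}}
            rules[key] = current
        else:                                     # property line: Prop=value
            prop, value = line.strip().split("=", 1)
            current["props"][prop] = value
    return rules


def resolve_endpoint(value):
    """Src/Dst is a `host;name` object, a bare IP or a CIDR; the latter two
    are validated with ipaddress so a typo cannot end up in the firewall."""
    if value.startswith("host;"):
        return HOSTS[value.split(";", 1)[1]]
    net = ip_network(value, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def resolve_service(value):
    """Service is a `service;name` object or, as in comment #9, a bare port;
    a bare port is emitted for both udp and tcp, matching the verified output."""
    if value.startswith("service;"):
        return SERVICES[value.split(";", 1)[1]]
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {value}")
    return {"udp": [port], "tcp": [port]}


def render_tcrules(rules):
    """Render enabled rules as tcrules lines: MARK:P SOURCE DEST [PROTO DPORT]."""
    lines = []
    for key, rule in rules.items():
        p = rule["props"]
        # status defaults to enabled when absent, as the description states
        if rule["type"] != "rule" or p.get("status", "enabled") != "enabled":
            continue
        if not p.get("Provider", "").startswith("provider;"):
            raise ValueError(f"rule {key}: Provider must be a provider;name reference")
        mark = PROVIDER_MARKS[p["Provider"].split(";", 1)[1]]
        src, dst = resolve_endpoint(p["Src"]), resolve_endpoint(p["Dst"])
        rule_lines = []
        if "Service" not in p:                     # Service is optional
            rule_lines.append(f"{mark}:P\t{src}\t{dst}")
        else:
            for proto, ports in resolve_service(p["Service"]).items():
                for port in ports:
                    rule_lines.append(f"{mark}:P\t{src}\t{dst}\t{proto}\t{port}")
        for rule_line in rule_lines:
            if p.get("Description"):               # ?COMMENT precedes each rule line
                lines.append(f"?COMMENT {p['Description']}")
            lines.append(rule_line)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tcrules(parse_tc_db(SAMPLE_TC_DB))))
```

Disabled rules are skipped rather than rendered, and a Provider that is not a `provider;name` reference is rejected before anything is written, since a bad mark would silently send the traffic out the wrong uplink.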

Related issues

Related to NethServer 6 - Feature #2809: Firewall: web interface for policy routing CLOSED

Associated revisions

Revision d53e1919
Added by Giacomo Sanchietti almost 6 years ago

Firewall.pm, template: route traffic via specific provider. Refs #2740

Revision 4eb4c8b6
Added by Giacomo Sanchietti almost 6 years ago

tcrules: add zones support. Refs #2740

Revision 382018e8
Added by Giacomo Sanchietti almost 6 years ago

libraries, templates: use new rule format. Refs #2716 #2740

History

#1 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti almost 6 years ago

  • Description updated (diff)

#4 Updated by Giacomo Sanchietti almost 6 years ago

  • Assignee deleted (Giacomo Sanchietti)

Template-only implementation on branch 2705.

#5 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
  • nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
  • nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already in testing)
  • nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
  • nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
  • nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Related to Feature #2809: Firewall: web interface for policy routing added

#8 Updated by Giacomo Sanchietti over 5 years ago

Test case

  • Configure two providers
  • Create a rule to divert the traffic on a custom port to a specific provider
  • Verify that a rule is created inside /etc/shorewall/tcrules file
  • Get the third field of the /etc/shorewall/providers for the selected provider, then check the value (something like 0x10000) matches the first field of generated rules in /etc/shorewall/tcrules
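
The last step of the test case, carried out as an added Python check (written for this page, not part of the issue or of NethServer): read the MARK column (third field) of /etc/shorewall/providers for the selected provider, strip the `:P` chain suffix from the first field of each /etc/shorewall/tcrules line, and confirm the marks agree. The providers and tcrules excerpts are constructed for the example, shaped after the output in comment #9; the providers header follows shorewall's column layout.

```python
# Constructed excerpts of /etc/shorewall/providers and /etc/shorewall/tcrules
# (not taken from a real system; marks and rule lines mirror comment #9).
PROVIDERS = """\
#NAME   NUMBER  MARK     DUPLICATE  INTERFACE  GATEWAY      OPTIONS
fweb    1       0x10000  main       eth1       10.10.1.1    track
myadsl  2       0x20000  main       eth2       10.10.2.1    track
"""

TCRULES = """\
#MARK        SOURCE            DEST        PROTO   DPORT
?COMMENT Force Nagios over fweb
0x10000:P    192.168.5.0/24    0.0.0.0/0   udp     5666
?COMMENT Force Nagios over fweb
0x10000:P    192.168.5.0/24    0.0.0.0/0   tcp     5666
"""


def provider_marks(text):
    """Map provider NAME to its MARK (third field) as an int; 0x... and
    decimal forms are both accepted, comment and blank lines are skipped."""
    marks = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#?":
            continue
        marks[fields[0]] = int(fields[2], 0)
    return marks


def tcrules_marks(text):
    """Yield (mark, fields) for each rule line; the first field may carry a
    :P/:F/:T chain suffix and a /mask, which are not part of the mark value."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#?":
            continue
        raw = fields[0].split(":", 1)[0].split("/", 1)[0]
        yield int(raw, 0), fields


def check_tcrules(providers_text, tcrules_text, provider):
    """Return (matching, unknown): rule lines whose mark equals the selected
    provider's MARK, and any marks that belong to no configured provider.
    A non-empty `unknown` means traffic is being marked for an uplink that
    shorewall does not know about and will not be routed as intended."""
    marks = provider_marks(providers_text)
    expected = marks[provider]
    known = set(marks.values())
    matching, unknown = [], set()
    for mark, fields in tcrules_marks(tcrules_text):
        if mark == expected:
            matching.append(" ".join(fields))
        elif mark not in known:
            unknown.add(hex(mark))
    return matching, sorted(unknown)


if __name__ == "__main__":
    # On a real box these would be open("/etc/shorewall/providers").read() etc.
    matching, unknown = check_tcrules(PROVIDERS, TCRULES, "fweb")
    print("rules for fweb:", *matching, sep="\n  ")
    print("unknown marks:", unknown or "none")
```

Comparing the marks as integers rather than as strings avoids a false failure when one file writes `0x10000` and the other the equivalent decimal value.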

#9 Updated by Filippo Carletti over 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

# db tc show 5
5=rule
    Description=Force Nagios over fweb
    Dst=0.0.0.0/0
    Position=5
    Provider=provider;fweb
    Service=5666
    Src=192.168.5.0/24
    status=enabled

# grep -A 1 Nagios /etc/shorewall/tcrules
?COMMENT Force Nagios over fweb
0x10000:P    192.168.5.0/24    0.0.0.0/0    udp    5666
--
?COMMENT Force Nagios over fweb
0x10000:P    192.168.5.0/24    0.0.0.0/0    tcp    5666

#10 Updated by Davide Principi over 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
