Enhancement #2752

Firewall: allow and deny access to local services

Added by Giacomo Sanchietti about 7 years ago. Updated almost 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-base
Target version: v6.5
Resolution:
NEEDINFO: No

Description

Network services running on the server/firewall host itself are governed by dedicated firewall rules that decide whether the firewall exposes them.

Each service has the following properties:
  • access: can be public or private
  • TCPPorts: open TCP ports
  • UDPPorts: open UDP ports
The access property gains a new value, so its possible values become:
  • none: access is closed from every network
  • public: access is open from every network
  • private: access is open only from the local network
Each service can also have two new properties:
  • AllowHosts: hosts allowed to access the service. Rules are generated only if access is private or public.
  • DenyHosts: hosts denied access to the service. Rules are generated only if access is private or public.

This feature must be implemented on both lokkit and Shorewall.

Associated revisions

Revision 851e89f0
Added by Giacomo Sanchietti about 7 years ago

Rules template: support AllowHosts and DenyHosts. Refs #2752

Revision cd2b89dc
Added by Giacomo Sanchietti about 7 years ago

Template, createlinks: support AllowHosts and DenyHosts. Refs #2752

Revision a856fee8
Added by Giacomo Sanchietti about 7 years ago

Web UI: manage access to local services. Refs #2752

Revision bd97b5f3
Added by Giacomo Sanchietti about 7 years ago

Web UI: manage access to local services. Refs #2752

Revision 8a3a153b
Added by Giacomo Sanchietti about 7 years ago

Inline help: document access to local services. Refs #2752

Revision 40f12c42
Added by Giacomo Sanchietti about 7 years ago

Rules template: move AllowHosts and DenyHosts before regular rules. Refs #2752

Revision 01305938
Added by Giacomo Sanchietti about 7 years ago

Network services: fix for new Nethgui API. Refs #2752

History

#1 Updated by Giacomo Sanchietti about 7 years ago

  • Description updated (diff)

#2 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60
Modifications:
  • nethserver-base on branch b2719
  • nethserver-firewall-base on branch 2705

#5 Updated by Giacomo Sanchietti about 7 years ago

  • Assignee deleted (Giacomo Sanchietti)

Also implemented web interface and inline manual.

#6 Updated by Giacomo Sanchietti about 7 years ago

Test the following cases when nethserver-base and nethserver-firewall-base are packaged for #2719 and #2705.

Test case 1
  • Configure a server with at least one red and one green interface
  • Set httpd access to private
  • Check httpd is accessible only from local network
Test case 2
  • Configure a server with at least one red and one green interface
  • Set httpd access to public
  • Check httpd is accessible from any interface
Test case 3
  • Configure a server with at least one red and one green interface
  • Set httpd access to none
  • Check httpd is not accessible from any interface
Test case 4
  • Configure a server with at least one red and one green interface
  • Set httpd access to private
  • Fill AllowHosts property with an IP address in external zone (red)
  • Check httpd is still accessible from specified IP
Test case 5
  • Configure a server with at least one red and one green interface
  • Set httpd access to public
  • Fill DenyHosts property with an IP address in external zone (red)
  • Check httpd is not accessible from specified IP
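The access/AllowHosts/DenyHosts model from the issue description, and the five test cases above, as an added worked example that is not part of this issue or of the nethserver-firewall-base templates. It builds first-match Shorewall-style rules for one service (host-specific DROP/ACCEPT rules placed before the zone rule, as revision 40f12c42 describes) and then replays the firewall decision for a green and a red source address. The zone names `loc`/`net`, the green network `192.168.1.0/24`, the sample IPs and the DROP fallback policy are all assumptions, not values from the page.

```python
"""Added example (not project code): derive Shorewall-style rules from a
NethServer local-service record and simulate the resulting decisions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

GREEN_NETS = [ip_network("192.168.1.0/24")]   # constructed sample green LAN
ZONE = {"green": "loc", "red": "net"}          # assumed Shorewall zone names

Rule = Tuple[str, str, str, str]  # (ACTION, SOURCE, PROTO, DPORT)


@dataclass
class Service:
    name: str
    access: str                                    # none | public | private
    tcp_ports: List[int] = field(default_factory=list)
    udp_ports: List[int] = field(default_factory=list)
    allow_hosts: List[str] = field(default_factory=list)
    deny_hosts: List[str] = field(default_factory=list)


def zone_of(host: str) -> str:
    """Assumed mapping: addresses inside a green network are 'loc', all else 'net'."""
    addr = ip_address(host)
    return ZONE["green"] if any(addr in n for n in GREEN_NETS) else ZONE["red"]


def build_rules(svc: Service) -> List[Rule]:
    """Emit rules in evaluation order; with access=none nothing is opened at all."""
    if svc.access not in ("none", "public", "private"):
        raise ValueError(f"{svc.name}: unknown access value {svc.access!r}")
    rules: List[Rule] = []
    if svc.access == "none":
        return rules                      # no Allow/Deny rules either
    for proto, ports in (("tcp", svc.tcp_ports), ("udp", svc.udp_ports)):
        if not ports:
            continue
        dport = ",".join(map(str, ports))
        # Host rules go before the zone rule so they win under first-match
        for h in svc.deny_hosts:
            rules.append(("DROP", f"{zone_of(h)}:{h}", proto, dport))
        for h in svc.allow_hosts:
            rules.append(("ACCEPT", f"{zone_of(h)}:{h}", proto, dport))
        source = "all" if svc.access == "public" else ZONE["green"]
        rules.append(("ACCEPT", source, proto, dport))
    return rules


def render(rules: List[Rule]) -> str:
    """Shorewall 'rules' file columns: ACTION SOURCE DEST PROTO DPORT."""
    return "\n".join(f"{a}\t{s}\t$FW\t{p}\t{d}" for a, s, p, d in rules)


def source_matches(source: str, ip: str) -> bool:
    if source == "all":
        return True
    zone, _, host = source.partition(":")
    if zone != zone_of(ip):
        return False
    return host == "" or ip_address(host) == ip_address(ip)


def is_allowed(rules: List[Rule], src_ip: str, proto: str, port: int) -> bool:
    """First matching rule decides; no match falls through to the DROP policy."""
    for action, source, rproto, dport in rules:
        if (rproto == proto and str(port) in dport.split(",")
                and source_matches(source, src_ip)):
            return action == "ACCEPT"
    return False


if __name__ == "__main__":
    httpd = Service("httpd", "private", tcp_ports=[80, 443],
                    allow_hosts=["203.0.113.5"])        # test case 4 shape
    print(render(build_rules(httpd)))
```

Running the block prints the three rules for test case 4: the red-zone ACCEPT for 203.0.113.5 first, then the green-zone ACCEPT for 80,443. Swapping the order of the host rules and the zone rule is exactly the defect revision 40f12c42 corrects: under first-match evaluation a DenyHosts DROP placed after a public ACCEPT would never fire.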

#7 Updated by Giacomo Sanchietti about 7 years ago

Merged on master.

#8 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
  • nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
  • nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already in testing)
  • nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
  • nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
  • nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm

#10 Updated by Stefano Fancello about 7 years ago

  • Assignee set to Stefano Fancello

#11 Updated by Stefano Fancello about 7 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

#12 Updated by Giacomo Sanchietti about 7 years ago

  • Assignee deleted (Stefano Fancello)

#13 Updated by Davide Principi almost 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-base-2.3.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
