Enhancement #3055

Add VPN zones to firewall rules

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Start date:
Due date:
Resolution:
NEEDINFO: No

Description

The current web interface for firewall rules doesn't allow the creation of rules between VPNs and other zones.

Expand the firewall rule page with the following zones:
  • ivpn: IPsec
  • lvpn: L2TP
  • ovpn: OpenVPN

Associated revisions

Revision d9d32df1
Added by Giacomo Sanchietti over 6 years ago

Firewall library: support special vpn role. Refs #3055

Revision 9146ec82
Added by Giacomo Sanchietti over 6 years ago

Web UI: support special vpn role. Refs #3055

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version changed from ~FUTURE to v6.6
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Assignee deleted (Giacomo Sanchietti)

Implemented a new VPN role object; it must be referenced with this syntax: role;vpn

This role will expand to all installed VPN zones: ivpn, lvpn, ovpn.

The web interface should display this object only if at least one VPN implementation is installed. The developer can check for these conditions:
  • if the openvpn key is present inside the configuration database
  • if the ipsec key is present inside the configuration database

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Assignee set to Giacomo Sanchietti

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.5.1-1.16.g9146ec8.ns6.noarch.rpm
Test case:
  • On a clean machine, check that the VPN role is not present
  • Install the nethserver-openvpn or nethserver-ipsec package
  • Create a new firewall rule; the VPN role must be displayed
  • Check the generated rules inside the /etc/shorewall/rules file

#7 Updated by Davide Principi over 6 years ago

  • Assignee set to Davide Principi

#8 Updated by Davide Principi over 6 years ago

  • Assignee deleted (Davide Principi)
  • NEEDINFO changed from No to Yes

I've tested by installing nethserver-ipsec only: the test case is verified, but trying to uninstall nethserver-ipsec produces an error in /var/log/messages:

Apr 23 10:55:47 vm5 root: ERROR:Shorewall restart failed
Apr 23 10:55:47 vm5 esmith::event[21412]: [ERROR] Shorewall restart:    ERROR: Unknown source zone (ivpn) /etc/shorewall/rules (line 137)

#9 Updated by Giacomo Sanchietti over 6 years ago

  • NEEDINFO changed from Yes to No

I think the administrator should take care to review firewall rules each time a network package is removed.
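
An added worked example, written for this page and not part of nethserver-firewall-base: it expands the role;vpn object described in #3 into the installed VPN zones, renders Shorewall rule lines from it, and then lints a rules file against the zones file for exactly the condition reported in #8 (a rule still naming ivpn after that zone disappeared together with nethserver-ipsec). It is Python rather than the project's Perl templates, and the mapping from configuration-database keys to zones (openvpn to ovpn, ipsec to ivpn and lvpn) and the sample rules and zones files are assumptions constructed for the example.

```python
"""Added example (not NethServer code): expand ``role;vpn`` and lint a
Shorewall rules file for zones that are no longer declared.

The key-to-zone mapping and the sample files below are assumptions made
for this example; the issue only states that role;vpn expands to the
installed zones among ivpn, lvpn and ovpn and that the UI checks for the
openvpn and ipsec configuration keys.
"""

# Assumption: which configuration-database keys pull in which VPN zones.
VPN_ZONES_BY_KEY = {
    "openvpn": ("ovpn",),
    "ipsec": ("ivpn", "lvpn"),
}

# SOURCE/DEST values Shorewall accepts that are not zone names.
SPECIAL = {"all", "any", "none", "-", "$FW"}


def expand_role(obj, config_keys):
    """Expand one rule object to a list of zone names.

    ``role;vpn`` -> the VPN zones whose package key is present in
    ``config_keys`` (possibly an empty list); any other ``role;NAME`` ->
    [NAME]; a plain zone name -> [zone].
    """
    if obj == "role;vpn":
        zones = []
        for key, zones_for_key in VPN_ZONES_BY_KEY.items():
            if key in config_keys:
                zones.extend(zones_for_key)
        return zones
    if obj.startswith("role;"):
        return [obj.split(";", 1)[1]]
    return [obj]


def render_rules(rules, config_keys):
    """Render (action, src, dst, proto, dport) tuples into Shorewall rule
    lines, one line per expanded source/destination pair."""
    lines = []
    for action, src, dst, proto, dport in rules:
        for s in expand_role(src, config_keys):
            for d in expand_role(dst, config_keys):
                lines.append(f"{action}\t{s}\t{d}\t{proto}\t{dport}")
    return lines


def declared_zones(zones_text):
    """Zone names from a Shorewall zones file: first column of every line
    that is not blank, a comment or a ?-directive."""
    zones = set()
    for line in zones_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        zones.add(line.split()[0])
    return zones


def zone_of(column):
    """Zone part of a SOURCE/DEST column: 'loc:192.168.1.0/24' -> 'loc'."""
    return column.split(":", 1)[0]


def unknown_zone_refs(rules_text, zones):
    """Return [(lineno, zone)] for every rule whose SOURCE or DEST names a
    zone that is not declared; this is what Shorewall rejects with
    'Unknown source zone (...)' when the rules file is compiled."""
    problems = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?") or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        if len(cols) < 3:
            continue
        for col in cols[1:3]:
            zone = zone_of(col)
            if zone not in SPECIAL and zone not in zones:
                problems.append((lineno, zone))
    return problems


def demo():
    """Reproduce the #8 scenario on constructed data: rules rendered while
    the ipsec key was present, checked against a zones file that no longer
    declares ivpn and lvpn."""
    rule = ("ACCEPT", "role;vpn", "loc", "tcp", "22")
    rendered = render_rules([rule], {"ipsec"})
    rules_file = "?SECTION NEW\n" + "\n".join(rendered) + "\n"
    zones_after_removal = "#ZONE TYPE OPTIONS\nfw firewall\nnet ipv4\nloc ipv4\n"
    return unknown_zone_refs(rules_file, declared_zones(zones_after_removal))


if __name__ == "__main__":
    for lineno, zone in demo():
        print(f"rules line {lineno}: unknown zone {zone}")
```

Run against the real /etc/shorewall/rules and /etc/shorewall/zones after a network package is removed, a zero-finding result means the restart in #8 would not have failed; anything reported is a rule the administrator has to rewrite or drop. Note that role;vpn expands to nothing when no VPN key is present, so a stored rule that references it renders no lines rather than an invalid one, which is consistent with the UI offering the object only when at least one VPN package is installed.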

#10 Updated by Davide Principi over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Thanks, Giacomo, for having pointed it out.

VERIFIED

#11 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

CLOSED

In nethserver-updates:
nethserver-firewall-base-2.6.0-1.ns6.noarch.rpm
