Feature #3112

Firewall: support ip range and CIDR objects

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Resolution:
NEEDINFO: No

Description

Add support for two new firewall objects:
  • IP range
  • CIDR
Both object types will represent a portion of an existing zone. Examples:
  • IP range: 192.168.1.2-192.168.1.10
  • CIDR: 192.168.1.2/48

IP range and CIDR objects must be supported to create firewall rules.

See:

Related issues

Related to NethServer 6 - Enhancement #3119: Support IP ranges and CIDR subnets into Web Content Filt... CLOSED
Related to NethServer 6 - Feature #3121: Firewall rules (web UI): support ip range and CIDR object CLOSED

Associated revisions

Revision 6525739b
Added by Giacomo Sanchietti over 6 years ago

Firewall library: support iprange and cidr objects. Refs #3112

Revision c27c4f87
Added by Giacomo Sanchietti over 6 years ago

Web UI: add iprange and cidr objects. Refs #3112

Revision d7ebdd15
Added by Giacomo Sanchietti over 6 years ago

validators: create fwobject-cidr-delete and fwobject-iprange-delete system validators. Refs #3112

Revision 9a3e73a4
Added by Giacomo Sanchietti over 6 years ago

Translation: add CIDR subnets and IP ranges. Refs #3112

Revision 8bd943cb
Added by Giacomo Sanchietti over 6 years ago

Inline help: add CIDR subnets and IP ranges. Refs #3112

Revision a0e511cd
Added by Giacomo Sanchietti over 6 years ago

Translations: update validator labels. Refs #3112

Revision 8b98244b
Added by Giacomo Sanchietti over 6 years ago

Web UI: fix ip range type. Refs #3112

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Target version set to v6.6

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

The new iprange object is saved inside the hosts database and has the following properties:
  • Start: first IP of the range
  • End: last IP of the range
  • Description: optional description

Example:

r1=iprange
    Description=My range r1
    End=192.168.5.10
    Start=192.168.5.2

The new cidr object is saved inside the hosts database and has the following properties:
  • Network: network in CIDR format
  • Description: optional description

Example:

c1=cidr
    Address=192.168.5.20/29
    Description=My cidr obj

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-firewall-base-2.5.1-1.6.g8bd943c.ns6.noarch.rpm
  • nethserver-firewall-base-2.5.1-1.8.g8b98244.ns6.noarch.rpm

Test case 1
  • Create an ip range named r1 with some IPs from green zone
  • Create a rule using the new object:
    db fwrules set 1 rule Action drop Dst 'role;red' Log none Position 64 Service any Src 'iprange;r1' status enabled
    signal-event firewall-adjust
  • Check the generated rule is correct and reports the ip range inside the green zone

Test case 2
  • Create a cidr subnet named c1 with some IPs from green zone
  • Create a rule using the new object:
    db fwrules set 2 rule Action drop Dst 'role;red' Log none Position 128 Service any Src 'cidr;c1' status enabled
    signal-event firewall-adjust
  • Check the generated rule is correct and reports the cidr inside the green zone
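
Added example, not part of the original ticket and not NethServer code: a Python check that iprange and cidr records in the layout shown in comment #4 are well-formed and fall entirely inside a zone, which is what both test cases verify by hand. The function names, the `bad` record and the zone network passed to `in_zone` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the layout shown in comment #4; "bad" is an added malformed record.
SAMPLE_DB = """\
r1=iprange
    Description=My range r1
    End=192.168.5.10
    Start=192.168.5.2
c1=cidr
    Address=192.168.5.20/29
    Description=My cidr obj
bad=iprange
    End=192.168.5.2
    Start=192.168.5.10
"""

def parse_objects(text):
    """Parse 'name=type' records followed by indented 'Prop=value' lines."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition("=")
        if line[0].isspace():
            if current is None:
                raise ValueError(f"property before any record: {line!r}")
            current[key] = value
        else:
            current = objects[key] = {"type": value}
    return objects

def covered_networks(obj):
    """Return the networks an object covers; raise ValueError if it is malformed."""
    if obj["type"] == "iprange":
        start = ipaddress.IPv4Address(obj["Start"])
        end = ipaddress.IPv4Address(obj["End"])
        if start > end:
            raise ValueError("Start is after End")
        return list(ipaddress.summarize_address_range(start, end))
    if obj["type"] == "cidr":
        # strict=False accepts host bits: 192.168.5.20/29 normalizes to 192.168.5.16/29
        return [ipaddress.IPv4Network(obj["Address"], strict=False)]
    raise ValueError(f"unsupported type {obj['type']}")

def in_zone(obj, zone_cidr):
    """True only if every address of the object lies inside the zone network."""
    zone = ipaddress.IPv4Network(zone_cidr)
    return all(net.subnet_of(zone) for net in covered_networks(obj))
```

With an assumed green zone of 192.168.5.0/24, `in_zone` returns True for both `r1` and `c1`; a range that extends past the zone boundary returns False, so a rule built on it would match traffic outside the intended zone.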

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Related to Enhancement #3119: Support IP ranges and CIDR subnets into Web Content Filter profiles added

#7 Updated by Giacomo Sanchietti over 6 years ago

  • Related to Feature #3121: Firewall rules (web UI): support ip range and CIDR object added

#8 Updated by Davide Principi over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

VERIFIED

All OK, but one question: why not implement the UI interface with a single checkbox? The external system behaviour is allow/drop connections from unbound MACs: it is a boolean state.

#9 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

CLOSED

In nethserver-updates:
nethserver-firewall-base-2.6.0-1.ns6.noarch.rpm
