Firewall rules: support hosts within VPN zones
The firewall page has the ability to create rules involving a vpn role but there is no way to create rules for a single VPN client.
The system should be able to select the correct firewall zone using the IP address of the client.
- enable OpenVPN roadwarrior server with network 10.0.0.0/24
- create a host object from the "Firewall objects" page
- create a rule with the new host object
Actual implementation will put the host inside the red zone and the rule will never match. The only workaround is to create a dedicated zone for 10.0.0.0/24 network.
The new implementation will automatically select the correct zone for the host (ovpn in this example).
Also the implementation should be modular: each VPN package must implement its own logic.
#3 Updated by Giacomo Sanchietti about 6 years ago
- user-defined zones
- zones based on interfaces (roles)
Then all registered callbacks will be executed: the first match is returned
If no match is found, default zone will be "net".
This implementation should not have any side-effects on existing installations.
#5 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
- % Done changed from 60 to 70
- Create an host object with IP 10.0.0.22 (make sure this is an unused network)
- Create a firewall rules using this object
- Check the IP is associated to net zone inside the rules files. Example:
[root@localhost ~]# grep 10.0.0.22 /etc/shorewall/rules ACCEPT:none net:10.0.0.22 loc all
- Install nethserver-openvpn, enable the roadwarrior server and configure it with 10.0.0.0/24 network
- Check again the rules file, the IP must be associated to the ovpn zone:
[root@localhost ~]# grep 10.0.0.22 /etc/shorewall/rules ACCEPT:none ovpn:10.0.0.22 loc all
- Configure an Account (from VPN -> Account page) with an unused network
- Create a new host object within the new network and use it inside a firewall rule
- Check the generated rule: zone must be ovpn
- Install nethserver-ipsec and configure L2TP access
- Create a new host object within the L2TP network and use it inside a firewall rule
- Check the generated rule: zone must be lvpn
- Install nethserver-ipsec and configure a tunnel
- Create a new host object within the network in the right side and use it inside a firewall rule
- Check the generated rule: zone must be ivpn
#6 Updated by Filippo Carletti about 6 years ago
Test case 1:
[root@mail ~]# config getprop openvpn Network 192.168.168.0 [root@mail ~]# grep 192.168.168 /etc/shorewall/rules ACCEPT:none net:192.168.168.98 loc:192.168.0.1 all REJECT:none net:192.168.168.98 loc all
[root@mail ~]# grep 192.168.168 /etc/shorewall/rules ACCEPT:none ovpn:192.168.168.98 loc:192.168.0.1 all REJECT:none ovpn:192.168.168.98 loc all
#7 Updated by Filippo Carletti about 6 years ago
[root@ns65 ~]# db vpn show
[root@ns65 ~]# db hosts show ipsechost
ACCEPT:none ivpn:192.168.7.11 net:192.168.5.3 all