Enhancement #3233

Firewall rules: support hosts within VPN zones

Added by Giacomo Sanchietti about 4 years ago. Updated about 4 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:<multiple packages>
Target version:v6.6
Resolution: NEEDINFO:No

Description

The firewall page has the ability to create rules involving a vpn role but there is no way to create rules for a single VPN client.
The system should be able to select the correct firewall zone using the IP address of the client.

Example:
  • enable OpenVPN roadwarrior server with network 10.0.0.0/24
  • create a host object from the "Firewall objects" page
  • create a rule with the new host object

Actual implementation will put the host inside the red zone and the rule will never match. The only workaround is to create a dedicated zone for 10.0.0.0/24 network.
The new implementation will automatically select the correct zone for the host (ovpn in this example).

Also the implementation should be modular: each VPN package must implement its own logic.

Associated revisions

Revision dc39668a
Added by Giacomo Sanchietti about 4 years ago

Firewall library: add IPsec zone callbacks. Refs #3233

Revision 2407ffda
Added by Giacomo Sanchietti about 4 years ago

Firewall library: add OpenVPN zone callbacks. Refs #3233

Revision aae3e7fb
Added by Giacomo Sanchietti about 4 years ago

Firewall library: support modular zones. Refs #3233

History

#1 Updated by Giacomo Sanchietti about 4 years ago

  • Category set to <multiple packages>
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti about 4 years ago

Given an IP address, the getZone function will search in:
  • user-defined zones
  • zones based on interfaces (roles)
    Then all registered callbacks will be executed: the first match is returned
    If no match is found, default zone will be "net".

This implementation should not have any side-effects on existing installations.

#4 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-2.6.5-1.9.g888c00c.ns6.noarch.rpm
  • nethserver-ipsec-1.1.0-1.1.gdc39668.ns6.noarch.rpm
  • nethserver-openvpn-1.2.3-1.2.g2407ffd.ns6.noarch.rpm
Test case 1
  • Create an host object with IP 10.0.0.22 (make sure this is an unused network)
  • Create a firewall rules using this object
  • Check the IP is associated to net zone inside the rules files. Example:
    [root@localhost ~]# grep 10.0.0.22 /etc/shorewall/rules 
    ACCEPT:none    net:10.0.0.22    loc    all
    
  • Install nethserver-openvpn, enable the roadwarrior server and configure it with 10.0.0.0/24 network
  • Check again the rules file, the IP must be associated to the ovpn zone:
    [root@localhost ~]# grep 10.0.0.22 /etc/shorewall/rules 
    ACCEPT:none    ovpn:10.0.0.22    loc    all
    
Test case 2
  • Configure an Account (from VPN -> Account page) with an unused network
  • Create a new host object within the new network and use it inside a firewall rule
  • Check the generated rule: zone must be ovpn
Test case 3
  • Install nethserver-ipsec and configure L2TP access
  • Create a new host object within the L2TP network and use it inside a firewall rule
  • Check the generated rule: zone must be lvpn
Test case 4
  • Install nethserver-ipsec and configure a tunnel
  • Create a new host object within the network in the right side and use it inside a firewall rule
  • Check the generated rule: zone must be ivpn

#6 Updated by Filippo Carletti about 4 years ago

Test case 1:

[root@mail ~]# config getprop openvpn Network
192.168.168.0
[root@mail ~]# grep 192.168.168 /etc/shorewall/rules 
ACCEPT:none    net:192.168.168.98    loc:192.168.0.1    all
REJECT:none    net:192.168.168.98    loc    all

Update.

[root@mail ~]# grep 192.168.168 /etc/shorewall/rules 
ACCEPT:none    ovpn:192.168.168.98    loc:192.168.0.1    all
REJECT:none    ovpn:192.168.168.98    loc    all

#7 Updated by Filippo Carletti about 4 years ago

Test 4
[root@ns65 ~]# db vpn show
ipstun1=ipsec-tunnel
compress=no
dpdaction=hold
esp=auto
ike=auto
left=192.168.56.65
leftid=192.168.56.65
leftsubnets=192.168.56.0/24
pfs=yes
psk=1234567890
right=192.168.5.5
rightid=192.168.5.5
rightsubnets=192.168.7.7/24
status=enabled
[root@ns65 ~]# db hosts show ipsechost
ipsechost=host
Description=
IpAddress=192.168.7.11
Rule:
ACCEPT:none ivpn:192.168.7.11 net:192.168.5.3 all

#8 Updated by Filippo Carletti about 4 years ago

Case 3:
  1. config getprop ipsec L2tpNetwork
    192.168.78.0
    Rule:
    REJECT:none lvpn:192.168.78.5 net:192.168.5.3 tcp 7777

#9 Updated by Filippo Carletti about 4 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Case 2:

[root@ns65 ~]# config getprop openvpn Network
192.168.59.0
[root@ns65 ~]# grep 192.168.59 /etc/shorewall/rules 
REJECT:none    ovpn:192.168.59.5    net:192.168.5.3    tcp    7777

#10 Updated by Davide Principi about 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates/6.6
nethserver-firewall-base-2.7.0-1.ns6.noarch.rpm
nethserver-ipsec-1.1.1-1.ns6.noarch.rpm
nethserver-openvpn-1.2.4-1.ns6.noarch.rpm

Also available in: Atom PDF