Firewall objects - Githubissues

NethServer / nethsecurity

NethSecurity image and build environment

Other

82 stars 6 forks source link

Why is this feature being requested?

The need for enhanced firewall management through organized and structured IP and domain sets.
To simplify and automate the handling of firewall rules, port forwards, multiwan rules, and DPI rules by using predefined objects.
To improve security and ease of administration by using object-based configurations that expand dynamically based on their definitions.

Proposed Solution Implement firewall objects as described in the documentation. This includes two main types of objects: host set and domain set, with each supporting both IPv4 and IPv6 addresses. These objects will be used within firewall rules and other configurations to reference sets of IP addresses or DNS names. DHCP reservations, DNS records and OpenVPN users with a reservation are parts of the objects.

Key Elements:

Host Sets:
- Represent sets of IP addresses.
- Can include single IPs, CIDR networks, ranges, DHCP reservations, domain names, and VPN users.
- Support both IPv4 and IPv6.
Domain Sets:
- Represent sets of DNS names resolved to IP addresses.
- Include a timeout for DNS resolution.
- Support both IPv4 and IPv6.
Usage in Rules:
- Firewall rules, port forwards, multiwan rules, and DPI rules can reference these objects.
- Fields such as ns_src and ns_dst will be used to specify source and destination objects.
- Automatically update and manage IP sets based on object definitions. Additional Context
- Known limitations of fw4:
  1. A rule can only use one ipset for either source or destination, not both.
  2. Ipsets cannot contain entries with different timeouts.
  3. Rules cannot match both an IP address and a MAC address simultaneously.

1. Cron Job for Domain Sets

[ ] Test Case 1.1: Verify cron job runs at the specified interval.

2. Manage Objects APIs

[ ] Test Case 2.1: Verify creating a domain set.
[ ] Test Case 2.2: Verify editing a domain set.
[ ] Test Case 2.3: Verify deleting a domain set.
[ ] Test Case 2.4: Verify creating a host set.
[ ] Test Case 2.5: Verify editing a host set.
[ ] Test Case 2.6: Verify deleting a host set.

3. Validate Nested Host-Set

[ ] Test Case 3.1: Verify validation of nested host-set to avoid recursion.

4. MultiWAN and Redirects Regressions

[ ] Test Case 4.1: Verify creating a rule inside MultiWAN page is still functional.
[ ] Test Case 4.2: Verify creating a rule inside redirect page is still functional.

5. Prevent Deletion if Used

[ ] Test Case 5.1: Verify prevention of deletion if domain/host set is in use.
[ ] Test Case 5.2: Verify prevention of deletion if DHCP/domain record is in use.
[ ] Test Case 5.3: Verify prevention of deletion if VPN user is in use.
[ ] Test Case 5.4: Verify prevention of deletion of objects used inside host sets.

6. Host Set

[ ] Test Case 6.1: Verify IPv4 host set with single IP.
[ ] Test Case 6.2: Verify IPv4 host set with CIDR network.
[ ] Test Case 6.3: Verify IPv4 host set with IP range.
[ ] Test Case 6.4: Verify IPv4 host set with DHCP reservation.
[ ] Test Case 6.5: Verify IPv4 host set with DNS name.
[ ] Test Case 6.6: Verify IPv4 host set with VPN user.
[ ] Test Case 6.7: Verify IPv6 host set with single IP.
[ ] Test Case 6.8: Verify IPv6 host set with CIDR network.

7. Domain Set

[ ] Test Case 7.1: Verify creating domain set with DNS names.
[ ] Test Case 7.2: Verify domain set DNS resolution timeout.

8. Rules and Objects

[ ] Test Case 8.1: Verify using domain set in firewall rule as ns_src.
[ ] Test Case 8.2: Verify using domain set in firewall rule as ns_dst.
[ ] Test Case 8.3: Verify using host set in firewall rule as ns_dst.
[ ] Test Case 8.4: Verify using host set in firewall rule as ns_src.
[ ] Test Case 8.5: Verify using static lease in firewall rule.
[ ] Test Case 8.6: Verify using DNS name in firewall rule.
[ ] Test Case 8.7: Verify using VPN user in firewall rule.