netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

allow_netbird_windows.go is language dependent #1249

Closed moserpjm closed 9 months ago

moserpjm commented 1 year ago

Describe the problem: Adding a firewall rule under Windows to allow traffic from the WireGuard interface only works if the system language is set to English.

To Reproduce: Steps to reproduce the behavior:

Expected behavior: No error in log, firewall rule is created

The problem is the hardcoded noRulesMatchCriteria in client/firewall/uspfilter/allow_netbird_windows.go

mlsmaycon commented 1 year ago

Hello @moserpjm, thanks for reporting the issue. To help us troubleshoot, can you run the following commands in PowerShell with administrator privileges and then share the output?

```
netsh advfirewall firewall add rule name=Netbird dir=in enable=yes action=allow  profile=any localip=127.0.0.1
netsh advfirewall firewall show rule name=Netbird
netsh advfirewall firewall delete rule name=Netbird
```

We will validate on our end too with an operating system in another language.

moserpjm commented 1 year ago

Sure. Here you go: image

mlsmaycon commented 1 year ago

Thanks, can you also share the logs from your netbird client? They are located at C:\Programadata\netbird\client.log

moserpjm commented 1 year ago

That's the relevant part:


```
2023-10-23T19:11:18+02:00 ERRO client/internal/routemanager/manager.go:41: server router is not supported: firewall not supported on windows
2023-10-23T19:11:18+02:00 INFO client/internal/engine.go:249: using userspace bind mode 0.0.0.0:51820
2023-10-23T19:11:18+02:00 ERRO client/internal/acl/manager_create.go:23: failed to allow netbird interface traffic: exit status 1
2023-10-23T19:11:18+02:00 INFO signal/client/grpc.go:157: connected to the Signal Service stream
2023-10-23T19:11:18+02:00 INFO client/internal/connect.go:179: Netbird engine started, my IP is: 100.86.222.2/16
2023-10-23T19:11:18+02:00 INFO management/client/grpc.go:143: connected to the Management Service stream
```

Fantu commented 1 year ago

I have also seen issues with netsh commands in the past that depended on the operating system language. The majority of my Windows peers use the Italian system language, and when looking for the rule "Netbird" with: netsh advfirewall firewall show rule name=Netbird it seems to be missing. Anyway, netbird is working, except for https://github.com/netbirdio/netbird/issues/1195 on some of them (probably not related).

EDIT: I ran the commands from https://github.com/netbirdio/netbird/issues/1249#issuecomment-1779104655 on an Italian Windows 2019 Standard, in case it is useful:

```
PS C:\Users\administrator.M2R> netsh advfirewall firewall add rule name=Netbird dir=in enable=yes action=allow  profile=any localip=127.0.0.1
OK.

PS C:\Users\administrator.M2R> netsh advfirewall firewall show rule name=Netbird

Nome regola:                          Netbird
----------------------------------------------------------------------
Attivata:                             Sì
Direzione:                            In
Profili:                              Dominio,Privato,Pubblico
Raggruppamento:
LocalIP:                              127.0.0.1/32
RemoteIP:                             Qualsiasi
Protocollo:                           Qualsiasi
Attraversamento confini:              No
Azione:                               Consenti
OK.

PS C:\Users\administrator.M2R> netsh advfirewall firewall delete rule name=Netbird

Regole eliminate 1.
OK.
```

In the client log I saw this, which I suppose may be related: 2023-10-25T15:44:31+02:00 ERRO client/internal/acl/manager_create.go:23: failed to allow netbird interface traffic: exit status 1

Fantu commented 1 year ago

@mlsmaycon I did a quick test: instead of checking the output string, which changes with the language and fails when the OS is not English, $? can be checked instead.

```
netsh advfirewall firewall show rule name=Netbird
# $? is true when the previous command (netsh) exited with status 0
if($?)
{
   echo "rule found"
} else {
   echo "rule missed"
}
```

A test with the rule both missing and present seems to work:

```
PS C:\WINDOWS\system32> netsh advfirewall firewall show rule name=Netbird

Nome regola:                          Netbird
----------------------------------------------------------------------
Attivata:                             Sì
Direzione:                            In
Profili:                              Dominio,Privato,Pubblico
Raggruppamento:
LocalIP:                              127.0.0.1/32
RemoteIP:                             Qualsiasi
Protocollo:                           Qualsiasi
Attraversamento confini:              No
Azione:                               Consenti
OK.

PS C:\WINDOWS\system32> if($?)
>> {
>>    echo "rule found"
>> } else {
>>    echo "rule missed"
>> }
rule found
PS C:\WINDOWS\system32> netsh advfirewall firewall delete rule name=Netbird

Regole eliminate 1.
OK.

PS C:\WINDOWS\system32> netsh advfirewall firewall show rule name=Netbird

Nessuna regola corrispondente al criterio specificato.

PS C:\WINDOWS\system32> if($?)
>> {
>>    echo "rule found"
>> } else {
>>    echo "rule missed"
>> }
rule missed
```

About the rule that netbird tries to set: it seems wrong to me, as it accepts any external source on any protocol and doesn't restrict to a specific destination port or executable.
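
The exit-status check proposed in the comment above, sketched in Go next to the string-matching approach the issue describes. This is an added example, not part of the thread and not NetBird's code or its eventual fix; `runner`, `exitErr`, `missingRule` and both `ruleExists*` functions are hypothetical names, the netsh responses are simulated, and treating exit status 1 as "no match" is an assumption based on the sessions shown in this thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// English-only marker, the kind of hardcoded string the issue reports.
const noRulesMatchCriteria = "No rules match the specified criteria."

// exitErr stands in for *exec.ExitError so the example runs without netsh.
type exitErr int
func (e exitErr) Error() string { return fmt.Sprintf("exit status %d", int(e)) }
func (e exitErr) ExitCode() int { return int(e) }

// runner abstracts "netsh advfirewall firewall show rule name=<name>".
type runner func(name string) (output string, err error)

// missingRule simulates netsh on a system where the rule does not exist.
func missingRule(localizedMsg string) runner {
	return func(string) (string, error) { return localizedMsg, exitErr(1) }
}

// ruleExistsByText depends on the UI language: the marker only matches English output.
func ruleExistsByText(run runner, name string) (bool, error) {
	out, err := run(name)
	if err != nil && !strings.Contains(out, noRulesMatchCriteria) {
		return false, err // Italian "no match" output ends up here
	}
	return err == nil, nil
}

// ruleExistsByExit ignores the text; assumption: exit status 1 means "no match".
func ruleExistsByExit(run runner, name string) (bool, error) {
	_, err := run(name)
	var ec interface{ ExitCode() int }
	if errors.As(err, &ec) && ec.ExitCode() == 1 {
		return false, nil
	}
	return err == nil, err // nil: rule found; otherwise netsh could not be run
}

func main() {
	it := missingRule("Nessuna regola corrispondente al criterio specificato.")
	_, errText := ruleExistsByText(it, "Netbird")
	found, errExit := ruleExistsByExit(it, "Netbird")
	fmt.Println("text match:", errText, "| exit status:", found, errExit)
}
```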

mlsmaycon commented 9 months ago

I believe this has been fixed.