netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License
10.94k stars, 494 forks

Access control policies don't work #1718

Open sisumara opened 7 months ago

sisumara commented 7 months ago

Describe the problem

Today I deployed a new setup with a separate IdP based on Zitadel and NetBird, which I configured using the advanced configuration guide. I have one server in the cloud with a Docker installation running a couple of services, and the NetBird agent installed in the same network as the Docker services. I deleted the default access policy rule and added a custom one which allows only UDP traffic.

[Screenshot, 2024-03-15 4:54:41 PM]

I've added a new route with peer and the docker network.

[Screenshot, 2024-03-15 4:56:58 PM]

And traffic began to flow from the User peer to the OracleDC peer, but not only the traffic permitted by the access policy rule: any traffic. So in this case I allowed only UDP traffic, but I can ping hosts in the remote network and access the services on ports 80 and 443/tcp.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy a new service
  2. Add some peers to different groups.
  3. Create a network route which sits behind one of the peers.
  4. Delete the default access policy and create a new one which limits access to the peers with network routes.
  5. Access any resource behind the route without the limitations of the created access policy.

Expected behavior

Limited traffic according to created Access Policy.

Are you using NetBird Cloud?

Self-hosting NetBird's control plane.

NetBird version

0.26.3

Thank you

braginini commented 7 months ago

Hey @sisumara This is a known limitation. The access control rule you have set up is applied to the routing peer but not to the machines behind it. We are working on enhancing the access control to apply port and protocol restrictions on the machines behind the router.

Do you want to limit ports and protocols for the whole network behind the router or individual resources?

sisumara commented 7 months ago

> Hey @sisumara This is a known limitation. The access control rule you have set up is applied to the routing peer but not to the machines behind it. We are working on enhancing the access control to apply port and protocol restrictions on the machines behind the router.

So, I can limit traffic flow with access policies only to the peers, right?

> Do you want to limit ports and protocols for the whole network behind the router or individual resources?

I have a couple of cases; in some of them I need to limit the whole network, in others just certain hosts in the network.

barto95100 commented 7 months ago

Yes, the same: I tested accepting just TCP port 32400 (Plex), and the host with the NetBird agent has access to connect over SSH. To explain the flow:

host peer agent ----> host routing peer -----> server plex

I want the host peer agent to have access only on port 32400, and not all ports on the host behind the routing peer.
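Until the control plane applies port and protocol restrictions to the machines behind a router (the limitation braginini describes above), the filtering has to happen on the routing peer itself. The script below is an added example, not NetBird's own code or a documented NetBird feature: it emits an nftables ruleset for the routing peer's forward path that lets only the chosen protocol and ports cross from the overlay into the routed network, covering both sisumara's UDP-only policy and barto95100's Plex case (TCP 32400 only, SSH blocked). It assumes the NetBird Linux interface is named wt0, the routed Docker network is 172.18.0.0/16 (a constructed value), and the routing peer runs nftables; all three are assumptions, not facts from the issue.

```shell
#!/bin/sh
# Added example (not NetBird project code): enforce per-port restrictions on the
# routing peer for traffic it forwards into the routed network, because the
# NetBird access policy only filters traffic addressed to the routing peer.
#
# Assumptions (not taken from the issue): the NetBird interface is wt0, the
# routed network is 172.18.0.0/16, and nftables is available on the router.

NB_IFACE="${NB_IFACE:-wt0}"
ROUTE_CIDR="${ROUTE_CIDR:-172.18.0.0/16}"

# gen_ruleset PROTO PORTS
# Prints an nft ruleset that forwards only PROTO/PORTS from the overlay
# interface into ROUTE_CIDR and drops every other overlay-to-route packet.
# Replies to flows that were already accepted still pass via conntrack.
gen_ruleset() {
    proto="$1"
    ports="$2"
    cat <<EOF
table inet nb_route_acl {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # packets belonging to flows that were already permitted
        ct state established,related accept
        # only the chosen service ports cross from the overlay into the route
        iifname "$NB_IFACE" ip daddr $ROUTE_CIDR $proto dport { $ports } accept
        # everything else from the overlay into the routed network is dropped
        iifname "$NB_IFACE" ip daddr $ROUTE_CIDR drop
    }
}
EOF
}

# apply_ruleset PROTO PORTS
# Loads the generated ruleset; requires root and the nft binary.
apply_ruleset() {
    gen_ruleset "$1" "$2" | nft -f -
}

# Usage (as root on the routing peer):
#   apply_ruleset tcp 32400        # barto95100's Plex case: only TCP 32400 is forwarded
#   apply_ruleset udp "53, 1194"   # sisumara's UDP-only case with two UDP ports
# Inspect without applying:
#   gen_ruleset tcp 32400
```

Note that this only filters the forward path on the routing peer; traffic addressed to the routing peer's own overlay address is still governed by the NetBird policy, and a routed host that initiates a connection toward the overlay is not restricted by these rules.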