netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Minimum client version posture check issue #2111

Closed JonathanManass closed 2 weeks ago

JonathanManass commented 3 weeks ago

Describe the problem

I noticed that when adding a posture check requiring a certain version of the client, this would only block if both clients were under the required version.

If we have 3 clients, with one not at the minimum version of the posture check, it will still be able to connect to the other ones; if two clients are below the minimum version, they won't be able to communicate with each other.

It seems like it would be more useful to have the option of completely blocking access for a client not having the required version.

To Reproduce

  1. Add a posture check requiring the netbird client to be in version 0.27.10
  2. Have three peers, one in version 0.27.9, two in 0.27.10
  3. All of them will be able to communicate

Expected behavior

As said, I would rather have it that if one peer is below the posture check required version and the two others are compliant, those two should communicate with each other, but not with the third non-compliant peer.

Are you using NetBird Cloud?

No, I'm self-hosting it.

NetBird version

0.27.10

bcmmbaga commented 2 weeks ago

Hello @JonathanManass, posture checks are applied only to policy source groups. This means that the source can only communicate with the destination if it meets the required rule.

Could you confirm if the peer with a version below the minimum required belongs to the source or destination group in the policy?

JonathanManass commented 2 weeks ago

Hi @bcmmbaga, that was it. I had three groups as both source and destination in the same policy. By moving them into separate policies and only putting each group on only one of either side of the policy I got to the result I wanted. Thanks for that, I would say however that specifying somewhere that posture checks are only applied to source groups might be worth it. Except if I missed it, it does not seem specified on the console when adding them or in the documentation specified on that page.

bcmmbaga commented 2 weeks ago

Thanks for confirming that the solution worked! We will include this clarification in the documentation. For now, I will close this issue.

Thanks again for your feedback!
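
The source-only evaluation described in this thread, as an added Go model that is not part of the original issue and is not NetBird's code. The `Peer` and `Policy` types and the `Linked` function are hypothetical, and the model assumes two peers can talk when either one qualifies as a source toward the other, which matches the behaviour the reporter observed.

```go
package main

import "fmt"

// Hypothetical model types for illustration; not NetBird's data structures.
type Peer struct{ Name, Group, Version string }

type Policy struct {
	Sources, Destinations map[string]bool // group names
	MinVersion            string          // posture check: evaluated for source peers only
}

// atLeast compares "major.minor.patch" numerically (so 0.27.9 < 0.27.10).
// Unparsable input reads as 0.0.0 and therefore fails any real minimum.
func atLeast(v, min string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(min, "%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// Linked reports whether a and b can talk: some policy must list one peer's group
// as source and the other's as destination, and that source peer must pass the
// posture check. The destination peer's version is never examined.
func Linked(a, b Peer, policies []Policy) bool {
	for _, p := range policies {
		for _, d := range [][2]Peer{{a, b}, {b, a}} {
			if p.Sources[d[0].Group] && p.Destinations[d[1].Group] && atLeast(d[0].Version, p.MinVersion) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed peers mirroring the report: one on 0.27.9, two on 0.27.10.
	old, cur1, cur2 := Peer{"p1", "g1", "0.27.9"}, Peer{"p2", "g2", "0.27.10"}, Peer{"p3", "g3", "0.27.10"}
	all := map[string]bool{"g1": true, "g2": true, "g3": true}
	mixed := []Policy{{all, all, "0.27.10"}} // every group on both sides
	split := []Policy{{map[string]bool{"g1": true}, map[string]bool{"g2": true}, "0.27.10"}}
	fmt.Println(Linked(old, cur1, mixed), Linked(cur1, cur2, mixed), Linked(old, cur1, split))
}
```

In this model a peer below the minimum version stays reachable whenever its group appears only on the destination side, so a group whose peers must be blocked for non-compliance has to sit on the source side of every policy that grants it access.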