netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Filter netbird status -d based on ACLs #2161

Open ndziuba opened 3 months ago

ndziuba commented 3 months ago

For machines to connect they have to see and know each other, but if ACL rules are in place that forbid them to connect, then they should also not show up in the netbird status -d command, as it would leak the machine to the peer.

This would make it possible to set up a group like traditional-vpn where users only connect to infrastructure machines but can't connect to each other and, most importantly, can't see each other, as this would leak for example user activity to peers and colleagues.

Describe the solution you'd like

Filter the peer list with ACL rules in netbird status -d based on reachability.

pascal-fischer commented 3 months ago

Hi @ndziuba,

this should already be the case. The peer only receives a network map with peers when there is at least 1 port allowed to be accessed from the peer. Can you double-check your policies to make sure none of them is allowing access to that peer?

ndziuba commented 3 months ago

Yes, you are correct. I got the result because my user was in a source and a destination group.

But a problem that we still face is that the destination server can view all peers and we would like to hide them from machines that are accessed and managed by users.

ndziuba commented 3 months ago

#812 I found the following issue describing a similar feature.

pascal-fischer commented 3 months ago

Ok, got your point. Yes, for a directional ACL the destination peer also sees all the information about the connected peers. We need to check how we can propagate to the client the information whether a peer is accessing or being accessed by another peer, so that it can be hidden from the status response.
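The two behaviours discussed in this thread, as an added example in Go (not NetBird's own code, and a deliberately simplified model of its policy engine): a remote peer is included in a peer's network map, and therefore in netbird status -d, as soon as at least one rule allows traffic between the two in either direction, which is why a one-way users-to-servers rule still shows every user on the server, and why a group that appears as both source and destination makes all its members visible to each other. The Reachable method shows the stricter, direction-aware listing the issue asks for. The Policy and Account types, the group and peer names, and both sample accounts are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy is a hypothetical, simplified model of a NetBird-style access rule:
// every peer in a Sources group may open connections to every peer in a
// Destinations group. Bidirectional rules also permit the reverse direction.
type Policy struct {
	Name          string
	Sources       []string
	Destinations  []string
	Bidirectional bool
}

// Account holds group membership (group name -> peer IDs) and the policies.
type Account struct {
	Groups   map[string][]string
	Policies []Policy
}

// allPeers returns every peer ID that appears in any group, once, sorted.
func (a *Account) allPeers() []string {
	seen := map[string]bool{}
	for _, members := range a.Groups {
		for _, p := range members {
			seen[p] = true
		}
	}
	peers := make([]string, 0, len(seen))
	for p := range seen {
		peers = append(peers, p)
	}
	sort.Strings(peers)
	return peers
}

// inGroups reports whether peer is a member of any of the named groups.
func (a *Account) inGroups(peer string, groups []string) bool {
	for _, g := range groups {
		for _, p := range a.Groups[g] {
			if p == peer {
				return true
			}
		}
	}
	return false
}

// Allowed reports whether at least one policy lets src connect to dst.
func (a *Account) Allowed(src, dst string) bool {
	if src == dst {
		return false
	}
	for _, pol := range a.Policies {
		if a.inGroups(src, pol.Sources) && a.inGroups(dst, pol.Destinations) {
			return true
		}
		if pol.Bidirectional && a.inGroups(dst, pol.Sources) && a.inGroups(src, pol.Destinations) {
			return true
		}
	}
	return false
}

// NetworkMap models the behaviour described in the thread: a remote peer is
// shipped to `peer` (and so appears in `netbird status -d`) as soon as some
// rule allows traffic between the two in either direction, because both ends
// of a WireGuard tunnel need the other side's key and endpoint.
func (a *Account) NetworkMap(peer string) []string {
	out := []string{}
	for _, other := range a.allPeers() {
		if other != peer && (a.Allowed(peer, other) || a.Allowed(other, peer)) {
			out = append(out, other)
		}
	}
	return out
}

// Reachable models the stricter list the issue asks for: only the peers
// that `peer` itself is permitted to connect to.
func (a *Account) Reachable(peer string) []string {
	out := []string{}
	for _, other := range a.allPeers() {
		if a.Allowed(peer, other) {
			out = append(out, other)
		}
	}
	return out
}

// TraditionalVPN is constructed sample data: users may reach servers, and no
// rule lets users reach each other.
func TraditionalVPN() *Account {
	return &Account{
		Groups:   map[string][]string{"users": {"alice", "bob"}, "servers": {"srv1"}},
		Policies: []Policy{{Name: "users-to-servers", Sources: []string{"users"}, Destinations: []string{"servers"}}},
	}
}

// OverlappingGroups is constructed sample data reproducing the first finding
// in the thread: one group is both source and destination of a rule, so every
// member of it sees every other member.
func OverlappingGroups() *Account {
	a := TraditionalVPN()
	a.Groups["all"] = []string{"alice", "bob", "srv1"}
	a.Policies = append(a.Policies, Policy{Name: "all-to-all", Sources: []string{"all"}, Destinations: []string{"all"}, Bidirectional: true})
	return a
}

func main() {
	for name, a := range map[string]*Account{"traditional-vpn": TraditionalVPN(), "overlapping": OverlappingGroups()} {
		fmt.Println("==", name)
		for _, p := range a.allPeers() {
			fmt.Printf("%-6s sees=%v reachable=%v\n", p, a.NetworkMap(p), a.Reachable(p))
		}
	}
}
```

With the traditional-vpn account, alice and bob each see only srv1, but srv1 sees both alice and bob even though it can reach neither; that is the directional leak the last comment acknowledges. Adding the all-to-all rule makes every peer see every other, which matches the earlier finding that a user present in both a source and a destination group is shown to colleagues.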