netbox-community / netbox-acls

A NetBox plugin for Access Lists based off of the NetBox Plugin Demo
https://pypi.org/project/netbox-acls/
Apache License 2.0

[Feature]: Object-Groups #56

Open cyberndj opened 2 years ago

cyberndj commented 2 years ago

NetBox version

v3.2.7

Feature type

Add a function

Proposed functionality

Include the ability to use object-groups for use in ACLs

Use case

Have a Menu Section like "ACL Object Groups." Different types would be "network" or "service" object groups. The object groups would be a list of IP networks/hosts and service object groups would have ports/protocols.

In the ACLs, you can reference an object group in the rule entry. Example:

    object-group network Private-Nets
     192.168.0.0 255.255.0.0
     172.16.0.0/12
     10.0.0.0 255.0.0.0
     169.254.0.0/16

ACL:

    permit ip object-group Private-Nets any
    deny ip any any log

External dependencies

No response
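As an added example (not code from netbox-acls or from the issue author), here is how the proposed network object group and the two ACL rules above could be modelled and rendered, both referencing the group and expanded into per-prefix ACEs in Cisco IOS-style syntax; the class and function names (NetworkGroup, Rule, render_rule) are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Union

# Constructed sample: the Private-Nets members from the feature request,
# mixing "address mask" and CIDR notation as the request does.
PRIVATE_NETS_RAW = ["192.168.0.0 255.255.0.0", "172.16.0.0/12",
                    "10.0.0.0 255.0.0.0", "169.254.0.0/16"]

def parse_network(text: str) -> IPv4Network:
    """Accept 'addr mask' or CIDR; strict=True rejects members with host bits set."""
    parts = text.split()
    if len(parts) == 2:
        return IPv4Network((parts[0], parts[1]), strict=True)
    return IPv4Network(text, strict=True)

@dataclass
class NetworkGroup:
    name: str
    members: list  # list[IPv4Network]

Endpoint = Union[NetworkGroup, str]  # a group, or the literal 'any'

@dataclass
class Rule:
    action: str     # 'permit' or 'deny'
    protocol: str   # 'ip', 'tcp', ...
    src: Endpoint
    dst: Endpoint
    log: bool = False

def render_group(group: NetworkGroup) -> list:
    """IOS-style object-group definition, one normalised 'address netmask' line per member."""
    return [f"object-group network {group.name}"] + [
        f" {n.network_address} {n.netmask}" for n in group.members]

def _endpoints(ep: Endpoint, expanded: bool) -> list:
    if isinstance(ep, str):
        return [ep]
    if not expanded:
        return [f"object-group {ep.name}"]
    # Expanded ACEs use wildcard (inverse) masks, as classic IOS extended ACLs do.
    return [f"{n.network_address} {n.hostmask}" for n in ep.members]

def render_rule(rule: Rule, expanded: bool = False) -> list:
    """One ACE per (src, dst) pair; the grouped form is always a single line."""
    suffix = " log" if rule.log else ""
    return [f"{rule.action} {rule.protocol} {s} {d}{suffix}"
            for s in _endpoints(rule.src, expanded)
            for d in _endpoints(rule.dst, expanded)]

def build_example() -> list:
    """Group definition plus both rules from the request, rendered against the group."""
    group = NetworkGroup("Private-Nets", [parse_network(t) for t in PRIVATE_NETS_RAW])
    rules = [Rule("permit", "ip", group, "any"), Rule("deny", "ip", "any", "any", log=True)]
    lines = render_group(group)
    for r in rules:
        lines += render_rule(r)
    return lines
```

Calling render_rule with expanded=True shows what a device without object-group support would need: one ACE per member, so the permit line above becomes four lines.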

ryanmerolle commented 1 year ago

Sorry for the delay here.

It feels like this is more of a firewall type of function. I guess Cisco IOS allows for this.

My only point is, should I make this a more generalized plugin to expand to be security policies and model something like the nautobot plugin firewall models?

cyberndj commented 1 year ago

Admittedly, my examples are Cisco specific and the features do seem firewall-ish (groupings are a firewall (L4+) feature). I would point out a lot of modern routers do let you add items to ACEs for header fields (i.e. Cisco's established (permit ip any any established)) ...and my knowledge is 90% Cisco, 2% Ubiquiti, 8% others... so my knowledge of how other manufacturers do things is very slim.

The nautobot plugin looks cool and could be what configuring a firewall policy could be like with all the extra fields that a FW would need. ...but I think something general/simple like using base NetBox prefix/IPs groups and maybe NetBox Services to do the protocol/port groupings.

fansari commented 1 year ago

In my opinion, everything which helps to build switch ACLs would be useful because this is our use case.

For hosts we don't need ACLs because you can build firewall rules with "Services" in NetBox.

cs-1 commented 5 months ago

This feature would be great. Aruba CX also supports object groups under AOS CX.