Traffic filtering #2030
Comments
jamilbk
added
kind/feature
jamilbk
removed
the
business_value/critical
jamilbk
added
the
kind/feedback
|
Time to make this happen :-) Todo:
|
jamilbk
added
business_value/high
|
Edge case with DNS Resources: If DNS resources map to the same IP and you want to allow access to port 80 but not port 8080 for a User, this runs into an issue where the user would be allowed both. |
|
We should explain that traffic filters work on IP level, so they apply after DNS name is resolved and then merged per dest up. Resource A: a.mycorp.com:80 On Gateway: On client: |
|
Possible solution? (involves lots of refactoring though):
Gateway: Resource: { Peer: { CGNAT IP -> ResourceId1 { |
Current approach to DNS resources
Drawback(regarding to traffic filtering)The problem is that when 2 different DNS resources resolve to the same real IP, we can't distinguish traffic between them, so the Gateway must apply the rules only based on IPs. New approach(proposed by @jamilbk )SummaryThe idea is to have the gateway do the packet mangling, the client would only ever see the cgnat ips. Then, on the gateway, the translation is made between CGNAT and real IPs, however the translation would be made but not only ip would be translated but also, a new sport would be picked. Then incoming traffic can be uniquely distinguished by the tuple DrawbacksThe problem still is that an attacker, can use the And this requires a big refactor and a lot more state tracking on the gateway. In general it seems impossible to apply rules meant for layer 5 to the traffic we see in layer 3 |
|
Would this solution work for two DNs resources with the same port filters for both of them? And what if port filter rule for those is more than half of the port range or partially overlapping large port ranges? For example, active FTP port range is 20, 60000-65535. |
The approach is independent of the port filtering itself, is just a way to be able to distinguish between resources in the gateway. |
|
But how do you distinguish when two port ranges overlap for the same IP but different resources? |
If they are different resources the daddr would be different, so we apply rules only meant for that ip. Or you mean for incoming traffic? I think we do only egress filtering |
Also, I think we're not going to go with this approach for the reasons explained here:
|
|
Seems like the portal is currently not sending ICMP filtering rules cc @AndrewDryga |
|
Same for "Permit All" the We could assume that an empty filter means "allow all" but doesn't seem like the best way to go. |
|
@conectado I understand that I pushed a fix for ICMP filters. |
I was thinking that if you will use |
|
|
Continuing the discussion here #4779 (comment) Let's say there are 2 overlapping CIDR resources on the client with different port filter rules Right now the client has no information about port filtering and the So the resource And without changes to the control protocol this can't be fixed. |
|
The first implementation will be naive and simply have this problem, it will be solved with #4789 Ideally, we can add a warning when there are overlapping resources in the portal cc @AndrewDryga |
|
@conectado Yeah actually, thinking more about it, I'm not sure I'm right about the user expectation on this one. I think we should get it out there and get feedback on it before going down the difficult path of resolving filters across all overlapping CIDRs. Just documenting well how this works is probably good enough for a good UX here. |
|
@jamilbk yeah, that's why we decided not to do client filtering right away. It feels like a pretty rare edge case that we already know how to solve (add filtering on the client too). So all we have to do is to keep an issue open for it in case we need to come back and implement it later. |
|
Adding note here after discussing with @conectado -- This would be required if we were to do the filtering on the Client as well, which we can save for later on, perhaps for #949. That would add another layer of security, since an attacker would need to compromise both the Gateway and Client in order to tamper with logged traffic. |
) This came up while working on #2030 and thinking about testing `Peer`. Not entirely convinced of taking both `Instant` and `DateTime<Utc>` but unless we convert the expiration to an instant, which would bring a bunch of new problems, I don't see another way to do this.
|
@AndrewDryga I just realized that now we can get some filters with messages "all", does it still mean that empty filters means allow all or allow none? |
It should be permit all. Deny all is what happens when there's no policy. |
If that's the case I rhink we should remove the "all" value for filters. Having 2 ways to express the same onlu makes things more complex. |
Yeah, it might be confusing if Can discuss this issue at standup. I think this could be solved by making |
This implements traffic filtering on the gateway. Filters are set on the
portal, per-resource, in an allow-list manner.
If no filters exist for a given resource all packets are allowed,
otherwise only packets that matches port/protocol for the filters are
allowed, otherwise they are dropped.
Filters can be either TCP, UDP or ICMP. For the first 2 multiple ports
can be given. Furthermore, multiple filters can exists for the same
resource.
To be able to add and remove filters with the same IP/CIDR we keep
around the whole list of filters for any given peer using an ID map and
recalculate the IP each time something is added is removed.
This allows us to remove filters and simply recalculate the allowlist
for each IP.
Furthermore, for any IP, all rules apply, meaning if there are multiple
IPs that apply for a resource all port/protocol combinations for that IP
will apply.
This works well right now for DNS resources, since access is requested
by DNS name, then the resource for that DNS name will arrive at the
gateway, and the port filtering will apply given that resource(and any
other resource with the same IP).
However, since the client has no idea of the filters, it can't request
the resource access based on the port/protocol combination and we are
still using the most specific("longest match") IP. This will mean that
for overlapping CIDR resources, only the rules for the most specific
will be used, even if the gateway supports applying them all, since it
will not have the other resources. This will be solved in #4789.
It can also lead to some weirdness, let's say that you have 10.0.0.0/24
-> TCP/80 and 10.0.0.0/16 -> TCP/443 for your user.
The user tries to access 10.0.0.1, and will then only be allowed port
80. At some point the user might access 10.1.0.1 and it will be allowed
port 443. But from that point on, the user will be allowed to access 80
and 443 in 10.0.0.1 because the rules correctly work on the gateway, the
problem is the client side. Again, #4789 will fix this.
Left for next PRs (in tentative order!):
- #4792
- #4789
Depends on: #4773.
Resolves #2030.
Resolves #4791.
---------
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
The text was updated successfully, but these errors were encountered: