new: Add interactive firewall rule editor plugin #294
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This relates to #293 After discussing with the firewall team, it seems like automated inserting of individual firewall rules isn't a great idea; the rules are applied immediately as changes are made, and since these rules are applied in order, with the first matching rule being acted on, it's easy to accidentally set up an insecure configuration. To make matters worse, there is no good way to identify a single rule from the response; labels are not required and don't have to be unique, and no other reasonable choice for an identifier is present. As such, automated systems that manage firewall rules should, for that reason, regenerate the entire ruleset for each update; for applications that want to modify the existing rules, they should follow a fetch-update-publish model. This PR is an attempt at the latter for the CLI; a plugin that allows interactive editing of firewall rules. This is by no means perfect - there are still several TODOs in the code, and it could generally be cleaner - but it should serve as an example of what we might want.o The interface looks this like: ``` Firewall: example Status: enabled Inbound Policy: DROP Outbound Policy: DROP Inbound Rules: ind | label | protocol | action | ports | addresses -----+-------+----------+--------+-------+------------------- 0 | | TCP | ACCEPT | 80 | 192.168.12.34/32 1 | | TCP | ACCEPT | | 12.34.56.0/24 Outbound Rules: ind | label | protocol | action | ports | addresses -----+-------+----------+--------+-------+--------------- 2 | test | UDP | ACCEPT | | 12.34.56.0/24 Global: Toggle [I]nbound or [O]utbound Policy Rules: [A]dd, [R]emove, or [S]wap [W]rtie settings or [Q]uit Saving.. Rules updated successfully! ``` Feedback appreciated
lgarber-akamai
changed the title
jriddle-linode
approved these changes
Nov 29, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📝 Description
This change adds an interactive rule editor for Linode firewalls. This is necessary as it allows users to modify their firewall from the CLI without needing to manually specify every rule on update.
✔️ How to Test
The editor can be accessed by running the following command:
linode-cli firewall-editor {firewall_id}📷 Preview
Primary View
Adding a Rule
Removing a Rule
Swapping Rules
📖 Notes
After discussing with the firewall team, it seems like automated
inserting of individual firewall rules isn't a great idea; the rules are
applied immediately as changes are made, and since these rules are
applied in order, with the first matching rule being acted on, it's easy
to accidentally set up an insecure configuration. To make matters
worse, there is no good way to identify a single rule from the response;
labels are not required and don't have to be unique, and no other
reasonable choice for an identifier is present. As such, automated
systems that manage firewall rules should, for that reason, regenerate
the entire ruleset for each update; for applications that want to modify
the existing rules, they should follow a fetch-update-publish model.
Resolves #293