
Feature request: User/Group based firewall rules #617

Closed
ccesario opened this issue Jan 7, 2016 · 13 comments

@ccesario

commented Jan 7, 2016

It would be interesting to add the capability of creating a firewall rule based on user/group.
And with this, control QoS / Application (Layer 7) / Webfilter based on these rules (by user/group).

Similar to other products - Fortinet / Sophos / Cyberoam, where all connections, once authenticated, are logged and controlled by USERNAME.

Best regards,
ccesario

@fichtner

Member

commented Jan 8, 2016

That's a very cool feature, but just how should it be implemented? Which open source software can be used to plug this feature in?

@fabianfrz

Member

commented Jan 8, 2016

@fichtner

Member

commented Jan 8, 2016

That's more of a captive portal. :) The NGFW user block feature ties transparently into the authentication backend (server) of the network and just "knows" users, groups and their IP addresses. I've never seen an open software solution for this.

@8191

Member

commented Jan 8, 2016

I think those companies (I can only speak for BlueCoat) realize it like that. They intercept the HTTP traffic and add an Authentication header, so the browser requests the user's credentials. Then the rules are being authorized.

For non-HTTP (and HTTPS) traffic, the user needs to browse manually to a Captive Portal.

@fichtner

Member

commented Jan 8, 2016

Ok, so the question is what is a minimum viable feature... @ccesario can you help us out here? :)

@ccesario

Author

commented Jan 8, 2016

Hi everybody :)

Well, I don't have many technical details, but I agree with @8191. The basic mechanism is to intercept the connections and redirect to a HotSpot, or the user can authenticate through some client (using this to do a transparent authentication on the Hotspot system).

And on the server side, after the user does the "authentication", the pf anchors/tables take care of this ... Maybe the authpf suggested by @fabianfrz already does it.

After this all pf logs can be logged with IP and USERNAME.

Only ideas...

@ccesario

Author

commented Jan 8, 2016

Only to complement the idea.
I noticed that the Sophos product works similarly to what was talked about above ^.

It intercepts the connection and forces authentication (by captive portal), or through a client, and saves the user/ip/group etc. inside an embedded database, and a set of scripts creates firewall rules (iptables based) for this.

@fabianfrz

Member

commented Jan 8, 2016

@fichtner I think @ccesario wants an extension of the captive portal to use the authentication in firewall rules.

@fichtner

Member

commented Jan 8, 2016

Captive portal is implemented on top of IPFW and can do all of that, but Firewall Rules are PF only, so there would be no easy fix... :(

@ccesario

Author

commented Jan 8, 2016

@fabianfrz Not exactly an extension, but a new concept, where all controls/policies can be done by user too instead of MAC addr, IP addr, etc.
And all access logs can contain the identity of the user (when authenticated, of course).

Look at the image attached.... maybe it is easier to understand the concept.

(attached image: fw_rule)

@fichtner fichtner added this to the Future milestone Feb 16, 2016

@ccesario

Author

commented Aug 29, 2016

@fichtner @fabianfrz Look at this: https://www.youtube.com/watch?v=_tqQxSwUpuI

It is in pt_BR but it is easy to understand. A preview of this suggested feature.

@fabianfrz

Member

commented Aug 30, 2016

@fichtner @ccesario This looks like a table in pf where the captive portal injects an ip address when the user authenticates on the captive portal. The table is used as the source in the pf rule.
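
The pf-table mechanism described in this comment, and the IP-to-USERNAME log enrichment @ccesario asked for earlier in the thread, modelled in one added Python example (this is not OPNsense code and not code from anyone in the thread). It assumes one pf table per group (names such as `cp_staff` are constructed), a per-group port policy that is invented for illustration, a session record of who authenticated from which IP, and a pflog line in the tcpdump text format that is constructed here rather than captured from a real box. Adding a user to a table becomes a `pfctl -t <table> -T add <ip>` argv list; the IP is validated first so that nothing the captive portal stores can reach a shell unparsed.

```python
"""Added model of the 'captive portal writes IPs into a pf table' design.

Not OPNsense code. Group names, the port policy, the LAN interface name,
the session records and the log lines below are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Which TCP ports each group may reach. Constructed policy for illustration.
POLICY = {"staff": [22, 80, 443], "guests": [80, 443]}

# Who is currently authenticated on the captive portal, and from which IP.
# Constructed sample data; a real portal would keep this in its session DB.
@dataclass(frozen=True)
class Session:
    user: str
    group: str
    ip: str

SESSIONS = [
    Session("alice", "staff", "192.168.1.20"),
    Session("bob", "guests", "192.168.1.31"),
]

# Constructed pflog lines in the style of `tcpdump -n -tt -i pflog0`.
SAMPLE_LOG = [
    "1452249600.000001 rule 3/0(match): pass in on em1: "
    "192.168.1.20.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535",
    "1452249601.000002 rule 5/0(match): block in on em1: "
    "192.168.1.77.40000 > 93.184.216.34.22: Flags [S], seq 1, win 65535",
]

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)


def table_name(group: str) -> str:
    """pf table names are limited to [A-Za-z0-9_]; map any group name onto that."""
    return "cp_" + re.sub(r"[^A-Za-z0-9_]", "_", group)


def pf_conf(policy: dict, lan_if: str = "em1") -> str:
    """Render the static part of pf.conf: one persistent table per group,
    one quick pass rule per group using the table as source, default block.
    Tables are 'persist' so they survive a ruleset reload while empty."""
    lines = [f"table <{table_name(g)}> persist" for g in policy]
    for group, ports in policy.items():
        portlist = " ".join(str(p) for p in ports)
        lines.append(
            f"pass in quick log on {lan_if} proto tcp "
            f"from <{table_name(group)}> to any port {{ {portlist} }}"
        )
    lines.append(f"block in log on {lan_if} all")
    return "\n".join(lines) + "\n"


def pfctl_commands(event: str, session: Session) -> list:
    """argv for the pfctl call the portal would make on login/logout.
    Returned as a list (never a shell string) and the IP is validated,
    so a malformed address in the session store cannot become shell input."""
    ipaddress.ip_address(session.ip)  # raises ValueError on anything odd
    flag = {"login": "add", "logout": "delete"}[event]
    return ["pfctl", "-t", table_name(session.group), "-T", flag, session.ip]


def enrich_pflog(line: str, sessions: list) -> dict:
    """Parse one pflog text line and attach user/group for the source IP,
    which is what makes the firewall log readable per USERNAME."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    record = m.groupdict()
    by_ip = {s.ip: s for s in sessions}
    hit = by_ip.get(record["src"])
    record["user"] = hit.user if hit else None
    record["group"] = hit.group if hit else None
    return record


if __name__ == "__main__":
    print(pf_conf(POLICY))
    for s in SESSIONS:
        print(" ".join(pfctl_commands("login", s)))
    for entry in SAMPLE_LOG:
        print(enrich_pflog(entry, SESSIONS))
```

The design choice worth noting is that the user never appears in the pf ruleset itself, only the table name does; identity lives in the portal's session store and is joined back onto the log at read time, which is why the log enrichment step is needed at all.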

@AdSchellevis

Member

commented Oct 12, 2016

timeout
