Feature request: User/Group based firewall rules #617

Closed
ccesario opened this issue Jan 7, 2016 · 23 comments
Labels
help wanted Contributor missing / timeout

Comments

@ccesario

ccesario commented Jan 7, 2016

It would be interesting to add the capability to create a firewall rule based on user/group.
And with this, control QoS / Application (Layer 7) / Webfilter based on these rules (by user/group).

Similar to other products (Fortinet / Sophos / Cyberoam), where all connections, when authenticated, are logged and controlled by USERNAME.

Best regards,
ccesario

@fichtner
Member

fichtner commented Jan 8, 2016

That's a very cool feature, but just how should it be implemented? Which open source software can be used to plug this feature in?

@fabianfrz
Member

something like http://www.openbsd.org/faq/pf/authpf.html ?

@fichtner
Member

fichtner commented Jan 8, 2016

That's more of a captive portal. :) The NGFW user block feature ties transparently into the authentication backend (server) of the network and just "knows" users, groups and their IP addresses. I've never seen an open software solution for this.

@8191
Member

8191 commented Jan 8, 2016

I think those companies (I can only speak for BlueCoat) realize it like that. They intercept the HTTP traffic and add an Authentication header, so the browser requests the user's credentials. Then the rules are being authorized.

For non-HTTP (and HTTPS) traffic, the user needs to browse manually to a Captive Portal.

@fichtner
Member

fichtner commented Jan 8, 2016

Ok, so the question is what is a minimum viable feature... @ccesario can you help us out here? :)

@ccesario
Author

ccesario commented Jan 8, 2016

Hi everybody :)

Well, I don't have many technical details, but I agree with @8191. The basic mechanism is to intercept the connections and redirect to a HotSpot, or through some client the user can authenticate (using this to do a transparent authentication on the HotSpot system).

And on the server side, after the user does the "authentication", the pf anchors/tables take care of this ... Maybe the authpf suggested by @fabianfrz already does it.

After this, all pf logs can be logged with IP and USERNAME.

Only ideas...

@ccesario
Author

ccesario commented Jan 8, 2016

Only to complement the idea.
I noticed that the Sophos product works similarly to what was discussed above.

It intercepts the connection and forces authentication (by captive portal, or through a client), saves the user/IP/group etc. inside an embedded database, and a set of scripts creates firewall rules (iptables based) for this.

@fabianfrz
Member

@fichtner I think @ccesario wants an extension of the captive portal to use the authentication in firewall rules.

@fichtner
Member

fichtner commented Jan 8, 2016

Captive portal is implemented on top of IPFW and can do all of that, but Firewall Rules are PF only, so there would be no easy fix... :(

@ccesario
Author

ccesario commented Jan 8, 2016

@fabianfrz Not exactly an extension, but a new concept, where all controls/policies can be done by user too, instead of MAC addr, IP addr, etc.
And all access logs can contain the identity of the user (when authenticated, of course).

Look at the attached image.... maybe it makes the concept easier to understand.

[image: fw_rule]

@fichtner fichtner added the help wanted Contributor missing / timeout label Feb 16, 2016
@fichtner fichtner added this to the Future milestone Feb 16, 2016
@ccesario
Author

@fichtner @fabianfrz Look at this: https://www.youtube.com/watch?v=_tqQxSwUpuI

It is in pt_BR, but it is easy to understand. A preview of this suggested feature.

@fabianfrz
Member

@fichtner @ccesario This looks like a table in pf where the captive portal injects an IP address when the user authenticates on the captive portal. The table is used as the source in the pf rule.

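The mechanism described in the comment above (a pf table that the portal fills with the IP of each authenticated user, used as the source selector of a pass rule), as an added example that is not part of the thread and not OPNsense's own captive-portal code (which, as noted earlier in the thread, sits on IPFW rather than pf). The table name `authed_users`, the interface `em1`, the session map file and the login/logout hook names are all assumptions made for the illustration. pfctl calls are printed instead of executed unless `DRY_RUN=0`, so the script can be read and exercised off the firewall; the only part pf sees is the IP, so a side map from IP to username is kept to join pf log lines back to a user.

```shell
#!/bin/sh
# Added example: user-to-IP table for pf driven by captive-portal login/logout.
# Not OPNsense code. Assumptions: table <authed_users>, LAN interface em1,
# hypothetical hooks portal_login/portal_logout called by the portal backend.

DRY_RUN="${DRY_RUN:-1}"                  # 1 = print pfctl commands, 0 = run them
PF_TABLE="${PF_TABLE:-authed_users}"     # hypothetical table name
SESSION_MAP="${SESSION_MAP:-$(mktemp)}"  # "ip user" lines; pf only logs IPs

# Ruleset fragment: the table is the source of the pass rule. Unauthenticated
# hosts get DNS only; everything else from LAN is blocked and logged.
pf_ruleset() {
    cat <<'EOF'
lan_if = "em1"
table <authed_users> persist
pass in log quick on $lan_if from <authed_users> to any keep state
pass in quick on $lan_if proto udp from any to any port 53
block in log on $lan_if
EOF
}

run_pfctl() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'pfctl %s\n' "$*"
    else
        pfctl "$@"
    fi
}

# Reject anything that is not a plain dotted IPv4 address before it reaches
# pfctl; the portal backend is the only caller but the value still comes from
# a client session, so it is validated here, not trusted.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Called by the portal after a successful authentication.
portal_login() {
    user="$1"; ip="$2"
    if ! valid_ipv4 "$ip"; then
        echo "portal_login: refusing invalid address '$ip'" >&2
        return 1
    fi
    run_pfctl -t "$PF_TABLE" -T add "$ip"
    echo "$ip $user" >> "$SESSION_MAP"
}

# Called on logout or session timeout: remove the table entry and kill the
# states that were created while the address was in the table, otherwise the
# existing connections keep passing after the user is gone.
portal_logout() {
    ip="$1"
    valid_ipv4 "$ip" || return 1
    run_pfctl -t "$PF_TABLE" -T delete "$ip"
    run_pfctl -k "$ip"
    awk -v ip="$ip" '$1 != ip' "$SESSION_MAP" > "$SESSION_MAP.tmp" \
        && mv "$SESSION_MAP.tmp" "$SESSION_MAP"
}

# Join a pf log source address back to the username (last login wins).
lookup_user() {
    awk -v ip="$1" '$1 == ip { u = $2 } END { print u }' "$SESSION_MAP"
}

# Stand-alone demo: ./portal_pf.sh demo  (DRY_RUN=1 by default, pf untouched)
if [ "${1:-}" = "demo" ]; then
    pf_ruleset
    portal_login alice 10.0.0.5
    printf 'src 10.0.0.5 -> user %s\n' "$(lookup_user 10.0.0.5)"
    portal_logout 10.0.0.5
fi
```

Two things the comment leaves implicit and the script makes explicit: a table entry is keyed by address, so any host that takes over the address (DHCP reuse, spoofing on a shared segment) inherits the authenticated user's policy until the entry is removed, and removing the entry does not drop connections that pf already has state for, hence the `pfctl -k` on logout.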
@AdSchellevis
Member

timeout

@colttt

colttt commented Aug 6, 2021

still a very interesting feature

@hb0nes

hb0nes commented Aug 29, 2022

Our company will unfortunately pass on using OPNSense because of this feature not existing.

Why have an LDAP integration at all if we cannot create user-based policies for access?

FortiGate has this and it works fine (even for non-HTTP(S) traffic).

In other words, still a very nice feature to have.

@fichtner
Member

@hb0nes I get your point but this is off-topic if nobody is interested in funding it in the first place (and this isn't a light topic).

@hb0nes

hb0nes commented Aug 29, 2022

Of course I'm unaware of the business goals of OPNSense - but seeing as they are offering appliances, I can imagine one of those goals is to compete with other brands.

That's why I'm kind of surprised to hear that nobody is willing to fund this.
It is what it is I guess.

Just wanted to give my 2c, sorry for commenting on a dead issue!

@fichtner
Member

If the mission is to replace e.g. a FortiGate you can calculate the cost of adding the feature to an open source project by projecting amount of devices to replace plus licensing/support costs for said project over X years and see if it makes sense.

Obviously a missing feature is a missing feature, but we are in a position as an open source project where we need the drive of the customer to migrate to an open source solution that requires improvements in order to migrate.

We don't have/need to throw around any venture capital in order to cannibalise an existing market. :)

@hb0nes

hb0nes commented Aug 29, 2022

I guess that makes sense. Hope I understand you correctly: if we want this feature, we contribute and build it ourselves, or pick another solution?

@fichtner
Member

Contact sales@deciso.com to discuss what technical specifications are behind that request. It's better to sync first, because adding features without coordination requires us to review and confirm, which might also be time-consuming depending on code size. The bit about knowing which IP belongs to whom is something that also depends on the source of the information. External client requirements are tricky, but sources like VPN users or LDAP are being discussed from time to time.

Cheers,
Franco

@mimugmail
Member

Zenarmor plugin should support this and might be cheaper than Forti

@fichtner
Member

There is also that, link drop :D

https://www.sunnyvalley.io/product

@hb0nes

hb0nes commented Aug 29, 2022 via email

8 participants