Skip to content

Commit 8f5ec97

Browse files
defguard-communitygitbook-bot
authored andcommitted
GITBOOK-416: merging ACL destination addrs networks
1 parent 18a0276 commit 8f5ec97

1 file changed

Lines changed: 29 additions & 2 deletions

File tree

enterprise/all-enteprise-features/access-control-list/firewall-internals.md

Lines changed: 29 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,10 @@
22
icon: user-shield
33
---
44

5-
# Access Control List: Implementation Details
5+
# Implementation Details
66

77
{% hint style="info" %}
8-
See Examples section in [Access Control List](README.md) documentation as they relate to details described below.
8+
See Examples section in [Access Control List](./) documentation as they relate to details described below.
99
{% endhint %}
1010

1111
## Firewall Interaction
@@ -162,3 +162,30 @@ block drop in log on wg0 all flags S/SA keep state
162162
pass in log quick on wg0 inet from 10.100.200.155 to 10.1.1.0/24 flags S/SA label "ACL 132 - Staff access Berlin DENY"
163163
pass in log quick on wg0 inet from 10.100.200.156 to 10.1.1.0/24 flags S/SA label "ACL 132 - Staff access Berlin DENY"
164164
```
165+
166+
## Merging destination IP addresses
167+
168+
Destination IPs for a given ACL can be configured in multiple ways:
169+
170+
* single IP
171+
* range of IPs
172+
* IP subnet using CIDR notation
173+
* list containing arbitrary combination of the above
174+
* destination aliases
175+
* component aliases
176+
177+
It is therefore possible to configure some overlapping destinations, for example a 10.0.20.0/24 subnet and then a specific IP like 10.0.20.17 in some alias. 
178+
179+
When generating firewall rules we have to be mindful of following limitations regarding our specific implementation:
180+
181+
* `nft` rejects overlapping destinations
182+
* `pf` does not handle IP ranges, so each IP in range is put in a separate rule
183+
184+
To avoid those issues when creating firewall rules we pre-process destination addresses in a following way:
185+
186+
* combine all destinations - manually configured, aliases, ranges etc into a single list
187+
* convert all types of destination (single IPs, ranges, subnets) into IP ranges
188+
* merge all those ranges into the smallest possible list of non-overlapping ranges
189+
* extract all possible subnets (with at least 2 IPs) from ranges
190+
191+
This means that our approach is biased towards finding subnets, so the destinations you see in the firewall rules on the gateway itself might differ significantly (in notation, not the content itself) from those you configured in your ACLs.

0 commit comments

Comments
 (0)