|
2 | 2 | icon: user-shield |
3 | 3 | --- |
4 | 4 |
|
5 | | -# Access Control List: Implementation Details |
| 5 | +# Implementation Details |
6 | 6 |
|
7 | 7 | {% hint style="info" %} |
8 | | -See Examples section in [Access Control List](README.md) documentation as they relate to details described below. |
| 8 | +See Examples section in [Access Control List](./) documentation as they relate to details described below. |
9 | 9 | {% endhint %} |
10 | 10 |
|
11 | 11 | ## Firewall Interaction |
@@ -162,3 +162,30 @@ block drop in log on wg0 all flags S/SA keep state |
162 | 162 | pass in log quick on wg0 inet from 10.100.200.155 to 10.1.1.0/24 flags S/SA label "ACL 132 - Staff access Berlin DENY" |
163 | 163 | pass in log quick on wg0 inet from 10.100.200.156 to 10.1.1.0/24 flags S/SA label "ACL 132 - Staff access Berlin DENY" |
164 | 164 | ``` |
| 165 | + |
| 166 | +## Merging destination IP addresses |
| 167 | + |
| 168 | +Destination IPs for a given ACL can be configured in multiple ways: |
| 169 | + |
| 170 | +* single IP |
| 171 | +* range of IPs |
| 172 | +* IP subnet using CIDR notation |
| 173 | +* list containing arbitrary combination of the above |
| 174 | +* destination aliases |
| 175 | +* component aliases |
| 176 | + |
| 177 | +It is therefore possible to configure some overlapping destinations, for example a 10.0.20.0/24 subnet and then a specific IP like 10.0.20.17 in some alias.  |
| 178 | + |
| 179 | +When generating firewall rules we have to be mindful of following limitations regarding our specific implementation: |
| 180 | + |
| 181 | +* `nft` rejects overlapping destinations |
| 182 | +* `pf` does not handle IP ranges, so each IP in range is put in a separate rule |
| 183 | + |
| 184 | +To avoid those issues when creating firewall rules we pre-process destination addresses in a following way: |
| 185 | + |
| 186 | +* combine all destinations - manually configured, aliases, ranges etc into a single list |
| 187 | +* convert all types of destination (single IPs, ranges, subnets) into IP ranges |
| 188 | +* merge all those ranges into the smallest possible list of non-overlapping ranges |
| 189 | +* extract all possible subnets (with at least 2 IPs) from ranges |
| 190 | + |
| 191 | +This means that our approach is biased towards finding subnets, so the destinations you see in the firewall rules on the gateway itself might differ significantly (in notation, not the content itself) from those you configured in your ACLs. |
0 commit comments