Expand Access Control List section

Author: Adam Ciarciński

.gitbook/assets/image (17).png

@@ -4,52 +4,70 @@ icon: user-shield
 
 # Access Control List
 
-The ACL (Access Control List) functionality in Defguard allows administrators to define and manage who can access specific network resources. It provides a clear and centralized way to control access based on users, groups, or devices, ensuring that only authorized entities can reach sensitive systems or services. 
+{% hint style="info" %}
+Access Control List feature is available in Defguard Core v1.3.0 and Defgaurd Gateway v1.3.0.
 
-{% hint style="warning" %}
-Access Control is an [enterprise feature](../../license.md). To use it you'll need to [purchase a license](../../license.md#purchasing-the-license) or ensure your deployment does not [exceed the limits](../../license.md#enterprise-is-free-up-to-certain-limits).
+Defguard Gateway v1.3.0 supports Linux machines with [NFTables](https://nftables.org/).
+Defguard Gateway v1.4.0 supports FreeBSD, NetBSD, and macOS machines with Packet Filter (PF).
+{% endhint %}
 
-Access Control is available in Defguard version ≥ 1.3.0 and Gateway version ≥ 1.3.0
+The ACL (Access Control List) functionality in Defguard allows administrators to define and manage who can access specific network resources. It provides a clear and centralized way to control access based on users, groups, or devices, ensuring that only authorized entities can reach sensitive systems or services.
+
+{% hint style="warning" %}
+Access Control is an [enterprise feature](../../license.md). To be able to use it, it is requireed to [purchase a license](../../license.md#purchasing-the-license), or ensure your deployment does not [exceed the limits](../../license.md#enterprise-is-free-up-to-certain-limits).
 {% endhint %}
 
-## How to enable Access Control List functionality
+### How to enable Access Control List functionality
 
-Access Control is enabled / disabled for each location individually. To enable it, go to location settings (you'll find the ![](<../../../.gitbook/assets/image (15).png>) button on the [network overview](../../../admin-and-features/features-and-configuration/wireguard/network-overview.md) page).
+Access Control can be enabled for each location individually. To enable it:
 
-There are two relevant options in the **"Location configuration"** section:
+1. Navigate to **VPN Overview** > **Edit Location settings**
+2. In **Location configuration** section select **Enable ACL for this location**.
+3. Click on **Save changes**.
 
 <figure><img src="../../../.gitbook/assets/image (17).png" alt=""><figcaption></figcaption></figure>
 
-Select the checkbox to enable ACL for the location.
+**You should also set the default ACL policy for the location** (see below).
+
+## Default Access Control List Policy
 
-**You should also set the default ACL policy for the location.**
+Default policy defines how to treat network traffic (with regarding to resources) that was not explicitly specified in ACL rules:
 
-Default policy defines what happens with traffic to resources that were not explicitly specified in your ACL rules:
+* **Allow** - users and devices connected to a location will be able to access all resources within the network, if the resource access is not modified by one of ACL rules.
+* **Deny** - all traffic to network resources that is not regulated by one of the ACL rules will be blocked.
 
-* Allow - users / devices connected to the location will be able to access all resources within the network if the resource access is not modified by one of your ACL rules.
-* Deny - all traffic to network resources that is not regulated by one of the ACL rules will be dropped
+### How to define the default ACL Policy
+
+Make sure ACL has been enabled (see above), otherwise the policy setting will not be inactive.
+
+1. Navigate to **VPN Overview** > **Edit Location settings**
+2. In **Location configuration** choose the desired option under **Default ACL Policy**.
+3. Click on **Save changes**.
+
+<figure><img src="../../../.gitbook/assets/image (17).png" alt=""><figcaption></figcaption></figure>
 
 ## List of ACL rules
 
 <figure><img src="../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
 
-**Access Control List** view displays all the rules defined in your system. The list is split into two sections.&#x20;
+**Access Control List** view displays all the rules defined in your system. The list is split into two sections.
 
-**"Deployed Rules"** section displays the rules that were already applied. Those rules should be in effect on relevant locations if the gateway-core connection is intact.
+**Deployed Rules** section displays the rules that have already been applied. Those rules should be in effect on relevant locations if the Gateway–Core connection is intact.
 
 {% hint style="warning" %}
-Defguard does not track rule application status per location. In the event of network connectivity issues between gateway and core components, rule propagation is not immediate. The system guarantees **eventual consistency** _-_ rules will be applied once the connection is restored.
+Defguard does not track rule application status per location. In the event of network connectivity issues between Gateway and Core components, rule propagation is not immediate. The system guarantees **eventual consistency**, meaning rules will be applied once the connection is restored.
 {% endhint %}
 
-**"Pending Changes"** section displays all the rules that have not yet been applied to locations. This includes:
+**Pending Changes** section displays all the rules that have not yet been applied to locations. This includes:
 
 * new rules
 * modified rules
 * deleted rules
 
-Use the ![](<../../../.gitbook/assets/image (5).png>) button to apply all the rules from **"Pending Changes"** section.
+Use the ![](<../../../.gitbook/assets/image (5).png>) button to apply all the rules from **Pending Changes** section.
 
 {% hint style="info" %}
+
 ## Batch rule application
 
 Defguard’s ACL functionality is designed to allow users to apply access control rules in batches. This approach minimizes the risk of transient network issues that could occur when deploying rules individually. By grouping changes and deploying them together, the system reduces the likelihood of connectivity hiccups or firewall disruptions.
@@ -61,7 +79,7 @@ The ACL list view also allows rule filtering by name, locations and other attrib
 
 ## How to add and modify ACL rules
 
-To create a new rule, use the ![](<../../../.gitbook/assets/image (6).png>) button in the [ACL List View](./#list-of-acl-rules).&#x20;
+To create a new rule, use the ![](<../../../.gitbook/assets/image (6).png>) button in the [ACL List View](./#list-of-acl-rules).
 
 You can edit an existing rule by using the ![](<../../../.gitbook/assets/image (12).png>) context menu and selecting **"Edit"** in the [ACL List View](./#list-of-acl-rules)**.**
 
@@ -73,7 +91,7 @@ You can edit an existing rule by using the ![](<../../../.gitbook/assets/image (
 
 The ACL form consists of three main sections:
 
-#### **Basic rule configuration**
+#### Basic rule configuration
 
 * rule name
 * locations where the rule should be applied
@@ -83,18 +101,18 @@ The ACL form consists of three main sections:
 Each rule in Defguard can be **enabled** or **disabled** individually. When a rule is disabled, it remains stored in the system but is not applied to any locations, meaning it has no effect on access control until re-enabled. This allows administrators to temporarily deactivate rules without deleting them, making it easy to toggle access policies as needed.
 {% endhint %}
 
-#### **Destination**
+#### Destination
 
 This section is meant to define the resource to which access should be granted or restricted. Think of this section as the **"destination"** part of a firewall rule.
 
 * IP addresses (IPv4 or IPv6) of the resources for which access will be granted or restricted. The addresses can be specified individually, by CIDR addresses (with a mask) or as a range. You can specify multiple comma-separated addresses. Examples of valid values for this field include:
   * `10.1.1.10, 10.1.2.0/24`
-  * `10.2.1.10-10.2.2.100, fd00:1000::/64, fd00:1000::f0`&#x20;
+  * `10.2.1.10-10.2.2.100, fd00:1000::/64, fd00:1000::f0`
   * etc.
 * Ports - TCP/UDP ports and port ranges
 * Protocols that will be affected by the rule. All by default. Defguard ACL currently supports TCP, UDP and ICMP protocols.
 
-#### **Allowed and Denied sources**
+#### Allowed and Denied sources
 
 This section lets you define which traffic sources should be granted or denied access - essentially the **"source"** side of a firewall rule.
 
@@ -107,31 +125,31 @@ In Defguard, sources can be defined as one of three object types:
 Each ACL rule in Defguard is intended to fully define access to a specific resource, you must therefore always include at least one allowed source.
 
 {% hint style="warning" %}
-This setting is independent from the default location-level [**Allowed groups**](../../../admin-and-features/features-and-configuration/wireguard/create-your-vpn-network.md#allowed-groups) configuration.&#x20;
+This setting is independent from the default location-level [**Allowed groups**](../../../admin-and-features/features-and-configuration/wireguard/create-your-vpn-network.md#allowed-groups) configuration.
 
 If you give a user access to some resource through an ACL rule, but they do not have access to a given location, they still won't be able to access it, because they'll be unable to establish a VPN connection with the gateway.
 {% endhint %}
 
 ### How to define your ACL ruleset
 
-Access Control List (ACL) rules in Defguard are used to manage **who can access specific resources** across your network. Think of each rule as a clear instruction that says: _“These users or devices are allowed to reach this resource - and optionally, these others are not.”_
+Access Control List (ACL) rules in Defguard are used to manage **who can access specific resources** across your network. Think of each rule as a clear instruction that says: _These users or devices are allowed to reach this resource – and optionally, these others are not._
 
 #### Key Concepts:
 
 * Each rule connects **who** (users, groups, or devices) to **what** (a resource address).
 * At least one "allowed" source must always be specified - this defines who gets access.
 * Optionally, you can **exclude** specific users, groups, or devices using the "denied" section.
 * You can use this combination to create flexible rules, such as:\
-  &#xNAN;_&#x41;llow everyone in the “Remote Workers” group except a few individuals access to specific office network._
+  _Allow everyone in the “Remote Workers” group except a few individuals access specific office network._
 
-This setup helps you control access clearly and safely without worrying about lower-level network and firewall behavior.
+This setup helps controlling access clearly and safely without worrying about lower-level network and firewall behavior.
 
 #### Details
 
-* ACL rules are **self-contained -** they fully define access for their target resource, are interpreted identically across all gateways and are unaffected by the **"default policy"** location setting.
-* **Default policy setting** at a location level does not affect traffic covered by ACL rules. It applies only to traffic targeting addresses not matched by any ACL rule.
-* A **destination address** is required in each rule - specifying only ports and/or protocols is not allowed.
-* **Ports and protocols** are optional. If specified, traffic is allowed _only_ on those ports/protocols—everything else will be blocked.
+* ACL rules are **self-contained** – they fully define access for their target resource, are interpreted identically across all Gateways and are unaffected by the **default policy** location setting.
+* **Default policy setting** at location level does not affect traffic covered by ACL rules. It applies only to traffic targeting addresses not matched by any ACL rule.
+* A **destination address** is required in each rule – specifying only ports and/or protocols that are not allowed.
+* **Ports and protocols** are optional. If specified, traffic is allowed _only_ on those ports/protocols; everything else is blocked.
 * Each ACL results in two firewall rules:
   * An **ALLOW** rule for the allowed sources.
   * A **DENY** rule to block all other traffic to that destination.
@@ -140,27 +158,33 @@ This setup helps you control access clearly and safely without worrying about lo
 
 #### Allowing access for specific users
 
-In this scenario we will allow specific users to access the 10.1.1.0/24 network if they are connecting via the **"office-berlin"** location.
+In this scenario we will allow specific users to access the 10.1.1.0/24 network, assuming the users connect through _Office-Berlin_ location.
 
-Do do this you will add new rule with:
+To do this, the following new rules have to be added:
 
-* office-berlin location selected in the **"Locations"** input
-* **"10.1.1.0/24"** CIDR in the destination input
-* Appropriate users in the **"Allowed Users/Groups/Devices->Users"** input
+* Navigate to **Access Control**.
+* Click on **Add new** button.
+* Name the rule under **Rule Name**: _Staff access Berlin_.
+* Select _Office-Berlin_ in the **Locations** input.
+* Under **Manual Input** > **IPv4/v6 CIDR range or adderess**, enter: _10.1.1.0/24_.
+* Add desired users in the **"Allowed Users/Groups/Devices** > **Users**.
+* Click on the **Submit** button.
 
 <figure><img src="../../../.gitbook/assets/image (71).png" alt=""><figcaption></figcaption></figure>
 
-Hit the ![](<../../../.gitbook/assets/image (72).png>) button. You will be redirected back to the [ACL List View](./#list-of-acl-rules) and the new rule should now be in the **"Pending Changes"** section.
+You will be redirected back to the [ACL List View](./#list-of-acl-rules) and the new rule should now be in the **Pending Changes** section.
 
 <figure><img src="../../../.gitbook/assets/image (73).png" alt=""><figcaption></figcaption></figure>
 
-Now just hit the ![](<../../../.gitbook/assets/image (74).png>) button and the rule should be applied on the **"office-berlin"** location.
+Now, click on **Deploy pending changes (1)** button. After that, the rule should be applied on the _Office-Berlin_ location.
 
 <figure><img src="../../../.gitbook/assets/image (75).png" alt=""><figcaption></figcaption></figure>
 
-**Under the hood**
+#### Implementation details
+
+##### Linux
 
-You just deployed the rule to gateway. This means that the firewall on the gateway that handles the **"office-berlin"** location should contain appropriate nftables rules that implement the requirements you specified. Let's see what this looks like in practice. Below is the `nftables list ruleset` output:
+All applied rules are deployed to Defguard Gateway. This means that the firewall on the Gateway that handles the _Office-Berlin_ location should contain appropriate [NFTables](https://nftables.org/) rules that implement the specified requirements. Let's see how this looks like in practice. Below is the `nftables list ruleset` output:
 
 ```
 ...
@@ -175,11 +199,11 @@ table inet DEFGUARD {
 ...
 ```
 
-As you can see, Defguard has created a new inet-type table. This is to make sure Defguard's configuration won't interfere with your existing nftables.&#x20;
+As you can see, Defguard has created a new inet-type table. This is to make sure Defguard's configuration won't interfere with your existing nftables.
 
 The FORWARD chain specifies our rules. First you can see the `policy drop` default, which is a result of setting the **"default Deny"** policy in the location settings. Then the `established,related` line to skip reevaluation of established connections.
 
-Finally the two lines that directly deal with our requirement to allow the two users into the network.&#x20;
+Finally the two lines that directly deal with our requirement to allow the two users into the network.
 
 ```
 ip saddr { 10.100.200.155-10.100.200.156 } ip daddr { 10.1.1.0/24 } counter packets 0 bytes 0 accept comment "ACL 132 - Office access Berlin ALLOW"
@@ -270,4 +294,4 @@ chain FORWARD {
 }
 ```
 
-By default this chain has the priority of `filter` (0). You can edit the priority by setting the `DEFGUARD_FW_PRIORITY` environment variable (or `fw_priority` config option) to chosen number, e.g. 1. The higher the priority, the later the chain runs in regard to your other forward chains.&#x20;
+By default this chain has the priority of `filter` (0). You can edit the priority by setting the `DEFGUARD_FW_PRIORITY` environment variable (or `fw_priority` config option) to chosen number, e.g. 1. The higher the priority, the later the chain runs in regard to your other forward chains.