Comments (6)
cc @conectado @bmanifold @AndrewDryga
This is going to need a fix before we roll out #4743 I think... wondering if this is the easiest way to solve the issue.
Trying to avoid making the user create a Resource for all combinations of ports/protocols they want to limit for each Group, which is the current way you can solve the issue now.
from firezone.
Maybe the simpler approach is to move the traffic_filters
to policies
instead, since that is where the admin is linking a Group to a Resource, and they can define which traffic is allowed for the particular Group at the time of policy creation.
from firezone.
I think the use case here is weird, what you should do is define two resources:
- gitlab.company.com:80,443 with access to everyone
- gitlab.company.com:22 with access to devops
Then the client/gateway must differentiate between those two, if they do not - it's a bug. Plus there are many other reasons why two separate ports on the same hosts can have different resources. Moving this to policy is trying to hide the problem without solving it.
from firezone.
@AndrewDryga That won't work. DNS resolution doesn't take ports into account, so when a user who has access to both resolves the name, the client won't know which one is the one to use until traffic flows, at which point it's too late.
The other option is to send all traffic restrictions from the portal down to a gateway for a all Resources with the same address that the user has access to. I.e. to authorize based on address and not ResourceId.
We would need major changes to the way DNS is resolved and mappings handled to pick the right set of traffic filters to use.
I'm not seeing a better approach that won't require onerous refactoring?
from firezone.
Hm yeah, actually -- adding this to Policies won't solve the issue because the wrong policy could still be used to resolve access to the Resource.
For example, the Everyone
policy granting access to the tcp/443
Resource could still be picked for the DevOps
user who's trying to access tcp/22
.
Need to think through this more. This means that Everyone
policies can cause issues when tied to Resources with overlapping addresses, since there isn't a way to remove a Group from a policy definition.
from firezone.
Based on the above it seems that the fix here to have the client select all Resources that match a particular address seen, and use all of them in the allow access request.
The portal would then need to resolve all policies for the matched Resources and send them all down to Gateway, coalescing the traffic restrictions for that particular Peer.
from firezone.
Related Issues (20)
- Refactor DNS resources HOT 1
- Usage docs for Windows
- Usage docs for Linux GUI HOT 1
- Update usage docs for Linux headless
- Usage docs for Android / ChromeOS
- Usage docs for macOS
- Usage docs for iOS
- "Deploy more Gateways for high availability" on Sites show
- build(gui-client): set deb section to `net` HOT 1
- Create a default Site on all new accounts
- bug(gui-client): the tray icon has poor contrast against the default dark Ubuntu task bar
- ux(gui-client): Welcome screen doesn't show if you run the GUI twice but have never signed in
- bug(gui-client/linux): cancelling keyring unlock bails out of the entire Firezone GUI Client HOT 1
- Finish refactoring from #4978
- Disable/Delete linked policy from Resource page
- Add space after Group and OrgUnit HOT 1
- Communicate how often sync job runs on average
- Initial sign-in takes 30 seconds on Windows Server VM
- Linux GUI client disconnected right after connecting. HOT 1
- Allow selecting multiple resources when creating a policy
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from firezone.