Comments (10)
Thoughts on using original_src
and translated_src
pattern for the attr names over before/after?
from nautobot-app-firewall-models.
NAT Model Proposition
This should be able to cover
- DNAT
- SNAT
- PAT
for all the use cases I was able to think of.
Similar to the pattern for Any
in the AddressObject
and ServiceObject
realm None
means no change in this case.
Model
I want to introduce two new models to this plugin, NATPolicy
as an equivalent to Policy
and NATPolicyRule
as an equivalent to PolicyRule
:
NATPolicy
should have all the fields thatPolicy
has, just withnat_rules
instead ofpolicy_rules
NATPolicyRule
should have all the fields thatPolicyRule
has, except that all the following fields are duplicated for before/after - they will however still all be foreign keys - ...source_service
source_service_group
destination_service
destination_service_group
source_address
source_address_group
destination_address
destination_address_group
- ...and the following fields are removed
action
- For the
AddressObject
instances that can go into thoseNATRule
fields, forbidFQDN
type objects?
Example JSON
The following are quick example JSON files of only those fields that changed in comparison to the non-NAT models and are interesting to the specific example.
Example 1
This model describes a NAT policy that
- PATs the source IP address behind 10.10.10.10/32
{
"nat_policies":
{
"nat_rules": [
{
"source_service_before": null,
"source_service_after": null,
"destination_service_before": null,
"destination_service_after": null,
"source_before": "10.0.0.0/24 (FK to AddressObject)",
"source_after": "10.10.10.10/32 (FK to AddressObject)",
"destination_before": null,
"destination_after": null
}
]
}
}
Example 2
This model describes a NAT policy that
- DNATs the destination IP address from 1.1.1.1 to 172.16.1.1
- Swaps the destination port of 80/TCP with 8080/TCP
{
"nat_policies":
{
"nat_rules": [
{
"source_service_before": null,
"source_service_after": null,
"destination_service_before": "80/TCP (FK to ServiceObject)",
"destination_service_after": "8080/TCP (FK to ServiceObject)",
"source_before": null,
"source_after": null,
"destination_before": "1.1.1.1/32 (FK to AddressObject)",
"destination_after": "172.16.1.1/32 (FK to AddressObject)"
}
]
}
}
Example 3
This model describes a NAT policy that
- PATs the source IP addresses from a group behind 10.10.10.10/32
{
"nat_policies":
{
"nat_rules": [
{
"source_service_before": null,
"source_service_after": null,
"destination_service_before": "80/TCP (FK to ServiceObject)",
"destination_service_after": "8080/TCP (FK to ServiceObject)",
"source_group_before": "Internal_Network (FK to AddressObjectGroup)",
"source_after": "1.1.1.1/32 (FK to AddressObject)",
"destination_before": null,
"destination_after": null
}
]
}
}
Open questions
- Do use cases exist that warrant explicitly changing a source port?
- This is specifically interesting, because for the use case of many (private) source addresses mapping to few (public) source addresses the source port is implicitly changed, omitting the
source_service
field family could make this clearer
- This is specifically interesting, because for the use case of many (private) source addresses mapping to few (public) source addresses the source port is implicitly changed, omitting the
- Is there a point in having the
ServiceGroup
field families? I imagine if you will do a destination port translation, then only 1-to-1 - Do we want a mode field to distinguish between static mappings and dynamic mappings? Probably this can be deduced from comparing the before/after counts, but then sometimes maybe you want the mapping to be random?
Happy to hear your thoughts.
from nautobot-app-firewall-models.
@ozmusic - we actually have NAT modelling in 1.1.0 now so you can check it out, its already on the demo. To your first question: In the actual implementation there are two fields, NATPolicyRule.translated_destination_addresses
and NATPolicyRule.translated_destination_address_groups
, both of which are ManyToManyField
instances, meaning that you can assign as many AddressObject
/AddressObjectGroup
instances as you need.
from nautobot-app-firewall-models.
@davidmclintock Is interested in tracking PAT as well.
from nautobot-app-firewall-models.
+1 for PAT
from nautobot-app-firewall-models.
Some random thoughts...
On point 1 (source port)
Even though I cannot think of a specific use case, most (all?) vendors do support this feature. Also, to bind this with your third point about modes, in Cisco configuration this specific use-case is called "overload".
On point 2 (ServiceGroup)
I've seen this used multiple times as a filter of sorts. You add an original service to tell the firewall to perform NAT only if the requests is towards a specific set of ports. These ports remain un-translated.
from nautobot-app-firewall-models.
@Kircheneer looking at example 2 and destination_after, is there scope in that for destination_after to be a list or is this covered by an address object group?
Something that would be nice to see as well is the addition of a healthcheck field, we could handle that with a custom field for a basic version as the model for a healthcheck may be scope creep here.
from nautobot-app-firewall-models.
@whitej6 I believe this can be closed as the feature is implemented.
from nautobot-app-firewall-models.
@Kircheneer the permissions for the demo user need to be updated to include the nat policies, I'll upgrade our lab instance and check it out there :)
from nautobot-app-firewall-models.
@nniehoff we beed to update permissions for demo
from nautobot-app-firewall-models.
Related Issues (20)
- Firewall plugin HOT 1
- Offer a rule policy existence checker HOT 2
- Add the "Tenant" field to the "Address Object" model.
- Sorting by Prefix in Address Object view results in error
- `service_objects` Isn't Documented in Swagger/OpenAPI Spec for Service Object Groups Create/POST
- Allow policy rules to have a souce_zone and destination_zone filter field
- Include IP protocol number in IP-based service objects HOT 1
- v2 migration failure
- Wrong URL field in API for Application Object Group
- Use Netutils libmapper for capirca platform.
- Add Aerleon support for generating rules HOT 2
- Docs: Incorrect documentation around slugs in admin install and configure guide
- firewall plugins - capirca policies - Missing views for action(s) add
- default job "Generate FW Config via Capirca" issue
- server error on device after running "Generate FW Config via Capirca" job
- another server error on device after running "Generate FW Config via Capirca" job
- AttributeError in running Generate FW Config via Capirca job
- Add M2M pre_change signal to `Policy.policy_rules` & signal for `PolicyRule.index` to enforce uniqueness on index of rules in a single policy
- More flexibly link zones to addresses/subnet/prefixes
- Server Error on policy when assigned to dynamic group
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nautobot-app-firewall-models.