Move Service to Policy Rule about nautobot-app-firewall-models HOT 6 CLOSED

I guess the idea was to support a more advanced firewall rule that could define also the source port

from nautobot-app-firewall-models.

Yeah, we'll definitely need to maintain a way to specify source port, there are certainly many examples of needing a source port (DHCP or DNS for instance).

I think for the service relationship to move to PolicyRule that will also require adding source port to the Service model. My concern with the way it is now is that you could get a situation where your source relationship has a different IP protocol than your destination relationship.

from nautobot-app-firewall-models.

I see. Your main concern is about protocol/port consistency.
This inconsistency could be mitigated by using data validation when two services are defined in the same rule, so the protocol is validated then.

from nautobot-app-firewall-models.

I think my this is my main question: Is there a use case where a service needs to be defined as a pair of services (source and destination)? If not, we can simplify the firewall models by moving the service relationship to the policy rule and adding an optional source port field.

As it is right now, to create a rule like "permit tcp host 10.1.1.1 host 10.2.2.2 eq 22" you would need to create a service policy object with nothing in it for the source and a second service policy object for tcp/22.

from nautobot-app-firewall-models.

@abates , I was looking for some example of having a source port, and I have not been able to find one. So, it would align with your view.
Just to get more points, please ask in #ask-architecture to see if someone has other experience/idea

from nautobot-app-firewall-models.

Done

from nautobot-app-firewall-models.