OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Ruaben on January 02, 2019, 07:11:45 pm

Title: Filter traffic from a certain OU/group
Post by: Ruaben on January 02, 2019, 07:11:45 pm
So long story short, I need to filter traffic from a certain OU or group to access a certain IP.

After a little digging I have found this topic here of someone that had the same question but for a previous version of OPNsense (link down below).
https://forum.opnsense.org/index.php?topic=4030.0

I just wanted to know if this feature was implemented already and if so how do I set it up. I've looked into the wiki but without success.

So at this point any help is welcome. Thank you!
Title: Re: Filter traffic from a certain OU/group
Post by: Ruaben on January 04, 2019, 12:43:21 pm
So I've gone through all the patch notes since the original question to see if in the meantime the feature was implemented, and I must say it was quite a nice read. Not just bug fixes (which are nice but quite boring to read), and it's nice to see it's under constant updates and not just "be happy" with the already established product.

Unfortunately I haven't seen the thing I was looking for.

Still, I would appreciate it if anyone could confirm (or deny) this for me. I could have missed what I was looking for.
Title: Re: Filter traffic from a certain OU/group
Post by: franco on January 06, 2019, 09:26:16 pm
Hi Ruaben,

If I understand correctly you want to block traffic based on user LDAP abstraction but there's no way to map users to firewall traffic (IP).

It's one of those NGFW features that are hard to implement and therefore good to sell which makes it unsuitable for OPNsense in general. And I'm not aware of a commercial plugin for it.


Cheers,
Franco
Title: Re: Filter traffic from a certain OU/group
Post by: franco on January 06, 2019, 09:27:30 pm
PS: A lot happened indeed. Thanks for noticing. And sorry for not being able to help.
Title: Re: Filter traffic from a certain OU/group
Post by: Ruaben on January 07, 2019, 10:30:24 am
No problem, I also thank you for the reply and your constant effort in developing this product.

Have a nice day!
Title: Re: Filter traffic from a certain OU/group
Post by: petrus on January 07, 2019, 08:00:24 pm
Hi,

I think Sensei is trying to achieve this, or has achieved it already. That's not open source, but free for OPNsense:
https://guide.sunnyvalley.io/sensei/
I'm not affiliated with them, but have seen it discussed here in the forums:
https://forum.opnsense.org/index.php?topic=9521.0
I didn't try it yet, but it looks quite interesting; however, it's probably a bit early for productive use.

The feature is called AD Integration. There are a few approaches to this, but all bigger commercial vendors have it implemented (look for Identity Awareness). 

I disagree with your argument about being hard to implement and I think OPNSense would be the perfect project to introduce such features into the open source world!
 
One way, which would be the simplest to implement, is doing LDAP queries (this is one way the big vendors also work).
You can get all the user names, groups and their IPs. From this you could just build a table of user > IP.
From this it does not look to be a great step to build a user > groups table (the use case for LDAP integration is not user-based but group-based access control).

For LDAP queries there are plenty of open-source tools.
OpenLDAP/ldapsearch: http://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html
 
BR Petrus

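A worked sketch of the LDAP-driven table petrus describes, added here as an example; it is not code from the thread, from OPNsense or from Sensei. It assumes the directory already records each user's address in an attribute (here `ipHostNumber`, an assumption; Active Directory does not by itself track which address a user is currently logged in from, so real deployments usually take that mapping from logon events, DHCP or an agent). It parses a constructed `ldapsearch -LLL`-style LDIF dump (folded continuation lines and `::` base64 values included) into group > IP and OU > IP tables, rejects values that are not addresses, and renders each table as one address per line, which is the form an OPNsense URL Table (IPs) alias can fetch, so "allow group X to host Y" becomes an ordinary alias-based rule.

```python
"""Build group -> IP and OU -> IP tables from an LDIF dump (added example)."""
import base64
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `ldapsearch -LLL` might return; ipHostNumber as the
# per-user address attribute is an assumption, not an AD default.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Finance,DC=corp,DC=example
sAMAccountName: alice
memberOf: CN=Finance-Users,OU=Groups,DC=corp,DC=example
memberOf: CN=VPN-Users,OU=Groups,DC=corp,DC=example
ipHostNumber: 10.0.1.10

dn: CN=Bob Example,OU=Finance,DC=corp,DC=example
sAMAccountName: bob
memberOf: CN=Finance-Users,OU=Groups,DC=corp,DC=exam
 ple
ipHostNumber: 10.0.1.11

dn: CN=Carol Example,OU=Engineering,DC=corp,DC=example
sAMAccountName:: Y2Fyb2w=
memberOf: CN=Eng-Users,OU=Groups,DC=corp,DC=example
ipHostNumber: 10.0.2.20

dn: CN=Mallory,OU=Engineering,DC=corp,DC=example
sAMAccountName: mallory
memberOf: CN=Eng-Users,OU=Groups,DC=corp,DC=example
ipHostNumber: not-an-ip
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries {attr_lowercase: [values]}; '::' marks base64 values."""
    entries, current = [], defaultdict(list)
    for line in unfold_ldif(text) + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[attr.strip().lower()].append(value)
    return entries


def rdn_value(dn, attr):
    """Return the first value of `attr` in a DN (e.g. CN or the nearest OU). Escaped commas are not handled."""
    m = re.search(r"(?i)(?:^|,)\s*" + re.escape(attr) + r"=([^,]+)", dn)
    return m.group(1).strip() if m else None


def build_tables(entries, ip_attr="iphostnumber"):
    """Map group CN -> set(IP) and user OU -> set(IP); collect values that are not valid addresses."""
    group_ips, ou_ips, rejected = defaultdict(set), defaultdict(set), []
    for entry in entries:
        user = (entry.get("samaccountname") or ["?"])[0]
        dn = (entry.get("dn") or [""])[0]
        for raw in entry.get(ip_attr, []):
            try:
                ip = str(ipaddress.ip_address(raw))   # normalises and rejects junk
            except ValueError:
                rejected.append((user, raw))
                continue
            ou = rdn_value(dn, "OU")
            if ou:
                ou_ips[ou].add(ip)
            for group_dn in entry.get("memberof", []):
                group = rdn_value(group_dn, "CN")
                if group:
                    group_ips[group].add(ip)
    return dict(group_ips), dict(ou_ips), rejected


def render_url_table(ips):
    """One address per line, sorted numerically: the format a URL Table (IPs) alias fetches."""
    return "".join(ip + "\n" for ip in sorted(ips, key=ipaddress.ip_address))


if __name__ == "__main__":
    groups, ous, bad = build_tables(parse_ldif(SAMPLE_LDIF))
    for name, ips in sorted(groups.items()):
        print(f"# group {name}\n{render_url_table(ips)}")
    for name, ips in sorted(ous.items()):
        print(f"# OU {name}\n{render_url_table(ips)}")
    print("rejected:", bad)
```

In practice the LDIF would come from something like `ldapsearch -LLL -b "DC=corp,DC=example" "(objectClass=user)" sAMAccountName memberOf ipHostNumber` run on a schedule, the rendered files served from a small internal web server, and one URL Table alias per group pointed at them; the refresh interval of the alias then bounds how long a stale user-to-IP mapping stays in the ruleset, which is the part of "identity awareness" that LDAP alone does not solve.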
Title: Re: Filter traffic from a certain OU/group
Post by: franco on January 07, 2019, 09:46:43 pm
Active Directory seems to be part of this offering, so I will slightly revise my statement:

https://guide.sunnyvalley.io/sensei/#premium-subscription

I still think it's harder due to probable support requests for different directory service solutions and environments.

I'm sure an open source plugin is feasible one way or another, but it will not be part of our core mission and is therefore "harder (for us)" to implement.


Cheers,
Franco
Title: Re: Filter traffic from a certain OU/group
Post by: fabian on January 07, 2019, 10:23:16 pm
@fichtner: this should not be so hard to implement. I just need some code to map IPs to an alias and manage that from the plugin like the nginx autoban feature - just with some kind of a captive portal so this would be the first plugin for the nginx plugin ;).

Explicit support for LDAP is then very unlikely because I don't have such a server (and I don't want it at home). But X.509 and Local Database and maybe RADIUS should be definitely doable.

But only if I find some time and want to do that.
Title: Re: Filter traffic from a certain OU/group
Post by: franco on January 07, 2019, 10:31:41 pm
By all means prove me wrong. I just try to be the voice of reason...  ;D
Title: Re: Filter traffic from a certain OU/group
Post by: petrus on January 08, 2019, 09:41:00 pm
Hi Guys,

No, that was not a feature request!  ;)
As for me I don't need it either for my home network, but this feature is used almost everywhere in any commercial FW install. So, just to have it as an open source as well, would be nice in itself...

Petrus
 
Title: Re: Filter traffic from a certain OU/group
Post by: fabian on January 20, 2019, 04:58:00 pm
Pull Request: https://github.com/opnsense/plugins/pull/1143
Title: Re: Filter traffic from a certain OU/group
Post by: petrus on February 05, 2019, 09:00:14 am
 :D Thanks!
Title: Re: Filter traffic from a certain OU/group
Post by: fabian on February 05, 2019, 05:38:07 pm
Doesn't look too good for the feature - Ad and Franco don't like it but with the patches of core it would already work…