OPNsense Forum » Archive » 18.7 Legacy Series » Filter traffic from a certain OU/group
Topic: Filter traffic from a certain OU/group (Read 8136 times)

Ruaben (Newbie; Posts: 3; Karma: 1)
Filter traffic from a certain OU/group « on: January 02, 2019, 07:11:45 pm »
So long story short, I need to filter traffic from a certain OU or group to access a certain IP.
After a little digging I have found this topic here of someone that had the same question but for a previous version of OPNsense (link down below).
https://forum.opnsense.org/index.php?topic=4030.0
I just wanted to know if this feature was implemented already and if so how do I set it up. I've looked into the wiki but without success.
So at this point any help is welcome. Thank you!

Ruaben (Newbie; Posts: 3; Karma: 1)
Re: Filter traffic from a certain OU/group « Reply #1 on: January 04, 2019, 12:43:21 pm »
So I've gone through all the patch notes since the original question to see if in the meantime the feature was implemented, and I must say it was quite a nice read. Not just bug fixes (which are nice but quite boring to read), and it's nice to see it's under constant updates and not just "be happy" with the already established product.
Unfortunately I haven't seen the thing I was looking for.
Still, I would appreciate it if anyone could confirm (or deny) this to me. I could have missed what I was looking for.

franco (Administrator; Hero Member; Posts: 17668; Karma: 1611)
Re: Filter traffic from a certain OU/group « Reply #2 on: January 06, 2019, 09:26:16 pm »
Hi Ruaben,
If I understand correctly you want to block traffic based on user LDAP abstraction but there's no way to map users to firewall traffic (IP).
It's one of those NGFW features that are hard to implement and therefore good to sell which makes it unsuitable for OPNsense in general. And I'm not aware of a commercial plugin for it.
Cheers,
Franco

franco (Administrator; Hero Member; Posts: 17668; Karma: 1611)
Re: Filter traffic from a certain OU/group « Reply #3 on: January 06, 2019, 09:27:30 pm »
PS: A lot happened indeed. Thanks for noticing. And sorry for not being able to help.

Ruaben (Newbie; Posts: 3; Karma: 1)
Re: Filter traffic from a certain OU/group « Reply #4 on: January 07, 2019, 10:30:24 am »
No problem, I also thank you for the reply and your constant effort in developing this product.
Have a nice day!

petrus (Newbie; Posts: 29; Karma: 1)
Re: Filter traffic from a certain OU/group « Reply #5 on: January 07, 2019, 08:00:24 pm »
Hi,
I think Sensei is trying to achieve this, or has achieved it already. That's not open source, but free for OPNsense:
https://guide.sunnyvalley.io/sensei/
I'm not affiliated with them, but have seen it discussed here in the forums:
https://forum.opnsense.org/index.php?topic=9521.0
I didn't try it yet, but it looks quite interesting; however, it's probably a bit early for productive use.
The feature is called AD Integration. There are a few approaches to this, but all bigger commercial vendors have it implemented (look for Identity Awareness).
I disagree with your argument about being hard to implement and I think OPNsense would be the perfect project to introduce such features into the open source world!
One way which would be the simplest to implement is doing LDAP queries (and this is one way the big vendors also work).
You can get all the user names, groups and their IPs. From this you could just build a table of user > IP.
From this it does not look to be a great step to build a user > groups table (the use case for LDAP integration is not user but group based access control).
For LDAP queries there are plenty of open source tools.
OpenLDAP/ldapsearch http://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html
BR Petrus

franco (Administrator; Hero Member; Posts: 17668; Karma: 1611)
Re: Filter traffic from a certain OU/group « Reply #6 on: January 07, 2019, 09:46:43 pm »
Active Directory seems to be part of this offering so I will slightly revise my statement:
https://guide.sunnyvalley.io/sensei/#premium-subscription
I still think it's harder due to probable support requests for different directory service solutions and environments.
I'm sure an open source plugin is feasible one way or another, but it will not be part of our core mission and is therefore "harder (for us)" to implement.
Cheers,
Franco

fabian (Hero Member; OPNsense Contributor (Language, VPN, Proxy, etc.); Posts: 2769; Karma: 200)
Re: Filter traffic from a certain OU/group « Reply #7 on: January 07, 2019, 10:23:16 pm »
@fichtner: this should not be so hard to implement. I just need some code to map IPs to an alias and manage that from the plugin like the nginx autoban feature - just with some kind of a captive portal so this would be the first plugin for the nginx plugin.
Explicit support for LDAP is then very unlikely because I don't have such a server (and I don't want it at home). But X.509 and Local Database and maybe RADIUS should be definitely doable.
But only if I find some time and want to do that.
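
Added example, not part of any post in this thread and not OPNsense or plugin code: a sketch of the user > groups table petrus describes, joined with an IP > user session table into the address list a firewall alias would hold, as fabian suggests. The LDIF sample, the session table (assumed to come from captive-portal logins) and the function names are constructed for illustration.

```python
import base64
import ipaddress

# Constructed sample in the LDIF shape printed by `ldapsearch -LLL`: a folded
# line (continuation starts with one space) and a base64 value ("attr:: ...").
_B64 = base64.b64encode(b"CN=IT-Admins,OU=Groups,DC=corp,DC=example").decode()
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Finance,DC=corp,DC=example\n"
    "sAMAccountName: alice\n"
    "memberOf: CN=Finance-Users,OU=Groups,DC=corp,DC=example\n"
    "memberOf: CN=VPN-Users,OU=Groups,DC=corp,\n"
    " DC=example\n"
    "\n"
    "dn: CN=Bob Example,OU=IT,DC=corp,DC=example\n"
    "sAMAccountName: bob\n"
    f"memberOf:: {_B64}\n"
)
# Constructed IP > user session table (assumed source: captive-portal logins).
SESSIONS = {"192.0.2.10": "alice", "192.0.2.11": "bob",
            "192.0.2.12": "Alice", "192.0.2.99": "mallory"}

def parse_ldif(text):
    """Build the user > groups table: {login name: {group CN, ...}}."""
    table = {}
    for entry in text.replace("\n ", "").strip().split("\n\n"):  # unfold lines
        user, groups = None, set()
        for line in entry.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attr, value = attr.lower(), value.strip()
            if attr == "samaccountname":
                user = value.lower()
            elif attr == "memberof":
                # First RDN of the group DN; escaped commas are not handled.
                groups.add(value.split(",", 1)[0].partition("=")[2])
        if user:
            table[user] = groups
    return table

def alias_members(group, user_groups, sessions):
    """IPs whose logged-in user is in `group`; unknown users match nothing."""
    ips = [ipaddress.ip_address(ip) for ip, user in sessions.items()
           if group in user_groups.get(user.lower(), set())]
    return [str(ip) for ip in sorted(ips, key=lambda a: (a.version, int(a)))]

if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print(alias_members("Finance-Users", groups, SESSIONS))
```

Session entries have to expire when the login ends; otherwise a reassigned address inherits the previous user's group access.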

franco (Administrator; Hero Member; Posts: 17668; Karma: 1611)
Re: Filter traffic from a certain OU/group « Reply #8 on: January 07, 2019, 10:31:41 pm »
By all means prove me wrong. I just try to be the voice of reason...

petrus (Newbie; Posts: 29; Karma: 1)
Re: Filter traffic from a certain OU/group « Reply #9 on: January 08, 2019, 09:41:00 pm »
Hi Guys,
No, that was not a feature request!
As for me, I don't need it either for my home network, but this feature is used almost everywhere in any commercial FW install. So, just to have it as open source as well would be nice in itself...
Petrus

fabian (Hero Member; OPNsense Contributor (Language, VPN, Proxy, etc.); Posts: 2769; Karma: 200)
Re: Filter traffic from a certain OU/group « Reply #10 on: January 20, 2019, 04:58:00 pm »
Pull Request:
https://github.com/opnsense/plugins/pull/1143

petrus (Newbie; Posts: 29; Karma: 1)
Re: Filter traffic from a certain OU/group « Reply #11 on: February 05, 2019, 09:00:14 am »
Thanks!

fabian (Hero Member; OPNsense Contributor (Language, VPN, Proxy, etc.); Posts: 2769; Karma: 200)
Re: Filter traffic from a certain OU/group « Reply #12 on: February 05, 2019, 05:38:07 pm »
Doesn't look too good for the feature - Ad and Franco don't like it but with the patches of core it would already work…