Remove default protocol for migrated rules policy

.github/workflows/golang-test-linux.yml

@@ -72,7 +72,7 @@ jobs:
         run: go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
 
       - name: Generate Engine Test bin
-        run: go test -c -o engine-testing.bin ./client/internal/*.go
+        run: go test -c -o engine-testing.bin ./client/internal
 
       - name: Generate Peer Test bin
         run: go test -c -o peer-testing.bin ./client/internal/peer/...
@@ -89,4 +89,4 @@ jobs:
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
 
       - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1

client/firewall/firewall.go

@@ -39,8 +39,12 @@ const (
 // Netbird client for ACL and routing functionality
 type Manager interface {
 	// AddFiltering rule to the firewall
+	//
+	// If comment argument is empty firewall manager should set
+	// rule ID as comment for the rule
 	AddFiltering(
 		ip net.IP,
+		proto Protocol,
 		port *Port,
 		direction Direction,
 		action Action,

client/firewall/iptables/manager_linux.go

@@ -10,6 +10,7 @@ import (
 	"github.com/google/uuid"
 
 	fw "github.com/netbirdio/netbird/client/firewall"
+	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -17,17 +18,33 @@ const (
 	ChainFilterName = "NETBIRD-ACL"
 )
 
+// jumpNetbirdDefaultRule always added by manager to the input chain for all trafic from the Netbird interface
+var jumpNetbirdDefaultRule = []string{
+	"-j", ChainFilterName, "-m", "comment", "--comment", "Netbird traffic chain jump"}
+
+// pingSupportDefaultRule always added by the manager to the Netbird ACL chain
+var pingSupportDefaultRule = []string{
+	"-p", "icmp", "--icmp-type", "echo-request", "-j",
+	"ACCEPT", "-m", "comment", "--comment", "Allow pings from the Netbird Devices"}
+
+// dropAllDefaultRule in the Netbird chain
+var dropAllDefaultRule = []string{"-j", "DROP"}
+
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex
 
 	ipv4Client *iptables.IPTables
 	ipv6Client *iptables.IPTables
+
+	wgIfaceName string
 }
 
 // Create iptables firewall manager
-func Create() (*Manager, error) {
-	m := &Manager{}
+func Create(wgIfaceName string) (*Manager, error) {
+	m := &Manager{
+		wgIfaceName: wgIfaceName,
+	}
 
 	// init clients for booth ipv4 and ipv6
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
@@ -38,20 +55,23 @@ func Create() (*Manager, error) {
 
 	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 	if err != nil {
-		return nil, fmt.Errorf("ip6tables is not installed in the system or not supported")
+		log.Errorf("ip6tables is not installed in the system or not supported")
+	} else {
+		m.ipv6Client = ipv6Client
 	}
-	m.ipv6Client = ipv6Client
 
 	if err := m.Reset(); err != nil {
-		return nil, fmt.Errorf("failed to reset firewall: %s", err)
+		return nil, fmt.Errorf("failed to reset firewall: %v", err)
 	}
-
 	return m, nil
 }
 
 // AddFiltering rule to the firewall
+//
+// If comment is empty rule ID is used as comment
 func (m *Manager) AddFiltering(
 	ip net.IP,
+	protocol fw.Protocol,
 	port *fw.Port,
 	direction fw.Direction,
 	action fw.Action,
@@ -59,45 +79,64 @@ func (m *Manager) AddFiltering(
 ) (fw.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	client := m.client(ip)
-	ok, err := client.ChainExists("filter", ChainFilterName)
+
+	client, err := m.client(ip)
 	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %s", err)
-	}
-	if !ok {
-		if err := client.NewChain("filter", ChainFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create chain: %s", err)
-		}
-	}
-	if port == nil || port.Values == nil || (port.IsRange && len(port.Values) != 2) {
-		return nil, fmt.Errorf("invalid port definition")
-	}
-	pv := strconv.Itoa(port.Values[0])
-	if port.IsRange {
-		pv += ":" + strconv.Itoa(port.Values[1])
-	}
-	specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment)
-	if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
 		return nil, err
 	}
-	rule := &Rule{
-		id:    uuid.New().String(),
-		specs: specs,
-		v6:    ip.To4() == nil,
+
+	var portValue string
+	if port != nil && port.Values != nil {
+		// TODO: we support only one port per rule in current implementation of ACLs
+		portValue = strconv.Itoa(port.Values[0])
 	}
-	return rule, nil
+
+	ruleID := uuid.New().String()
+	if comment == "" {
+		comment = ruleID
+	}
+
+	specs := m.filterRuleSpecs(
+		"filter",
+		ChainFilterName,
+		ip,
+		string(protocol),
+		portValue,
+		direction,
+		action,
+		comment,
+	)
+
+	ok, err := client.Exists("filter", ChainFilterName, specs...)
+	if err != nil {
+		return nil, fmt.Errorf("check is rule already exists: %w", err)
+	}
+	if ok {
+		return nil, fmt.Errorf("rule already exists")
+	}
+
+	if err := client.Insert("filter", ChainFilterName, 1, specs...); err != nil {
+		return nil, err
+	}
+
+	return &Rule{id: ruleID, specs: specs, v6: ip.To4() == nil}, nil
 }
 
 // DeleteRule from the firewall by rule definition
 func (m *Manager) DeleteRule(rule fw.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
+
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
 	}
+
 	client := m.ipv4Client
 	if r.v6 {
+		if m.ipv6Client == nil {
+			return fmt.Errorf("ipv6 is not supported")
+		}
 		client = m.ipv6Client
 	}
 	return client.Delete("filter", ChainFilterName, r.specs...)
@@ -107,11 +146,14 @@ func (m *Manager) DeleteRule(rule fw.Rule) error {
 func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
+
 	if err := m.reset(m.ipv4Client, "filter", ChainFilterName); err != nil {
 		return fmt.Errorf("clean ipv4 firewall ACL chain: %w", err)
 	}
-	if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
-		return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
+	if m.ipv6Client != nil {
+		if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
+			return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
+		}
 	}
 	return nil
 }
@@ -125,31 +167,79 @@ func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
 	if !ok {
 		return nil
 	}
-	if err := client.ClearChain(table, ChainFilterName); err != nil {
-		return fmt.Errorf("failed to clear chain: %w", err)
+
+	specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdDefaultRule...)
+	if err := client.Delete("filter", "INPUT", specs...); err != nil {
+		return fmt.Errorf("failed to delete default rule: %w", err)
 	}
-	return client.DeleteChain(table, ChainFilterName)
+
+	return client.ClearAndDeleteChain(table, chain)
 }
 
 // filterRuleSpecs returns the specs of a filtering rule
 func (m *Manager) filterRuleSpecs(
-	table string, chain string, ip net.IP, port string,
+	table string, chain string, ip net.IP, protocol string, port string,
 	direction fw.Direction, action fw.Action, comment string,
 ) (specs []string) {
-	if direction == fw.DirectionSrc {
+	switch direction {
+	case fw.DirectionSrc:
 		specs = append(specs, "-s", ip.String())
+	case fw.DirectionDst:
+		specs = append(specs, "-d", ip.String())
+	}
+	if protocol != "" {
+		specs = append(specs, "-p", protocol)
+	}
+	if port != "" {
+		specs = append(specs, "--dport", port)
 	}
-	specs = append(specs, "-p", "tcp", "--dport", port)
 	specs = append(specs, "-j", m.actionToStr(action))
 	return append(specs, "-m", "comment", "--comment", comment)
 }
 
-// client returns corresponding iptables client for the given ip
-func (m *Manager) client(ip net.IP) *iptables.IPTables {
+// rawClient returns corresponding iptables client for the given ip
+func (m *Manager) rawClient(ip net.IP) (*iptables.IPTables, error) {
 	if ip.To4() != nil {
-		return m.ipv4Client
+		return m.ipv4Client, nil
 	}
-	return m.ipv6Client
+	if m.ipv6Client == nil {
+		return nil, fmt.Errorf("ipv6 is not supported")
+	}
+	return m.ipv6Client, nil
+}
+
+// client returns client with initialized chain and default rules
+func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
+	client, err := m.rawClient(ip)
+	if err != nil {
+		return nil, err
+	}
+
+	ok, err := client.ChainExists("filter", ChainFilterName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
+	}
+
+	if !ok {
+		if err := client.NewChain("filter", ChainFilterName); err != nil {
+			return nil, fmt.Errorf("failed to create chain: %w", err)
+		}
+
+		if err := client.AppendUnique("filter", ChainFilterName, pingSupportDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default ping allow rule: %w", err)
+		}
+
+		if err := client.AppendUnique("filter", ChainFilterName, dropAllDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default drop all in netbird chain: %w", err)
+		}
+
+		specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdDefaultRule...)
+		if err := client.AppendUnique("filter", "INPUT", specs...); err != nil {
+			return nil, fmt.Errorf("failed to create chain: %w", err)
+		}
+
+	}
+	return client, nil
 }
 
 func (m *Manager) actionToStr(action fw.Action) string {

client/firewall/iptables/manager_linux_test.go

@@ -14,7 +14,8 @@ func TestNewManager(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	manager, err := Create()
+	// just check on the local interface
+	manager, err := Create("lo")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -22,10 +23,11 @@ func TestNewManager(t *testing.T) {
 	var rule1 fw.Rule
 	t.Run("add first rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.2")
-		port := &fw.Port{Proto: fw.PortProtocolTCP, Values: []int{8080}}
-		rule1, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
+		port := &fw.Port{Values: []int{8080}}
+		rule1, err = manager.AddFiltering(ip, "tcp", port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
 		if err != nil {
 			t.Errorf("failed to add rule: %v", err)
+			return
 		}
 
 		checkRuleSpecs(t, ipv4Client, true, rule1.(*Rule).specs...)
@@ -35,13 +37,13 @@ func TestNewManager(t *testing.T) {
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			Proto:  fw.PortProtocolTCP,
 			Values: []int{8043: 8046},
 		}
 		rule2, err = manager.AddFiltering(
-			ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
+			ip, "tcp", port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
 		if err != nil {
 			t.Errorf("failed to add rule: %v", err)
+			return
 		}
 
 		checkRuleSpecs(t, ipv4Client, true, rule2.(*Rule).specs...)
@@ -58,6 +60,7 @@ func TestNewManager(t *testing.T) {
 	t.Run("delete second rule", func(t *testing.T) {
 		if err := manager.DeleteRule(rule2); err != nil {
 			t.Errorf("failed to delete rule: %v", err)
+			return
 		}
 
 		checkRuleSpecs(t, ipv4Client, false, rule2.(*Rule).specs...)
@@ -66,19 +69,22 @@ func TestNewManager(t *testing.T) {
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Proto: fw.PortProtocolUDP, Values: []int{5353}}
-		_, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
+		port := &fw.Port{Values: []int{5353}}
+		_, err = manager.AddFiltering(ip, "udp", port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
 		if err != nil {
 			t.Errorf("failed to add rule: %v", err)
+			return
 		}
 
 		if err := manager.Reset(); err != nil {
 			t.Errorf("failed to reset: %v", err)
+			return
 		}
 
 		ok, err := ipv4Client.ChainExists("filter", ChainFilterName)
 		if err != nil {
 			t.Errorf("failed to drop chain: %v", err)
+			return
 		}
 
 		if ok {

client/firewall/port.go

@@ -1,14 +1,17 @@
 package firewall
 
-// PortProtocol is the protocol of the port
-type PortProtocol string
+// Protocol is the protocol of the port
+type Protocol string
 
 const (
-	// PortProtocolTCP is the TCP protocol
-	PortProtocolTCP PortProtocol = "tcp"
+	// ProtocolTCP is the TCP protocol
+	ProtocolTCP Protocol = "tcp"
 
-	// PortProtocolUDP is the UDP protocol
-	PortProtocolUDP PortProtocol = "udp"
+	// ProtocolUDP is the UDP protocol
+	ProtocolUDP Protocol = "udp"
+
+	// ProtocolICMP is the ICMP protocol
+	ProtocolICMP Protocol = "icmp"
 )
 
 // Port of the address for firewall rule
@@ -18,7 +21,4 @@ type Port struct {
 
 	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
 	Values []int
-
-	// Proto is the protocol of the port
-	Proto PortProtocol
 }

client/internal/engine.go

@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"reflect"
 	"runtime"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -16,6 +17,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/proxy"
@@ -112,7 +114,9 @@ type Engine struct {
 
 	statusRecorder *peer.Status
 
-	routeManager routemanager.Manager
+	routeManager    routemanager.Manager
+	firewallManager firewall.Manager
+	firewallRules   map[string]firewall.Rule
 
 	dnsServer dns.Server
 }
@@ -219,6 +223,16 @@ func (e *Engine) Start() error {
 
 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)
 
+	e.firewallManager, err = buildFirewallManager(wgIfaceName)
+	if err != nil {
+		log.Errorf("failed to create firewall manager, ACL policy will not work: %s", err.Error())
+	} else {
+		if err := e.firewallManager.Reset(); err != nil {
+			log.Tracef("failed to reset firewall manager on the start: %v", err.Error())
+		}
+	}
+	e.firewallRules = make(map[string]firewall.Rule)
+
 	if e.dnsServer == nil {
 		// todo fix custom address
 		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
@@ -622,6 +636,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
+	e.applyFirewallRules(networkMap.FirewallRules)
 	e.networkSerial = serial
 	return nil
 }
@@ -1028,6 +1043,92 @@ func (e *Engine) close() {
 		e.dnsServer.Stop()
 	}
 
+	if e.firewallManager != nil {
+		if err := e.firewallManager.Reset(); err != nil {
+			log.Warnf("failed resetting firewall: %v", err)
+		}
+	}
+}
+
+// applyFirewallRules to the local firewall manager processed by ACL policy.
+func (e *Engine) applyFirewallRules(rules []*mgmProto.FirewallRule) {
+	if e.firewallManager == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
+	for ruleID, rule := range e.firewallRules {
+		if err := e.firewallManager.DeleteRule(rule); err != nil {
+			log.Errorf("failed to delete firewall rule: %v", err)
+			continue
+		}
+		delete(e.firewallRules, ruleID)
+	}
+
+	for _, r := range rules {
+		if rule := e.protoRuleToFirewallRule(r); rule == nil {
+			log.Errorf("failed to apply firewall rule: %v", r)
+		}
+	}
+}
+
+func (e *Engine) protoRuleToFirewallRule(r *mgmProto.FirewallRule) firewall.Rule {
+	ip := net.ParseIP(r.PeerIP)
+	if ip == nil {
+		log.Error("invalid IP address, skipping firewall rule")
+		return nil
+	}
+
+	var port *firewall.Port
+	if r.Port != "" {
+		split := strings.Split(r.Port, "/")
+		// port can be empty, so ignore conversion error
+		value, _ := strconv.Atoi(split[0])
+		port = &firewall.Port{}
+		if value != 0 {
+			port.Values = []int{value}
+		}
+	}
+
+	var protocol firewall.Protocol
+	switch r.Protocol {
+	case "tcp":
+		protocol = firewall.ProtocolTCP
+	case "udp":
+		protocol = firewall.ProtocolUDP
+	case "icmp":
+		protocol = firewall.ProtocolICMP
+	}
+
+	var direction firewall.Direction
+	switch r.Direction {
+	case "src":
+		direction = firewall.DirectionSrc
+	case "dst":
+		direction = firewall.DirectionDst
+	default:
+		log.Error("invalid direction, skipping firewall rule")
+		return nil
+	}
+
+	var action firewall.Action
+	switch r.Action {
+	case "accept":
+		action = firewall.ActionAccept
+	case "drop":
+		action = firewall.ActionDrop
+	default:
+		log.Error("invalid action, skipping firewall rule")
+		return nil
+	}
+
+	rule, err := e.firewallManager.AddFiltering(ip, protocol, port, direction, action, "")
+	if err != nil {
+		log.Errorf("failed to add firewall rule: %v", err)
+		return nil
+	}
+	e.firewallRules[rule.GetRuleID()] = rule
+	return rule
 }
 
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {

client/internal/engine_test.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -20,6 +21,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
 
+	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -28,6 +30,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 	mgmt "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -938,6 +941,139 @@ func Test_ParseNATExternalIPMappings(t *testing.T) {
 	}
 }
 
+func TestEngine_firewallManager(t *testing.T) {
+	// TODO: enable when other platform will be added
+	if runtime.GOOS != "linux" {
+		t.Skipf("firewall manager not supported in the: %s", runtime.GOOS)
+		return
+	}
+
+	if _, err := exec.LookPath("iptables"); err != nil {
+		t.Skipf("iptables not found: %v", err)
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(CtxInitState(context.Background()), 10*time.Second)
+	defer cancel()
+
+	dir := t.TempDir()
+
+	err := util.CopyFileContents("../testdata/store.json", filepath.Join(dir, "store.json"))
+	if err != nil {
+		t.Errorf("copy temporary store file: %v", err)
+	}
+
+	sigServer, signalAddr, err := startSignal()
+	if err != nil {
+		t.Errorf("start signal server: %v", err)
+		return
+	}
+	defer sigServer.GracefulStop()
+
+	mgmtServer, mgmtAddr, err := startManagement(dir)
+	if err != nil {
+		t.Errorf("start management server: %v", err)
+		return
+	}
+	defer mgmtServer.GracefulStop()
+
+	setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
+
+	engine, err := createEngine(ctx, cancel, setupKey, 0, mgmtAddr, signalAddr)
+	if err != nil {
+		t.Errorf("create engine: %v", err)
+		return
+	}
+	engine.dnsServer = &dns.MockServer{}
+
+	if err := engine.Start(); err != nil {
+		t.Logf("start engine: %v", err)
+		return
+	}
+
+	defer func() {
+		if err := engine.mgmClient.Close(); err != nil {
+			t.Logf("close management client: %v", err)
+		}
+
+		if err := engine.Stop(); err != nil {
+			t.Logf("stop engine: %v", err)
+		}
+	}()
+
+	// wait 2 seconds until all management and signal processing will be finished
+	time.Sleep(2 * time.Second)
+
+	if engine.firewallManager == nil {
+		t.Errorf("firewall manager is nil")
+		return
+	}
+
+	fwRules := []*mgmProto.FirewallRule{
+		{
+			PeerID:    "test",
+			PeerIP:    "10.93.0.1",
+			Direction: "dst",
+			Action:    "accept",
+			Protocol:  "tcp",
+			Port:      "80",
+		},
+		{
+			PeerID:    "test2",
+			PeerIP:    "10.93.0.2",
+			Direction: "dst",
+			Action:    "drop",
+			Protocol:  "udp",
+			Port:      "53",
+		},
+	}
+
+	// we receive one rule from the management so for testing purposes ignore it
+	engine.firewallRules = make(map[string]firewall.Rule)
+
+	t.Run("apply firewall rules", func(t *testing.T) {
+		engine.applyFirewallRules(fwRules)
+
+		if len(engine.firewallRules) != 2 {
+			t.Errorf("firewall rules not applied: %v", engine.firewallRules)
+			return
+		}
+	})
+
+	t.Run("add extra rules", func(t *testing.T) {
+		// remove first rule
+		fwRules = fwRules[1:]
+		fwRules = append(fwRules, &mgmtProto.FirewallRule{
+			PeerID:    "test3",
+			PeerIP:    "10.93.0.3",
+			Direction: "src",
+			Action:    "drop",
+			Protocol:  "icmp",
+		})
+
+		existedRulesID := map[string]struct{}{}
+		for id := range engine.firewallRules {
+			existedRulesID[id] = struct{}{}
+		}
+
+		engine.applyFirewallRules(fwRules)
+
+		// we should have one old and one new rule in the existed rules
+		if len(engine.firewallRules) != 2 {
+			t.Errorf("firewall rules not applied")
+			return
+		}
+
+		// check that old rules was removed
+		for id := range existedRulesID {
+			if _, ok := engine.firewallRules[id]; ok {
+				t.Errorf("old rule was not removed")
+				return
+			}
+		}
+	})
+}
+
 func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mgmtAddr string, signalAddr string) (*Engine, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {

client/internal/firewall.go

@@ -0,0 +1,14 @@
+//go:build !linux
+
+package internal
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/netbirdio/netbird/client/firewall"
+)
+
+func buildFirewallManager(wgIfaceName string) (fw firewall.Manager, err error) {
+	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
+}

client/internal/firewall_linux.go

@@ -0,0 +1,18 @@
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/iptables"
+)
+
+// buildFirewallManager creates a firewall manager instance for the Linux
+func buildFirewallManager(wgIfaceName string) (firewall.Manager, error) {
+	fw, err := iptables.Create(wgIfaceName)
+	if err != nil {
+		log.Debugf("failed to create iptables manager: %s", err)
+		return nil, err
+	}
+	return fw, nil
+}

management/proto/management.pb.go

@@ -1,15 +1,15 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v3.12.4
+// 	protoc        v3.21.0
 // source: management.proto
 
 package proto
 
 import (
-	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -611,7 +611,7 @@ type ServerKeyResponse struct {
 	// Server's Wireguard public key
 	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
 	// Key expiration timestamp after which the key should be fetched again by the client
-	ExpiresAt *timestamp.Timestamp `protobuf:"bytes,2,opt,name=expiresAt,proto3" json:"expiresAt,omitempty"`
+	ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expiresAt,proto3" json:"expiresAt,omitempty"`
 	// Version of the Wiretrustee Management Service protocol
 	Version int32 `protobuf:"varint,3,opt,name=version,proto3" json:"version,omitempty"`
 }
@@ -655,7 +655,7 @@ func (x *ServerKeyResponse) GetKey() string {
 	return ""
 }
 
-func (x *ServerKeyResponse) GetExpiresAt() *timestamp.Timestamp {
+func (x *ServerKeyResponse) GetExpiresAt() *timestamppb.Timestamp {
 	if x != nil {
 		return x.ExpiresAt
 	}
@@ -995,6 +995,8 @@ type NetworkMap struct {
 	DNSConfig *DNSConfig `protobuf:"bytes,6,opt,name=DNSConfig,proto3" json:"DNSConfig,omitempty"`
 	// RemotePeerConfig represents a list of remote peers that the receiver can connect to
 	OfflinePeers []*RemotePeerConfig `protobuf:"bytes,7,rep,name=offlinePeers,proto3" json:"offlinePeers,omitempty"`
+	// FirewallRule represents a list of firewall rules to be applied to peer
+	FirewallRules []*FirewallRule `protobuf:"bytes,8,rep,name=FirewallRules,proto3" json:"FirewallRules,omitempty"`
 }
 
 func (x *NetworkMap) Reset() {
@@ -1078,6 +1080,13 @@ func (x *NetworkMap) GetOfflinePeers() []*RemotePeerConfig {
 	return nil
 }
 
+func (x *NetworkMap) GetFirewallRules() []*FirewallRule {
+	if x != nil {
+		return x.FirewallRules
+	}
+	return nil
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure WireGuard Peers sections
 type RemotePeerConfig struct {
@@ -1831,6 +1840,94 @@ func (x *NameServer) GetPort() int64 {
 	return 0
 }
 
+// FirewallRule represents a firewall rule
+type FirewallRule struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	PeerID    string `protobuf:"bytes,1,opt,name=PeerID,proto3" json:"PeerID,omitempty"`
+	PeerIP    string `protobuf:"bytes,2,opt,name=PeerIP,proto3" json:"PeerIP,omitempty"`
+	Direction string `protobuf:"bytes,3,opt,name=Direction,proto3" json:"Direction,omitempty"`
+	Action    string `protobuf:"bytes,4,opt,name=Action,proto3" json:"Action,omitempty"`
+	Protocol  string `protobuf:"bytes,5,opt,name=Protocol,proto3" json:"Protocol,omitempty"`
+	Port      string `protobuf:"bytes,6,opt,name=Port,proto3" json:"Port,omitempty"`
+}
+
+func (x *FirewallRule) Reset() {
+	*x = FirewallRule{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_management_proto_msgTypes[25]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *FirewallRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FirewallRule) ProtoMessage() {}
+
+func (x *FirewallRule) ProtoReflect() protoreflect.Message {
+	mi := &file_management_proto_msgTypes[25]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FirewallRule.ProtoReflect.Descriptor instead.
+func (*FirewallRule) Descriptor() ([]byte, []int) {
+	return file_management_proto_rawDescGZIP(), []int{25}
+}
+
+func (x *FirewallRule) GetPeerID() string {
+	if x != nil {
+		return x.PeerID
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetPeerIP() string {
+	if x != nil {
+		return x.PeerIP
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetDirection() string {
+	if x != nil {
+		return x.Direction
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetAction() string {
+	if x != nil {
+		return x.Action
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetPort() string {
+	if x != nil {
+		return x.Port
+	}
+	return ""
+}
+
 var File_management_proto protoreflect.FileDescriptor
 
 var file_management_proto_rawDesc = []byte{
@@ -1948,7 +2045,7 @@ var file_management_proto_rawDesc = []byte{
 	0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
 	0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f,
 	0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0xee, 0x02, 0x0a, 0x0a, 0x4e, 0x65, 0x74,
+	0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0xae, 0x03, 0x0a, 0x0a, 0x4e, 0x65, 0x74,
 	0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61,
 	0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12,
 	0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20,
@@ -1971,7 +2068,11 @@ var file_management_proto_rawDesc = []byte{
 	0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e,
 	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74,
 	0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0c, 0x6f, 0x66, 0x66,
-	0x6c, 0x69, 0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x22, 0x97, 0x01, 0x0a, 0x10, 0x52, 0x65,
+	0x6c, 0x69, 0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x0d, 0x46, 0x69, 0x72,
+	0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x46, 0x69,
+	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x46, 0x69, 0x72, 0x65,
+	0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0x97, 0x01, 0x0a, 0x10, 0x52, 0x65,
 	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a,
 	0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c,
@@ -2062,32 +2163,42 @@ var file_management_proto_rawDesc = []byte{
 	0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a,
 	0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e,
 	0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x32, 0xf7, 0x02, 0x0a, 0x11, 0x4d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
-	0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42,
-	0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74,
-	0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53,
-	0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12,
-	0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70,
-	0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65,
-	0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xa4, 0x01, 0x0a, 0x0c, 0x46, 0x69,
+	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65,
+	0x65, 0x72, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72,
+	0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12, 0x1c, 0x0a, 0x09, 0x44, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x44,
+	0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+	0x12, 0x1a, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a, 0x04,
+	0x50, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74,
+	0x32, 0xf7, 0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a,
+	0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
 	0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
 	0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
 	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a,
+	0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -2103,7 +2214,7 @@ func file_management_proto_rawDescGZIP() []byte {
 }
 
 var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 25)
+var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 26)
 var file_management_proto_goTypes = []interface{}{
 	(HostConfig_Protocol)(0),               // 0: management.HostConfig.Protocol
 	(DeviceAuthorizationFlowProvider)(0),   // 1: management.DeviceAuthorizationFlow.provider
@@ -2132,7 +2243,8 @@ var file_management_proto_goTypes = []interface{}{
 	(*SimpleRecord)(nil),                   // 24: management.SimpleRecord
 	(*NameServerGroup)(nil),                // 25: management.NameServerGroup
 	(*NameServer)(nil),                     // 26: management.NameServer
-	(*timestamp.Timestamp)(nil),            // 27: google.protobuf.Timestamp
+	(*FirewallRule)(nil),                   // 27: management.FirewallRule
+	(*timestamppb.Timestamp)(nil),          // 28: google.protobuf.Timestamp
 }
 var file_management_proto_depIdxs = []int32{
 	11, // 0: management.SyncResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
@@ -2143,7 +2255,7 @@ var file_management_proto_depIdxs = []int32{
 	6,  // 5: management.LoginRequest.peerKeys:type_name -> management.PeerKeys
 	11, // 6: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
 	14, // 7: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
-	27, // 8: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
+	28, // 8: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
 	12, // 9: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
 	13, // 10: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
 	12, // 11: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
@@ -2155,28 +2267,29 @@ var file_management_proto_depIdxs = []int32{
 	21, // 17: management.NetworkMap.Routes:type_name -> management.Route
 	22, // 18: management.NetworkMap.DNSConfig:type_name -> management.DNSConfig
 	16, // 19: management.NetworkMap.offlinePeers:type_name -> management.RemotePeerConfig
-	17, // 20: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
-	1,  // 21: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
-	20, // 22: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
-	25, // 23: management.DNSConfig.NameServerGroups:type_name -> management.NameServerGroup
-	23, // 24: management.DNSConfig.CustomZones:type_name -> management.CustomZone
-	24, // 25: management.CustomZone.Records:type_name -> management.SimpleRecord
-	26, // 26: management.NameServerGroup.NameServers:type_name -> management.NameServer
-	2,  // 27: management.ManagementService.Login:input_type -> management.EncryptedMessage
-	2,  // 28: management.ManagementService.Sync:input_type -> management.EncryptedMessage
-	10, // 29: management.ManagementService.GetServerKey:input_type -> management.Empty
-	10, // 30: management.ManagementService.isHealthy:input_type -> management.Empty
-	2,  // 31: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
-	2,  // 32: management.ManagementService.Login:output_type -> management.EncryptedMessage
-	2,  // 33: management.ManagementService.Sync:output_type -> management.EncryptedMessage
-	9,  // 34: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
-	10, // 35: management.ManagementService.isHealthy:output_type -> management.Empty
-	2,  // 36: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
-	32, // [32:37] is the sub-list for method output_type
-	27, // [27:32] is the sub-list for method input_type
-	27, // [27:27] is the sub-list for extension type_name
-	27, // [27:27] is the sub-list for extension extendee
-	0,  // [0:27] is the sub-list for field type_name
+	27, // 20: management.NetworkMap.FirewallRules:type_name -> management.FirewallRule
+	17, // 21: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
+	1,  // 22: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
+	20, // 23: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
+	25, // 24: management.DNSConfig.NameServerGroups:type_name -> management.NameServerGroup
+	23, // 25: management.DNSConfig.CustomZones:type_name -> management.CustomZone
+	24, // 26: management.CustomZone.Records:type_name -> management.SimpleRecord
+	26, // 27: management.NameServerGroup.NameServers:type_name -> management.NameServer
+	2,  // 28: management.ManagementService.Login:input_type -> management.EncryptedMessage
+	2,  // 29: management.ManagementService.Sync:input_type -> management.EncryptedMessage
+	10, // 30: management.ManagementService.GetServerKey:input_type -> management.Empty
+	10, // 31: management.ManagementService.isHealthy:input_type -> management.Empty
+	2,  // 32: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
+	2,  // 33: management.ManagementService.Login:output_type -> management.EncryptedMessage
+	2,  // 34: management.ManagementService.Sync:output_type -> management.EncryptedMessage
+	9,  // 35: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
+	10, // 36: management.ManagementService.isHealthy:output_type -> management.Empty
+	2,  // 37: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
+	33, // [33:38] is the sub-list for method output_type
+	28, // [28:33] is the sub-list for method input_type
+	28, // [28:28] is the sub-list for extension type_name
+	28, // [28:28] is the sub-list for extension extendee
+	0,  // [0:28] is the sub-list for field type_name
 }
 
 func init() { file_management_proto_init() }
@@ -2485,6 +2598,18 @@ func file_management_proto_init() {
 				return nil
 			}
 		}
+		file_management_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*FirewallRule); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -2492,7 +2617,7 @@ func file_management_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_management_proto_rawDesc,
 			NumEnums:      2,
-			NumMessages:   25,
+			NumMessages:   26,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

management/proto/management.proto

@@ -186,6 +186,9 @@ message NetworkMap {
 
   // RemotePeerConfig represents a list of remote peers that the receiver can connect to
   repeated RemotePeerConfig offlinePeers = 7;
+
+  // FirewallRule represents a list of firewall rules to be applied to peer
+  repeated FirewallRule FirewallRules = 8;
 }
 
 // RemotePeerConfig represents a configuration of a remote peer.
@@ -293,4 +296,14 @@ message NameServer {
   string IP = 1;
   int64  NSType = 2;
   int64  Port = 3;
-}
+}
+
+// FirewallRule represents a firewall rule
+message FirewallRule {
+  string PeerID = 1;
+  string PeerIP = 2;
+  string Direction = 3;
+  string Action = 4;
+  string Protocol = 5;
+  string Port = 6;
+}

management/server/account.go

@@ -272,7 +272,7 @@ func (a *Account) GetGroup(groupID string) *Group {
 
 // GetPeerNetworkMap returns a group by ID if exists, nil otherwise
 func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
-	aclPeers, _ := a.getPeersByPolicy(peerID)
+	aclPeers, firewallRules := a.getPeersByPolicy(peerID)
 	// exclude expired peers
 	var peersToConnect []*Peer
 	var expiredPeers []*Peer
@@ -303,11 +303,12 @@ func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
 	}
 
 	return &NetworkMap{
-		Peers:        peersToConnect,
-		Network:      a.Network.Copy(),
-		Routes:       routesUpdate,
-		DNSConfig:    dnsUpdate,
-		OfflinePeers: expiredPeers,
+		Peers:         peersToConnect,
+		Network:       a.Network.Copy(),
+		Routes:        routesUpdate,
+		DNSConfig:     dnsUpdate,
+		OfflinePeers:  expiredPeers,
+		FirewallRules: firewallRules,
 	}
 }
 

management/server/grpcserver.go

@@ -420,6 +420,8 @@ func toSyncResponse(config *Config, peer *Peer, turnCredentials *TURNCredentials
 
 	offlinePeers := toRemotePeerConfig(networkMap.OfflinePeers, dnsName)
 
+	firewallRules := toProtocolFirewallRules(networkMap.FirewallRules)
+
 	return &proto.SyncResponse{
 		WiretrusteeConfig:  wtConfig,
 		PeerConfig:         pConfig,
@@ -433,6 +435,7 @@ func toSyncResponse(config *Config, peer *Peer, turnCredentials *TURNCredentials
 			RemotePeersIsEmpty: len(remotePeers) == 0,
 			Routes:             routesUpdate,
 			DNSConfig:          dnsUpdate,
+			FirewallRules:      firewallRules,
 		},
 	}
 }

management/server/network.go

@@ -23,11 +23,12 @@ const (
 )
 
 type NetworkMap struct {
-	Peers        []*Peer
-	Network      *Network
-	Routes       []*route.Route
-	DNSConfig    nbdns.Config
-	OfflinePeers []*Peer
+	Peers         []*Peer
+	Network       *Network
+	Routes        []*route.Route
+	DNSConfig     nbdns.Config
+	OfflinePeers  []*Peer
+	FirewallRules []*FirewallRule
 }
 
 type Network struct {

management/server/policy.go

@@ -8,6 +8,7 @@ import (
 	"html/template"
 	"strings"
 
+	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/status"
 
@@ -176,6 +177,9 @@ type FirewallRule struct {
 	// Action of the traffic
 	Action string
 
+	// Protocol of the traffic
+	Protocol string
+
 	// Port of the traffic
 	Port string
 }
@@ -207,16 +211,22 @@ func (f *FirewallRule) parseFromRegoResult(value interface{}) error {
 		return fmt.Errorf("invalid Rego query eval result peer action type")
 	}
 
-	port, ok := object["Port"].(string)
-	if !ok {
-		return fmt.Errorf("invalid Rego query eval result peer port type")
+	if v, ok := object["Protocol"]; ok {
+		if protocol, ok := v.(string); ok {
+			f.Protocol = protocol
+		}
+	}
+
+	if v, ok := object["Port"]; ok {
+		if port, ok := v.(string); ok {
+			f.Port = port
+		}
 	}
 
 	f.PeerID = peerID
 	f.PeerIP = peerIP
 	f.Direction = direction
 	f.Action = action
-	f.Port = port
 
 	return nil
 }
@@ -449,3 +459,18 @@ func (am *DefaultAccountManager) savePolicy(account *Account, policy *Policy) (e
 	}
 	return
 }
+
+func toProtocolFirewallRules(update []*FirewallRule) []*proto.FirewallRule {
+	result := make([]*proto.FirewallRule, len(update))
+	for i := range update {
+		result[i] = &proto.FirewallRule{
+			PeerID:    update[i].PeerID,
+			PeerIP:    update[i].PeerIP,
+			Direction: update[i].Direction,
+			Action:    update[i].Action,
+			Protocol:  update[i].Protocol,
+			Port:      update[i].Port,
+		}
+	}
+	return result
+}