Access Control: possibility to create not bidirectional rules (one direction) & port ranges in ACLs #1088

Closed
opened 2025-11-20 05:23:50 -05:00 by saavagebueno · 21 comments

Originally created by @florian-obradovic on GitHub (Jul 24, 2024).

Dear Team,

as an admin I want to create one-way / not bidirectional ACLs where I am allowed to:

  1. ICMP ping everyone (I want to ping all machines but they shouldn't be allowed to ping all admin machines) < this works with stateful firewalls
  2. access all machines with all ports for all protocols / or two rules for each proto (UDP / TCP)
  3. define port ranges in ACL like 1433-1438 or 1-65535

![CleanShot 2024-07-24 at 22 56 47@2x](https://github.com/user-attachments/assets/45207a79-46da-4163-97e7-0e424612468f)

Best regards, Flo.

saavagebueno added the feature-request label 2025-11-20 05:23:50 -05:00

@Gauss23 commented on GitHub (Sep 3, 2024):

+1 from my side. That's really an important feature.


@JonTheNiceGuy commented on GitHub (Oct 17, 2024):

Partial-duplicate of #1328


@ThHirsch commented on GitHub (Nov 6, 2024):

+1, otherwise following best practices in 'least privilege' setup is a faaar too tedious task.


@ThHirsch commented on GitHub (Nov 23, 2024):

Hmm, the API documentation is stating that port RANGES can be specified.
See: [Api-docu](https://docs.netbird.io/api/resources/policies#create-a-policy), which states elements of "port_ranges - start - end".
So is this just a missing piece in the current UI and we could create port ranges for TCP and UDP by API already?
Are there any plans to have it in the UI soon?


@mad73923 commented on GitHub (Jan 20, 2025):

> Hmm, the API documentation is stating that port RANGES can be specified. See: [Api-docu](https://docs.netbird.io/api/resources/policies#create-a-policy), which states elements of "port_ranges - start - end". So is this just a missing piece in the current UI and we could create port ranges for TCP and UDP by API already? Are there any plans to have it in the UI soon?

I tried to set a policy via API with the following payload:

```json
{
    "name": "Admin Common Ports to All",
    "description": "",
    "enabled": true,
    "query": "",
    "rules": [
        {
            "bidirectional": false,
            "description": "",
            "name": "Admin Common Ports to All",
            "action": "accept",
            "protocol": "tcp",
            "enabled": true,
            "sources": [
                "ctpbua196f2c73bgvc40"
            ],
            "destinations": [
                "ctp6us196f2c73bgvc00"
            ],
            "port_ranges": [
                {
                    "start": 1,
                    "end": 65535
                }
            ]
        }
    ],
    "source_posture_checks": []
}
```

Got the following answer:

```json
{"message":"for all or icmp protocol type flow can be only bi-directional","code":422}
```

It seems like the UI isn't the blocker.


@JonTheNiceGuy commented on GitHub (Jan 20, 2025):

So, I was talking to someone who *was* a project member, but isn't any more, who suggested that, instead of what @mad73923 wrote, you do this instead:

```
{
    "name": "Admin Common Ports to All",
    "description": "",
    "enabled": true,
    "query": "",
    "rules": [
        {
            "bidirectional": false,
            "description": "",
            "name": "Admin Common Ports to All",
            "action": "accept",
            "protocol": "tcp",
            "enabled": true,
            "sources": [
                "ctpbua196f2c73bgvc40"
            ],
            "destinations": [
                "ctp6us196f2c73bgvc00"
            ],
            "ports": [
                1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
                ........
                65535
            ]
        }
    ],
    "source_posture_checks": []
}
```

OK, so listing all 64454 ports *does* work from a policy perspective, but what it also does is crash the web UI.

If you are entirely managing your policy using the API, it's fine, but as soon as you try to use the webUI for it, it's no longer fine!

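A small helper, added here as an example and not NetBird's own code, that builds the policy body shown in the two comments above using `port_ranges`, rejects locally the one combination the API's 422 message names (an `all`/`icmp` rule that is not bidirectional), and can expand ranges into the explicit `ports` list used in the workaround. The field names are taken from the payloads above; the group ids are placeholders.

```python
import json

# Added example, not NetBird's own code. Field names come from the payloads
# posted in this thread; the all/icmp rule mirrors the 422 message quoted above.
MAX_PORT = 65535
DIRECTION_AGNOSTIC = {"all", "icmp"}  # API accepts these only as bidirectional


class PolicyError(ValueError):
    """A rule the API (per the 422 reply in this thread) would reject."""


def make_rule(name, protocol, sources, destinations, port_ranges=(), bidirectional=False):
    """Return one entry for the policy 'rules' array, validated locally first."""
    protocol = protocol.lower()
    if protocol in DIRECTION_AGNOSTIC and not bidirectional:
        raise PolicyError("for all or icmp protocol type flow can be only bi-directional")
    if protocol in DIRECTION_AGNOSTIC and port_ranges:
        raise PolicyError(f"{protocol} rules cannot carry port ranges")
    ranges = []
    for start, end in port_ranges:
        if not 1 <= start <= end <= MAX_PORT:
            raise PolicyError(f"invalid port range {start}-{end}")
        ranges.append({"start": start, "end": end})
    rule = {
        "name": name, "description": "", "enabled": True, "action": "accept",
        "protocol": protocol, "bidirectional": bidirectional,
        "sources": list(sources), "destinations": list(destinations),
    }
    if ranges:
        rule["port_ranges"] = ranges
    return rule


def expand_ports(port_ranges):
    """Explicit 'ports' list equivalent to port_ranges (the workaround posted
    above); a list of 65535 entries is reported to crash the web UI."""
    ports = set()
    for start, end in port_ranges:
        ports.update(range(start, end + 1))
    return sorted(ports)


def make_policy(name, rules):
    """Serialise a complete policy body in the shape shown in this thread."""
    body = {"name": name, "description": "", "enabled": True,
            "rules": list(rules), "source_posture_checks": []}
    return json.dumps(body, indent=4)
```

Call `make_policy("Admin TCP to All", [make_rule("Admin TCP to All", "tcp", ["GROUP_ID_ADMINS"], ["GROUP_ID_ALL"], [(1, MAX_PORT)])])` to get the body; `expand_ports` produces the long `ports` list only for API-managed policies.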

@mad73923 commented on GitHub (Jan 20, 2025):

Hi @JonTheNiceGuy
alright, seems like a feasible hack. But a crashing webUI is no option for me.
BR


@the-project-group commented on GitHub (Jan 20, 2025):

I've heard rumors that a feature addressing this is in the making.
@mlsmaycon is that true?


@Blackclaws commented on GitHub (May 6, 2025):

So I've also just run into this and this would be very important to have as right now manually adding a huge list of ports isn't really feasible.


@YellowSnowman23 commented on GitHub (Jun 21, 2025):

I was making the switch from Tailscale to NetBird today, and I also ran into this.

This is unfortunately causing me to revert back to Tailscale for the time being. I have high hopes for NetBird.


@flotpg commented on GitHub (Jun 21, 2025):

Both features have been addressed in the latest release IIRC.
I didn’t test it yet.


@YellowSnowman23 commented on GitHub (Jun 21, 2025):

![Image](https://github.com/user-attachments/assets/e6d3c2d3-c47f-400c-98e2-ae741f846545)

This policy results in "Any peer in "ALL" group can connect to any peer with "Admin" group"

Here is an example peer with just the "All" group

![Image](https://github.com/user-attachments/assets/e1db1e34-6f36-4416-82c7-d429611c2999)

Edit: To add, I was on the peer with just the "All" group and I could RDP (port 3389, obviously) to the WS-Arlis machine with the "Admin" group, despite there being no policy to allow that (yes, the default policy is deleted as well).


@PatrLind commented on GitHub (Jun 23, 2025):

Maybe the latest release [v0.48.0](https://github.com/netbirdio/netbird/releases/tag/v0.48.0) fixes this issue?


@artemklevtsov commented on GitHub (Jun 23, 2025):

On the netbird.io:

![Image](https://github.com/user-attachments/assets/12fb6aba-f3c9-412a-be19-c7d8a5ce1af0)


@YellowSnowman23 commented on GitHub (Jun 23, 2025):

> Maybe the latest release [v0.48.0](https://github.com/netbirdio/netbird/releases/tag/v0.48.0) fixes this issue?

Yeah, everything other than iOS is on v0.48.0. Problem still persists


@zsmith009 commented on GitHub (Jun 29, 2025):

Again, I was switching to netbird, but I saw this issue not fixed. Opened more than a year ago. The dashboard clearly doesn't seem to work. This should have been a high priority issue.


@the-project-group commented on GitHub (Jul 6, 2025):

Is unidirectional still missing for all and ICMP?

@mlsmaycon
https://github.com/netbirdio/netbird/pull/3826 < is this addressing my use case?


@nazarewk commented on GitHub (Sep 11, 2025):

I am not 100% sure when exactly it was implemented on the frontend, but it's possible to create unidirectional rules for all kinds of traffic using the web dashboard for a few days/weeks already.

![Image](https://github.com/user-attachments/assets/4fa4f304-5ea6-46d7-a202-5afa7bfe11b5)

@the-project-group commented on GitHub (Sep 11, 2025):

Thanks, works!


@flotpg commented on GitHub (Oct 8, 2025):

@mlsmaycon, @bcmmbaga, @pascal-fischer
I think I found a bug (v0.59.3), probably related to https://github.com/netbirdio/netbird/pull/3826 ?

I have a unidirectional policy which allows peers which are members of Netbird-Admins to access **all** others.
This doesn't work if the target peer is in the same Netbird-Admins group:

![Image](https://github.com/user-attachments/assets/2183893d-6e63-4d62-9515-e1c3a40ba2eb)

It works if I:
a) set the group to bidirectional
b) add a policy which allows admins -> admins and disable the admins -> all:

![Image](https://github.com/user-attachments/assets/44913903-3838-4599-9fe6-b89cb8145bc7)

@bcmmbaga commented on GitHub (Oct 9, 2025):

Hi @flotpg,

Thanks for reporting this! We’re able to reproduce the issue and are already working on a fix.

Reference: SVI/netbird#1088