Evaluate expanding group-based access control rules with source/destination port and protocol #306

Closed
opened 2025-11-20 05:09:24 -05:00 by saavagebueno · 2 comments
Owner

Originally created by @toulatip8 on GitHub (Apr 6, 2023).

Is your feature request related to a problem? Please describe.

  • I'd like to be able to allow only specific traffic on a netbird group to expose only specific services (e.g. a group for FTP, one for RDP / VNC and so on). Currently, this needs to be configured locally per-peer, but a centralized solution manageable from netbird webui could be handy.

Describe the solution you'd like

  • As per title, the access control rules could be expanded with source/destination ports and protocol.

Describe alternatives you've considered

  • I have not investigated how they are implemented so far, so I cannot estimate the effort required or if this could be the correct way to implement this feature. Peer-based firewall configuration could also be a valid alternative / appreciated feature, but the initial idea was to expand rather than writing an entirely new feature, which could be more cost-effective if the changes are not too many.

Additional context

  • Firewall rules should only be related to netbird tunnel.
  • Rules should not be able to overwrite the peer's rules, otherwise hosts firewall could be compromised by malicious rules.

PS: if this feature is available already I deeply apologized, I must have missed it entirely

Originally created by @toulatip8 on GitHub (Apr 6, 2023). **Is your feature request related to a problem? Please describe.** - I'd like to be able to allow only specific traffic on a netbird group to expose only specific services (e.g. a group for FTP, one for RDP / VNC and so on). Currently, this needs to be configured locally per-peer, but a centralized solution manageable from netbird webui could be handy. **Describe the solution you'd like** - As per title, the access control rules could be expanded with source/destination ports and protocol. **Describe alternatives you've considered** - I have not investigated how they are implemented so far, so I cannot estimate the effort required or if this could be the correct way to implement this feature. Peer-based firewall configuration could also be a valid alternative / appreciated feature, but the initial idea was to expand rather than writing an entirely new feature, which could be more cost-effective if the changes are not too many. **Additional context** - Firewall rules should only be related to netbird tunnel. - Rules should not be able to overwrite the peer's rules, otherwise hosts firewall could be compromised by malicious rules. _PS: if this feature is available already I deeply apologized, I must have missed it entirely_
Author
Owner

@mlsmaycon commented on GitHub (Jun 16, 2023):

We've added support with version 0.21.0. see https://github.com/netbirdio/netbird/releases and https://docs.netbird.io/how-to/manage-network-access for more details.

@mlsmaycon commented on GitHub (Jun 16, 2023): We've added support with version 0.21.0. see https://github.com/netbirdio/netbird/releases and https://docs.netbird.io/how-to/manage-network-access for more details.
Author
Owner

@toulatip8 commented on GitHub (Sep 17, 2023):

Thanks a lot, it's exactly the feature I was looking for. Really appreaciate that you managed to address also less visible issues among all the others, I'm closing the issue.

@toulatip8 commented on GitHub (Sep 17, 2023): Thanks a lot, it's exactly the feature I was looking for. Really appreaciate that you managed to address also less visible issues among all the others, I'm closing the issue.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#306