Comments (3)
Hi there, definitely agree there should be the ability to make deny/negation rules in wag!
Unfortunately, on the redirection side of things, that's a limitation of the technology. There isn't a way to do this effectively with XDP, as I'd have to write my own stack and then also do TLS in that; it just isn't feasible to do.
from wag.
This is on unstable now. Give it a shot:
    "group:nerds": {
        "Mfa": [
            "192.168.3.4/32",
            "10.0.0.0/24",
            "thing.internal 443/tcp icmp"
        ],
        "Allow": [
            "192.168.3.5/32"
        ],
        "Deny": [
            "10.0.0.5/32"
        ]
    }
from wag.
It's important to note that the most specific rule effectively creates a new rule "bucket", so if you do something like:
    "group:nerds": {
        "Allow": [
            "10.0.0.0/24 443/tcp"
        ],
        "Deny": [
            "10.0.0.5/32 22/tcp"
        ]
    }
Your clients will not be able to access 10.0.0.5/32 443/tcp, as the only rule in the /32 "bucket" is a deny rule. You can solve this by adding the following:
    "group:nerds": {
        "Allow": [
            "10.0.0.0/24 443/tcp",
            "10.0.0.5/32 22/tcp"
        ],
        "Deny": [
            "10.0.0.5/32 22/tcp"
        ]
    }
or
    "group:nerds": {
        "Allow": [
            "10.0.0.0/24 443/tcp"
        ],
        "Deny": [
            "10.0.0.0/24 22/tcp"
        ]
    }
As then you're adding the deny rule to the /24 "bucket".
from wag.
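A simplified model of the "bucket" behaviour described in the comment above, as an added example that is not wag's code and not part of the original thread. It assumes that only the most specific matching prefix is consulted, that a deny in that bucket wins, that anything without an allow there is dropped, and that each rule carries a single port/protocol; the names `Rule`, `Allowed` and `R` are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one "prefix port/proto" policy entry; Deny marks entries from a "Deny" list.
type Rule struct {
	Prefix netip.Prefix
	Svc    string // e.g. "443/tcp"
	Deny   bool
}

// Allowed models the lookup (assumed semantics, see lead-in): find the longest
// prefix containing dst, then evaluate only the rules attached to that prefix.
func Allowed(rules []Rule, dst, svc string) bool {
	addr, best, ok := netip.MustParseAddr(dst), -1, false
	for _, r := range rules { // pick the most specific bucket for dst
		if r.Prefix.Contains(addr) && r.Prefix.Bits() > best {
			best = r.Prefix.Bits()
		}
	}
	for _, r := range rules {
		if !r.Prefix.Contains(addr) || r.Prefix.Bits() != best || r.Svc != svc {
			continue // rules in broader buckets are never reached
		}
		if r.Deny {
			return false
		}
		ok = true
	}
	return ok
}

// R builds a Rule from constructed sample values.
func R(prefix, svc string, deny bool) Rule {
	return Rule{Prefix: netip.MustParsePrefix(prefix), Svc: svc, Deny: deny}
}

func main() {
	// Deny on the /32 creates a deny-only bucket that shadows the /24 allow.
	shadowed := []Rule{R("10.0.0.0/24", "443/tcp", false), R("10.0.0.5/32", "22/tcp", true)}
	// Deny placed in the same /24 bucket as the allow.
	sameBucket := []Rule{R("10.0.0.0/24", "443/tcp", false), R("10.0.0.0/24", "22/tcp", true)}
	fmt.Println("shadowed 10.0.0.5 443/tcp:", Allowed(shadowed, "10.0.0.5", "443/tcp"))
	fmt.Println("same bucket 10.0.0.5 443/tcp:", Allowed(sameBucket, "10.0.0.5", "443/tcp"))
}
```

Running a proposed policy through a model like this before deploying it makes a deny-only bucket visible as an unexpected loss of access to the more specific address.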