mirror of
https://github.com/netbirdio/docs.git
synced 2026-04-18 00:16:36 +00:00
Describe new limitations in ACL rules by direction, traffic and port
@@ -1,18 +1,14 @@
# Manage network access
NetBird allows administrators to restrict access to resources (peers) by creating access rules and
defining what peer groups are permitted to establish connections with one another.
<div className="videowrapper">
<iframe src="https://www.youtube.com/embed/WvbkACjdsHA" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen;" style={{boxShadow: '0 4px 8px 0 rgba(0, 0, 0, 0.2), 0 6px 20px 0 rgba(0, 0, 0, 0.19)'}}></iframe>
</div>
defining what peer groups are permitted to establish connections with one another. Rule can allow connections
by specific protocol and ports.
## Introduction
A NetBird account comes with a `Default` rule that allows all peers of the account to connect to each other forming a full mesh network.
In most cases, this is the desired state for a small network or network that has low-security requirements.
When you need to restrict access to certain resources that belong to specific users or services within your organization, you can create rules that dictate who can access what.
A NetBird account comes with a `Default` rule that allows all peers of the account to connect to each other by all protocols,
forming a full mesh network. In most cases, this is the desired state for a small network or network that has low-security requirements.
When you need to restrict access to certain resources that belong to specific users or services within your organization,
you can create rules that dictate who can access what.
Access control rules make use of groups to control connections between peers; these groups can be added as `Source` or `Destination` of a rule and will be evaluated when the Management service distributes the list of peers across your network.
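Review bot: the added sentence "Rule can allow connections by specific protocol and ports." (appended after "establish connections with one another.") is missing an article and reads awkwardly; suggest "A rule can also limit the allowed connections to specific protocols and ports." In the rewritten Default-rule paragraph, "connect to each other by all protocols" reads better as "connect to each other over all protocols". Since the line "defining what peer groups are permitted to establish connections with one another." is removed and re-added with the new sentence, and the rendered diff shows the re-added copy after the video wrapper, please check the rendered page to confirm the intro sentence still sits directly under "NetBird allows administrators to restrict access to resources (peers) by creating access rules and" rather than below the video.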
@@ -35,13 +31,16 @@ Some characteristics of groups:
### The All Group
The `All` group is a default group to which every peer in your network is automatically added to. This group cannot be modified or deleted.
### Rules
Rules are lists of `Source` and `Destination` groups of peers that can communicate with each other.
Rules are defined as sets of Source and Destination peer groups, which specify the allowable communication between them.
Depending on the rule configuration, this communication can be either bidirectional or unidirectional.
Rules are processed when the Management service distributes a network map to all peers of your account. Because you can only create ALLOW rules, there is no processing
order or priority, so the decision to distribute peer information is based on its association with a group belonging to an existing rule.
Currently, the communication between lists of groups in source and destination lists of a rule is bidirectional,
meaning that destinations can also initiate connections to a group of peers listed in the source field of the rule.
Currently, the communication between lists of groups in source and destination lists of a rule for ALL and ICMP protocols,
and for TCP and UDP when you don't define limitation by port, it is bidirectional, meaning that destinations can also
initiate connections to a group of peers listed in the source field of the rule.
The behavior of a network without any rules is to deny traffic. No peers will be able to communicate with each other.
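Review bot: the rewritten sentence "Currently, the communication between lists of groups in source and destination lists of a rule for ALL and ICMP protocols, and for TCP and UDP when you don't define limitation by port, it is bidirectional" has a dangling "it is" and is hard to parse; suggest "Currently, communication between the source and destination groups of a rule is bidirectional for the ALL and ICMP protocols, and for TCP and UDP when no ports are defined, meaning that destination peers can also initiate connections to peers listed in the source groups." It would also help to state the other case right here: the preceding line promises that communication "can be either bidirectional or unidirectional", but the unidirectional case (TCP or UDP with at least one port defined) is only explained later under "Multiple Mesh Networks". Minor: the new "sets of Source and Destination peer groups" drops the backticks the removed line used for `Source` and `Destination`.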
@@ -59,14 +58,19 @@ control over your network, it is recommended that you delete this rule and creat
</Note>
### Multiple Mesh Networks
As mentioned above, rules are bidirectional, which is basically the control of how your network will behave as a mesh network.
As mentioned above, rules by default are bidirectional which is basically the control of how your network will behave as a mesh network.
But for TCP and UDP protocols, if you define ports in the rule, rule can be unidirectional.
There is a `Default` rule, which configures a Default mesh connection between all peers of your network. With rules,
you can define smaller mesh networks by grouping peers and adding these groups to `Source` and `Destination` lists.
Also you can create unidierectional rules to restrict traffic between groups for TCP and UDP protocols if you define ports.
There is a `Default` rule, which configures a Default mesh connection between all peers of your network. With rules, you can define smaller mesh networks by grouping peers and adding these groups to `Source` and `Destination` lists.
## Managing Rules
### Creating Rules
After accessing the `Access Control` tab, you can click on the `Add Rule` button to create a new rule. This will open a screen
where you need to name the rule, set its status, and add groups to the source and destination lists.
where you need to name the rule, set its status, and add groups to the source and destination lists. For TCP and UDP protocols,
if you define ports, you also can set the direction of the traffic.
<p>
<img src="/docs-static/img/overview/create-rule.png" alt="high-level-dia" width="300" className="imagewrapper"/>
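Review bot: typo "unidierectional" in "Also you can create unidierectional rules to restrict traffic between groups"; should be "unidirectional", and "Also you can" reads better as "You can also". In "rules by default are bidirectional which is basically the control of", a comma is needed before "which", and "if you define ports in the rule, rule can be unidirectional" needs "the rule can be unidirectional". The same hunk's "Creating Rules" addition has "you also can set the direction of the traffic", which should be "you can also set the direction of the traffic". The two new sentences under "Multiple Mesh Networks" ("But for TCP and UDP protocols, if you define ports in the rule, rule can be unidirectional." and "Also you can create unidierectional rules ... if you define ports.") say the same thing; consider keeping only one of them.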
@@ -87,6 +91,10 @@ Once you are done configuring the rule, click the `Create` button to save it. Yo
Because of its permissiveness, new rules will take effect once you remove the `Default` rule.
</Note>
<Note>
Protocol type All or ICMP must be bi-directional. Also unidirectional traffic for TCP and UDP protocol requires at least one port to be defined.
</Note>
### Adding peers to groups
If you create a new group when defining a rule, you will need to associate peers with this group.
You can do it by accessing the `Peers` tab and clicking the `Groups` column of any peer you want to associate with the new group.
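Review bot: the new Note uses "bi-directional" while the rest of the page spells it "bidirectional", and "TCP and UDP protocol" should be plural; suggest "Rules with protocol type All or ICMP are always bidirectional. Unidirectional rules for the TCP and UDP protocols require at least one port to be defined." Since the page explains earlier that a bidirectional rule lets destination peers initiate connections to peers in the source groups, adding that consequence to the Note would make clear why an All or ICMP rule cannot be used to restrict traffic to one direction.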
@@ -101,9 +109,12 @@ You can do it by accessing the `Peers` tab and clicking the `Groups` column of a
### Updating Rules
To update a rule, you can click on the rule's `Name` or on either `Sources` and `Destinations` columns. You could also click the menu
button of a rule and select `View`. This will open the same screen where you can update rule groups, description, or status.
button of a rule and select `View`. This will open the same screen where you can update rule groups, description, and status or change allowed
traffic direction and protocols with ports.
### Disabling Rules
To disable a rule, you should follow the steps of [updating rules](#updating-rules) changing its status, and then click on Save.
### Deleting Rules
To delete a rule, you should click on the rule's menu and choose `Delete`. A confirmation window will pop up.
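Review bot: "update rule groups, description, and status or change allowed traffic direction and protocols with ports" reads as two separate alternatives joined by "or"; suggest one list: "update the rule's groups, description, status, allowed traffic direction, protocol and ports".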
@@ -113,4 +124,4 @@ To delete a rule, you should click on the rule's menu and choose `Delete`. A con
<p>
<img src="/docs-static/img/overview/delete-rule-popup.png" alt="high-level-dia" width="300" className="imagewrapper"/>
</p>
</p>
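Review bot: this hunk shows `</p>` removed and re-added with no visible difference, which points to a whitespace-only or end-of-file newline change; if that is all it is, consider leaving it out of this commit so the diff stays focused on the ACL wording changes.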