Project

General

Profile

Actions

Feature #1205

closed

VPN: User-based / Group-based firewall rules

Added by Mark Laagland almost 14 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Very Low
Assignee:
-
Category:
User Manager / Privileges
Target version:
-
Start date:
01/19/2011
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Firewall rules on a per-user or per-group basis would be very helpfull.
This means we could limit acces to certain servers on a per-user or per-group basis.

At the moment, this is already possible by setting a specific IP address per user. However, this feels like a dirty hack. Appart from that, it also means only one user can be connected using a specific account at any one time.

True user/group based firewall rules would bring pfSense one step closer to the big guys like Microsoft, which uses a very nice policy system for this.

Actions #1

Updated by al all over 10 years ago

+1
some could say that it can be done using more than one openvpn server instances with different client ip settings and different firewall rules applying at each. But the idea of having firewall rules grouped and applied in a per user group basis seems to be very helpful (despite of the fact that some of it can be approached using Aliases).
This feature also seems to have the same goal with #3156

Actions #2

Updated by Ermal Luçi over 10 years ago

The user based rules are supported if they come from radius.

Locally to pfSense they still need to be implemented.

Actions #3

Updated by Steffen Wagner almost 10 years ago

+1
I even have that in my local ZyXEL router... it's a must have do define firewall rules by LDAP / local groups and users.

Actions #4

Updated by Adrien Carlyle over 7 years ago

Ermal Luçi wrote:

The user based rules are supported if they come from radius.

Locally to pfSense they still need to be implemented.

Can you give me a brief description of where I need to look to set up radius user based rules today?

Actions #5

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Closed

This has been in place since pfSense 2.1. It uses the same syntax as cisco inacl/outacl, for example "permit tcp from any to any", and if you use subnet masks they need to be wildcard style.

Actions #6

Updated by Jim Pingle over 5 years ago

  • Target version deleted (Future)
Actions #7

Updated by Christoph Haas over 4 years ago

Jim Pingle wrote:

This has been in place since pfSense 2.1. It uses the same syntax as cisco inacl/outacl, for example "permit tcp from any to any", and if you use subnet masks they need to be wildcard style.

What exactly has been in place since 2.1? I have never seen anything user-based in the firewall section.

Actions #9

Updated by Jim Pingle over 4 years ago

It has also seen some recent fixes and has some pending enhancements: #9206 #10454

Actions #10

Updated by Mikhail Makhin over 4 years ago

I think it must be something like https://conexti.com.br/userauth/
I personally need such features for provide network (vlan) access to my users by their groups (for OpenVPN).
For example:
Group A -> access to VLAN 10
Group B -> access to VLAN 11
I add user to groups A and B in LDAP, and he automatically obtain access to VLANs 10 and 11.
For now I must provide static IP for every single user and create firewall rules for each IP individually.

Actions #11

Updated by Viktor Gurov over 4 years ago

see also #8836

Actions

Also available in: Atom PDF