
Allow Range of ports - or ALL ports in the AC Policies

Open zzecool opened this issue 1 year ago • 12 comments

Allow us to set a range of ports in the Access Control Policies, or even set all ports as ALL, for example.

This way we can easily, for example, make a policy that allows full access to every port in one direction, from

PRIVATE -----> CLOUD allow ALL ports, let's say.

zzecool avatar May 16 '24 15:05 zzecool

I used Nebula before, but today when I switched to Netbird, I encountered a surprising issue: Netbird does not support specifying a range of ports. If I need to open a range of ports, I have to list them out one by one.

QZAiXH avatar May 30 '24 09:05 QZAiXH

Access Control Policies should allow adding multiple ports (individually and port ranges) of different types (UDP/TCP/ICMP). You could design it similar to FortiGate's "Services" and simply show a drop-down for the port type, then a start and end of the port number range, with the ability to add new lines with their own drop-down for the port type, and range start and end.

However it's designed, this functionality is crucial to making this a viable product. Without this, we'll likely have to create potentially hundreds of additional policies.

gspacestuart avatar Jul 08 '24 02:07 gspacestuart

Yes this is a major drawback. Please add this essential feature

fti7 avatar Jul 15 '24 14:07 fti7

https://tailscale.com/kb/1337/acl-syntax#access-rules

Take a look at how Tailscale did this feature. Maybe we can specify a port range like this: "1000-2000". And no serious UI improvements needed.

alexcupertme avatar Sep 06 '24 15:09 alexcupertme

Duplicate of #1328

JonTheNiceGuy avatar Oct 17 '24 22:10 JonTheNiceGuy

Hmm, the API documentation states that port RANGES can be specified. See the API docs, which list elements of "port_ranges - start - end". So if there is an urgent need, using the API might help. (Note: I have not tried the API for this yet. If anyone has success, please report back here and/or in the related issues #1328 and #2320.)

ThHirsch avatar Nov 23 '24 17:11 ThHirsch

Hmmm - I tried creating a policy to allow all TCP ports (one-way) via the API, but received what seems to be an unrelated error; it may not be implemented server-side either (unless my API request is malformed).

Attempted request (redacted):

curl -X POST https://<management_server>:33073/api/policies \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Authorization: Token <token>' \
--data-raw '{
  "name": "full-tunnel-egress",
  "description": "Allows one-way tcp egress from full-tunnel members",
  "enabled": true,
  "rules": [
    {
      "name": "full-tunnel-egress-tcp",
      "description": "Allows one-way tcp egress from full-tunnel members (tcp)",
      "enabled": true,
      "action": "accept",
      "bidirectional": false,
      "protocol": "tcp",
      "port_ranges": [
        {
          "start": 1,
          "end": 65535
        }
      ],
      "sources": [
        "cun7g2j3jkfs73co2r20"
      ],
      "destinations": [
        "cun7lhr3jkfs73co2r3g"
      ]
    }
  ]
}'

Received response:

{"message":"for all or icmp protocol type flow can be only bi-directional","code":422}

luehm avatar Feb 13 '25 23:02 luehm

No, that's correct. They only allow the full port range for bi-directional ICMP or "Anything". There is a workaround: instead of specifying

"port_ranges": [{"start": 1, "end": 65535}]

You instead change that to:

"ports": [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,........{and so on}....,65535]

However, when I tried this, it does work, but it makes the Web UI crash.

JonTheNiceGuy avatar Feb 14 '25 10:02 JonTheNiceGuy
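As an added example (not NetBird's own code, and not posted by anyone in this thread), the following Python helper applies the workaround from the comment above: it expands a Tailscale-style port spec such as "1000-2000" into the explicit "ports" list, refuses the combination the server rejected earlier (protocol "all" or "icmp" with "bidirectional": false, mirroring the 422 message verbatim), and assembles the same request body as the curl command posted above. The management URL, token and group IDs are placeholders; the "ports" elements are emitted as integers exactly as in the posted workaround, so adjust the one line that builds the list if your server expects a different element type.

```python
"""Build a NetBird policy body using the "ports" list workaround from the
thread. Added example; the request shape follows the curl command posted
above, the endpoint/token/group IDs are placeholders."""
import json
import urllib.request

MAX_PORT = 65535


def parse_port_spec(spec: str) -> list[int]:
    """Expand a comma-separated spec such as "22,80,1000-2000" into a sorted,
    de-duplicated list of ports. Single ports and inclusive "start-end"
    ranges are accepted; anything outside 1..65535 is rejected."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start, end = int(start_s), int(end_s)
        else:
            start = end = int(item)
        if not (1 <= start <= end <= MAX_PORT):
            raise ValueError(f"invalid port or range: {item!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def check_rule_constraint(protocol: str, bidirectional: bool) -> None:
    """Client-side mirror of the 422 reported in this thread: protocol "all"
    or "icmp" is only accepted on a bidirectional rule. Failing here avoids a
    round trip to the management server for a body it will reject anyway."""
    if protocol in ("all", "icmp") and not bidirectional:
        raise ValueError(
            "for all or icmp protocol type flow can be only bi-directional"
        )


def build_policy(name: str, description: str, protocol: str, port_spec: str,
                 sources: list[str], destinations: list[str],
                 bidirectional: bool = False) -> dict:
    """Assemble one policy with one rule in the shape of the posted request."""
    check_rule_constraint(protocol, bidirectional)
    rule = {
        "name": f"{name}-{protocol}",
        "description": f"{description} ({protocol})",
        "enabled": True,
        "action": "accept",
        "bidirectional": bidirectional,
        "protocol": protocol,
        "sources": list(sources),
        "destinations": list(destinations),
    }
    if protocol in ("tcp", "udp"):
        # Workaround from the thread: an explicit "ports" list instead of
        # "port_ranges", with integer elements as in the posted snippet.
        rule["ports"] = parse_port_spec(port_spec)
    return {"name": name, "description": description, "enabled": True,
            "rules": [rule]}


def post_policy(management_url: str, token: str, policy: dict) -> dict:
    """POST the body to /api/policies with the same headers as the curl
    command above. Placeholder endpoint; not exercised offline."""
    req = urllib.request.Request(
        f"{management_url.rstrip('/')}/api/policies",
        data=json.dumps(policy).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Token {token}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy(
        "full-tunnel-egress",
        "Allows one-way tcp egress from full-tunnel members",
        "tcp",
        "1-65535",
        ["<source_group_id>"],
        ["<destination_group_id>"],
    )
    print(len(policy["rules"][0]["ports"]), "ports in rule")
    # post_policy("https://<management_server>:33073", "<token>", policy)
```

The full 1-65535 expansion produces a rule with 65535 integer entries, which is the size of body the comment above says works against the API but crashes the Web UI; prefer a narrower spec (for example "1000-2000,443") where the use case allows it.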