Currently, we just assume that `virtuals` should be accessible by ALL sources, by simply not filtering the source at all (microfw/src/generate_setup.py, lines 528 to 529 in 5240273):

```python
fmt_dnat = "%(cmd)s -t 'nat' -A 'MFWPREROUTING' -i '%(iface)s' -d '%(extaddr)s' "
fmt_fltr = "%(cmd)s -t 'filter' -A 'MFWFORWARD' -i '%(iface)s' -d '%(intaddr)s' "
```
This assumption does not always hold true though.
Question: Should we solve this by just adding a source column like we did in `rules` and just copy the same source matching code (microfw/src/generate_setup.py, lines 445 to 448 in 5240273)?

```python
if cmd.get("srcgeo"):
    fmt += "-m geoip --src-cc '%(srcgeo)s' "
if cmd.get("srcaddr"):
    fmt += "-m set --match-set '%(srcaddr)s' src "
```
Or should we go with what FortiGate does, and have the user explicitly write the `rules` to allow traffic to the virtual IP?

This distinction is interesting when specifying a source IP, because you might want to allow multiple distinct sources (like, two separate source zones). If we added a source column, you'd need to add two `virtuals` entries for those, which might cause problems (unless of course we just add the source filter to both the `nat` and the `filter` table entry).
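To make the last option concrete, here is an added example (not microfw's own code) that applies the same optional source match to both the nat and the filter entry of a virtual, and emits one rule pair per source so several distinct sources can be allowed without a second `virtuals` entry. The `sources` list field, the `/sbin/iptables` path and the `-j DNAT` / `-j ACCEPT` targets are assumptions for the example.

```python
# Added example, not microfw's generate_setup.py. Builds the nat + filter rule
# pair for one virtual-IP entry, with the source match from the issue applied
# to BOTH rules. Field names follow the snippets quoted in the issue.

FMT_DNAT = "%(cmd)s -t 'nat' -A 'MFWPREROUTING' -i '%(iface)s' -d '%(extaddr)s' "
FMT_FLTR = "%(cmd)s -t 'filter' -A 'MFWFORWARD' -i '%(iface)s' -d '%(intaddr)s' "


def source_match(entry):
    """Return the iptables source-match fragment for one source dict.

    An empty dict yields '' and therefore keeps today's behaviour: no source
    filtering at all.
    """
    fmt = ""
    if entry.get("srcgeo"):
        fmt += "-m geoip --src-cc '%(srcgeo)s' "
    if entry.get("srcaddr"):
        fmt += "-m set --match-set '%(srcaddr)s' src "
    return fmt


def virtual_rules(virtual, cmd="/sbin/iptables"):
    """Generate the DNAT and FORWARD rules for a virtual.

    ``virtual["sources"]`` (assumed field) is a list of dicts with optional
    ``srcgeo`` / ``srcaddr`` keys. An empty or missing list means "ALL sources".
    Each source produces its own nat + filter pair, so two source zones are two
    pairs on the same virtual rather than two virtuals entries. The DNAT target
    and ACCEPT verdict are assumptions; the real generator may differ.
    """
    sources = virtual.get("sources") or [{}]
    rules = []
    for src in sources:
        params = dict(virtual, cmd=cmd, **src)
        match = source_match(src)
        dnat = (FMT_DNAT + match + "-j DNAT --to-destination '%(intaddr)s'") % params
        fltr = (FMT_FLTR + match + "-j ACCEPT") % params
        rules.extend([dnat, fltr])
    return rules


if __name__ == "__main__":
    # Constructed sample virtual: reachable from Germany and from an ipset.
    sample = {"iface": "eth0", "extaddr": "203.0.113.10", "intaddr": "10.0.0.10",
              "sources": [{"srcgeo": "DE"}, {"srcaddr": "partners"}]}
    for rule in virtual_rules(sample):
        print(rule)
```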