ns-objects
This package manages the firewall objects and users.
Users
Databases
The /etc/config/users
UCI configuration manage manages the configuration of user databases.
It implements 2 kind of database:
- local UCI database
- remote LDAP (OpenLDAP or Active Directory) database
A local database has:
- a name which is the UCI section name
- type set to
local
- an optional
description
field
Example:
config local 'main'
option description 'Local users database'
A remote ldap database has:
- a name which is the UCI section name
- type set to
ldap
- an optional
description
field
It also has the following fields:
uri
: LDAP URItls_reqcert
: enable or disable certificate validation, see valid values forTLS_REQCERT
inside OpenLDAP documentationbase_dn
: LDAP base DNuser_dn
: LDAP user DN; if not present, default is equal asbase_dn
user_attr
: user attribute to identify the user; usually iscn
for Active Directory anduid
for OpenLDAPuser_cn
: user attribute that contains the user complete namestarttls
: can be0
or1
, if set to1
enable StartTLS
OpenLDAP example:
config ldap 'ldap1'
option description 'Remote OpenLDAP server'
option uri 'ldaps://192.168.100.234'
option tls_reqcert 'never'
option base_dn 'dc=directory,dc=nh'
option user_dn 'ou=People,dc=directory,dc=nh'
option user_attr 'uid'
option user_cn 'cn'
option starttls '0'
option schema 'rfc2307'
Active Directory example:
config ldap 'ad1'
option description 'Remote AD server'
option uri 'ldap://ad.nethserver.org'
option tls_reqcert 'always'
option base_dn 'dc=ad,dc=nethserver,dc=org'
option user_dn 'cn=users,dc=ad,dc=nethserver,dc=org'
option user_attr 'cn'
option user_cn 'cn'
option starttls '0'
option schema 'ad'
Users and groups
A user is a dynamic entity representing a user with all physical and virtual devices belonging to a person like PCs, mobile phones or VPN road warrior accesses. The user can connect to local services like VPNs.
A group is a dynamic entity representing a list of users.
Users and groups are saved inside the /etc/config/users
UCI configuration file with the following types:
user
for usersgroup
for groups
User and group objects are identified by a random section name, but they both contain:
- a field named
database
which is a reference to the associated database, likemain
- a special field named
name
which must be unique inside the associated database
Local users and groups
Local users and groups are the ones associated to a database of type local
.
For local users, the name
field must also meet the following requirements
- have a maximum length of 12 characters (nft set name must be 16 characters or less, 4 chars are reserved for future use)
The local user
object can have the following non-mandatory options:
description
: a longer label for the user, like “Name Surname”macaddr
: list of MAC addresses belonging to the user’s devicesipaddr
: list of IP addressesdomain
: list of DNS names resolved to IP address, each DNS name is adomain
record inside thedhcp
databasehost
: list of DHCP reservations resolved to IP addresses, each reservation is ahost
record inside thedhcp
databasepassword
: shadow password hash, shadow format:$<alg>$<salt>$<hash>
, wherealg
is always set to6
(SHA-512)openvpn_ipaddr
: an OpenVPN RoadWarrior IP address reserved for the useropenvpn_enabled
: can be0
or1
, if set to0
the user can’t authenticate itself inside OpenVPNopenvpn_2fa
: it’s a string containing the secret for OpenVPN OTP authentication
The local group
object can have the following non-mandatory options:
description
: a longer label for the group, like “Tech people”user
: a list ofuser
objects
Example of local users:
config user 'ns_rand123'
option name "goofy"
option database "main"
option description 'Goofy Doe'
list macaddr '52:54:00:9d:3d:e5'
list ipaddr '192.168.100.23'
list domain 'ns_goofy_name'
list host 'ns_goofy_pc'
config user 'ns_rand456'
option name "Daisy"
option database "main"
option label "Daisy White"
list ipaddr '192.168.100.22'
list ipaddr '2001:db8:3333:4444:5555:6666:7777:8888'
Example of local user with OpenVPN access and a reserved IP:
config user
option name "john"
option database "main"
option label "John Doe"
option openvpn_ipaddr "10.10.10.22"
option openvpn_enabled "1"
option openvpn_2fa "3PGEK5B7RBSODTUW6KAQUMED7ZAJ4ZEJ"
option password "$6$o5l7kWSclhvn5HM5$hRN60ONxiKnb1RZJP14M1oTXYICFS4G998tCasf04j7Gm60p5G9Jkmewqa0LKAcdWwiIijPwowSlA78wx/kP3Q=="
Example of a local group:
config group
option name 'vip'
option database "main"
option description 'Very Important People'
list user 'goofy'
list user 'daisy'
Remote users
Remote users and groups are the ones associated to a database of type ldap
.
Each user represent a users inside a remote LDAP database.
The remote user
object can have the following non-mandatory options:
macaddr
: list of MAC addresses belonging to the user’s devicesipaddr
: list of IP addressesdomain
: list of DNS names resolved to IP address, each DNS name is adomain
record inside thedhcp
databasehost
: list of DHCP reservations resolved to IP addresses, each reservation is ahost
record inside thedhcp
databaseopenvpn_ipaddr
: an OpenVPN RoadWarrior IP address reserved for the useropenvpn_enabled
: can be0
or1
, if set to0
the user can’t authenticate itself inside OpenVPNopenvpn_2fa
: it’s a string containing the secret for OpenVPN OTP authentication
Example of a remote user with OpenVPN access and a reserved IP:
config user
option name "john"
option database "ldap1"
option openvpn_ipaddr "10.10.10.22"
option openvpn_enabled "1"
option openvpn_2fa "3PGEK5B7RBSODTUW6KAQUMED7ZAJ4ZEJ"
Hosts
Objects of type host
are used only as labels inside the UI to display details on firewall rules source and destinations.
If the user changes the IP address of an host object, such change is not propagated to any configuration file.
Example of /etc/config/objects
:
config host 'myhost'
option description 'Myhost'
list ipaddr '192.168.100.24'