Firewall rule sets SoT

[marioland]

Netbox could serve as a source of truth for firewall rule sets. It could be implemented as a Netbox plugin.

So the idea is to have a list of firewall rule sets. Each rule set has a list of firewall rules.
A 5-tuple firewall rule could be consist of traditional IP addresses, ranges and subnets/prefixes.
I would even prefer to use only tags in the source and destination column.

This SoT could then be used for an automation to render firewall rule sets for specific firewall platforms or Kubernetes Network policies.
Or it could also just be the basis for compliance reporting.

Under the Github topic "Netbox plugins" serveral firewall related projects can be found.

Is there any generic project in that direction that you know of?

[julianze]

I think the capirca project could be the way to go:
https://github.com/google/capirca

and there is also a NetBox plugin:
https://github.com/991jo/netbox_capirca_plugin

I haven't tested it, but it's on the todo list for evaluating.

[marioland]

This is a good input. Thanks.

I had a look at the Caprica project and the plugin and it is pretty close to this topic.

Caprica abstract:
Part 1: Create object definitions containing "network" and "service" definitions
Part 2: Create a access control policy defining the desired state of access control and referencing the object definitions together with desired firewall platforms
Part 3: Generate ACL configurations by running capirca command referencing the access control policy and the object definitions. The command triggers a generator for each of the firewall platforms.

If I translate that to an possible Netbox firewall rule sets SoT then:
Part 1: Render this objects definitions directly with native netbox data
Part 2: Create new netbox models to represent a Netbox firewall rule set (equal to Caprica pol file) and services and so on
Part 3: This part is external to the solution but could still render those vendor-specific files

The idea of the 991jo/netbox_capirca_plugin sure is a valid use case but differs widely from a firewall SoT.
The 991jo/netbox_capirca_plugin applies the caprica approach to device interfaces of Cisco switches through netbox.

The idea to have a Firewall rule sets SoT has another view: It takes that "Part 2" idea directly visible in Netbox UI.
Such a "Firewall rule sets SoT plugin" rule set would be a first-class citizen object in Netbox plugin.
It should make it easy to a user to design a Firewall rule set by re-using available tags, IPs and subnets.
The repository of Netbox objects would be the "Part 1" files in the caprico universe.
The Part 3 would be left alone to other automation projects or even caprico.

This Part 3 automation could be an Ansible playbook that somehow consumes the rule sets.
In most cases the raw data from a rule set must be pre-processed in order to be consumed:

• translate tags to IPs
• find applicable installation targets
• translate services into target objects

Would you see value to such a Firewall rule sets SoT?

If there is value in it, I would be happy to start that plugin project.
But it might be not close enough to netbox philosophy.