Firewall/ACL rules #11804

New Issue

Closed

opened 2025-12-29 21:50:03 +01:00 by adam · 4 comments

adam commented 2025-12-29 21:50:03 +01:00

Owner

Copy Link

Originally created by @alexrsagen on GitHub (Nov 3, 2025).

NetBox version

v4.4.5

Feature type

Data model extension

Proposed functionality

• Add data type: IPAM -> IP Addresses -> IP Lists (or IP Groups), with the following data model:
  • IP Addresses (one-to-many relation)
  • IP Ranges (one-to-many relation)
  • Prefixes (one-to-many relation)
  • IP Lists (one-to-many relation)
  • Hostnames (static list?)
• Add data type: IPAM -> Other -> ACL Rules, with the following data model:
  • Chain:
    • Input
    • Output
    • Forward
    • Other (any user specified name, used with Jump/Return action)
  • Source address: Can be any of: IP List, IP Address, IP Range, Prefix, Hostname
  • Destination address: Same as source address
  • Protocol: See IPAM/Application Services and the suggestion to extend with additional protocols in this issue. A single 8-bit unsigned integer.
  • Source port: See IPAM/Application Services. A single 16-bit unsigned integer or a list/range of several ports, only applicable to the following protocols:
    • TCP/UDP (convenience option)
    • TCP
    • UDP
    • DCCP
    • SCTP
    • UDP-Lite
  • Destination port: Same as source port
  • Input interface: Any device interface, with option to select multiple interfaces
  • Output interface: Same as input interface
  • Connection state (for stateful firewalls): Invalid, Established, Related, New, Untracked
  • Action:
    • Accept
    • Drop
    • Reject
    • Jump (with a selection for which Chain to jump to)
    • Return (to previous chain, does not have to be specified, as multiple chains can jump to another chain)
  • Open to discussion: Should the data model be extended with additional advanced properties, such as layer 7 filtering options, MAC address, IPsec policy, packet size, TCP flags, ICMP options, IPv4 options, TTL, etc?
• Extend IPAM/Application Services with additional protocols. Some of the most common protocols are listed here:
  • TCP/UDP (convenience option, as these protocols are commonly used together, for example in the case of DNS and HTTP/QUIC)
  • ICMP (1)
  • IGMP (2)
  • GGP (3)
  • IPv4 encapsulation (4)
  • ST (5)
  • EGP (8)
  • PUP (12)
  • HMP (20)
  • XNS-IDP (22)
  • RDP (27)
  • ISO-TP4 (29)
  • DCCP (33)
  • XTP (36)
  • DDP (37)
  • IDPR-CMTP (38)
  • IPv6 encapsulation (41)
  • RSVP (46)
  • GRE (47)
  • IPsec-ESP (50)
  • IPsec-AH (51)
  • RSPF/CPHB (73)
  • VMTP (81)
  • OSPF (89)
  • IPIP (94)
  • ETHERIP (97)
  • ENCAP (98)
  • PIM (103)
  • VRRP (112)
  • L2TP (115)
  • UDP-Lite (136)
  • Other (enter protocol number)

NAT rules could also be useful to document, but they behave differently and should have a different data model. As such I believe it should be a separate issue.

Use case

Useful for documenting firewall rules or L3 switch ACL rules.

Database changes

No response

External dependencies

No response

Originally created by @alexrsagen on GitHub (Nov 3, 2025). ### NetBox version v4.4.5 ### Feature type Data model extension ### Proposed functionality - Add data type: **IPAM -> IP Addresses -> IP Lists** (or **IP Groups**), with the following data model: - IP Addresses (one-to-many relation) - IP Ranges (one-to-many relation) - Prefixes (one-to-many relation) - IP Lists (one-to-many relation) - Hostnames (static list?) - Add data type: **IPAM -> Other -> ACL Rules**, with the following data model: - Chain: - Input - Output - Forward - Other (any user specified name, used with Jump/Return action) - Source address: Can be any of: IP List, IP Address, IP Range, Prefix, Hostname - Destination address: Same as source address - Protocol: See **IPAM/Application Services** and the suggestion to extend with additional protocols in this issue. A single 8-bit unsigned integer. - Source port: See **IPAM/Application Services**. A single 16-bit unsigned integer or a list/range of several ports, only applicable to the following protocols: - TCP/UDP (convenience option) - TCP - UDP - DCCP - SCTP - UDP-Lite - Destination port: Same as source port - Input interface: Any device interface, with option to select multiple interfaces - Output interface: Same as input interface - Connection state (for stateful firewalls): Invalid, Established, Related, New, Untracked - Action: - Accept - Drop - Reject - Jump (with a selection for which Chain to jump to) - Return (to previous chain, does not have to be specified, as multiple chains can jump to another chain) - **Open to discussion:** Should the data model be extended with additional advanced properties, such as layer 7 filtering options, MAC address, IPsec policy, packet size, TCP flags, ICMP options, IPv4 options, TTL, etc? - Extend IPAM/Application Services with [additional protocols](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Some of the most common protocols are listed here: - TCP/UDP (convenience option, as these protocols are commonly used together, for example in the case of DNS and HTTP/QUIC) - ICMP (1) - IGMP (2) - GGP (3) - IPv4 encapsulation (4) - ST (5) - EGP (8) - PUP (12) - HMP (20) - XNS-IDP (22) - RDP (27) - ISO-TP4 (29) - DCCP (33) - XTP (36) - DDP (37) - IDPR-CMTP (38) - IPv6 encapsulation (41) - RSVP (46) - GRE (47) - IPsec-ESP (50) - IPsec-AH (51) - RSPF/CPHB (73) - VMTP (81) - OSPF (89) - IPIP (94) - ETHERIP (97) - ENCAP (98) - PIM (103) - VRRP (112) - L2TP (115) - UDP-Lite (136) - Other (enter protocol number) NAT rules could also be useful to document, but they behave differently and should have a different data model. As such I believe it should be a separate issue. ### Use case Useful for documenting firewall rules or L3 switch ACL rules. ### Database changes _No response_ ### External dependencies _No response_

adam added the type: featureplugin candidatenetbox labels 2025-12-29 21:50:03 +01:00

adam closed this issue 2025-12-29 21:50:03 +01:00

adam commented 2025-12-29 21:50:03 +01:00

Author

Owner

Copy Link

@cruse1977 commented on GitHub (Nov 3, 2025):

Have you considered https://github.com/andy-shady-org/netbox-security - as a number of features are already within this plugin

@cruse1977 commented on GitHub (Nov 3, 2025): Have you considered https://github.com/andy-shady-org/netbox-security - as a number of features are already within this plugin

adam commented 2025-12-29 21:50:04 +01:00

Author

Owner

Copy Link

@alexrsagen commented on GitHub (Nov 3, 2025):

Thanks for the mention @cruse1977, I will check it out.

Not sure what is the Netbox approach to feature requests and development, when a plugin exists. I'd like to keep the feature request up if possible.

I did try to look around a bit for any Netbox firewall documentation solutions, and all I was able to find quickly was a fork of Netbox.

I believe that either having the feature built into Netbox or perhaps maintaining a list of endorsed plugins would help with discoverability.

@alexrsagen commented on GitHub (Nov 3, 2025): Thanks for the mention @cruse1977, I will check it out. Not sure what is the Netbox approach to feature requests and development, when a plugin exists. I'd like to keep the feature request up if possible. I did try to look around a bit for any Netbox firewall documentation solutions, and all I was able to find quickly was a fork of Netbox. I believe that either having the feature built into Netbox or perhaps maintaining a list of endorsed plugins would help with discoverability.

adam commented 2025-12-29 21:50:05 +01:00

Author

Owner

Copy Link

@DanSheps commented on GitHub (Nov 3, 2025):

Not sure what is the Netbox approach to feature requests and development, when a plugin exists. I'd like to keep the feature request up if possible.

I can't speak for every maintainer, but my view would be this is outside of the scope of the NetBox core (and in-scope for a plugin)

@DanSheps commented on GitHub (Nov 3, 2025): > Not sure what is the Netbox approach to feature requests and development, when a plugin exists. I'd like to keep the feature request up if possible. I can't speak for every maintainer, but my view would be this is outside of the scope of the NetBox core (and in-scope for a plugin)

adam commented 2025-12-29 21:50:05 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Nov 3, 2025):

Agreed; this has been proposed before but is not something we would take on as part of the core product. @alexrsagen you find a list of commercially supported NetBox plugins here.

@jeremystretch commented on GitHub (Nov 3, 2025): Agreed; this has been proposed before but is not something we would take on as part of the core product. @alexrsagen you find a list of commercially supported NetBox plugins [here](https://netboxlabs.com/plugins/).

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label netbox plugin candidate type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#11804