Firewall/ACL rules #928

New Issue

MrUnknownDE · 2026-04-05T18:55:32+02:00

MrUnknownDE commented

2026-04-05 18:55:32 +02:00

Originally created by @alexrsagen on 11/3/2025

NetBox version

v4.4.5

Feature type

Data model extension

Proposed functionality

Add data type: IPAM -> IP Addresses -> IP Lists (or IP Groups), with the following data model:
- IP Addresses (one-to-many relation)
- IP Ranges (one-to-many relation)
- Prefixes (one-to-many relation)
- IP Lists (one-to-many relation)
- Hostnames (static list?)
Add data type: IPAM -> Other -> ACL Rules, with the following data model:
- Chain:
  - Input
  - Output
  - Forward
  - Other (any user specified name, used with Jump/Return action)
- Source address: Can be any of: IP List, IP Address, IP Range, Prefix, Hostname
- Destination address: Same as source address
- Protocol: See IPAM/Application Services and the suggestion to extend with additional protocols in this issue. A single 8-bit unsigned integer.
- Source port: See IPAM/Application Services. A single 16-bit unsigned integer or a list/range of several ports, only applicable to the following protocols:
  - TCP/UDP (convenience option)
  - TCP
  - UDP
  - DCCP
  - SCTP
  - UDP-Lite
- Destination port: Same as source port
- Input interface: Any device interface, with option to select multiple interfaces
- Output interface: Same as input interface
- Connection state (for stateful firewalls): Invalid, Established, Related, New, Untracked
- Action:
  - Accept
  - Drop
  - Reject
  - Jump (with a selection for which Chain to jump to)
  - Return (to previous chain, does not have to be specified, as multiple chains can jump to another chain)
- Open to discussion: Should the data model be extended with additional advanced properties, such as layer 7 filtering options, MAC address, IPsec policy, packet size, TCP flags, ICMP options, IPv4 options, TTL, etc?
Extend IPAM/Application Services with additional protocols. Some of the most common protocols are listed here:
- TCP/UDP (convenience option, as these protocols are commonly used together, for example in the case of DNS and HTTP/QUIC)
- ICMP (1)
- IGMP (2)
- GGP (3)
- IPv4 encapsulation (4)
- ST (5)
- EGP (8)
- PUP (12)
- HMP (20)
- XNS-IDP (22)
- RDP (27)
- ISO-TP4 (29)
- DCCP (33)
- XTP (36)
- DDP (37)
- IDPR-CMTP (38)
- IPv6 encapsulation (41)
- RSVP (46)
- GRE (47)
- IPsec-ESP (50)
- IPsec-AH (51)
- RSPF/CPHB (73)
- VMTP (81)
- OSPF (89)
- IPIP (94)
- ETHERIP (97)
- ENCAP (98)
- PIM (103)
- VRRP (112)
- L2TP (115)
- UDP-Lite (136)
- Other (enter protocol number)

NAT rules could also be useful to document, but they behave differently and should have a different data model. As such I believe it should be a separate issue.

Use case

Useful for documenting firewall rules or L3 switch ACL rules.

Database changes

No response

External dependencies

No response

*Originally created by @alexrsagen on 11/3/2025* ### NetBox version v4.4.5 ### Feature type Data model extension ### Proposed functionality - Add data type: **IPAM -> IP Addresses -> IP Lists** (or **IP Groups**), with the following data model: - IP Addresses (one-to-many relation) - IP Ranges (one-to-many relation) - Prefixes (one-to-many relation) - IP Lists (one-to-many relation) - Hostnames (static list?) - Add data type: **IPAM -> Other -> ACL Rules**, with the following data model: - Chain: - Input - Output - Forward - Other (any user specified name, used with Jump/Return action) - Source address: Can be any of: IP List, IP Address, IP Range, Prefix, Hostname - Destination address: Same as source address - Protocol: See **IPAM/Application Services** and the suggestion to extend with additional protocols in this issue. A single 8-bit unsigned integer. - Source port: See **IPAM/Application Services**. A single 16-bit unsigned integer or a list/range of several ports, only applicable to the following protocols: - TCP/UDP (convenience option) - TCP - UDP - DCCP - SCTP - UDP-Lite - Destination port: Same as source port - Input interface: Any device interface, with option to select multiple interfaces - Output interface: Same as input interface - Connection state (for stateful firewalls): Invalid, Established, Related, New, Untracked - Action: - Accept - Drop - Reject - Jump (with a selection for which Chain to jump to) - Return (to previous chain, does not have to be specified, as multiple chains can jump to another chain) - **Open to discussion:** Should the data model be extended with additional advanced properties, such as layer 7 filtering options, MAC address, IPsec policy, packet size, TCP flags, ICMP options, IPv4 options, TTL, etc? - Extend IPAM/Application Services with [additional protocols](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Some of the most common protocols are listed here: - TCP/UDP (convenience option, as these protocols are commonly used together, for example in the case of DNS and HTTP/QUIC) - ICMP (1) - IGMP (2) - GGP (3) - IPv4 encapsulation (4) - ST (5) - EGP (8) - PUP (12) - HMP (20) - XNS-IDP (22) - RDP (27) - ISO-TP4 (29) - DCCP (33) - XTP (36) - DDP (37) - IDPR-CMTP (38) - IPv6 encapsulation (41) - RSVP (46) - GRE (47) - IPsec-ESP (50) - IPsec-AH (51) - RSPF/CPHB (73) - VMTP (81) - OSPF (89) - IPIP (94) - ETHERIP (97) - ENCAP (98) - PIM (103) - VRRP (112) - L2TP (115) - UDP-Lite (136) - Other (enter protocol number) NAT rules could also be useful to document, but they behave differently and should have a different data model. As such I believe it should be a separate issue. ### Use case Useful for documenting firewall rules or L3 switch ACL rules. ### Database changes _No response_ ### External dependencies _No response_

MrUnknownDE closed this issue

2026-04-05 18:55:32 +02:00

Sign in to join this conversation.

Branches Tags

main

21455-sql-indexes-audit

21357-register-model-actions

feature

20924-plugin-ui-components

21766-improve-test-coverage-for-sortable-table-columns

21157-export-template-public-models

21025-pre-render-config-contexts

21364-swagger

feature-ip-prefix-link

20911-dropdown-3

fix_module_substitution

21160-filterset

20911-dropdown-2

20044-elevation-stuck-lightmode

7604-filter-modifiers-v3

20660-script-load

19724-graphql

14884-script

19720-macaddress-interface-generic-relation

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

No Label netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox plugin candidate plugin candidate type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature type: feature

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/netbox#928