Network Objects/Groups

Chris11891 · 01-27-2012, 07:21 PM

I have been playing around with Untangle 9 and thinking about switching but there is one feature of my current firewall that I am not seeing on Untangle. The curent feature is Network Objects which allow me to assign names to single IP addresses, groups of IP addresses or ranges of IP addresses. I use this to allow certain people access to specific resources. This makes it much easier to update an external IP when it IP changes becuase it is a dynamic address.

I like everythign that I've seen to this point but it seems like this might be a deal breaker as I've only seen IP address ranges in firewall policies and there doesn't appear to be any naming association.

I just wanted to be certain this was not hiding anywhere before I invested more time researching. If I need to submit this to feature requests, I would be happy to do so.

dwasserman · 01-27-2012, 07:40 PM

Each UTM handles this with their own metaphors, in Untangle you can do this with the policy manager if I understand well your request.

hs-admin · 01-27-2012, 07:53 PM

Policy manager will do that for you.
I use it on a school campus with students and teachers getting different online resources. Creating various subnets for locations on campus also helps keep the resource access organized and easy to identify which group (student/teacher) or location (computer lab/library) gets what access rights. Each subnet gets its own "rack" which controls those access rights. Such as teachers have access to you tube student computers do not.
You can set mac address association to be sure each machine gets the IP which corresponds to the proper access rights.
Hope this helps.

sky-knight · 01-27-2012, 08:07 PM

No, Untangle doesn't have the feature he's requesting... and I really wish it did.

What he wants is the ability to define an IP address, or list of IP addresses to a variable, so that variable can be referenced in a rule set. Some firewalls call this "services".

This would be the same feature that would allow you to define a given external address as "webserver" and another as "mailserver" and instead of forwarding tcp 80 destined to w.x.y.z to the web server's LAN address, you'd forward stuff destined to "webserver". Same deal for TCP 25 to the mail server.

This could be further expanded to allow interfaces to be assigned to a name other than the virtual name already present. So you could create an "alias" of sorts for "dmz" that calls it "Wan2" if you needed.

The Policy Manager + Directory Connector can do this sort of, when it comes to building a list of usernames to IP addresses. So you can make rules based on user name and group name instead of addresses. While this functionality is an alias of sorts, it's dynamically defined and not what is being asked for in the OP.

01-27-2012, 07:21 PM	#1 (permalink)
Chris11891 Newbie Join Date: Jan 2012 Posts: 1	Network Objects/Groups I have been playing around with Untangle 9 and thinking about switching but there is one feature of my current firewall that I am not seeing on Untangle. The curent feature is Network Objects which allow me to assign names to single IP addresses, groups of IP addresses or ranges of IP addresses. I use this to allow certain people access to specific resources. This makes it much easier to update an external IP when it IP changes becuase it is a dynamic address. I like everythign that I've seen to this point but it seems like this might be a deal breaker as I've only seen IP address ranges in firewall policies and there doesn't appear to be any naming association. I just wanted to be certain this was not hiding anywhere before I invested more time researching. If I need to submit this to feature requests, I would be happy to do so.

01-27-2012, 07:40 PM	#2 (permalink)
dwasserman Join Date: Jun 2008 Location: Argentina URLs submitted: 57 Posts: 3,634	Each UTM handles this with their own metaphors, in Untangle you can do this with the policy manager if I understand well your request. __________________ The world is divided into 10 kinds of people, who know binary and those not

01-27-2012, 08:07 PM	#4 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,454	No, Untangle doesn't have the feature he's requesting... and I really wish it did. What he wants is the ability to define an IP address, or list of IP addresses to a variable, so that variable can be referenced in a rule set. Some firewalls call this "services". This would be the same feature that would allow you to define a given external address as "webserver" and another as "mailserver" and instead of forwarding tcp 80 destined to w.x.y.z to the web server's LAN address, you'd forward stuff destined to "webserver". Same deal for TCP 25 to the mail server. This could be further expanded to allow interfaces to be assigned to a name other than the virtual name already present. So you could create an "alias" of sorts for "dmz" that calls it "Wan2" if you needed. The Policy Manager + Directory Connector can do this sort of, when it comes to building a list of usernames to IP addresses. So you can make rules based on user name and group name instead of addresses. While this functionality is an alias of sorts, it's dynamically defined and not what is being asked for in the OP. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

Protect

Filter

Perform

Connect

Manage

Add-Ons

01-27-2012, 07:53 PM	#3 (permalink)
hs-admin Untangler Join Date: Oct 2009 Location: N. AZ Posts: 66	Policy manager will do that for you. I use it on a school campus with students and teachers getting different online resources. Creating various subnets for locations on campus also helps keep the resource access organized and easy to identify which group (student/teacher) or location (computer lab/library) gets what access rights. Each subnet gets its own "rack" which controls those access rights. Such as teachers have access to you tube student computers do not. You can set mac address association to be sure each machine gets the IP which corresponds to the proper access rights. Hope this helps.