Hosts Grouping in ACL

Hello community,

Does anyone know if it is possible to group hosts and/or networks? This would come in handy when creating certain ACLs.

Can you describe more about what you are asking about?

Each ACL supports arrays for the Users and Ports properties so you can add multiple items for each of them. If you wanted to “group” access to hostA, hostB and subnet 10.1.0.0/16 then the ACL could be set something like:

{
  "Action": "accept",
  "Users": [ "group:some-group" ],
  "Ports": [ "hostA:*", "hostB:*", "10.1.0.0/16:*" ]
}

Not sure if that’s what you’re asking for though.

Thank you for the response; that certainly helps simplify the rules a bit.

On a side note, I have set up tags on the hosts on my network, and since doing that I have two hosts with the tag “synology” that for some reason will not talk to each other with the ACLs I currently have in place. Any ideas?


The only thing I could think of causing the issue is that Iosafe device has multiple tags that could be causing the issue?

Multiple tags don’t remove access, they are additive so a node has grants available to all of the tags assigned. (At least until they implement a “deny” action anyway, which I don’t know if they’re planning on doing.)

Are you sure you are using the right names/IPs when you are trying to connect to each other? The rules that you show there seem fine.
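
The additive behaviour described in the reply above, as an added example that is not part of the thread and not Tailscale's own code: a simplified default-deny evaluator over rules in the thread's "Users"/"Ports" shape. The node names, addresses, tags and rules are constructed, and port ranges are not modelled.

```python
import ipaddress

# Constructed policy in the thread's rule shape (not the poster's real ACL).
ACLS = [
    {"Action": "accept", "Users": ["tag:chris"], "Ports": ["tag:synology:22"]},
    {"Action": "accept", "Users": ["tag:backup"], "Ports": ["10.1.0.0/16:*"]},
]

# Constructed nodes: name -> (IP, tags). All values are placeholders.
NODES = {
    "desktop": ("10.1.0.10", {"tag:chris"}),
    "nas-a": ("10.1.0.20", {"tag:synology"}),
    "nas-b": ("10.1.0.21", {"tag:synology", "tag:backup"}),
}

def dst_matches(entry, node, port):
    """Match one "target:ports" entry; split on the LAST colon so tag:x:22 parses."""
    target, _, ports = entry.rpartition(":")
    ip, tags = NODES[node]
    if ports != "*" and str(port) not in ports.split(","):
        return False
    if target == "*" or target == node or target in tags:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(target)
    except ValueError:  # target is a host name or tag, not a CIDR
        return False

def allowed(src, dst, port, acls=ACLS):
    """Default deny: a flow passes only if some accept rule matches src and dst."""
    _, src_tags = NODES[src]
    for rule in acls:
        if rule["Action"] != "accept":
            continue
        # Additive tags: holding ANY listed tag is enough to use the rule.
        if not (src_tags & set(rule["Users"]) or "*" in rule["Users"]):
            continue
        if any(dst_matches(e, dst, port) for e in rule["Ports"]):
            return True
    return False
```

In this model, sharing a tag does not by itself let two nodes reach each other: a rule must name that tag as a source as well as a destination.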

It must be an issue with the Synology client implementation.

I can SSH from my desktop with a tag of chris (Windows) to a Synology (bunas .27.107); however, I can’t SSH from Synology with a tag of synology (leightnas) to bunas (.27.107).

However, everything was working fine prior to this morning, when I implemented the synology tag and disabled the default allow all ACL.

Just to update this thread: the issue has been resolved. Per the attached article, traffic from the Synology wasn’t allowed in DSM7. Not sure why things were working prior to setting tags, but nonetheless.