Please delete, thanks

hello and thanks,

i find that the order of rules affects behavior.
for example, here are two policies, the same set of rules but in different order.
based on testing, seems if there are multiple rules with the same source, in this case en08, the last rule is used.
for a given source, there can only be one source and thus the need to use multiple destinations?

this policy ALLOWS en08 to ssh into pi4

{ 
  "Hosts": {"en08": "100.101.234.28", "pi4": "100.102.244.119", "server02": "100.88.213.100"},
  "ACLs": [{ 
      "Action": "accept", "Users": ["server02"], "Ports": ["server02:*"],
      "Action": "accept", "Users": ["en08"], "Ports": ["pi4:22"],
    }]
}

this policy DENIES en08 to ssh into pi4

{ 
  "Hosts": {"en08": "100.101.234.28", "pi4": "100.102.244.119", "server02": "100.88.213.100"},
  "ACLs": [{ 
      "Action": "accept", "Users": ["en08"], "Ports": ["pi4:22"],
      "Action": "accept", "Users": ["server02"], "Ports": ["server02:*"],
    }]
}

I don’t have a way to delete forum posts. For the benefit of anyone else following along:

  "ACLs": [
      {"Action": "accept", "Users": ["en08"], "Ports": ["pi4:22"]},
      {"Action": "accept", "Users": ["server02"], "Ports": ["server02:*"]},
    ]

would be two ACL rules. The originally stated issue has only one ACL rule, with two “Users” and two “Ports” fields. The last one wins.

We’ll look into whether the JSON parser can flag duplicate fields as an error.
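
A check along the lines of the duplicate-field flagging mentioned above, as an added example that is not part of the thread and not Tailscale's code. It uses Python's json module, which also keeps the last value of a repeated field; the function names are hypothetical, and the sample policies are constructed from the posts with trailing commas removed because that module rejects them.

```python
import json

# Constructed samples based on the posts above, written as strict JSON.
HOSTS = '"Hosts": {"en08": "100.101.234.28", "pi4": "100.102.244.119", "server02": "100.88.213.100"}'

# One ACL object in which every field appears twice (the form from the first post).
SINGLE_RULE = """{ %s, "ACLs": [{
    "Action": "accept", "Users": ["server02"], "Ports": ["server02:*"],
    "Action": "accept", "Users": ["en08"], "Ports": ["pi4:22"]
}] }""" % HOSTS

# Two separate ACL objects (the corrected form).
TWO_RULES = """{ %s, "ACLs": [
    {"Action": "accept", "Users": ["server02"], "Ports": ["server02:*"]},
    {"Action": "accept", "Users": ["en08"], "Ports": ["pi4:22"]}
] }""" % HOSTS


def effective_acls(text):
    """What a plain parse keeps: for a repeated field, the last value wins."""
    return json.loads(text)["ACLs"]


def duplicate_fields(text):
    """Return every field name that repeats inside a single JSON object."""
    dups = []

    def hook(pairs):
        # pairs holds one object's (key, value) items in document order.
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dups


def load_policy(text):
    """Parse a policy, refusing it if any object repeats a field."""
    dups = duplicate_fields(text)
    if dups:
        raise ValueError("duplicate fields in one object: " + ", ".join(dups))
    return json.loads(text)
```

On the single-rule sample, the plain parse silently yields one rule for en08 only, while `load_policy` refuses the file and names the repeated fields.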

You are missing the brackets in your ACL definition, so it has been treated as the, try the following

{
  "Hosts": {
    "en08": "100.101.234.28",
    "pi4": "100.102.244.119",
    "server02": "100.88.213.100",
  },

  "ACLs": [
      {"Action": "accept",
       "Users": ["server02"],
       "Ports": ["server02:*"],
      },

      {"Action": "accept",
       "Users": ["en08"],
       "Ports": ["pi4:22"],
      },
    ]

}

yes, that should be flagged as an error.
thanks

thanks, yes, since i posted, i have realized that the brackets are missing.

my concern is that might be valid json, but not a valid ts policy.
ts accepts acls policy using formatting used for hosts
ts should complain about that and refuse to save the policy.

yesterday, i posted an issue at github
https://github.com/tailscale/tailscale/issues/2807