Allow user-defined rules to be applied before built-in rules
There is a strong need to be able to prevent access to several protocols that have proxies implemented in ASL (e.g. SMTP).
Currently, the fact that built-in rules are always applied before user-defined ones has the following consequences:
- It is impossible to block access to one of these proxied services on its own. The only option is to use blackhole routing, which drops all traffic from and to the targeted networks, not just the one service.
- It is very unclear to the user why a given rule is not applied. Intuitively, an explicit "deny" rule should always take effect before any "allow" rule. This common security practice is not followed by ASL, causing frustration and potential misconfiguration: a user who writes a deny rule for SMTP reasonably assumes it is enforced, when in fact it is silently shadowed by the built-in allow.
- Limiting access to a proxied service to a given address range is only possible if the proxy itself implements such a restriction. Not all proxies do (e.g. the SMTP proxy does not).
Several solutions to these problems are possible:
- Best (most formal) solution: follow established practice and make explicit deny rules apply before everything else. Problem: this changes existing behaviour for anyone who relies on the current ordering and might be too risky.
- Optionally allow user-defined rules to be evaluated before the built-in rules (option off by default). This does not change existing behaviour while still allowing proper firewall rules to be written.
- Make sure all internal proxies and listeners have clear and simple allow/deny network lists (at IP level) and a way to specify the default action (allow/deny). This might be the most user-friendly option but requires more work.
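To make the ordering problem concrete, here is a small first-match rule evaluator, added as an illustration; it is not ASL code and its rule format, the "builtin"/"user" origin tag and the three ordering modes are a constructed model of the behaviours discussed above. It shows that with built-in rules first the user's SMTP deny can never fire, that evaluating user rules first fixes both the "block one proxied service" and the "restrict SMTP to a range" cases, and it includes a shadowing check that answers "why isn't my rule applied?".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match rule (constructed model, not ASL's rule format)."""
    origin: str            # "builtin" (proxy listener) or "user"
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None means any port
    proto: str = "tcp"

    def matches(self, src_ip: str, dport: int, proto: str) -> bool:
        return (proto == self.proto
                and ip_address(src_ip) in ip_network(self.src)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (self.proto == other.proto
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and (self.dport is None or self.dport == other.dport))


def order_rules(builtin: List[Rule], user: List[Rule], mode: str) -> List[Rule]:
    """Build the evaluation order for one of the three orderings under discussion."""
    if mode == "builtin_first":    # current behaviour described in the request
        return builtin + user
    if mode == "user_first":       # option: user-defined rules before built-in ones
        return user + builtin
    if mode == "deny_first":       # option: every explicit deny before any allow
        combined = builtin + user
        return ([r for r in combined if r.action == "deny"]
                + [r for r in combined if r.action == "allow"])
    raise ValueError(f"unknown ordering mode: {mode}")


def evaluate(rules: List[Rule], src_ip: str, dport: int,
             proto: str = "tcp", default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First-match semantics: the first matching rule decides, else the default."""
    for rule in rules:
        if rule.matches(src_ip, dport, proto):
            return rule.action, rule
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """(rule, earlier_rule) pairs where `rule` can never fire because an earlier
    rule already covers everything it could match."""
    result = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                result.append((rule, earlier))
                break
    return result


# Constructed sample policy: two proxy listeners, and a user who wants SMTP
# reachable only from the internal 10.0.0.0/8 range.
BUILTIN = [
    Rule("builtin", "allow", "0.0.0.0/0", 25),   # SMTP proxy listener
    Rule("builtin", "allow", "0.0.0.0/0", 80),   # HTTP proxy listener
]
USER = [
    Rule("user", "allow", "10.0.0.0/8", 25),     # internal range may reach SMTP
    Rule("user", "deny", "0.0.0.0/0", 25),       # everybody else: no SMTP
]


def decide(mode: str, src_ip: str, dport: int) -> str:
    return evaluate(order_rules(BUILTIN, USER, mode), src_ip, dport)[0]


if __name__ == "__main__":
    for mode in ("builtin_first", "user_first", "deny_first"):
        rules = order_rules(BUILTIN, USER, mode)
        print(f"{mode}:")
        for src, port in (("203.0.113.5", 25), ("10.1.2.3", 25), ("203.0.113.5", 80)):
            action, rule = evaluate(rules, src, port)
            print(f"  {src}:{port} -> {action} (by {rule.origin if rule else 'default'})")
        for rule, earlier in shadowed_rules(rules):
            print(f"  shadowed: {rule.origin} {rule.action} {rule.src}:{rule.dport}"
                  f" by {earlier.origin} {earlier.action} {earlier.src}:{earlier.dport}")
```

With `builtin_first`, both user rules are reported as shadowed by the built-in SMTP allow and 203.0.113.5 reaches port 25 regardless. With `user_first`, external SMTP is denied, the internal range is allowed and HTTP still falls through to the built-in listener. The `deny_first` run also exposes the caveat behind "might be too risky": because no allow can ever pre-empt a deny, the same rule set now denies SMTP from 10.1.2.3 as well, so restricting a service to a range under strict deny-first ordering requires the deny rule itself to express the complement of the range.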