Work is being done to allow delegation of firewall rule control. This is useful, for example, at colocation facilities, where the operator could give customers a login to edit their own firewall rules directly.
Possibly the easiest way to accomplish this is to allow both in and out rules on each interface.
Another possibility might be anchors.
Allowing in and out rules on each interface would provide an easy means of assigning these rights: a user would be granted rights only to their own interface and could control both egress and ingress traffic with that interface's in and out rules. Without the ability to filter in both directions, traffic destined to a customer's network can only be controlled by rules on the WAN, so users would have to be granted limited rights to edit the WAN rules. That would be prone to bugs causing privilege escalation, and would be painful to implement.
This mode would be off by default, preserving the current filtering behaviour of applying rules only to traffic inbound on each interface. It could be enabled to allow selecting the traffic direction on each rule, but it would not be recommended for most installs because of the added complexity.
This would also address several user requests for this functionality. In some circumstances it makes sense to place egress rules as outbound rules on the WAN rather than as inbound rules on every internal interface.
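The argument above can be made concrete with a small model of the two filtering modes and of a delegated-edit authorization check. This is an added illustration, not code from pfSense; the interface names em0 (WAN) and em1 (customer interface), the Rule structure and the function names are constructed for the example. It shows why the inbound-only model forces a customer's ingress rules onto the WAN, where a delegated user must not be allowed to edit, and how the per-interface in/out model keeps every rule the customer needs within their own interface.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Rule:
    """A firewall rule as a delegated user would submit it (constructed model)."""
    interface: str    # interface the rule is attached to, e.g. "em1"
    direction: str    # "in" or "out"
    action: str       # "pass" or "block"
    description: str


def binding_for_flow(customer_if: str, wan_if: str,
                     toward_customer: bool, bidirectional: bool) -> Tuple[str, str]:
    """Return (interface, direction) where a rule controlling this flow must live.

    Traffic leaving the customer's network always enters the firewall on the
    customer's interface, so it is an "in" rule there in both modes.  Traffic
    toward the customer enters on the WAN; in inbound-only mode it can only be
    filtered there, while in bidirectional mode it can be filtered as an "out"
    rule on the customer's own interface.
    """
    if not toward_customer:
        return (customer_if, "in")
    if bidirectional:
        return (customer_if, "out")
    return (wan_if, "in")


def authorize_rule_edit(user_ifaces: FrozenSet[str], rule: Rule,
                        bidirectional: bool) -> Tuple[bool, str]:
    """Decide whether a delegated user may create or edit this rule.

    The user is scoped strictly to the interfaces they were granted; no partial
    rights on the WAN are ever issued.  Outbound rules are refused while the
    per-interface direction mode is disabled, matching the default behaviour.
    """
    if rule.direction not in ("in", "out"):
        return False, "direction must be 'in' or 'out'"
    if rule.direction == "out" and not bidirectional:
        return False, "outbound rules are disabled (inbound-only mode)"
    if rule.interface not in user_ifaces:
        return False, f"user has no rights on interface {rule.interface}"
    return True, "ok"


def pf_text(rule: Rule) -> str:
    """Render the rule in pf-style syntax for display (illustrative only)."""
    return f"{rule.action} {rule.direction} on {rule.interface}  # {rule.description}"


def customer_can_filter_ingress(customer_if: str, wan_if: str,
                                bidirectional: bool) -> bool:
    """Can a user scoped to customer_if express a rule for traffic toward them?"""
    iface, direction = binding_for_flow(customer_if, wan_if, True, bidirectional)
    rule = Rule(iface, direction, "block", "drop unwanted traffic toward customer")
    ok, _ = authorize_rule_edit(frozenset({customer_if}), rule, bidirectional)
    return ok


if __name__ == "__main__":
    scope = frozenset({"em1"})  # customer holds rights to em1 only
    for mode in (False, True):
        iface, direction = binding_for_flow("em1", "em0", True, mode)
        rule = Rule(iface, direction, "block", "ingress toward customer")
        ok, why = authorize_rule_edit(scope, rule, mode)
        print(f"bidirectional={mode}: {pf_text(rule)} -> {'allowed' if ok else 'denied'} ({why})")
```

Running the block shows the two outcomes side by side: in inbound-only mode the customer's ingress rule binds to `block in on em0`, which the scope check denies because em0 is the WAN; with the per-interface direction mode enabled the same policy becomes `block out on em1` and is allowed without granting any WAN rights.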