Description
Environment
- Nautobot version: 2.4.7
- nautobot-firewall-models version: 2.2.1
Proposed Functionality
Add support for protocol-specific fields in firewall policy rules within the nautobot-firewall-models plugin. This would include fields such as:
- ICMP type and code (e.g., allow `time-exceeded`, `echo-request`, or specific return codes)
- TCP flags (e.g., `SYN`, `ACK`, etc.)
Use Case
As a firewall administrator modeling security policy in Nautobot, I want to define a rule that allows ICMP Time Exceeded messages from any source to any destination. Today, the firewall policy model only allows me to specify that I’m permitting "ICMP" but doesn’t give me a way to define ICMP type 11 (Time Exceeded) specifically.
This lack of granularity prevents accurate modeling of real-world firewall configurations and introduces a gap between what's defined in Nautobot and what's actually enforced on the firewall.
With support for protocol-specific parameters, I could model:
- Allowing only `icmp echo-request` (type 8) outbound
- Denying `icmp redirect` (type 5)
- Matching TCP rules with specific flags (e.g., allowing only initial `SYN` packets)
Adding this functionality would improve accuracy, auditability, and validation of firewall rules in Nautobot, especially in highly regulated or security-conscious environments.
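To make the requested granularity concrete, here is a small added Python illustration of what protocol-specific qualifiers on a rule would look like and why they matter. It is example code written for this issue, not code from nautobot-firewall-models or Nautobot: the `ProtocolRule` and `Packet` classes, their field names, the validation rules and the sample policy are all assumptions. It shows the same ICMP redirect packet being denied by a policy that can express "ICMP type 5" and allowed by one that can only say "ICMP".

```python
"""Protocol-specific firewall rule matching (illustration for this feature request).

Not code from nautobot-firewall-models: class names, field names and the sample
traffic below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# TCP flag names a model could offer as choices (assumption, not the plugin's set).
TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"})


@dataclass(frozen=True)
class ProtocolRule:
    """One policy rule with optional protocol-specific qualifiers (hypothetical model).

    icmp_type / icmp_code: 0-255, or None meaning "any".
    tcp_flags:     flags that must be set on the packet; empty set = don't care.
    tcp_flags_not: flags that must be clear, e.g. {"ACK"} to express "initial SYN only".
    """
    action: str
    protocol: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()
    tcp_flags_not: FrozenSet[str] = frozenset()

    def __post_init__(self):
        # Validation the model layer would enforce so that nonsense rules cannot be saved.
        if self.action not in ("allow", "deny"):
            raise ValueError(f"unknown action {self.action!r}")
        for name, value in (("icmp_type", self.icmp_type), ("icmp_code", self.icmp_code)):
            if value is not None:
                if self.protocol != "icmp":
                    raise ValueError(f"{name} is only valid for protocol icmp")
                if not 0 <= value <= 255:
                    raise ValueError(f"{name} must be 0-255, got {value}")
        if self.icmp_code is not None and self.icmp_type is None:
            raise ValueError("icmp_code requires icmp_type")
        unknown = (self.tcp_flags | self.tcp_flags_not) - TCP_FLAGS
        if unknown:
            raise ValueError(f"unknown TCP flags: {sorted(unknown)}")
        if (self.tcp_flags or self.tcp_flags_not) and self.protocol != "tcp":
            raise ValueError("TCP flags are only valid for protocol tcp")
        if self.tcp_flags & self.tcp_flags_not:
            raise ValueError("a flag cannot be both required and forbidden")


@dataclass(frozen=True)
class Packet:
    """Minimal description of the traffic a rule is evaluated against (constructed)."""
    protocol: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()


def matches(rule: ProtocolRule, pkt: Packet) -> bool:
    """True when every qualifier present on the rule is satisfied by the packet."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.icmp_code is not None and pkt.icmp_code != rule.icmp_code:
        return False
    if not rule.tcp_flags <= pkt.tcp_flags:      # all required flags set
        return False
    if rule.tcp_flags_not & pkt.tcp_flags:        # no forbidden flag set
        return False
    return True


def evaluate(policy, pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation; the default action applies when no rule matches."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed sample policy covering the three cases from the use case above.
GRANULAR_POLICY = [
    ProtocolRule("deny", "icmp", icmp_type=5),                      # icmp redirect
    ProtocolRule("allow", "icmp", icmp_type=11),                    # time-exceeded
    ProtocolRule("allow", "icmp", icmp_type=8),                     # echo-request
    ProtocolRule("allow", "tcp", tcp_flags=frozenset({"SYN"}),
                 tcp_flags_not=frozenset({"ACK"})),                 # initial SYN only
]
# What the model can express today: protocol only, no type/code.
COARSE_POLICY = [ProtocolRule("allow", "icmp")]

if __name__ == "__main__":
    redirect = Packet("icmp", icmp_type=5, icmp_code=0)
    print("granular policy:", evaluate(GRANULAR_POLICY, redirect))  # deny
    print("coarse policy:  ", evaluate(COARSE_POLICY, redirect))    # allow
```

The `tcp_flags_not` qualifier is the part that "initial SYN only" actually needs: a rule that merely requires `SYN` would also match `SYN,ACK` replies, so a model that records only required flags cannot express the use case precisely.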