
Conversation

@tvancott42
Collaborator

Summary

  • Fix isolation audit to properly check inbound access to sensitive networks (Management, Security)
  • Account for firewall rule ordering when evaluating isolation and access rules
  • Add connection state validation to detect rules that only block INVALID connections

Changes

Isolation Direction Fix

UniFi's "Network Isolation" feature only blocks outbound traffic from isolated networks - it does NOT block inbound access. This PR fixes the audit to:

  • Check inbound access to Management/Security networks from all other networks
  • Only skip source networks with isolation enabled (they can't initiate connections)
  • Properly report missing isolation rules for inbound protection

Rule Ordering Support

Firewall rules are processed by index (lower = higher priority). A block rule can be eclipsed by an allow rule with lower index. Added:

  • FirewallRuleEvaluator utility class for evaluating rules with proper ordering
  • Eclipsing detection for management access checks (UniFi, AFC, NTP, 5G modem)
  • Zone matching validation in rule evaluation

Connection State Validation

Rules that only block INVALID connection state don't provide isolation - they only clean up stale connections. Added:

  • ConnectionStateType and ConnectionStates properties to FirewallRule model
  • BlocksNewConnections() method to validate rules actually block new connections

Test Plan

  • All 2779 audit tests pass
  • New tests for FirewallRuleEvaluator (421 tests)
  • New tests for BlocksNewConnections model method (175 tests)
  • Tested on NAS and Mac deployments
  • Verified no false positives for UniFi/AFC/NTP access on isolated management networks

UniFi's "Network Isolation" only blocks OUTBOUND traffic from isolated networks.
It does NOT block INBOUND traffic to them. This fix ensures Management and
Security networks are protected from inbound access regardless of their own
isolation setting.

Key changes:
- Check inbound access to Management/Security from all relevant networks
- Add FirewallRuleEvaluator to account for rule ordering (lower index = higher priority)
- Validate connection state - rules only blocking INVALID don't provide isolation
- Detect when allow rules eclipse block rules
- Add zone matching to rule evaluation
- Update recommendation messages to mention rule ordering

Tests: 2779 passing (including 596 new tests)
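The three audit points above (inbound exposure of Management/Security regardless of their own isolation flag, allow rules eclipsing block rules at a lower index, and block rules that only match INVALID state) can be reproduced in a few dozen lines. The following is an added example written for this page, not code from the PR or from the project; the type and field names (FirewallRule, Network, Result, EvaluateNew, AuditInbound, the Action and state constants) and the sample zones and rules are assumptions constructed for the example, and it uses Go only because the PR's PascalCase method names suggest a compiled language with exported methods.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Action and connection-state names are assumptions for this example.
type Action string
const (
	Allow, Block           Action = "allow", "block"
	StateNew, StateInvalid        = "new", "invalid"
)

// FirewallRule is a simplified rule model (field names assumed, not the project's).
type FirewallRule struct {
	Index            int // processed in ascending order: lower index wins
	Name             string
	Action           Action
	SrcZone, DstZone string
	States           []string // empty means any connection state
}

// BlocksNewConnections: a block rule isolates only if it can match NEW packets;
// one filtering on INVALID alone just discards stale conntrack entries.
func (r FirewallRule) BlocksNewConnections() bool {
	return r.Action == Block && (len(r.States) == 0 || slices.Contains(r.States, StateNew))
}

// Result of evaluating one zone pair for NEW connections.
type Result struct {
	Blocked   bool
	DecidedBy string   // first rule that matched, "" if none
	Eclipsed  []string // block rules shadowed by an earlier allow
	StateOnly []string // matching block rules that never see NEW
}

// EvaluateNew walks rules by ascending index; the first rule that matches the
// zone pair and can see a NEW packet decides, later matches are only reported.
func EvaluateNew(rules []FirewallRule, src, dst string) Result {
	ordered := slices.Clone(rules)
	slices.SortFunc(ordered, func(a, b FirewallRule) int { return a.Index - b.Index })
	var res Result
	for _, r := range ordered {
		switch {
		case r.SrcZone != src || r.DstZone != dst: // zone mismatch, rule does not apply
		case r.Action == Block && !r.BlocksNewConnections():
			res.StateOnly = append(res.StateOnly, r.Name)
		case res.DecidedBy == "":
			res.DecidedBy, res.Blocked = r.Name, r.Action == Block
		case r.Action == Block && !res.Blocked:
			res.Eclipsed = append(res.Eclipsed, r.Name)
		}
	}
	return res
}

type Network struct {
	Zone      string
	Isolated  bool // UniFi Network Isolation: restricts this network's OUTBOUND only
	Sensitive bool // Management / Security networks
}

// AuditInbound lists sensitive zones reachable from any non-isolated source.
// Isolated sources are skipped (they cannot initiate); the destination's own
// isolation flag is ignored because it does nothing for inbound traffic.
func AuditInbound(nets []Network, rules []FirewallRule) []string {
	var findings []string
	for _, dst := range nets {
		for _, src := range nets {
			if !dst.Sensitive || src.Zone == dst.Zone || src.Isolated {
				continue
			}
			if res := EvaluateNew(rules, src.Zone, dst.Zone); !res.Blocked {
				findings = append(findings, fmt.Sprintf("%s -> %s: NEW connections not blocked (decided by %q; eclipsed block rules %v; INVALID-only rules %v)",
					src.Zone, dst.Zone, res.DecidedBy, res.Eclipsed, res.StateOnly))
			}
		}
	}
	return findings
}

// Constructed sample data: mgmt is itself isolated yet still exposed inbound.
var SampleNetworks = []Network{
	{Zone: "mgmt", Isolated: true, Sensitive: true},
	{Zone: "iot", Isolated: true},
	{Zone: "lan"},
	{Zone: "guest"},
}
var SampleRules = []FirewallRule{
	{Index: 2000, Name: "Allow LAN to mgmt", Action: Allow, SrcZone: "lan", DstZone: "mgmt"},
	{Index: 2001, Name: "Block LAN to mgmt", Action: Block, SrcZone: "lan", DstZone: "mgmt"},
	{Index: 2002, Name: "Drop invalid guest to mgmt", Action: Block, SrcZone: "guest", DstZone: "mgmt", States: []string{StateInvalid}},
}

func SampleFindings() []string { return AuditInbound(SampleNetworks, SampleRules) }
func main() { fmt.Println(strings.Join(SampleFindings(), "\n")) }
```

Running it reports two findings: lan reaches mgmt because the block rule at index 2001 sits below the allow at 2000, and guest reaches mgmt because the only block rule there filters on INVALID and so never sees a NEW packet; iot is not reported because its own isolation stops it initiating, and mgmt's isolation flag plays no part in either verdict. Moving the block rule to an index below the allow makes EvaluateNew return Blocked for the lan pair with nothing eclipsed.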
tvancott42 force-pushed the feature/isolation-inbound branch from 0d8ba4c to b7c1517 on January 29, 2026 04:14
tvancott42 merged commit 98ed505 into main on Jan 29, 2026
1 check passed
tvancott42 deleted the feature/isolation-inbound branch on January 29, 2026 04:19