Deny Rule for Specific IPs in Network Access Control #2735

Open
marcportabellaclotet-mt opened this issue Oct 14, 2024 · 0 comments

@marcportabellaclotet-mt

Feature Request: Deny Rule for Specific IPs in Network Access Control

Description:
We are currently using NetBird to manage network access and have a question about network access control. We would like to grant a user access to a broader network range (e.g., 10.10.0.0/16) but restrict access to a specific endpoint within that range (e.g., 10.10.3.4/32).

Currently, there doesn't seem to be an option to add a deny rule or similar mechanism that would allow us to achieve this more granular control. We believe that having the ability to define deny rules in the access control settings would be beneficial in scenarios like ours, where we need to restrict certain resources while still granting access to others within the same network range.

Proposed Solution:

  • Add the ability to create deny rules in the access control settings, allowing users to deny access to specific IP addresses or ranges even when a broader range is allowed.
  • These deny rules would take precedence over allow rules, ensuring that specific endpoints can be restricted even when a network range is permitted.

Use Case:

  • We want to grant a user access to the 10.10.0.0/16 range but restrict access to the endpoint 10.10.3.4/32.
  • With deny rules, we could grant access to the entire network range while ensuring that sensitive endpoints remain inaccessible.

Benefit:
This feature would provide more granular control over network access, helping users secure specific endpoints within broader network ranges. It would also reduce the need to create overly specific allow rules that might be cumbersome to manage in complex network setups.

Thank you for considering this feature!
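
The following is an added example, not part of the original issue and not NetBird code. It expands the request's "allow 10.10.0.0/16 except 10.10.3.4/32" into the allow-only rule set needed when no deny rule exists, next to the deny-overrides check the issue proposes. The function names are hypothetical and it uses only Python's standard `ipaddress` module, not any NetBird API.

```python
import ipaddress

def allow_rules_excluding(allowed, denied):
    """Expand 'allow `allowed` except `denied`' into allow-only CIDRs."""
    remaining = [ipaddress.ip_network(allowed)]
    for d in map(ipaddress.ip_network, denied):
        kept = []
        for net in remaining:
            if d.version != net.version or not d.overlaps(net):
                kept.append(net)                     # untouched by this deny
            elif not d.supernet_of(net):
                kept.extend(net.address_exclude(d))  # carve d out of net
            # otherwise d covers net entirely, so net is dropped
        remaining = kept
    return sorted(remaining)

def is_permitted(dst, allow, deny):
    """Deny-overrides evaluation: a matching deny beats any allow."""
    ip = ipaddress.ip_address(dst)
    if any(ip in ipaddress.ip_network(d) for d in deny):
        return False
    return any(ip in ipaddress.ip_network(a) for a in allow)

def is_permitted_allow_only(dst, rules):
    """Same decision using only the expanded allow list."""
    ip = ipaddress.ip_address(dst)
    return any(ip in r for r in rules)

if __name__ == "__main__":
    # Ranges taken from the issue's use case.
    rules = allow_rules_excluding("10.10.0.0/16", ["10.10.3.4/32"])
    print(len(rules), "allow rules needed without deny support:")
    for r in rules:
        print("  allow", r)
    for dst in ("10.10.3.4", "10.10.3.5", "10.11.0.1"):
        print(dst, is_permitted(dst, ["10.10.0.0/16"], ["10.10.3.4/32"]))
```

Excluding a single /32 from a /16 takes one allow rule per prefix length from /17 to /32, and the list has to be recomputed whenever another endpoint is excluded.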
