Netgate Discussion Forum

    How to use URL table (IPs) alias?

    • K
      kj32
      last edited by

      On a Netgate SG-3100, running 21.05.2-RELEASE, I get

      "Unable to fetch usable data from URL file:///usr/local/etc/pftables.d/localtable.txt"

      when I specify

      file:///usr/local/etc/pftables.d/localtable.txt

      when trying to create a URL table alias of IP addresses.

      Note that this file works perfectly well in pf configuration as:

      table <localtable> file "/usr/local/etc/pftables.d/localtable.txt"

      and further referenced in a blocking rule via $tablelist:

      block in log quick on $bridgeifaces from any to $tablelist label "Block geolocation, local list"

      Here 'working' means that if I use nping from the nmap package to send a packet from a laptop running FreeBSD that should be blocked and logged, it is blocked and logged. (assuming that pf is enabled and using my ruleset.)

      localtable.txt contains lines that look like:

      #Comment useful to sysadmin.  These are not the real addresses
      192.168.1.7/32
      10.5.5.45/32
      ...
      #Another comment useful to sysadmin
      10.78.96.58/32
      192.168.0.9/32
      ...
      

      where "..." signifies more lines like the previous one.

      The documentation I am aware of for URL table aliases is here:

      https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#url-table-aliases

      I would love to receive pointers to additional documentation.

      Thanks.

      S 1 Reply Last reply Reply Quote 0
      • S
        serbus
        last edited by serbus

        Hello!

        You can try relocating your table definitions to the /usr/local/www/ area and using some variation of:

        https://127.0.0.1/mytablefiles/mytable.txt

        for the alias ip table url.

        John

        Lex parsimoniae

        1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @kj32
          last edited by

          @kj32 I haven't tried using file://, I would guess maybe that isn't supported. I would expect such a file wouldn't normally be generated on/by the firewall itself? I've only used http(s)://.

          I have used pfBlockerNG-devel to read a file though. I think it added "GeoIP" as a type at one point but before that one could create a country code file using /usr/local/share/GeoIP/cc/US_v4.txt or similar, to read in the downloaded country files. I'd imagine the file has to be in an expected format though.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 0
          • K
            kj32
            last edited by

            Well, looks like http://127.0.0.1 it will be. We will see how far I get down that path.

            (For anyone else trying this, if you experiment with switching between http and https, then you may need to delete your browser cookies in order to get off of the Web configurator login screen. The symptom is that a successful login is reported on the serial console, but the page displayed on your browser doesn't change after you enter the username and password. You can see a similar report here).

            K 2 Replies Last reply Reply Quote 0
            • K
              kj32 @kj32
              last edited by

              @kj32 said in How to use URL table (IPs) alias?:

              ...

              (For anyone else trying this, if you experiment with switching between http and https, then you may need to delete your browser cookies in order to get off of the Web configurator login screen. The symptom is that a successful login is reported on the serial console, but the page displayed on your browser doesn't change after you enter the username and password. You can see a similar report here).

              A similar symptom may manifest as being unable to reach certain pages of the configurator, because the menu links are in the wrong protocol (http vs https). So, you may also need to delete the browser's cache. Or switch to a different browser. Or use a private/incognito window.

              1 Reply Last reply Reply Quote 0
              • K
                kj32 @kj32
                last edited by

                @kj32 said in How to use URL table (IPs) alias?:

                Well, looks like http://127.0.0.1 it will be. We will see how far I get down that path.

                Using http://127.0.0.1 works, in the sense that packets that match an address in a list of one of the URL tables are dropped. That's good.

                No prize will be given for ease of configuration, however. Setting up a configuration file for pf was much easier, and had the further advantage that I could explicitly control packet logging.

                1 Reply Last reply Reply Quote 0
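
Added example, not part of any post in this thread and not pfSense code: a pre-publication check for a list file in the layout shown in the first post, run before the file is served over http(s) for a URL table alias. It assumes whole-line `#` comments and one address or CIDR per line, and flags everything else; `check_table` and `render` are hypothetical helper names, and the sample addresses are constructed.

```python
import ipaddress

# Constructed sample in the layout of localtable.txt from the first post,
# with three deliberately questionable lines (4, 6 and 7).
SAMPLE = """\
#Comment useful to sysadmin
192.168.1.7/32
10.5.5.45/32
10.78.96.58/24
192.168.0.9
not-an-address
10.5.5.45/32
2001:db8::/32
"""

def check_table(text):
    """Return (networks, problems) for a one-entry-per-line table file.

    networks: de-duplicated ip_network objects, in file order.
    problems: (line_number, message) tuples for lines that need a look.
    """
    networks, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):   # blank or whole-line comment
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append((lineno, f"unparseable entry: {entry!r}"))
            continue
        # Host bits set (10.78.96.58/24): often a typo in the prefix length,
        # and it silently widens a block rule from one host to a whole subnet.
        if ipaddress.ip_interface(entry).ip != net.network_address:
            problems.append((lineno, f"{entry} has host bits set, covers {net}"))
        if net in seen:
            problems.append((lineno, f"duplicate of earlier entry {net}"))
            continue
        seen.add(net)
        networks.append(net)
    return networks, problems

def render(networks):
    """Serialise the cleaned list, one CIDR per line, ready to publish."""
    return "".join(f"{net}\n" for net in networks)

if __name__ == "__main__":
    nets, issues = check_table(SAMPLE)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    print(render(nets), end="")
```
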
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.