Netgate Discussion Forum
    how to bulk import netblocks into an alias?

    General pfSense Questions
    beerguzzle:

      How to bulk import a list of IP netblocks into firewall aliases, and then automate it -- akin to how pfblockerng does it?

      Short story: I want to block facebook in/out. FB tells how to get a list of their networks on their developers page, which is:

      /usr/bin/whois -h whois.radb.net -- '-i origin AS32934' | /usr/bin/grep ^route | /usr/bin/tr -s ' ' '\t' | /usr/bin/cut -f2 | /usr/bin/uniq

      This pipeline could be put into a shell script in pfSense and updated via cron, but what is an easy way to pull it into the network aliases list via shell command?

      If I put php code into /usr/local/www/mydir in order to pull the list in via an alias URL, eg https://127.0.0.1:443/mydir/mycode.php will this work? Do I risk breaking the pfSense web interface? Will it survive an upgrade? Is there an easier way to do this?

      Netgate 1100 and Netgate 2100, latest pfsense+ version

    beerguzzle:

        I forgot to mention, I am using Netgate pfSense 22.01.

    stephenw10 (Netgate Administrator):

          Just use the ASN in pfBlocker directly and it does it all for you. 😉

          [attached image: Screenshot from 2022-04-14 18-04-06.png]

          Steve

    beerguzzle:

            Thank you, thank you!! After getting the whois ASN list pulled into pfblockerng, and doing a force update to get the alias list built, I got my anti-Facebook rules going in floating rules, akin to the other pfBlockerng rules. This is a beautiful thing! It is amazing how much outbound crap to FB I am now blocking -- them stalking me around the Internet that I don't want.

    beerguzzle (replying to beerguzzle):

              While this system of keeping an active list of a company's netblocks works great -- beware. It can suck up memory and result in "cannot allocate memory" errors. Example: building a list for Apple (AS6185) will give you a large list of small netblocks in 17.x.x.x. However, "whois 17.0.0.0" shows that 17.0.0.0/8 is a direct allocation to Apple, so specifying a network alias with a /8 takes a lot less memory. Google is even worse with 7400+ IPv4 netblocks from the whois ASN output.

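The two ideas in this thread, pulling an ASN's route objects out of RADB whois output and keeping the resulting table small enough that pf does not run out of memory, fit in one short script. The following is an added example and is not code from this thread, from pfSense or from pfBlockerNG. It parses `route:`/`route6:` lines the way the whois pipeline in the first post does (but de-duplicates with a set, so non-adjacent repeats are caught too, unlike plain `uniq`), collapses adjacent and overlapping prefixes with `ipaddress.collapse_addresses`, and can replace entries that fall inside a known direct allocation (the `17.0.0.0/8` case from the last post) with that allocation. The sample whois text, the prefixes and AS64496 are constructed documentation values, not real routing data; `fetch_whois` assumes a `whois` binary on PATH and is only there for live use.

```python
import ipaddress
import re
import subprocess

# Constructed sample in the shape of `whois -h whois.radb.net -- '-i origin ASxxxx'`
# output. AS64496 and the prefixes are documentation/example values, not real routes.
SAMPLE_WHOIS = """\
route:          203.0.113.0/25
descr:          constructed block A
origin:         AS64496

route:          203.0.113.128/25
origin:         AS64496

route:          198.51.100.0/24
origin:         AS64496

route:          198.51.100.0/24
descr:          same route, second object (non-adjacent duplicate)
origin:         AS64496

route:          192.0.2.64/26
origin:         AS64496

route6:         2001:db8::/32
origin:         AS64496

route6:         2001:db8:1::/48
origin:         AS64496

route:          not-a-prefix
origin:         AS64496
"""

ROUTE_RE = re.compile(r"^route6?:\s+(\S+)", re.MULTILINE)


def parse_routes(whois_text):
    """Extract route/route6 prefixes, dropping duplicates (adjacent or not) and
    unparseable values, preserving first-seen order."""
    seen = set()
    networks = []
    for match in ROUTE_RE.finditer(whois_text):
        try:
            net = ipaddress.ip_network(match.group(1), strict=False)
        except ValueError:
            continue  # malformed line: skip it rather than poison the alias
        if net not in seen:
            seen.add(net)
            networks.append(net)
    return networks


def aggregate(networks):
    """Collapse adjacent and overlapping prefixes into the smallest equivalent set.
    Fewer table entries is what keeps pf from hitting 'cannot allocate memory'."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def clamp_to_supernets(networks, supernets):
    """Replace every prefix that lies inside one of the given direct allocations
    (e.g. a /8 confirmed with `whois <ip>`) with that allocation, then re-collapse."""
    out = []
    for net in networks:
        replacement = net
        for sup in supernets:
            if sup.version == net.version and net.subnet_of(sup):
                replacement = sup
                break
        out.append(replacement)
    return aggregate(out)


def render_alias(networks):
    """One prefix per line: the plain-text list a pfSense URL-table alias fetches."""
    return "\n".join(str(n) for n in networks) + "\n"


def fetch_whois(asn, server="whois.radb.net"):
    """Live lookup (assumes a `whois` binary on PATH); not used by the offline demo."""
    result = subprocess.run(
        ["whois", "-h", server, "--", f"-i origin {asn}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_WHOIS)
    collapsed = aggregate(routes)
    # Constructed "direct allocation" covering one of the sample /24s.
    clamped = clamp_to_supernets(collapsed, [ipaddress.ip_network("198.51.100.0/22")])
    print(f"{len(routes)} parsed -> {len(collapsed)} collapsed -> {len(clamped)} after clamping")
    print(render_alias(clamped), end="")
```

Run it as a cron job that writes `render_alias(...)` output to a file under the web root, then point a URL-table alias at that file; the alias fetch and the firewall rules stay entirely inside pfSense's normal mechanisms, which is the same path pfBlockerNG uses and avoids dropping custom PHP into the GUI tree.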