Too many IPs for an alias
-
We have an initiative working with one of our servers and connecting to Google. We only want to allow our server to connect to Google IP addresses, so our initial thought was to just create an alias and a rule. Come to find out, there are so many Google IP addresses that it completely overwhelms an alias and they are not able to store all the IPs. We found the list of Google IP addresses here https://www.gstatic.com/ipranges/goog.json and I want to see if there is any way we can use that URL as an alias somehow or some other possibility to dynamically process that JSON file into an allow list for a given server firewall rule.
-
@flamegate pfSense has some URL alias types but I don't think they can process JSON?
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#url-aliases
The pfBlockerNG-devel package has support for ASN lookups I believe, though I've not used that myself. I've just seen other posts here about it.
System/Advanced/Firewall & NAT -> Firewall Maximum Table Entries has to be large enough to hold the table. (note: where it says "On this system the default size is..." that has a bug and is always the number you've entered)
-
pfBlockerNG and the ASN numbers. pfBlockerNG will also import JSON, but you can't create a single alias with IPv4 & IPv6.
https://db-ip.com/as15169-google-llc
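As an added example (not from any poster in this thread), a Python script that turns goog.json into the one-prefix-per-line text files a pfSense URL Table alias fetches, split into separate IPv4 and IPv6 lists as the last reply says is required. The JSON field names (`prefixes`, `ipv4Prefix`, `ipv6Prefix`) follow Google's published format; the sample data and output file names are constructed.

```python
import ipaddress
import json

# Published location of Google's prefix list (from the original post).
GOOG_JSON_URL = "https://www.gstatic.com/ipranges/goog.json"

# Constructed sample in the same shape as goog.json ("prefixes" entries carry
# either an "ipv4Prefix" or an "ipv6Prefix" key); the real file has hundreds.
SAMPLE_JSON = """{
  "syncToken": "0000000000000",
  "creationTime": "2024-01-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "8.8.8.0/24"},
    {"ipv4Prefix": "8.8.4.0/24"},
    {"ipv6Prefix": "2001:4860::/32"},
    {"ipv4Prefix": "8.8.8.0/24"},
    {"ipv4Prefix": "not-a-prefix"}
  ]
}"""

def split_prefixes(raw_json):
    """Return (ipv4, ipv6) lists of CIDR strings, deduplicated and sorted.
    Malformed entries are skipped rather than written into the table."""
    data = json.loads(raw_json)
    v4, v6 = set(), set()
    for entry in data.get("prefixes", []):
        for key, bucket, version in (("ipv4Prefix", v4, 4), ("ipv6Prefix", v6, 6)):
            if key in entry:
                try:
                    net = ipaddress.ip_network(entry[key], strict=False)
                except ValueError:
                    continue  # refuse to emit garbage into a firewall table
                if net.version == version:
                    bucket.add(net)
    return ([str(n) for n in sorted(v4)], [str(n) for n in sorted(v6)])

def write_url_table_files(raw_json, v4_path, v6_path):
    """Write one CIDR per line, the format a pfSense URL Table alias expects.
    Returns the entry counts so the table size limit can be checked."""
    v4, v6 = split_prefixes(raw_json)
    for path, nets in ((v4_path, v4), (v6_path, v6)):
        with open(path, "w") as fh:
            fh.write("\n".join(nets) + "\n")
    return len(v4), len(v6)

if __name__ == "__main__":
    # For live use, replace SAMPLE_JSON with the body fetched from GOOG_JSON_URL.
    print(write_url_table_files(SAMPLE_JSON, "google_v4.txt", "google_v6.txt"))
```

The returned counts show how large Firewall Maximum Table Entries (System/Advanced/Firewall & NAT) needs to be; serve the two files from a web server the firewall can reach and point one IPv4 and one IPv6 URL Table alias at them.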