Feature request - System Aliases
-
I added the following feature request at https://redmine.pfsense.org/issues/14911 :
Hello,
I wish to ask for something I call "System Aliases".
At times there is a need to have a list of IPs and/or IP ranges of different prominent service providers, but these IPs change from time to time and they are not under any unifying FQDN.
But, having them as one named object in pfSense, as a System Alias to use in the fw rulebase, will be awesome.
For example, Cloudflare, which is a large cloud CDN/Proxy/WAF, and many need to allow it access to their web server, but it has many ranges, as you can see at https://www.cloudflare.com/ips/.
It is not practical for any person or firm to manually track changes in this list and update it manually in pfSense, in a timely fashion.
But, CF also shares this data in per-line, plain text, public files:
https://www.cloudflare.com/ips-v4/#
https://www.cloudflare.com/ips-v6/#
I guess Netgate can have a process to read these files on a recurring schedule, either from each pfSense device, or centrally (and the pfSense devices will read it from a pfSense server, also on a recurring schedule) - and make out of it fixed System Alias objects, like Cloudflare_IPv4, Cloudflare_IPv6 and Cloudflare_IP_All, which users will be able to add to fw rules and they will know they will always get the exact, correct and real-time updated IP ranges that CF publish, automatically.
Thank you.
-
This feature already exists with the "URL Table (IPs)" alias type.
-
Yup. See: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#url-table-aliases
You can also use pfBlocker for more complex feeds to create aliases.
-
@paoloposo I really was wondering what is this feature and now I know better.
Still, it will be nice if Netgate will have ready objects for users just to use, out of the box, without them needing to go look for these URL sources, it will save lots of time for them.
-
There are a bunch of predefined feeds in pfBlocker but not for this purpose. That might be a feature request for the package.
-
@Wolfgangthegreat said in Feature request - System Aliases:
https://www.cloudflare.com/ips-v4/#
Just because this came up the other day, that list hasn't changed very often
Apr 8, 2021:
104.16.0.0/12 removed from ips-v4
104.16.0.0/13 added to ips-v4
104.24.0.0/14 added to ips-v4
Oct 1, 2020:
IPS were confirmed, no changes
Jun 7, 2017:
199.27.128.0/21 removed from ips-v4
-
@johnpoz The change interval is not the point, the idea is to have an always up-to-date and updated fixed object that will always include the current correct data, whenever it is changed at the source. Peace of mind is the goal... :)
-
@Wolfgangthegreat yeah I hear ya - and in that thread I went over exactly how to update the alias once a day if you want..
-
@Wolfgangthegreat I understand why you would want this feature, but I don't think that it's in the scope of the pfSense core functionality. This would be more suited for a package in my opinion.
-
@paoloposo the pfblocker alias system is for sure a step above alias built in feature.. But this has been part of pfsense since like the get go I believe. I really have never seen a firewall that did not allow you to create objects.. Be it single port or IP, or groups of them, etc.
-
@johnpoz said in Feature request - System Aliases:
@paoloposo the pfblocker alias system is for sure a step above alias built in feature.. But this has been part of pfsense since like the get go I believe. I really have never seen a firewall that did not allow you to create objects.. Be it single port or IP, or groups of them, etc.
I'm afraid I'm not sure how your reply relates to my post
-
@paoloposo you're saying aliases shouldn't be a part of a firewall core features.. Every firewall I have worked on has this feature, as pfsense does.. So yeah it is part of the "core" features..
BTW - here is the post from 3 days ago where I went over exactly what the OP was asking about
-
@johnpoz Oh, I think you misunderstand. Aliases should absolutely be part of pfSense. What I mean is that I don't see Netgate maintaining a list of pre-configured aliases for common service providers like Cloudflare, AWS, Google, etc. that comes pre-installed with pfSense, which is what OP was asking about.
-
@paoloposo oh my bad - yeah read that the wrong way. Yeah I don't see pfsense maintaining lists of stuff you might want in an alias..
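-
Added example (not from any poster in this thread, and not pfSense or pfBlocker code): a check you could run on a per-line plain-text IP feed before trusting it in a URL Table alias. It rejects malformed or overly broad entries and reports address space that silently dropped out between two fetches. The `MIN_PREFIX` limits, the function names and the sample feeds are assumptions made for illustration.

```python
import ipaddress

# Assumed sanity limits (not from the thread): refuse prefixes broader than these.
MIN_PREFIX = {4: 8, 6: 16}

def parse_feed(text):
    """Parse a one-CIDR-per-line feed; return (networks, rejected_lines)."""
    nets, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line)  # strict: host bits must be zero
        except ValueError:
            rejected.append(line)
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(line)  # e.g. 0.0.0.0/0 would match every source
        else:
            nets.append(net)
    return nets, rejected

def _subtract(nets, other):
    """Remove the address space of `other` from each network in `nets`."""
    out = []
    for n in nets:
        if n.version != other.version or not n.overlaps(other):
            out.append(n)
        elif n != other and n.supernet_of(other):
            out.extend(n.address_exclude(other))
        # otherwise `other` covers `n` entirely and nothing remains
    return out

def uncovered(old, new):
    """Address space in `old` that `new` no longer covers, as collapsed CIDRs."""
    remaining = list(old)
    for n in new:
        remaining = _subtract(remaining, n)
    return [c for v in (4, 6) for c in
            ipaddress.collapse_addresses(r for r in remaining if r.version == v)]

# Constructed sample feeds: prefixes quoted in the thread's change log, plus
# 198.51.100.0/24 (documentation range) as an unchanged entry.
OLD = "104.16.0.0/12\n198.51.100.0/24\n"
NEW = "104.16.0.0/13\n104.24.0.0/14\n198.51.100.0/24\n0.0.0.0/0\n"

if __name__ == "__main__":
    old, _ = parse_feed(OLD)
    new, bad = parse_feed(NEW)
    print("rejected:", bad)
    print("dropped address space:", uncovered(old, new))
```

With the constructed feeds, the line-level change (one /12 removed, a /13 and a /14 added) turns out to be a net loss of 104.28.0.0/14, which a plain text diff of the two files does not make obvious.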