Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Aliases & logical object representation

    Development
    2
    2
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jamesoxford
      last edited by

      Hello, all! I'm new to the forums and to pfSense in general, but right off the bat I found something that kind of frustrated me, and I'm not sure if this is a comment for development, or if "General Discussions" would be more appropriate.  If I'm in the wrong place, my apologies.

      It has to do with Aliases.  Aliases allow you to create a logical object to represent hosts, networks, ports, ect., which is great; but when you go to create firewall rules they aren't incorporated into the interface at all.  It seems like it'd be easy enough to link aliases to a drop-down select box which in my opinion would make them more useful.  Right now you have to manually enter your aliased object into the firewall rule definition.  You have to go back to the alias section, see exactly how something was named, make sure it represents what you want it to represent, and then type it into the firewall rule.  Besides being inefficient, re-typing alias names seems like it introduces the unnecessary possibility for errors.  In the same respect or fashion, it seems you could include port aliases or service aliases (which I'd define as a collection of ports and protocols used by a host or network service) to the ports section.

      While I'm making suggestions, I also think it would be useful to have some way of grouping alias into some higher level object.  As it is currently designed, you can designate multiple addresses, ports, networks together in a single alias, but they are not really able to be used at any higher level than as they were defined.  For instance, you might define 3 hosts individually, and then group them into some higher level object, such as "domain controllers" or "web servers"…  "web servers" isn't only an object onto itself, but is a logical representation of 3 lower level objects.  This way you don't end up defining the same hosts multiple times.  In this example its only twice, but in a larger network the same host might be part of many different groups.  Each time you have to re-define a host it introduces an opportunity to type that host address incorrectly.  And if and when a hosts  IP address changes, making a change once is much easier than tracking down all the alias entries for which that host is in the definition.

      When it comes to ports and grouping them together logically as "services" or something similar, the benefit would likely be even greater than the ability to group hosts, networks or subnets.

      Does this make sense to anyone else?

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        I don't understand what you need that is not there already.
        In the current 2.2.* you can:
        a) Put and alias as an entry inside another alias - that lets you define a device(s) once in a small alias and then include that alias in higher-level aliases.
        b) In the Firewall Rules GUI you select source or destination address "single host or alias" and start typing the start of the alias name you want, and choose it. And similar thing in the source/destination ports.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.