Packages of Aliases (Port + IP's + company AC) for easy administrating
-
Hi, folks!
The main idea is to make the network security administrator's work a little easier: give the ability to easily create and manage firewall rules, routing and shaping for devices in a company (or even at home: IT professionals, advanced users, or tech nerds).
Better to explain this with a simple (but common) situation:
- you have a lot of Apple iOS devices in the company/home and need to quickly add rules to pfSense after you buy a new appliance from Netgate;
- the company buys a software product that needs to communicate with outside servers on the developer's side;
- the company buys new hardware (servers (like IBM IMM service; Dell/HP have similar), email antivirus DPI inspector, etc...) that needs to communicate with outside servers on the developer's side;
- blocking the use of social networks (we all need our staff to pay attention to work rather than spend working hours on Instagram, Tinder, Facebook, Twitter...);
- ... (add yours)
So, in each of these cases the network admin needs to spend time collecting all the needed info from manufacturer documents and guides, spend hours with tech support in the call center, read the web, etc, etc...
Instead of this, a better and easier way: go to, let's say, "Firewall -> Aliases -> IP/Port/URL Packages" and in one click install the IPs assigned to software, appliances or servers, even blocks of AC belonging to a certain company.
As an example for Apple hardware/software there are TCP and UDP ports used by Apple software products and Apple Push Notification Service; Barracuda has Port Usage, Required Outbound Connections for Barracuda Appliances, etc, etc, etc.
P.S. Or maybe this is a question for the "Bounties" part of the forum? :)
-
Another important thing that I forgot to write:
- better usability (admins need less work for the same result) means increasing popularity of pfSense, which means more secure end users, more sales of great Netgate network appliances, and even more admins improving their professional skills to secure & manage networks;
- better coexistence with other brands' products also means more pfSense support & hardware sales, a win-win situation, more companies becoming friendly to the pfSense firewall;
-
Are you suggesting we could maintain a database of these ports? That is a pretty onerous task!
Or have some way to import and group that data from some other location?
Steve
-
@stephenw10 said in Packages of Aliases (Port + IP's + company AC) for easy administrating:
Are you suggesting we could maintain a database of these ports? That is a pretty onerous task!
I thought more than twice before writing this post.
Because, as you point out, "onerous task", let me write "HUGE piece of work".
Or have some way to import and group that data from some other location?
Steve
So sorry, Steve, there are no standards here; each hardware / software manufacturer strongly does it the way they prefer. In addition to this, you need to understand that inside each manufacturer some "restructuring processes" happen from time to time:
- web portals are redesigned, and how information is represented changes;
- internal growth/change of hardware infrastructure, which means new FQDNs, IPs, ports;
- new services for end users come in order (ports, IPs, FQDNs added or changed);
...
I know that only huge (Apple, IBM, Dell, SuperMicro, Juniper, F5, Cisco, Extreme, Windows, Wheatstone...) or well-known home appliance brands (D-Link, TP-Link, Hikvision, cameras/TV/smart audio, Siemens, ....) have so-so well organized and structured information.
But anyway, the power of open source is that it is not one man doing this. Even if only 100 people make some effort, sure, we will have a beautiful result.
Just step by step (for example):
- most used IT appliances and software
- most used home appliances
- less known IT appliances
- less known home appliances
-
@stephenw10 said in Packages of Aliases (Port + IP's + company AC) for easy administrating:
Are you suggesting we could maintain a database of these ports?
Steve
Another example: a lot of scandals in 2019 about remote access to home appliances: smart TVs, sound devices, climate control systems, in-home cameras...
In this case pfSense may get an additional benefit if it can "allow remote access to devices only from the manufacturer's side, or a secured connection from the user's side" (we all go on vacation from time to time ;) and refuse connections from others.
At least for the first 2 Netgate hardware devices in the product line, as they are intended for ordinary end users with no IT knowledge.
Because security for private houses and devices is pointed to as the most valuable and phenomenally increasing trend in 2019 and of course 2020.
Security for ordinary non-IT people becomes more and more valuable in life. For everyone, from housewives to senators.
And the product that can say "I do this easily "out of the box", just buy me and connect the wires. I am well known, well reputed in the IT world for the last 15 years, and serve more than 600.000+ customers, from small homes like yours to big Internet and audio/video content providers" - this product really eats another big piece of money on the whole market.
Because right now a lot of well-known companies make routers, and a lot of companies make router software. But only a few of them make a solution that "just works" and talks to end customers in a language the customer understands well. ;)
Like Apple with their "ecosystem", like Amazon with "Alexa devices". For end users all of this "just works": buy, unbox, connect cables, and it works with no problem :)
-
By the way, after some searching of this forum, I see a lot of issues like this: Cloudflare.
And situations like this have happened frequently in the past 3-4 years; maybe this is the influence of cloud SaaS coming closer to us, and more of the services we used to run ourselves are today just delegated to the most stable and bulletproof SaaS services.
Anyway, sooner or later, the ability to have "Packages of Aliases" built into pfSense will become a must-have.
-
Another example: the most well-known, reputable and valuable professional VPN services, like Golden Frog VyprVPN, VPN Tracker or Proton VPN.
-
And also the example from this Netgate forum: Amazon AWS servers.
-
Next example: RIPE Atlas Probe / Anchor
Of course, network administrators know how to connect the device, but from any point of view it is better for all to save time on setting up anything, and to do the job 'in one click'.
-
@Sergei_Shablovsky said in Packages of Aliases (Port + IP's + company AC) for easy administrating:
you have a lot of Apple iOS devices in the company/home and need to quickly add rules to pfSense after you buy a new appliance from Netgate;
the company buys a software product that needs to communicate with outside servers on the developer's side;
the company buys new hardware (servers (like IBM IMM service; Dell/HP have similar), email antivirus DPI inspector, etc...) that needs to communicate with outside servers on the developer's side;
Every appliance uses its own list of ports, which can be changed.
It is better to check this information with the vendor.
blocking the use of social networks (we all need our staff to pay attention to work rather than spend working hours on Instagram, Tinder, Facebook, Twitter...)
You can block it with the pfBlockerNG-devel / DNSBL Category.
You can also find/add some specific DNSBL/IP lists there.
Most cloud providers have these lists,
check https://github.com/joetek/aws-ip-ranges-json
https://forum.netgate.com/topic/147716/stun-public-email-providers-and-some-feeds-from-secops
etc..
-
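The approach the reply above points at, a vendor-published IP range feed (the AWS ip-ranges.json layout) turned into the one-network-per-line text that a pfSense URL Table (IPs) alias fetches, as an added example; it is not code from pfSense, pfBlockerNG or the linked repository, the JSON sample is constructed, and the function names are mine. It filters by service and region so that an alias does not silently allow a whole provider when only one service is needed.

```python
"""Build a pfSense 'URL Table (IPs)' alias feed from a vendor IP range list.

Added example; not pfSense/pfBlockerNG code. The document layout follows
AWS ip-ranges.json (prefixes / ipv6_prefixes with service and region)."""
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (addresses are documentation
# ranges, not real AWS blocks). Note the overlap: AWS lists one block under
# the catch-all AMAZON service and again under EC2.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "EC2"},
    ],
})


def select_prefixes(doc_text, services=None, regions=None):
    """Return the networks for the requested services/regions (None = all),
    de-duplicated and collapsed so a /25 inside an already listed /24 is dropped.
    IPv4 and IPv6 are collapsed separately because ipaddress refuses to mix them."""
    doc = json.loads(doc_text)
    v4, v6 = [], []
    for key, field, bucket in (("prefixes", "ip_prefix", v4),
                               ("ipv6_prefixes", "ipv6_prefix", v6)):
        for entry in doc.get(key, []):
            if services and entry["service"] not in services:
                continue
            if regions and entry["region"] not in regions:
                continue
            # strict=True rejects a malformed entry such as a host bit set in the prefix
            bucket.append(ipaddress.ip_network(entry[field], strict=True))
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def to_alias_table(networks):
    """One CIDR per line: the plain format a URL Table (IPs) alias downloads."""
    return "\n".join(str(n) for n in networks) + "\n"


if __name__ == "__main__":
    # Only EC2 and S3, not the whole AMAZON superset.
    print(to_alias_table(select_prefixes(SAMPLE_IP_RANGES, services={"EC2", "S3"})))
```

Serve the generated file from an internal web server and point the alias at it; the same filtering matters for any provider whose feed lists both a catch-all service and its subsets.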
Sergei,
I think you are looking for a UTM style solution where you can point and click on a service to block or shape.
This functionality is not only based on ports, IP addresses and hostnames.
They use a combination of the above plus Snort-like features such as App Identification (OpenAppID).
You have these features in pfSense as add-on packages, but they aren't as heavily integrated as some of the closed source vendors' products. An example would be Sophos UTM.
Either way, these vendors employ and pay many people to maintain and curate these "signatures" that you have to pay for on a monthly basis.
I would love to see such features in pfSense, too. However, I expect the amount of work required to be huge.
So, surely you may achieve a community maintained list of well known ports and IP ranges, but I'm not sure if you will see all the bells & whistles features you want anytime soon.
-
@viktor_g said in Packages of Aliases (Port + IP's + company AC) for easy administrating:
@Sergei_Shablovsky said in Packages of Aliases (Port + IP's + company AC) for easy administrating:
you have a lot of Apple iOS devices in the company/home and need to quickly add rules to pfSense after you buy a new appliance from Netgate;
the company buys a software product that needs to communicate with outside servers on the developer's side;
the company buys new hardware (servers (like IBM IMM service; Dell/HP have similar), email antivirus DPI inspector, etc...) that needs to communicate with outside servers on the developer's side;
Every appliance uses its own list of ports, which can be changed.
It is better to check this information with the vendor.
Maybe 5 or 7 years ago I would have agreed with you, because there was a huge bunch of SaaS services and the pool of IPs could not be collected in a reasonable timeslot.
BUT now in 2020 there exist only 30-100 SaaS services that are used by MOST USERS: Amazon AWS, Google services, Apple, 5 email services (Google, Yahoo, ...), and around 10 most-used hardware vendors (D-Link, TP-Link, Amazon devices, Google devices, ...)
Sorry, I need to repeat again:
The main point is that most users just need a "push button and all works well" solution. Just look at this Netgate forum: more than 80% is about something described in the official docs, or that has appeared more than once on the forum. But the same questions pop up again and again, again and again, countless times.
Even pinned at the top of the official pfBlockerNG part of this forum, Bypassing DNSBL for specific IPs has words like CloudFlare. Rock... :)
And from the point of view of ordinary users, if something goes wrong, each user blames the "Netgate pfSense router" rather than himself for not setting up pfSense correctly. You may see on this forum that even sysadmins of small organizations are too lazy to correctly set up pfBlockerNG-devel. This is the reality of our life.
So the bottom line is: if some solution exists at the level "push button - and we do the rest", more than 80% of users are happy with this. And they buy more and more pfSense devices, and recommend them to others. Netgate is open source but not a source of donations; this is the "open source / business" balance.
And my proposition is also about increasing the power of this "open source / business" balance.
blocking the use of social networks (we all need our staff to pay attention to work rather than spend working hours on Instagram, Tinder, Facebook, Twitter...)
You can block it with the pfBlockerNG-devel / DNSBL Category.
You can also find/add some specific DNSBL/IP lists there.
Most cloud providers have these lists,
check https://github.com/joetek/aws-ip-ranges-json
https://forum.netgate.com/topic/147716/stun-public-email-providers-and-some-feeds-from-secops
etc..
Thank you for the source! I appreciate your attention and time!