Setting up an alias.
-
I have an SFTP server in my Windows environment that is set up to filter by IP address. To add an extra layer of security I want to create an alias with the list of external IP addresses that are filtered by the SFTP server and apply it to my NAT or firewall rule.
I am not sure what the best way to do this is, and when I create the alias, do I just add the IPs or do I need to put a /## onto them?
Also what's the best way to create the rule?
Thanks,
-
@smoothrunnings Here is what I do, if you are talking about people accessing your server from the WAN.
No allow / deny list on the sftp server, allow anything.
An alias for the server:-
NAT rule:-
Firewall rule on the WAN interface, currently disabled:-
I basically use pfBlocker to create an alias to just allow hosts from the UK.
You can use either the IP addresses or the subnet followed by the mask.
-
I think maybe you misunderstood something?
I want to only allow certain public IP addresses to my SFTP server. At work our Cisco engineers are able to do this, as we have clients who have SFTP servers that allow certain IPs on their firewalls into port 22 and at the server itself add in a second layer of security.
Thanks,
-
@smoothrunnings Create the alias with the list of allowed IPs and use that as the Source on the NAT rule.
-
@smoothrunnings said in Setting up an alias.:
I think maybe you misunderstood something?
My alias on the WAN allows all UK IP addresses access; just put the IP addresses you require in your own alias in the same style.
My SFTP server blocks IP addresses with multiple failed tries using pf, as it's running FreeBSD.
-
Hello.
I think the OP asked specifically for an "allow list" at the firewall level, in addition to the Windows SFTP server whitelist.
Then it means to me he wants to know how best to make an alias in pfSense with multiple IPs that are already whitelisted on the SFTP side.
@Smoothrunnings If you want/can do it manually, you set up an alias with CIDR addresses as you want (either /32, or whatever mask you need; sometimes a whole subnet is preferable, sometimes not, depending on your case).
Or if you want to automate it, you can use URL aliases (a URL link to an automatically generated text file with all IPs/CIDRs in it, generated by the SFTP server or something and made accessible through an internal/minimal web server, for example).
You can check the full doc here, as there are more possibilities:
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html
And when your aliases are ready, you just need to specify them in "Source address" for your port forward rules to the SFTP server.
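As an added example (not code from any poster in this thread, and not part of pfSense itself), the script below shows the two things the last answer leaves implicit: what a mixed list of bare IPs and CIDR blocks normalizes to (a bare host becomes a /32 or /128), and how to generate the plain one-entry-per-line text file that a pfSense URL alias can fetch. The sample allow-list is constructed from documentation ranges; the file format (one address or address/prefix per line) is an assumption based on the linked docs, and the helper names are hypothetical. Entries that are malformed or have host bits set under their mask are rejected rather than silently widened, since an allow-list that quietly grows is the failure mode you least want.

```python
import ipaddress

# Constructed sample allow-list, as an admin might keep it beside the SFTP
# server's own IP filter: bare hosts and CIDR blocks mixed, with comments.
SAMPLE_ALLOW_LIST = """
# hypothetical customer offices (RFC 5737 / 3849 documentation ranges)
203.0.113.10
198.51.100.0/28
2001:db8:abcd::/48
# a typo that should be flagged, not dropped
192.0.2.999
# host bits set under the mask: ambiguous, so reject instead of widening
192.0.2.5/24
"""


def parse_allow_list(text: str) -> tuple[list, list[str]]:
    """Parse one entry per line into ip_network objects.

    Bare addresses normalize to /32 (IPv4) or /128 (IPv6). Lines that are
    not valid networks, or whose host bits are set under the given mask
    (strict=True, the ipaddress default), are returned in the rejected list.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip inline comments
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def render_alias_file(nets) -> str:
    """Render the plain text a pfSense URL alias consumes (assumed format:
    one address/prefix per line, nothing else)."""
    return "".join(f"{n.with_prefixlen}\n" for n in nets)


def is_allowed(src: str, nets) -> bool:
    """Would a packet from src match the alias as a Source address?
    Address-family mismatches simply do not match."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    networks, bad = parse_allow_list(SAMPLE_ALLOW_LIST)
    if bad:
        # Refuse to publish a list with errors in it; fix the source first.
        raise SystemExit(f"rejected entries: {bad}")
    with open("sftp_allow.txt", "w") as fh:  # hypothetical path for the web server
        fh.write(render_alias_file(networks))
```

Run from a scheduled task on the host that owns the allow-list, with the output file served by the minimal internal web server the answer mentions; the pfSense URL alias then refreshes from it on its own schedule, and the SFTP server's own filter stays as the second layer.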