Rules with multiple IP aliases
-
I've created multiple aliases of IP addresses, some through pfBlockerNG and some manually. Some I want to have no access to mail. Some I wish to have no access to FTP. Some I want to have no access to any service.
As I understand it (and have implemented it), if I have eight IP aliases that I want to deny access to my mail server, I have to create eight rules, each specifying a source of "Single Host or Alias" with one alias.
I don't want eight rules. I want one rule with eight IP aliases for source addresses. Or I want a virtual IP alias that gathers together multiple IP aliases into one logical bundle that can be treated as a single alias (e.g. All_IPs_Prohibited_From_Email).
Is either feature present and I just don't understand how to access it? Or is this just another brilliant idea from me? (note: "Neither" is not an appropriate answer. ;D )
-
You can generally make an alias of aliases. Just type the alias name where it says Host or FQDN. Then make your rule using that "group" alias.
-
I've tried making an IP "Aliases_of_Aliases" using a type setting of "Host(s)" and then one of "Network(s)".
While both types let me enter existing IP alias names, or even a random "junk" string, using the new alias in a rule doesn't seem to work. I can hover over the alias and see the strings I typed in, including the junk string, and it doesn't expand out into IP addresses.
Another thing that makes me believe it's not working is that it doesn't provide an auto-complete when I start typing in an alias name.
Maybe I'm not understanding how to do this.
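One way to sanity-check what a nested alias would actually cover, as an added example that is not part of this thread and not pfSense's own code: a small Python resolver that flattens an alias of aliases into concrete networks, reports entries it cannot resolve (a "junk" string, an unknown alias name, or a reference loop), and answers whether a given source address would fall under a rule using that alias. The alias table and all addresses in it are constructed for the example (documentation ranges), not taken from the post, and the flattening behaviour is an assumption about how a firewall would have to expand such an alias, not a statement about pfSense internals.

```python
import ipaddress

# Constructed alias table (not from the original post): name -> list of entries.
# An entry may be an IP, a CIDR network, or the name of another alias.
# "junk string" and the Loop_* pair are deliberately bad inputs.
ALIASES = {
    "Email_Abusers": ["203.0.113.7", "198.51.100.0/24"],
    "Proxy_Satellite": ["192.0.2.0/25"],
    "All_IPs_Prohibited_From_Email": ["Email_Abusers", "Proxy_Satellite", "junk string"],
    "Loop_A": ["Loop_B"],
    "Loop_B": ["Loop_A", "10.0.0.1"],
}


def expand_alias(name, aliases, _seen=None):
    """Flatten a (possibly nested) alias into a sorted list of networks.

    Returns (networks, problems). networks are ip_network objects; problems
    are strings describing entries that could not be resolved (unknown alias
    names, junk text, or reference cycles). A single host becomes a /32
    (or /128) so hosts and networks can be mixed in one result.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        return [], [f"cycle: alias {name!r} references itself"]
    if name not in aliases:
        return [], [f"unknown alias {name!r}"]
    _seen = _seen | {name}
    nets, problems = set(), []
    for entry in aliases[name]:
        # First try to read the entry as an address or network.
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        # Otherwise it must name another alias; anything else is unresolvable.
        if entry in aliases:
            sub_nets, sub_problems = expand_alias(entry, aliases, _seen)
            nets.update(sub_nets)
            problems.extend(sub_problems)
        else:
            problems.append(f"unresolvable entry {entry!r} in alias {name!r}")
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, problems


def source_matches(alias_name, aliases, src_ip):
    """Would a rule whose source is alias_name match traffic from src_ip?"""
    nets, _ = expand_alias(alias_name, aliases)
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in nets if n.version == ip.version)


if __name__ == "__main__":
    for alias in ("All_IPs_Prohibited_From_Email", "Loop_A"):
        nets, problems = expand_alias(alias, ALIASES)
        print(alias, "->", [str(n) for n in nets])
        for p in problems:
            print("  problem:", p)
    print("198.51.100.42 blocked?",
          source_matches("All_IPs_Prohibited_From_Email", ALIASES, "198.51.100.42"))
```

Running it shows the combined alias collapsing to three networks while the junk entry is reported rather than silently ignored, and the Loop_A/Loop_B pair still yields the one real host it contains but flags the cycle, which is the kind of feedback the firewall UI's hover text does not give when an entry fails to expand.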
-
I've tried making an IP "Aliases_of_Aliases" using a type setting of "Host(s)" and then one of "Network(s)".
Try with both as "Hosts".
-
Thanks. I think that the problem stems from some of the aliases being from pfBlockerNG, which are URL-based. I'm guessing that's what's bothering it (see first attachment).
I've provided a sample rule for rejecting traffic to my mail server. I have to create one per continent (Africa, Asia, Europe, North America, Oceania, South America), one for Proxy & Satellite, and one for my manually maintained email abusers IP alias. Then I have to create a similar number for my FTP server, though not identical.
That's why it would be so nice to have an "or" function for a source IP address. Then I could have one rule for my email that included all of the IP aliases. If I wanted to go from blocking to rejecting, logging or not logging, etc., it's all in one rule.
-
In my install of 2.3.1, the first box with the dropdown only lists one single pre-made alias when I start typing. For some reason, clicking + Add on that same page and starting to type in the next text box solves it for the second and all the rest of the boxes, where all aliases appear.
But I wonder if this alias of aliases really works now (as you mention as well), as it doesn't resolve/show the IP on mouse-over in the firewall rule (haven't been able to test with load yet).