Multiple alias fw rules

  • This is a real showstopper for me, coming from commercial firewalls where I really love the rule layout and groups of host/IPs/ports.

    USD $150 per point below - I would like this (either 1 or 2) to be prioritized and included in the official version as soon as it is possible (or for me/us unofficially until next release).

    I have two really big features to ask for:

    1. Be able to add a new "row" of either "Target" or "Source" in a firewall rule (for me, the Target is the most important). It could be implemented by having a "+" sign beside either target or source header. When clicked, you get a duplicated "Target" or "Source" row (dynamically) ready to be filled in below the present Target or Source-rows still inside the rule-editor for one rule.  Once stored, it can be shown with IP, port and alias-name in fw rules (not as seperate rule). I can make a visual example if interested.

    2. Resolve (or show) IP and/or ports when you have group of aliases in rule listing. This causes a lot of work when you have several/many hosts/ports that appears in several group (you don't see the ip/port-nb unless you type it manually in description for every aliases - if you change the IP or switch the hosts name, you must manually update all description rows - painfull). Could be "easly" solved by just showing IP/port/real value (one column) in the fw rule list (like it does when you don't have a group). This one I guess is the easiest to implement. The IP/alias/values is already there, it just has to be shown in the GUI (I think).

    Either of the two above would make it considerable easier to migrate from commercial firewalls. I see that Aliases is a good start, but the duplicate storage needed when you have many hosts makes it very time consuming and difficult to get the big picture.

  • Nothing there seems unduly difficult, but I'm not clear what you're asking for which aliases aren't providing. (That's not an "it's good enough" fob-off, it's a genuine lack of clarity about the real nature of the issue/inconvenience you have in mind). A mockup or screenshot wouldn't hurt either.

    Rather than get your hopes up, I should say, this isn't a statement of intent to do it, but it sounds like it could be reasonably within my ability and interest, however it needs clarity on what's not doing it for you right now, whoever reads it now or future.

  • I just wrote a long description here, along with a picture, but the image wasn't accepted, so I lost all the text when I pushed the back button.. Great forum :(

    I'll try to write shorter this time then and hope you understand.

    The FortiGate fw way saves me from creating 100 groups to cover up for every combination of hosts (aliases) and also reduces the numbers of Rules. It just makes it so much easier to administer and to understand the rules. If you just have Aliases everywhere (and the aliases doesn't show the IP or the port when you are in Rules-mode), it reduces the user-friendlyness. To mutch of groups (aliases) or to many of Rules isn't good for the user-interface. This way, you can reduce both tables, keeping it cleaner.

    Third column has one alias per line (inside the blue row). 5th colum shows port-aliases. Note that when you have mouse over the aliases, it shows the original Host name (Alias-name) AND the IP or Port grabbed from the actual values - not from a manually updated textual description.

    Let say you have a host that is present in multiple groups (quite common in my network) - then I have to enter the IP in the Description-field for this host in EVERY group this host is member of. And if I change the IP for this host.. then I have to manually update the entry for this host everywhere. Only the Alias-name is transfered.

  • I don't quite get this (yet) - can you edit your post and clarify? This is what I get from reading your post:

    I don't know FortiGate so I don't know what "100 groups" would contain (groups of what?) and why an alias with the same contents isn't doing it for you.

    Is the point that you want to directly enter a bunch of hosts rather than name the list of hosts and use that name?  If so, you'll find quite a few people will find a rule that applies to "hosts allowed to ssh" becomes more readable than "a rule applying to john.mydomain, fred.mydomain, jane.mydomain, p1033.mydomain, p1042@mydomain" etc.  Being able to name the list should make it easier. If it isn't, then perhaps explain why?

    "Third" and "fifth" column are from a GUI that I can't see. It sounds like basic hover-and-lookup. Post a screenshot of what you want to see.

    As for hosts in multiple groups - pfSense has handled nested aliases for a long time. Suppose jane needs to be in 50 groups. You can either add jane's host (say jane.mydomain) to those 50 groups, or you can define an alias for her (Jane's IP = and add that alias to all the groups - when you change "Jane's IP" to, all the groups containing it will update as well, you don't have to change them all.  Try it, and ask for help in the "support" forum pages if you can't make it work.

Log in to reply