Azure/Amazon IP Ranges
Good Day All
Is there a way to add into "Firewall Aliases URLs" the range of IPs from an Azure xml file? This is also an issue with Office365. What would be the best practice for this? This file is updated weekly https://www.microsoft.com/en-us/download/details.aspx?id=41653 and so is the IP list for Office365. Is there a tool that would convert the xml file and then insert it into the Aliases of pfSense? Or can I reference the file directly?
I have the very same issue with Amazon (AWS).
I have searched the Forums and I have seen many topics about URL Aliases but none that addresses it with the file in an XML format.
To my knowledge, there is no tool which does this. You can find the settings for your firewall in /cf/conf/config.xml. As the name implies, the config file is an XML. You can open this to examine the structure. A section of this, marked <aliases>, is where you'll see existing alias entries. You could write a Perl or bash script which could format the downloaded Azure IP list, manipulate it into the correct format for the PFS config file and insert them into it. Once done, you can then run /etc/rc.reload_all to update the firewall with the changes just made. I've not done something like this myself, so you'd be best advised to try this on a test firewall first. There is also the matter of downloading the list from Microsoft automatically. I would normally advise using wget, but I don't know if there's a direct link to allow the file to be pulled down in this way.
There is not a direct link… I will look at what you suggested... although it is not the ideal solution for this.
I see that this Firewall -> Aliases -> Bulk import is a possible solution to copy and paste the list of IP addresses…
Anyone know how it will manage updates?
You can download this file from the shell and parse the IPs with shell script, or use pfBlockerNG…
[ MScsv ] Downloading update .. 200 OK. completed ..

Aggregation Stats:
------------------
Original Final
------------------
2568     1865
------------------
However, they don't provide a static download address, since the file name has a date:
FYI, the file is also broken down into Regions…
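The conversion discussed in this thread (XML ranges file to a flat list for an alias), as an added example that is not from any of the posters. It assumes the file uses Region elements containing IpRange entries with a Subnet attribute; the function names and sample data are constructed for illustration. Each entry is validated as a CIDR before it reaches the firewall list, and adjacent ranges are aggregated.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (assumed Region > IpRange Subnet layout); documentation-range addresses.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="192.0.2.0/25" />
    <IpRange Subnet="192.0.2.128/25" />
    <IpRange Subnet="198.51.100.0/24" />
  </Region>
  <Region Name="useast">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="203.0.113.7/24" />
    <IpRange Subnet="not-a-network" />
  </Region>
</AzurePublicIpAddresses>"""


def extract_networks(xml_text, regions=None):
    """Return (aggregated CIDR strings, rejected raw values) for the chosen regions."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not expected in a ranges file; refusing to parse")
    nets, rejected = [], []
    for region in ET.fromstring(xml_text).iter("Region"):
        if regions and region.get("Name") not in regions:
            continue
        for entry in region.iter("IpRange"):
            raw = (entry.get("Subnet") or "").strip()
            try:
                # strict=True rejects malformed values and entries with host bits set
                nets.append(ipaddress.ip_network(raw, strict=True))
            except ValueError:
                rejected.append(raw)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix address families
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in merged], rejected


def to_alias_text(networks):
    """One CIDR per line, for bulk import or for hosting as a URL table source."""
    return "".join(f"{n}\n" for n in networks)


if __name__ == "__main__":
    nets, bad = extract_networks(SAMPLE_XML)
    print(to_alias_text(nets), end="")
    print("rejected:", bad)
```

Rejected entries are returned rather than silently dropped, so a scheduled job can alert when the upstream file changes shape instead of loading a shortened list.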