PfBlockerNG Alias
-
If you use Alias Native then you will be able to add your rule on wan with that alias as source.
-
Are there some details on these options? I would like to see the difference between permit, match, and native.
-
Did you click on the blue "i" infoblock?
Default: Disabled
-
Yes I clicked the "i" infoblock and it did not help answer my question. Here is what the info block says:
'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules. 'Alias Native' lists are kept in their Native format without any modifications.
So my question still stands: are there some details on these options? I would like to see the difference between permit, match, and native.
-
Maybe you haven't clicked the correct 'i'.
Select the Action for Firewall Rules on lists you have selected.
Default: Disabled
'Disabled' Rules: Disables selection and does nothing to selected Alias.
'Deny' Rules:
'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list
Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction.
One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.
'Permit' Rules:
'Permit' rules create high priority 'pass' rules on the stated interfaces. They are the opposite of Deny rules, and don't create any 'blocking' effect anywhere. They have priority over all Deny rules. Typical uses of 'Permit' rules are:
To ensure that traffic to/from the listed IPs will always be allowed in the stated directions. They override almost all other Firewall rules on the stated interfaces.
To act as a whitelist for Deny rule exceptions, for example if a large IP range or pre-created blocklist blocks a few IPs that should be accessible.
'Match' Rules:
'Match' or 'Log' only the traffic on the stated interfaces. This does not Block or Reject. It just Logs the traffic.
Match Both - Matches all traffic in both directions, if the source or destination IP is in the list.
Match Inbound/Match Outbound - Matches all traffic in one direction only.
'Alias' Rules:
'Alias' rules create an alias for the list (and do nothing else). This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired.
Options - Alias Deny, Alias Permit, Alias Match, Alias Native
'Alias Deny' can use De-Duplication and Reputation Processes if configured.
'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules
'Alias Native' lists are kept in their Native format without any modifications.
Note:
When manually creating 'Alias' type firewall rules, do not add (pfB_) to the start of the rule description; use (pfb_) (lowercase prefix). Manually created 'Alias' rules with 'pfB_' in the description will be auto-removed by the package when 'Auto' rules are defined.
-
Seriously? Come on now guys.
I get that info block but that doesn't give details on Alias Permit, Alias Match, Alias Native.
Regarding Alias it states: "'Alias' rules create an alias for the list (and do nothing else). This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired."
Ok, I get that, but what is the difference between Permit, Match, and Native?
-
To answer your initial question, use Alias Match.
Non-alias Permit (Inbound|Outbound) would apply when you're using pfB to set up your own rules for whichever direction; same idea for Deny. Hope this helps a bit.
-
No that doesn't help.
And I don't know why you are referring to "non-alias Permit"; that is not what I was referring to.
You also say to use Alias Match, but I tried "Alias Permit" and that seems to be working. So really this is not helpful.
And so again I ask: what is the difference between "Alias Permit", "Alias Match", and "Alias Native"?
-
When you select "Permit" it will create rules to allow traffic.
When you select "Match" it will only log the packets and nothing else.
When you select "Native" it's the same as "Deny" except that there is no Suppression or Deduplication; the Feeds are downloaded and used in their native format.
There are "Auto" generated rules, and then there are "Alias" type rules. With "Alias" type rules, the pkg makes the Alias table with the IPs, and then you have to manually create the Firewall rules according to your network needs.
-
Hi BBcan177, first of all thanks for creating and supporting pfBlockerNG.
With "Alias" type rules, the pkg makes the Alias table with the IPs, and then you have to manually create the Firewall rules according to your network needs.
Specifically with the Alias type rules there are "Alias Permit", "Alias Match" and "Alias Native"; can you elaborate on what they do in the context of Alias specifically? What I mean is that I use "Alias Permit" with a rule that I created, but others have recommended using "Alias Match" and some even say use "Alias Native", but what is the difference specifically in the context of Alias?
-
When you select any of the Alias types [ Deny, Permit, Match or Native ], they do not create any Firewall rules… So in that sense there is no difference between any of those options... However, if you are going to use this Alias for a "Permit" rule, then select "Alias Permit"...
Alias Match would be used for a rule whereby you just want to log packets that match the IPs in the list, but do not block or permit them... But selecting "Alias Match" and configuring the rule to be a "Permit" action is in essence the same.... I would recommend to use Alias Permit for permit rules, and Alias Match for Match type rules.
Alias Native is typically used instead of Alias Deny, where it's used for a Block Type action, but the IPs do not go through the Suppression or Deduplication processes... i.e. they remain native as per the source of the Feed.
-
@BBcan177 thanks for the clarification; that is the info I was looking for, as it was not clear in the info block.
Based on your info and comparing it to the suggestions I got from others, it seems they were confused, so this should help others too.
-
@bbcan177 first of all thanks for developing and supporting pfBlockerNG which is a great tool to have.
To recap the discussion, would it be correct to state the following:
- "Alias Permit", "Alias Deny", "Alias Match", and "Alias Native" do not create any rule, but they just create lists of IPs (aliases)
- There is no difference in the IP lists created by "Alias Permit", "Alias Deny", "Alias Match", and "Alias Native"
- The "Permit", "Deny", "Match", and "Native" indicate only the intended purpose of the created alias, but actually selecting one alias type versus another would not make any difference.
This is what I understood from the discussion, and I would be very thankful if you could kindly confirm whether this is correct.
Thanks,
Andrea
-
@aborsic said in PfBlockerNG Alias:
There is not difference in the IP lists created
I don't think that is correct.
@bbcan177 said in PfBlockerNG Alias:
Alias Native is typically used instead of Alias Deny, where its used for a Block Type action, but the IPs do not go thru the Suppression or Deduplication processes... IE: they remain native as per the source of the Feed
So while using Alias Native would have the same net effect, using it would involve more processing when updating the list but less processing while using the list.
I don't know if the optimisation is different between the other lists.
-
@patch Thank you for the clarification
-
@patch said in PfBlockerNG Alias:
Alias Native would have the same net effect, using it would involve more processing when updating the list but less processing while using the list
Technically it would be the other way around, Alias Native does not look for duplicates.
However you should all probably read this thread which seems to have found that Alias Deny will remove IPs found in other lists which may not be the result you want, if rules for both lists are not denying the same port.
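As an added illustration (not pfBlockerNG's own code, and only a simplified model of the processing the thread describes), the difference between a "Native" alias table and a de-duplicated "Deny" alias table, using constructed feeds: in the de-duplicated model an IP already covered by an earlier list is dropped from later lists, which is why a rule bound to the second list's alias can stop matching that IP.

```python
import ipaddress

# Constructed sample feeds (documentation ranges, not real blocklists).
FEEDS = {
    "feed_a": ["192.0.2.0/24", "198.51.100.10", "# trailing comment", "203.0.113.5"],
    "feed_b": ["198.51.100.10", "192.0.2.77", "203.0.113.0/28"],
}

def parse_feed(lines):
    """Turn raw feed lines into ip_network objects; bare hosts become /32 (or /128)."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def build_native(feeds):
    """'Alias Native' model: each list keeps exactly what its feed supplied."""
    return {name: [str(n) for n in parse_feed(lines)] for name, lines in feeds.items()}

def build_dedup(feeds):
    """'Alias Deny' model (assumed, simplified): an entry already covered by an
    earlier list is dropped from later lists, so the first list processed wins."""
    seen = []
    out = {}
    for name, lines in feeds.items():
        out[name] = []
        for n in parse_feed(lines):
            covered = any(n.version == s.version and n.subnet_of(s) for s in seen)
            if not covered:
                seen.append(n)
                out[name].append(str(n))
    return out

def alias_matches(alias_entries, ip):
    """The check a firewall rule effectively makes: is the address in the alias table?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in alias_entries)

if __name__ == "__main__":
    native, dedup = build_native(FEEDS), build_dedup(FEEDS)
    for name in FEEDS:
        print(name, "native:", native[name])
        print(name, "dedup: ", dedup[name])
    # 198.51.100.10 is still in feed_b's native table but gone from its dedup table,
    # so a rule that only references feed_b would no longer see it.
    print("feed_b native match:", alias_matches(native["feed_b"], "198.51.100.10"))
    print("feed_b dedup match: ", alias_matches(dedup["feed_b"], "198.51.100.10"))
```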