Allowing AWS inbound using IPV4 Alias



  • Firstly, what an awesome firewall pfSense is, and pfBlockerNG is just unreal! I've managed to create an IPv4 alias that reads the AWS JSON file to allow inbound traffic from AWS.

    My question is, I can see the alias there, but do I still need my AWS firewall rule? I had created a specific one where I was matching the source IP range and just adding ranges as they were blocked. It was tedious. I see no way to tie the pfBlockerNG alias to the rule, so I assume I don't need to.

    I want to allow the AWS traffic only to a specific IP

    Just a little confused as to how I do this.

    Thanks


  • Moderator

    @automate said in Allowing AWS inbound using IPV4 Alias:

    Firstly, what an awesome firewall pfSense is, and pfBlockerNG is just unreal! I've managed to create an IPv4 alias that reads the AWS JSON file to allow inbound traffic from AWS.
    My question is, I can see the alias there, but do I still need my AWS firewall rule? I had created a specific one where I was matching the source IP range and just adding ranges as they were blocked. It was tedious. I see no way to tie the pfBlockerNG alias to the rule, so I assume I don't need to.
    I want to allow the AWS traffic only to a specific IP
    Just a little confused as to how I do this.
    Thanks

    Amazon includes all of its IPs for the different Regions and services in one source file:
    https://ip-ranges.amazonaws.com/ip-ranges.json

    Unfortunately, pfBlockerNG will read this file and pull out all of the IPs regardless of the Region or Service. So if adding all of the IPs is OK for your needs, then go to the IPv4/6 tab, create a new IP Alias, add the link above in the Source field, and add a Header/Label.

    Then you can either use "Auto" rules, which will automatically create the firewall rules, or use "Alias type", for which you will need to manually create the firewall rules and associate this AWS Aliastable with them.
    If you choose the "Auto Rule" Action setting, then you can also use the Adv. Inbound/Outbound firewall rule settings to add the specifics for this single host. Click on the blue infoblock icon for the Action setting for more details on how to select the Action settings.

    Alternatively, there is a reddit thread that has some instructions on pulling the AWS IPs into a txt format:
    https://www.reddit.com/r/pfBlockerNG/comments/9vwkmm/ip_ranges_for_amazon_aws/

    But you would have to either script something to update the Alias, or manually add these IPs to the Custom list that is at the bottom of any IP Alias (such as the one created above).
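    An added example of the "script something" alternative mentioned above (written for this thread, not code from pfBlockerNG or from any of the posters): it parses a document in the shape of ip-ranges.json, keeps only the prefixes for the Regions and Services you care about, collapses overlapping networks, and writes one CIDR per line, the format a pfBlockerNG custom list or a plain txt source takes. The JSON embedded below is constructed sample data using the real file's field names; the prefixes are documentation ranges, not Amazon's. The function names, the `--live` flag and the default region/service filter are my own choices.

    ```python
    import ipaddress
    import json
    import sys
    import urllib.request

    IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

    # Constructed sample in the shape of ip-ranges.json. The field names
    # (syncToken, prefixes[].ip_prefix/region/service, ipv6_prefixes[].ipv6_prefix)
    # match the real file; the prefixes themselves are RFC 5737/3849 documentation
    # ranges chosen for this example, not Amazon's addresses.
    SAMPLE_IP_RANGES = json.dumps({
        "syncToken": "0000000000",
        "createDate": "2000-01-01-00-00-00",
        "prefixes": [
            {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
            {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
            {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
            {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        ],
        "ipv6_prefixes": [
            {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
            {"ipv6_prefix": "2001:db8:2::/48", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
        ],
    })


    def load_ip_ranges(text):
        """Parse an ip-ranges.json document and sanity-check that it has the expected lists."""
        doc = json.loads(text)
        for key in ("prefixes", "ipv6_prefixes"):
            if not isinstance(doc.get(key), list):
                raise ValueError("not an ip-ranges.json document: missing %r" % key)
        return doc


    def select_prefixes(doc, regions=None, services=None, ipv6=False):
        """Return the CIDRs (as strings) whose region/service are in the given sets.

        regions / services are sets of strings; None means "any". Overlapping and
        adjacent networks are collapsed so the alias table stays as small as possible.
        """
        key, field = ("ipv6_prefixes", "ipv6_prefix") if ipv6 else ("prefixes", "ip_prefix")
        nets = []
        for entry in doc[key]:
            if regions and entry["region"] not in regions:
                continue
            if services and entry["service"] not in services:
                continue
            # strict=True rejects entries with host bits set, which AWS never publishes;
            # failing loudly is better than silently widening an allow rule.
            nets.append(ipaddress.ip_network(entry[field], strict=True))
        return [str(n) for n in ipaddress.collapse_addresses(nets)]


    def to_custom_list(doc, regions=None, services=None):
        """Render IPv4 then IPv6 matches as one CIDR per line (pfBlockerNG custom list / txt source)."""
        v4 = select_prefixes(doc, regions, services, ipv6=False)
        v6 = select_prefixes(doc, regions, services, ipv6=True)
        return "\n".join(v4 + v6) + "\n"


    if __name__ == "__main__":
        # By default work offline on the constructed sample; pass --live to fetch the real file.
        if len(sys.argv) > 1 and sys.argv[1] == "--live":
            with urllib.request.urlopen(IP_RANGES_URL, timeout=30) as resp:
                doc = load_ip_ranges(resp.read().decode("utf-8"))
        else:
            doc = load_ip_ranges(SAMPLE_IP_RANGES)
        # Example filter: only EC2 in us-east-1. Adjust the sets to taste.
        sys.stdout.write(to_custom_list(doc, regions={"us-east-1"}, services={"EC2"}))
    ```

    Redirect the output to a file that the pfBlockerNG alias reads as a local/txt source, or paste it into the Custom list at the bottom of the alias, and run the script from cron at the same cadence as the pfBlockerNG update. Filtering by Service matters for an inbound allow rule: the unfiltered file also contains ranges such as CloudFront and the generic AMAZON pool, which is a much larger set of sources than "my EC2 instances" if that is what the rule is meant to admit.
    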



  • Thank you BBCan177, great package

    I've got the Alias working. If I choose Alias type, I assume my existing firewall rule can be updated with its source Alias to be this new alias I create.

    I've got it updating the JSON every week. I assume the updates would populate into the Alias and there's no further work to be done if AWS make changes to their IP ranges.

    The entire list is fine for my purpose.

    Thank you


  • Moderator

    @automate Yes that sounds like it will update once a week to keep the Alias updated. So either an Auto type or Alias type would work, since pfBlockerNG will keep the Aliastable updated.



  • @BBcan177 Fantastic thank you!

