Netgate Discussion Forum

    Setting up an alias.

    6 Posts 4 Posters 490 Views
Smoothrunnings:

      I have an SFTP server in my Windows environment that is set up to filter by IP address. To add an extra layer of security I want to create an alias with the list of external IP addresses that are filtered by the SFTP server and apply it to my NAT or firewall rule.

      I am not sure what the best way to do this is, and when I create the alias, do I just add the IPs or do I need to put a /## on them?

      Also what's the best way to create the rule?

      Thanks,

      NogBadTheBad @Smoothrunnings (last edited by NogBadTheBad):

        @smoothrunnings Here is what I do, if you are talking about people accessing your server from the WAN.

        No allow / deny list on the sftp server, allow anything.

        An alias for the server:
        [screenshot: the server alias, 2021-03-15]

        NAT rule:
        [screenshot: the NAT rule, 2021-03-15]

        Firewall rule on the WAN interface, currently disabled:
        [screenshot: the WAN firewall rule, 2021-03-15]

        I basically use pfBlocker to create an alias to just allow hosts from the UK.

        You can use either the IP addresses or the subnet followed by the mask.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        Smoothrunnings @NogBadTheBad:

          @NogBadTheBad

          I think maybe you misunderstood something?

          I want to only allow certain public IP addresses to my SFTP server. At work our Cisco engineers are able to do this, as we have clients who have SFTP servers that allow certain IPs on their firewalls into port 22 and, at the server itself, add in a second layer of security.

          Thanks,

          SteveITS (Galactic Empire) @Smoothrunnings:

            @smoothrunnings Create the alias with the list of allowed IPs and use that as the Source on the NAT rule.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            NogBadTheBad @Smoothrunnings:

              @smoothrunnings said in Setting up an alias.:

              @NogBadTheBad

              I think maybe you misunderstood something?

              My alias on the WAN allows all UK ip addresses access, just put the IP addresses you require in your own alias in the same style.

              My SFTP server blocks IP addresses with multiple failed attempts using pf, as it is running FreeBSD.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              AdamMarie:

                Hello.

                I think the OP asked specifically for an "allow list" at the firewall level, in addition to the Windows SFTP server's whitelist.
                That means to me he wants to know how best to make an alias in pfSense with multiple IPs that are already whitelisted on the SFTP side.

                @Smoothrunnings If you want to (or can) do it manually, you set up an alias with CIDR addresses as you want (either /32, or whatever mask you need; sometimes a whole subnet is preferable, sometimes not, depending on your case).
                Or, if you want to automate it, you can use URL aliases (a URL linking to an automatically generated text file with all the IPs/CIDRs in it, generated by the SFTP server or something similar and made accessible through an internal/minimal web server, for example).
                You can check the full doc here, as there are more possibilities:
                https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html

                And when your Aliases are ready, you just need to specify them in "Source address" for your port forward rules to the SFTP server.

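Added example (not from this thread, Netgate, or pfSense): a small Python script that turns an exported allow list into the one-entry-per-line text a pfSense URL (IPs) alias fetches, normalizing bare IPs to /32 (or /128), collapsing duplicates and overlapping blocks, and refusing RFC 1918, loopback and link-local entries that should never appear in a WAN allow rule. The sample input, the rejection list and the output filename are constructed for the example.

```python
import ipaddress

# Constructed sample as an SFTP admin might export it: bare IPs, CIDR
# blocks, comments, a duplicate, a private address and a typo. The
# RFC 5737 documentation ranges used here pass the public-address check.
SAMPLE_INPUT = """\
# partner A
203.0.113.10
203.0.113.0/28
198.51.100.7/32
# entries that must not reach the firewall
192.168.1.5
not-an-address
203.0.113.10
"""

# Address space that has no business in a WAN source allow list.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def normalize_allow_list(text):
    """Return (accepted, rejected). accepted: sorted, collapsed CIDR
    strings (bare IPs become /32 or /128), the form pfSense takes in a
    Network alias or a URL (IPs) alias file. rejected: (entry, reason)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparsable"))
            continue
        if any(net.subnet_of(p) for p in NON_PUBLIC if p.version == net.version):
            rejected.append((line, "not a public address"))
            continue
        accepted.append(net)
    # collapse_addresses merges duplicates and blocks already covered by a
    # larger one; it only accepts one address family at a time.
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses(n for n in accepted if n.version == version)
    return [str(n) for n in out], rejected


def write_url_alias_file(text, path):
    """Write accepted entries one per line, the format a URL (IPs) alias fetches."""
    accepted, _ = normalize_allow_list(text)
    with open(path, "w") as fh:
        fh.write("\n".join(accepted) + "\n")
    return accepted
```

Point the alias at the written file on a small internal web server and use the alias as the Source of the port-forward rule, as the posts above describe.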
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.