Netgate Discussion Forum

How to use URL table (IPs) alias?

Firewalling
  • K
    kj32
    last edited by Feb 1, 2022, 7:13 PM

    On a Netgate SG-3100, running 21.05.2-RELEASE, I get

    "Unable to fetch usable data from URL file:///usr/local/etc/pftables.d/localtable.txt"

    when I specify

    file:///usr/local/etc/pftables.d/localtable.txt

    when trying to create a URL table alias of IP addresses.

    Note that this file works perfectly well in pf configuration as:

    table <localtable> file "/usr/local/etc/pftables.d/localtable.txt"

    and further referenced in a blocking rule via $tablelist:

    block in log quick on $bridgeifaces from any to $tablelist label "Block geolocation, local list"

    Here 'working' means that if I use nping from the nmap package to send a packet from a laptop running FreeBSD that should be blocked and logged, it is blocked and logged. (assuming that pf is enabled and using my ruleset.)

    localtable.txt contains lines that look like:

    #Comment useful to sysadmin.  These are not the real addresses
    192.168.1.7/32
    10.5.5.45/32
    ...
    #Another comment useful to sysadmin
    10.78.96.58/32
    192.168.0.9/32
    ...
    

    where "..." signifies more lines like the previous one.

    The documentation I am aware of for URL table aliases is here:

    https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#url-table-aliases

    I would love to receive pointers to additional documentation.

    Thanks.

    • S
      serbus
      last edited by serbus Feb 1, 2022, 8:12 PM Feb 1, 2022, 8:10 PM

      Hello!

      You can try relocating your table definitions to the /usr/local/www/ area and using some variation of:

      https://127.0.0.1/mytablefiles/mytable.txt

      for the alias ip table url.

      John

      Lex parsimoniae

      • S
        SteveITS Galactic Empire @kj32
        last edited by Feb 1, 2022, 8:32 PM

        @kj32 I haven't tried using file://, I would guess maybe that isn't supported. I would expect such a file wouldn't normally be generated on/by the firewall itself? I've only used http(s)://.

        I have used pfBlockerNG-devel to read a file though. I think it added "GeoIP" as a type at one point but before that one could create a country code file using /usr/local/share/GeoIP/cc/US_v4.txt or similar, to read in the downloaded country files. I'd imagine the file has to be in an expected format though.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • K
          kj32
          last edited by Feb 1, 2022, 10:44 PM

          Well, looks like http://127.0.0.1 it will be. We will see how far I get down that path.

          (For anyone else trying this, if you experiment with switching between http and https, then you may need to delete your browser cookies in order to get off of the Web configurator login screen. The symptom is that a successful login is reported on the serial console, but the page displayed on your browser doesn't change after you enter the username and password. You can see a similar report here).

          • K
            kj32 @kj32
            last edited by Feb 4, 2022, 11:42 PM

            @kj32 said in How to use URL table (IPs) alias?:

            ...

            (For anyone else trying this, if you experiment with switching between http and https, then you may need to delete your browser cookies in order to get off of the Web configurator login screen. The symptom is that a successful login is reported on the serial console, but the page displayed on your browser doesn't change after you enter the username and password. You can see a similar report here).

            A similar symptom may manifest as being unable to reach certain pages of the configurator, because the menu links are in the wrong protocol (http vs https). So, you may also need to delete the browser's cache. Or switch to a different browser. Or use a private/incognito window.

            • K
              kj32 @kj32
              last edited by Feb 4, 2022, 11:51 PM

              @kj32 said in How to use URL table (IPs) alias?:

              Well, looks like http://127.0.0.1 it will be. We will see how far I get down that path.

              Using http://127.0.0.1 works, in the sense that packets that match an address in a list of one of the URL tables are dropped. That's good.

              No prize will be given for ease of configuration, however. Setting up a configuration file for pf was much easier, and had the further advantage that I could explicitly control packet logging.

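Before a pf-style list such as localtable.txt is published over HTTP for a URL table alias, each non-comment line can be checked to confirm it parses as an address or network. The following is an added example, not code from the thread or from pfSense; the function name `clean_table` and the sample addresses are constructed for illustration. The thread does not say whether the alias fetcher tolerates comment lines, so the script emits a comment-free list.

```python
import ipaddress

# Constructed sample in the format the first post describes, plus three
# deliberately awkward lines (8-10) to exercise the checks.
SAMPLE = """\
#Comment useful to sysadmin.  These are not the real addresses
192.168.1.7/32
10.5.5.45/32

#Another comment useful to sysadmin
10.78.96.58/32
192.168.0.9/32
10.1.2.300/32
10.0.0.1/24
192.168.1.7   # trailing comment, duplicate of line 2
"""


def clean_table(text):
    """Return (entries, errors) for a pf-style table file.

    entries: de-duplicated networks in CIDR form, in file order.
    errors:  (line number, original line, reason) for rejected lines.
    """
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        try:
            # strict=True also rejects entries with host bits set
            # (e.g. 10.0.0.1/24), which usually indicates a typo.
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            errors.append((lineno, raw.strip(), str(exc)))
            continue
        if net not in seen:
            seen.add(net)
            entries.append(str(net))
    return entries, errors


if __name__ == "__main__":
    good, bad = clean_table(SAMPLE)
    print("\n".join(good))
    for lineno, raw, reason in bad:
        print(f"# line {lineno} rejected: {raw!r} ({reason})")
```
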