"This Firewall (networks)" Alias
-
Is there a reason that there is no "This Firewall (networks)" alias in the drop-down list in firewall rules?

It would be helpful, especially when it comes to interfaces which track the WAN for IPv6. The IP configuration on those interfaces can change at any time. Having that network alias would mean I can reliably block anything local before giving internet access.
And in good pfSense-fashion, it could include the remote static routes as well.
-
@Bob.Dig That would be all local networks…? There is already one for each so IPv6 LAN network has an alias… Maybe I need an example rule to understand the usage?
-
@SteveITS said in "This Firewall (networks)" Alias:
Maybe I need an example rule to understand the usage?
Would seem to be the same as the rfc1918 alias I have. I use it to block something to any of my networks, but allow internet.
-
@johnpoz except that’s not IPv6… :)
This Firewall also includes WAN IP so this would include the WAN subnet.
-
@SteveITS For each there is one, but not one for all. John got the idea.
Right now I have it like this (DNS and NTP are handled elsewhere):

As you can see, I have created an interface group called GroupTrackSix. This group contains all IPv6-enabled interfaces (and there are no rules on it); I just need that "alias" to be usable elsewhere. So this works fine, but maybe one day I add another IPv6-enabled interface and forget to add it to this group? That would be sad.
Instead, why isn't there a system alias, maybe called "This Firewall (networks)", that does it all for me right from the start?
-
@SteveITS said in "This Firewall (networks)" Alias:
This Firewall also includes WAN IP so this would include the WAN subnet.
I think This Firewall (self) just includes the WAN-IP-address, not any subnet.
Edit: But it is a valid point; if the "This Firewall (networks)" alias existed, it probably shouldn't include any WAN-type subnet.
-
@Bob.Dig Right, "self" does but you wrote "(networks)" which I read as "and subnets."
I think you're looking for "all internal (non-WAN) networks on this firewall" which AFAIK pfSense doesn't have. Makes sense though, maybe a redmine feature request.
@johnpoz said in "This Firewall (networks)" Alias:
the rfc1918 alias I have
FWIW, now they are predefined.
-
@SteveITS yeah looks like it
private(4|6|46)
-
@johnpoz said in "This Firewall (networks)" Alias:
private(4|6|46)
I use the even wider version.
@SteveITS said in "This Firewall (networks)" Alias:
I think you're looking for "all internal (non-WAN) networks on this firewall" which AFAIK pfSense doesn't have.
While your name leaves no room for interpretation, it is also very bulky.
I could easily live with "This Firewall (networks)", because in my mind, WAN is not a network of my firewall.
Firewall>Aliases>All>System Aliases could show those as well, with a meaningful description like yours.
Btw, it would be nice if all the values there were shown; the bigger ones are truncated.
-
@Bob.Dig Well I was trying to describe it, not name it. :) The problem with This Firewall is that it includes WAN IP, so a similar name without that IP, I think, would easily be confusing.
Would concur System Aliases could show This Firewall. Vague guess, it's not stored as an actual alias? Some, but not all (?) of the system aliases are in Diagnostics > Tables.
-
The option for "This Firewall (self)" uses an internal PF special keyword, (self), which doesn't actually get expanded in a visible way like a table. Since it's a keyword, we can't treat it like a table. However, it does look like it's possible to use some modifiers with it now:

    self        Expands to all addresses assigned to all interfaces.
    [...]
    Interface names and interface group names, and self can have
    modifiers appended:
      :network    Translates to the network(s) attached to the interface.
      :broadcast  Translates to the interface's broadcast address(es).
      :peer       Translates to the point-to-point interface's peer
                  address(es).
      :0          Do not include interface aliases.

So it might be possible to add that into the drop-down in future versions.
-
However it does look like it's possible to use some modifiers with it now.
From pf.conf(5).
-
I probably would use it for blocking, even if WANs are included. I will put an allow WAN-subnet before it, if needed...
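The rule shape described in the last two posts, as an added example that is not from the thread, from pfSense or from its rule generator: a hand-written pf.conf fragment that uses the self:network modifier quoted from pf.conf(5) as the "all networks attached to this firewall" destination, with a pass rule in front of it that carves out the WAN's on-link subnet, since self:network covers that subnet too. The interface names, macro names and rule order are assumptions for illustration; the pfSense GUI does not expose this keyword in the rule editor, so the fragment is for pf directly.

```pf
# Added example (not from the thread or from pfSense): pf.conf fragment
# using the self:network modifier from pf.conf(5).
# Interface names and macro names are assumptions for illustration.
wan_if = "igb0"
lan_if = "igb1"

# self:network also covers the WAN's on-link prefix. If LAN hosts must
# reach something in the WAN subnet, let that through first ("quick"
# stops evaluation at the first matching rule).
pass in quick on $lan_if inet6 from $lan_if:network to $wan_if:network keep state

# "This Firewall (networks)" in spirit: every network attached to any
# interface of this box, so an IPv6 interface added later is covered
# without editing an alias or an interface group. Written without
# parentheses the keyword is expanded when the ruleset is loaded.
block in quick on $lan_if inet6 from $lan_if:network to self:network

# Only now hand out internet access.
pass in quick on $lan_if inet6 from $lan_if:network to any keep state

# Syntax-check without loading:  pfctl -nf /path/to/this/fragment
```

Run the pfctl -nf check on the pf version actually installed before relying on the block rule, since the modifier-on-self form is what the man page excerpt above documents and an older pf may reject it. pfSense's own generated rules write the keyword as (self), the parenthesized dynamic form; whether (self:network) is accepted as well is an assumption to verify the same way, and would matter if the tracked IPv6 prefix can change between ruleset loads.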