Help us help you make aliases better.



  • I would like to open the forum for suggestions on how to make aliases better for 1.1 (yes, 1.1).

    So far I added a new option to download URLs and apply the contents to aliases.  An example of this usage would be to download a bogons list, country lists, etc. that you would like to apply to aliases.  An example list can be found here: http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    At any rate, how can Aliases be improved to make admining of your firewall(s) easier?  Have any killer ideas that you would like to see?  I am actively working on aliases and other minor areas this weekend so let the knowledge flow.
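
Added example, not part of the original thread and not pfSense code: a URL-fed alias trusts whatever the remote list returns, so this Python sketch shows one way to vet the downloaded text before it is loaded into a firewall table. The function name, the entry cap and the minimum prefix length are assumptions, and the sample list is constructed.

```python
import ipaddress

MAX_ENTRIES = 5000  # assumed cap; size it to what the firewall's tables can hold
MIN_PREFIX = 8      # assumed floor: refuse any single entry broader than a /8

# Constructed sample in the one-network-per-line style of a bogon list.
SAMPLE = """\
# constructed sample, not real feed content
0.0.0.0/8
10.0.0.0/8
10.1.0.0/16      # already covered by 10.0.0.0/8
192.168.0.0/17
192.168.128.0/17
0.0.0.0/0
172.16.0.1/12
<html><body>503 Service Unavailable</body></html>
"""

def parse_alias_list(text, max_entries=MAX_ENTRIES, min_prefix=MIN_PREFIX):
    """Return (networks, rejected) for the body of a downloaded list.

    networks: sorted, collapsed IPv4 networks that passed every check.
    rejected: (line_number, raw_line, reason) for each refused line.
    Raises ValueError if the list holds more valid entries than max_entries.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            # strict=True refuses entries with host bits set (e.g. 172.16.0.1/12)
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            rejected.append((lineno, raw, f"not a valid IPv4 network: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            # a default route in a block list would cut off all traffic
            rejected.append((lineno, raw, f"broader than /{min_prefix}"))
            continue
        accepted.append(net)
        if len(accepted) > max_entries:
            raise ValueError(f"list exceeds {max_entries} entries; not loading it")
    # merge overlapping and adjacent networks so the table stays small
    return list(ipaddress.collapse_addresses(accepted)), rejected

if __name__ == "__main__":
    networks, refused = parse_alias_list(SAMPLE)
    print([str(n) for n in networks])
    for lineno, raw, reason in refused:
        print(f"line {lineno}: {raw!r} refused ({reason})")
```

Logging the refused lines matters as much as the accepted ones: an error page or a default route turning up in a feed is a sign the source changed or was tampered with.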



  • I have a UI suggestion concerning the aliases.

    On the aliases page, it would be much more clear if you could group hosts/networks/ports on separate tabs, especially when you have lots of aliases this could make things more organized.

    Also, on the firewall rules page, if you choose the option host/alias, it would be nice to get a dropdownbox of the available aliases (so, no port aliases in the source/destination dropdownboxes)
    At the port range you should add "alias" I think, or change "other" to "other/alias" and a dropdown box would also be great here!

    Greetz,
    MickeyByte



  • @mickeybyte:

    Also, on the firewall rules page, if you choose the option host/alias, it would be nice to get a dropdownbox of the available aliases (so, no port aliases in the source/destination dropdownboxes)
    At the port range you should add "alias" I think, or change "other" to "other/alias" and a dropdown box would also be great here!

    This already exists.  Define an alias and start typing the name of the alias in one of the red boxes.  It will auto complete.



  • Yes, I know, but if you have lots of aliases, it could happen you forget one's name…



  • Maybe a small button to lookup aliases behind aliasfields that creates a popup with aliases sorted by type and alphabetical would be nice. Clicking one of the aliases then could close the popup and write it back to the field from where it was started (just like the calendar-popup for a captive portal user does). I agree that you might forget an aliasname if you have a lot of aliases and some of them are not used very frequently. However a kind of naming convention should make the job to remember even a lot of aliases easier.

    Another thing might be to add groups of aliases. Think of a multicustomer installation for example where you have several webservers of customer a and several webservers of customer b behind your pfsense. You could setup something like "webservers" as aliasgroup to group a bunch of "webservers customer a" and "webservers customer b". If you stop business with customer b you just have to delete "webservers customer b"  and not delete machine by machine from the list.



  • or perhaps a dropdown list in the rules setup where the aliases are chosen



  • Defining one alias (Service, Host, …) and then the possibility to add those pre-defined-aliases into alias-groups

    For the definition of Service aliases: The port numbers and the therefore used protocol (like the predefined protocols SMTP, HTTP, ...)



  • Chained aliases :)  It'd be nice to have an alias bill, another alias scott, and then an alias assholes that includes both.

    –Bill



  • @billm:

    Chained aliases :)  It'd be nice to have an alias bill, another alias scott, and then an alias assholes that includes both.

    –Bill

    lol add me there too  ;D



  • I am a Network Security Engineer so I am dealing with firewalls on a daily basis. Things like Ciscos, WatchGuards, SonicWalls, etc. I know pfSense is not going to be like that, but based upon my experience in the firewall arena I have come up with a list. This list is just what I am used to working with in retail firewalls. I feel like if these items were added they would make pfSense much more configurable. Here is some of my advice:

    1. Make it so when an error occurs with the data entered, the previous data is not cleared. If you make a mistake as of 1.0beta, all previous data is cleared when the error message is displayed.
    2. Make it so you can enter ranges. I.e., every time I tried to enter 1500-4999, I got an error. I know I can just create a separate rule for this range but it would be nice to be able to have it in an alias.
    3. A drop down list of the aliases. This feature is how it is done in WatchGuards and SonicWalls. Maybe it could be a separate box, or just appended to the end of the current drop down list when creating a rule. Either way it is extremely helpful.
    4. The ability to create an alias from the firewall rule creation page. It would be nice if you were writing a rule and decided you needed to create a new alias and you could do it from that page. A popup page to create a new alias would be nice.
    5. Expand the port field box in the firewall rule creation page. When you use an alias in that box, the name will not display fully if it's too long.
    6. I know this is possible, other firewalls do it. When you hover over the text of an alias, have it show the alias data in a popup dialog box similar to the <alt img=""> that you would use for an image on a webpage.
    7. Alias groups. They help a ton. It may not sound like they do, but trust me they do.

    If I think of anything else I'll pass it along. I have been using pfSense for only a few hours now and I love it. You all have done a great job, but there is still a lot of progress to be made. All in all, I love it. Thanks for the great work!

    Scott



  • When this new URL feature comes available, would there be a limit on how many hosts can be imported into an alias?

    Reason I'm asking: can I load a huge list of Spyware sites, then block them using the firewall? Almost like the Spyware Barracuda would?



  • @Zharvek:

    When this new URL feature comes available, would there be a limit on how many hosts can be imported into an alias?

    Reason I'm asking: can I load a huge list of Spyware sites, then block them using the firewall? Almost like the Spyware Barracuda would?

    It would accept a lot of hosts depending on the firewall hardware speed, I would imagine.



  • a way to use this ip block list:
    http://test.blocklist.org/



  • updated to use hosts file like this?
    http://www.hosts-file.net



  • DNSForwarder and friend already uses that.  This is at a different level.



  • @sullrich:

    DNSForwarder and friend already uses that.  This is at a different level.

    (oot)
    but there are at least a few thousand hosts in the list.
    how can I make the update automatic?



  • @rexster:

    @sullrich:

    DNSForwarder and friend already uses that.  This is at a different level.

    (oot)
    but there are at least a few thousand hosts in the list.
    how can I make the update automatic?

    Please un-hijack this thread and start a new one.  I really have no idea how we are now talking about DNS Forwarder in the ALIAS thread!

