Aliases and Groups



  • Hello,
    We are searching for a firewall to replace an old VPN-1 of CheckPoint, so I'm testing some software solutions.
    I really appreciate pfSense, it is a great product. Unfortunately, there are some negative points I saw. I would like to know if there are any plans to change them.

    The most important thing pfSense cannot do is grouping the objects. For example, I would like to create some aliases and add them to a group usable in the firewall rules. So I would like to know if this functionality is supposed to be added in the future versions or can be added as a patch by modifying Web GUI files (maybe the problem is deeper than GUI, I don't know).

    Another question - why is there no list of aliases when I add a firewall rule? I can use an alias but I should enter it manually. The same question - could it be changed?

    And the third question, the most interesting - can I disable the firewall management by Web GUI and use another tool to manage it (I think about fwbuilder). Sure, I would like to use Web GUI to manage all the other parameters (VPN, CARP etc.)

    Best regards,
    Peter



  • @Peter2121:

    The most important thing pfSense cannot do is grouping the objects. For example, I would like to create some aliases and add them to a group usable in the firewall rules. So I would like to know if this functionality is supposed to be added in the future versions or can be added as a patch by modifying Web GUI files (maybe the problem is deeper than GUI, I don't know).

    An alias is a group of IPs/ports/nets; do you need a group of groups?
    Why?

    @Peter2121:

    Another question - why is there no list of aliases when I add a firewall rule? I can use an alias but I should enter it manually. The same question - could it be changed?

    When you start to type the alias, you will see a list of aliases that match what you type.
    Use only Firefox or Chrome to access the GUI.

    @Peter2121:

    And the third question, the most interesting - can I disable the firewall management by Web GUI and use another tool to manage it (I think about fwbuilder). Sure, I would like to use Web GUI to manage all the other parameters (VPN, CARP etc.)

    Until 2.0, most features are in the GUI.



  • Thanks for your answer, marcelloc.

    An alias is a group of IPs/ports/nets; do you need a group of groups?
    Why?

    Yes, I need to group some groups. Our rulebase is complex, the logic is the same as in MS Active Directory - we group the stations and networks due to the location and logical functions and then we put these groups in other groups, used in rules. So we have some logical groups used in different rules together with other logical groups.
    For example, there are logical groups Account, Comm, R_and_D. And we have the rules Grp_Web to Any service HTTP and Grp_Mail_In to Any service IMAP. We put R_and_D and Comm in Grp_Web, we put Account and R_and_D in Grp_Mail_In. When I need to give some rights to a new station - I just add this station to the group Account for example, I should not think about rules.

    When you start to type the alias, you will see a list of aliases that match what you type.

    Yes, I saw the names appear when I begin to type. It's better than nothing but I would prefer a listbox or drop-down box.

    Until 2.0, most features are in the GUI.

    Sorry, I don't understand you.



  • …as for fwbuilder - the software knows how to manage OpenBSD pf using OS scripts. It seems that pfSense uses pf as the firewall backend, so it should work. The problem - possible conflicts between the configuration imported from fwbuilder and the pfSense WebGUI. I still need the WebGUI to manage the rest of pfSense.



  • @Peter2121:

    An alias is a group of IPs/ports/nets; do you need a group of groups?
    Why?

    Yes, I need to group some groups. Our rulebase is complex, the logic is the same as in MS Active Directory - we group the stations and networks due to the location and logical functions and then we put these groups in other groups, used in rules. So we have some logical groups used in different rules together with other logical groups.
    For example, there are logical groups Account, Comm, R_and_D. And we have the rules Grp_Web to Any service HTTP and Grp_Mail_In to Any service IMAP. We put R_and_D and Comm in Grp_Web, we put Account and R_and_D in Grp_Mail_In. When I need to give some rights to a new station - I just add this station to the group Account for example, I should not think about rules.

    +1. Grouping aliases would be a productivity and administrative boost.



  • This is a very old topic…

    Since 2.0 it's possible to use aliases inside aliases (groups of groups).
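
The nesting discussed in this thread (station groups placed inside rule groups, i.e. aliases inside aliases) can be audited offline by flattening the alias definitions before they are used in rules. This is an added example, not code from the thread or from pfSense: the group names come from the thread, while the addresses and the `expand` / `allowed` helpers are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: group names are from the thread, addresses are
# documentation-range placeholders (RFC 5737), not values from the page.
ALIASES = {
    "Account":     ["192.0.2.10", "192.0.2.11"],
    "Comm":        ["192.0.2.32/28"],
    "R_and_D":     ["198.51.100.0/24"],
    "Grp_Web":     ["R_and_D", "Comm"],
    "Grp_Mail_In": ["Account", "R_and_D"],
}


def expand(name, aliases, _stack=()):
    """Return the set of networks an alias resolves to, following nesting."""
    if name in _stack:
        # A group that contains itself (directly or indirectly) never resolves.
        cycle = " -> ".join(_stack[_stack.index(name):] + (name,))
        raise ValueError(f"alias loop: {cycle}")
    if name not in aliases:
        raise KeyError(f"undefined alias: {name}")
    result = set()
    for entry in aliases[name]:
        try:
            result.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an address or network, so treat it as a nested alias name.
            # A mistyped address therefore surfaces as "undefined alias".
            result |= expand(entry, aliases, _stack + (name,))
    return result


def allowed(host, alias, aliases):
    """True if host falls inside any network the alias expands to."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in expand(alias, aliases))


if __name__ == "__main__":
    for group in ("Grp_Web", "Grp_Mail_In"):
        print(group, sorted(map(str, expand(group, ALIASES))))
```

Adding a station to `Account` changes what `Grp_Mail_In` matches without touching any rule, which is why a flattened view is worth reviewing before a nested rule base goes live.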

