Allowed format for alias host lists?



  • Using the v102-beta, I see the support for Firewall Aliases.

    Reading the forum, I understand that an alias can refer to a list of hosts.  Realizing it's a new feature, I have not yet found documentation.

    What are the allowed formats for entries in such host lists?  I presume IP_Addresses.

    Ranges as well?  If so, in which formats?

    a.b.c.d - w.x.y.z
    a.b.c.d/cidr
    a.b.c.d/m.a.s.k

    ?

    How about RBLDNSd format data files?  e.g. any of the formats @ http://blackholes.us/zones/countries/ ?

    And are comments allowed in the host files?  standalone and/or inline?

    Thanks.



  • host(s)-aliases are just single IPs without subnet mask.
    network(s)-aliases are subnets (subnet-ID/subnet mask; note that you can use an IP with /32 subnet mask to make this a mixed hosts/networks alias).
    port(s)-aliases are just a list of port numbers (independent of protocol, this will be determined by the referencing firewall rule).

    In our HEAD code we already support adding external lists like in your example as alias. This most likely won't be found in pfSense before Version 2.0 though.
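    The reply above settles what an alias entry may be (hosts: bare IPs; networks: subnet-ID/mask, with /32 allowed for a mixed list), and the question above asks about ranges, dotted masks and comments. The script below is an added example, not code from pfSense or from either poster: it normalizes a constructed "dns_secondaries.iplist"-style file into those accepted forms, summarizing "a - b" ranges into CIDR blocks since a range is not an accepted format, and treating '#' comments as an assumed convention.

```python
import ipaddress

# Constructed sample list in the formats asked about in the thread;
# '#' comments are an assumed convention, not something the alias GUI defines.
SAMPLE_IPLIST = """\
# dns_secondaries.iplist (constructed example)
192.0.2.10            # single host, inline comment
192.0.2.20 - 192.0.2.23
198.51.100.0/24
203.0.113.0/255.255.255.128
"""


def parse_iplist(text):
    """Return alias entries as subnet-ID/prefix strings, single hosts as /32.

    A hosts alias holds single IPs and a networks alias holds subnet/mask;
    /32 entries let one networks alias mix hosts and subnets.  Ranges are
    summarized into CIDR blocks because 'a - b' is not an accepted format.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop standalone and inline comments
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            for net in ipaddress.summarize_address_range(lo, hi):
                entries.append(str(net))
        else:
            # ip_network accepts both /cidr and /dotted-mask; strict=False
            # masks any host bits so the entry becomes a proper subnet ID.
            entries.append(str(ipaddress.ip_network(line, strict=False)))
    return entries


def hosts_only(entries):
    """Single-IP entries in the bare form a hosts alias expects (no mask)."""
    return [e.split("/")[0] for e in entries if e.endswith("/32")]


if __name__ == "__main__":
    parsed = parse_iplist(SAMPLE_IPLIST)
    print("networks alias entries:", " ".join(parsed))
    print("hosts alias entries:", " ".join(hosts_only(parsed)))
```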



  • Hi hoba,

    @hoba:

    host(s)-aliases are just single IPs without subnet mask.
    network(s)-aliases are subnets (subnet-ID/subnet mask; note that you can use an IP with /32 subnet mask to make this a mixed hosts/networks alias).
    port(s)-aliases are just a list of port numbers (independent of protocol, this will be determined by the referencing firewall rule).

    In our HEAD code we already support adding external lists like in your example as alias. This most likely won't be found in pfSense before Version 2.0 though.

    Thanks for the info.

    I'm still not clear … even though "external" lists won't likely appear until 2.0 (although, this is a very valuable feature, from our perspective), we can make do with "local" lists.

    But, lists, not just single entries.

    How do I use the capability, in v102 beta, to access lists?  Looking at the interface in the GUI, I can only create/specify one entry at a time.

    E.g., I keep a list of 25+ DNS servers that are allowed secondaries and AXFR clients to my primaries.  That should be dealt with by one rule, namely:

    if (address is in list) then (allow)

    Am I missing something?

    Thanks.



  • Create a hosts alias "DNSServers" and add IPs of these 25+ servers to it.
    Then create a firewall rule: pass, udp, source lan subnet, destination single host or alias "DNSServers", port 53, gateway default.

    If you add/delete/modify the IPs of the alias later it will update the firewall rule as well. All input fields with red background can be used with aliases.



  • @hoba:

    Create a hosts alias "DNSServers" and add IPs of these 25+ servers to it.
    Then create a firewall rule: pass, udp, source lan subnet, destination single host or alias "DNSServers", port 53, gateway default.

    If you add/delete/modify the IPs of the alias later it will update the firewall rule as well. All input fields with red background can be used with aliases.

    Ok.  I think I see the problem with my question/presumption …

    What I'd like to do is list those 25+ servers in a text file, "dns_secondaries.iplist", 'scp' the file to the Soekris' HDD, and then link the host alias to that file.  One multi-address file <-> one 'alias' <-> one FW rule.

    Is that not currently possible?  Perhaps that is, also, considered an 'external' file?

    I realize that that would require the presence of a text parser.



  • No, this is not implemented atm. The alias feature in the HEAD version looks like this btw: http://pfsense.org/~sullrich/pics/SampleAlias.PNG



  • @hoba:

    No, this is not implemented atm. The alias feature in the HEAD version looks like this btw: http://pfsense.org/~sullrich/pics/SampleAlias.PNG

    Yes, I'd seen that … and had thought/hoped that that was in the v102 "next version".  My mistake.  I understand now that it's now targeted for v2.0.

    Completely ignorant of the internals, is there any way to prod/vote for getting that particular feature earlier?

    For our smaller firewall implementations, the GUI entry is not that much of an issue.  But, for the mid-to-larger implementations, which will be migrating in some cases to pfSense from FirewallBuilder-managed pf firewalls, including exactly this list-management capability (might be worth looking at their open-source code).

    Another option is to script via the command line.  Since I've only been "at" pfSense ~3-4 days now, I've not yet stumbled on a CLI.  Is there one in/for pfSense?



  • There is no CLI. The idea is to get basic config done from the shell menu and get up the access to the webgui. Everything else is done from there. Also be aware that any changes that you manually make to config files will be lost sooner or later or on reboot, as everything is generated dynamically from the config.xml (diagnostics>backup/restore if you want to look at it or manually edit it).

    Somebody mentioned in another thread lately that he has written a tool to generate config.xml files. Not sure if it covers what you are asking for or could easily be expanded. Search and get in contact with him; maybe this can become something like firewallbuilder for pfSense (though he said it's just for his needs so far).

    Another option is always to add a bounty for a specific feature in the bounty section of this forum.



  • @hoba:

    everything is generated dynamically from the config.xml (diagnostics>backup/restore if you want to look at it or manually edit it)

    I think, then, that that is where I need to focus for now.

