External network Alias



  • I'm new to pfSense so this might be something I have missed :)

    Since I come from the MS world I would like to create a network alias like ISA Server's External.

    I.e. something like this (from http://technet.microsoft.com/en-us/library/bb794774.aspx)
    A predefined network that includes all IP addresses not explicitly included in any other network. Following installation, the External network includes all addresses not defined in the Internal network, the IP address of the Local Host network (127.0.0.1), and the IP address of all other network adapters on the ISA Server computer.

    I got a tip on IRC that I could create an alias of my known networks and then use the "not" option when I create rules.
    This will probably work, but the rule chains will be more complex, so I was hoping for a smoother way of doing this.



  • On pfSense, you can create an alias called private and put in

    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    In the rule, do the inverse (not = !)

    OR just any would do if you are a little more security relaxed.



  • Well that works as long as all your nets are private.
    It gets a little messier when you have 25-30 white nets that you have to do the same for.
    Therefore I would like a more dynamic way of doing it.

    Might be a feature request even :)

    Relaxing security isn't an option. If it was, who would need a firewall ;)



  • Home net security != enterprise net security != small business net security

    Any works fine for me. Not sure what you mean by dynamic. That would be almost the same security as any. :p. There is dynamic stuff in there via UPnP and NAT-PMP, but I don't think that will do what you want.  M$ has made it a little easier there, but considering the gap in performance on the same hardware, to me it is better to go with ANYTHING else. Statically made rules are more secure and will probably be the default on most things. Most don't change white nets that often if at all. Add to the list, sure. But you can add and remove from the aliases also. Are you going to be blocking between white nets?



  • Sorry, I don't do homes :) (my own is an exception, but I do have seven nets in it ….)
    For me a small business is 10-20 LANs/VLANs.
    Large means three digits at least ;)

    A dynamic external object is not in any way near ANY; it's the other way around. It will always be ANY minus all local networks known to the firewall. It will also always be up to date.
    The problem with a blocklist solution is that when you add a new net you must remember to block it for all existing nets.
    If you don't, you will have an allow-all rule, and if that's OK, why put in a firewall in the first place?

    I guess HW costs are a bigger issue for you than they are for me. In my eyes HW is cheap. A skilled admin working overtime is expensive.
    Therefore easy management is important, because it saves time and hopefully reduces the number of mistakes.
    Static rules are good as long as they are right and updated. Dynamic ones take care of the last part on their own, meaning that the admin can focus on creating good rules in the first place.

    I guess you wouldn't like it in our demo/test environment. We change network setups almost every day. One setup might need a /22 for two days, and when that project/demo/whatever is done it might get reused as a bunch of /28s for some testing before getting turned into some /24s for the weekend :).



  • I'm thinking you might just be that white rabbit that has strange needs ;)

    But you could always contact http://www.bsdperimeter.com/ for a quote on that feature for dynamic aliases.



  • That is interesting, but in a lab, I don't think security is all that important, so long as it is kept out of my main network. That is unless you are testing security / firewalls.

    I don't think it would be a problem to create a single alias (within the pf rules, that is) similar to WAN and LAN themselves.
    Existing:

    LAN = { em0 }

    So I would think you could do:

    pfsensenets = { em0,em1,fxp0,fxp1 }

    or have a script that puts in the nets of those,
    so it ends up like:

    pfnets = { 127.0.0.0/8,172.18.1.0/23,192.168.13.0/24,… and so on }

    to match the nets of interfaces. Though thinking about it some more, you would need to calculate the start of the net and then put it in. I am not sure if you just put in the IP/CIDR if it would pick it up automatically. This would be updated with interface changes, including VLAN interface.

    Default action is to block, so, I guess you would use such a rule in a not(!) configuration. As in source LANnet destination !pfnets. I wonder if that would break internal routing (as in a second pfsense or router) within any of the pfnets?
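The "script that puts in the nets" idea above, worked through as an added example that is not from this thread or from the pfSense project: it parses FreeBSD-style ifconfig output (a constructed sample is embedded; on a real box you would feed it `ifconfig`), computes the start of each network from the interface address and its hex netmask, and emits a pf table equivalent to the pfnets alias. The em1 address is deliberately placed off its /23 boundary to show why the network start has to be calculated rather than copied from the interface IP.

```shell
#!/bin/sh
# Constructed sample in FreeBSD ifconfig format (not output from any real box).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.13.5 netmask 0xffffff00 broadcast 192.168.13.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 172.18.1.77 netmask 0xfffffe00 broadcast 172.18.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

# Dotted quad -> 32-bit integer, e.g. 192.168.13.5 -> 3232238853
ip_to_int() {
	set -- $(printf '%s\n' "$1" | tr '.' ' ')
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
	echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Hex netmask as printed by ifconfig -> prefix length, e.g. 0xfffffe00 -> 23
# (counts leading one bits; ifconfig only prints contiguous masks)
mask_to_prefix() {
	m=$(( $1 )); n=0
	while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do n=$(( n + 1 )); done
	echo "$n"
}

# Interface address + hex mask -> the network it sits on, start of the net included:
# 172.18.1.77 0xfffffe00 -> 172.18.0.0/23 (not 172.18.1.0/23)
network_of() {
	ip=$(ip_to_int "$1"); m=$(( $2 ))
	echo "$(int_to_ip $(( ip & m )))/$(mask_to_prefix "$2")"
}

# Reads ifconfig-style text on stdin, prints one directly connected IPv4 network per line.
direct_networks() {
	awk '$1 == "inet" { print $2, $4 }' |
	while read -r ip mask; do network_of "$ip" "$mask"; done | sort -u
}

# Emits a pf table holding every directly connected net. A rule can then
# reference it the way the post suggests, e.g.
#   pass in on em0 inet from em0:network to ! <pfnets>
pf_table() {
	nets=$(printf '%s\n' "$SAMPLE_IFCONFIG" | direct_networks | tr '\n' ',' | sed 's/,$//; s/,/, /g')
	printf 'table <pfnets> { %s }\n' "$nets"
}
pf_table
```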



  • As you said it depends on what you are doing.

    If you are a larger enterprise/software vendor or something like that, it's rather important to be 104% sure what your communication patterns look like.
    Hopefully you do test and eval new stuff in labs, and the best way to find bad/undocumented communication is to have a firewall that only allows exactly what the spec says.
    If it works = spec correct, else go fix spec or code :)

    One rather disturbing example nailed this way was a web app that was supposed to use HTTPS. It did, for everything except logons ….

    Your script idea sounds about right. I'm worthless on scripting for Unix so far (guess I will have to learn).
    Default action should be block, but look at the default rule for LAN. It's not block. It's allow everything going anywhere (and that's my problem :) )

    Heper: I do have big front teeth :) I guess that my needs are a little more large scale than many, but I really would like to replace ISAs and HW-based stuff with SW-based firewalls.
    Easier to deploy and upgrade.



  • I have a start of the config, but I am having a little trouble on the PHP/web GUI side. I can alter filter.inc to do:

    	// collect the networks directly attached to the firewall's interfaces
    	$pfautonets = filter_get_direct_networks_list();
    	// emit them as a pf alias (macro) named pfsAutoNets in the generated ruleset
    	$aliases .= "pfsAutoNets = \"{ $pfautonets }\"\n";

    But I cannot get a firewall rule to load that alias. Might try something else soon.



  • I have a dream ….
    That you can make it work :)

    IPCop does it by detecting which traffic is bound for the external interface. I haven't seen any way to do it the same way in BSD (yet).

