Alias: Problem/Suggestion
-
First, my suggestion:
In the Firewall-Aliases page it would be helpful to add a column showing the alias type, possibly between the 'Name' and 'Values' columns.
This would be useful when creating nested aliases, to ensure all the aliases are of the same type.
Second, my problem:
When creating an alias, it does not always appear in Diagnostics-Tables.
If I create an alias of type 'Network', and use only FQDNs, the alias is displayed in Tables.
If I create an alias of type 'Network', and only use CIDRs, the alias is not displayed in Tables.
If I create an alias of type 'Network', and use both FQDNs and CIDRs, the alias is not displayed in Tables.
How do I know if the CIDR alias is working? Is there a command I can run in shell to return all the IPs of a table?
-
Crosslinking with this thread
http://forum.pfsense.org/index.php/topic,53953
And the Redmine ticket
http://redmine.pfsense.org/issues/2988
-
List the tables that pf knows about:
pfctl -s Tables
Show the contents of a table:
pfctl -t bogons -T show
-
So it looks like aliases are broken. The same tables that don't display in the GUI don't display in the shell.
-
A table is only created when it's needed. Not all aliases have to be tables.
-
For aliases that do not create tables, what is the best way to verify that the alias is working properly and contains all the expected IPs?
Is there a command that can be run from the shell?
The reason I am asking is it appears the Snort package has discovered some problems with the pfSense API filter_expand_alias().
Essentially the Snort whitelist is not populated with IPs when the alias uses FQDNs because filter_expand_alias() returns inconsistent results.
http://forum.pfsense.org/index.php/topic,59976.msg335381.html#msg335381
-
Look in /tmp/rules.debug
-
OK, I have a couple of different aliases
alias01 is of type network and consists of FQDNs but displays no IPs in /tmp/rules.debug, rather it shows persist
alias02 is of type network and consists of CIDRs and does display CIDRs in /tmp/rules.debug
alias03 is of type network and is a nested alias of alias01 and alias02 and only displays the info from alias02 and nothing from alias01 in /tmp/rules.debug
Does this mean alias03 is not really acting as a nested alias?
-
Without seeing your actual aliases config.xml section and the full /tmp/rules.debug, it's difficult to say.
-
Thanks jimp, you've got a PM!
-
OK. Hostnames will never show up in /tmp/rules.debug, nor will their IPs show up there. They are handled via filterdns, and the results of the DNS resolution are fed into the table dynamically once they have been resolved.
I didn't see anything unusual in the info you sent, though seeing /var/etc/filterdns.conf would probably also be helpful in showing what tables will be used when resolving certain hostnames.
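Added example, not code from this thread or from pfSense itself: a small shell helper that reads the `table <alias>` lines pfSense writes to /tmp/rules.debug, prints the static CIDR entries for an alias, and reports `persist` for FQDN-only aliases whose table filterdns fills at runtime. The sample rules lines are constructed to mirror what the thread reports; the /tmp/rules.debug line format and the `pfctl -t NAME -T show` check are assumed from the posts above.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense itself.
# pfSense writes one "table <alias>" line per used alias into /tmp/rules.debug:
#   table <name> { entries }   static entries (CIDRs) expanded at rule-generation time
#   table <name> persist       empty table, filled later by filterdns (FQDN aliases)
# This helper reports which case applies to a given alias. The sample lines below
# are constructed to mirror the thread (alias01 = FQDNs only, alias02 = CIDRs only).

RULES="${RULES:-/tmp/rules.debug}"

SAMPLE='table <alias01> persist
table <alias02> { 192.0.2.0/24 198.51.100.0/24 }
table <bogons> persist file "/etc/bogons"'

# alias_entries NAME [FILE]: print the static entries of alias NAME on one line,
# "persist" when the table is left for filterdns to populate, nothing if absent.
alias_entries() {
    name="$1"; file="${2:-$RULES}"
    awk -v n="$name" '
        $1 == "table" && $2 == ("<" n ">") {
            if ($3 == "persist") { print "persist"; exit }
            sub(/^table <[^>]*> *[{] */, "")   # strip leading "table <name> { "
            sub(/ *[}].*$/, "")                # strip trailing " }"
            print; exit
        }' "$file"
}

# live_entries NAME: what pf currently holds for the table (run on the firewall).
# For FQDN aliases this is the only place the resolved IPs show up.
live_entries() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available here" >&2; return 1; }
    pfctl -t "$1" -T show
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE" > "$tmp"
for a in alias01 alias02 alias03; do
    e=$(alias_entries "$a" "$tmp")
    case "$e" in
        "")      printf '%s: no table line (alias not referenced by any rule?)\n' "$a" ;;
        persist) printf '%s: persist, resolved by filterdns; check live_entries %s\n' "$a" "$a" ;;
        *)       printf '%s: static entries %s\n' "$a" "$e" ;;
    esac
done
rm -f "$tmp"
```

On the firewall itself, run it without the sample file so it reads the real /tmp/rules.debug, then compare `persist` aliases against `live_entries NAME`.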
-
jimp,
I just sent you a pm with the contents of my filterdns.conf file.
edit: Somehow these domain names are not making their way from pfSense into snort.
-
It just has the same two lines a bunch of times… Not sure why it's repeated so much. And the table it is referencing isn't even in your alias list, and the hostnames in the alias config aren't in there.
So either somehow that's the wrong filterdns.conf, or there is something else wrong on that box.
-
Just one more question to this topic:
I have an alias defined via WebGUI which shows up as a table in /tmp/rules.debug. It is just one username for one IP.
This table does not show in Diagnostics and does not show on the CLI when doing
# pfctl -t table -T show
It says that table does not exist. How do I have pfSense create this table as "persist"? Do I have to edit /etc/inc/filter.inc?
Regards, Sebastian