Aliases/Firewall Log Easy Rule Block Host….
-
The feature to be able to click on the little X when perusing the firewall log, to have the corresponding host added to an alias that's used in a block list, is great.
However, as I use this feature more, I notice that there would be a few relatively minor improvements that would make things a lot more useful:
a) I have multiple WAN ports, so I really want an offending host added to all ports' block lists, not just to the one where the offending host happened to attack at the moment, so either we'd need a way to have these lists per network interface type (WAN, LAN, DMZ, etc.) rather than per actual interface instance, or we need a way to import one alias into another, such that with a few clicks several aliases can import from other aliases whatever hosts are not in their list.
b) Often entire subnets are used to launch attacks. Each time one adds a host, a /32 "net" is added to the alias. Because the hosts are simply appended, that makes it rather difficult to spot offending subnets that could e.g. be bundled with a /24 or so CIDR.
So if we had an option to sort such an alias' host/net list by IP address, that would be useful. Then just visually going over the list would make such nets visible.
c) If the maintainers of the SNORT package would be adding a similar feature such that one could add hosts also from the SNORT alert list, that would be also great.
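The two alias housekeeping tasks asked for above (sorting an alias by IP so /24 clusters stand out, and merging one interface's block alias into another) can be done offline on an exported alias list. The following is an added example, not code from the original post or from pfSense; it uses Python's standard `ipaddress` module, and the alias contents are constructed RFC 5737 documentation addresses rather than real hosts.

```python
import ipaddress
from collections import Counter

# Constructed sample: entries as the "easy rule" feature appends them, in log order.
# These are RFC 5737 documentation addresses, not real attackers.
WAN1_ALIAS = [
    "203.0.113.45/32",
    "198.51.100.7/32",
    "203.0.113.12/32",
    "192.0.2.99/32",
    "203.0.113.200/32",
    "198.51.100.8/32",
]
WAN2_ALIAS = [
    "203.0.113.77/32",
    "192.0.2.99/32",      # duplicate of a WAN1 entry
    "198.51.100.200/32",
]


def parse_alias(entries):
    """Turn alias lines into ip_network objects; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def sort_alias(entries):
    """Return the alias entries sorted by address (IPv4 before IPv6), as strings."""
    nets = parse_alias(entries)
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(nets, key=key)]


def dense_subnets(entries, prefixlen=24, min_hosts=3):
    """Group the /32 entries by their enclosing /<prefixlen> and report groups
    holding at least min_hosts distinct hosts; these are candidates for one
    CIDR entry instead of many host entries."""
    counts = Counter()
    for net in set(parse_alias(entries)):          # set() so duplicates count once
        if net.version == 4 and net.prefixlen == 32:
            counts[net.supernet(new_prefix=prefixlen)] += 1
    return sorted(((str(n), c) for n, c in counts.items() if c >= min_hosts),
                  key=lambda t: t[0])


def merge_aliases(*alias_lists):
    """Union several aliases into one de-duplicated list (so every WAN blocks the
    same hosts), collapsing adjacent entries into a covering prefix where possible."""
    nets = [n for entries in alias_lists for n in parse_alias(entries)]
    merged = []
    for version in (4, 6):                         # collapse_addresses needs one family
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return [str(n) for n in merged]


if __name__ == "__main__":
    print("sorted WAN1:", sort_alias(WAN1_ALIAS))
    print("/24s with 3+ hosts:", dense_subnets(WAN1_ALIAS))
    print("merged WAN1+WAN2:", merge_aliases(WAN1_ALIAS, WAN2_ALIAS))
```

The merged list is what you would paste back into a single alias referenced by the block rule on every WAN, and `dense_subnets` is the sorted-by-IP view the post asks for, reduced to the /24s that are worth reviewing; the threshold and prefix length are parameters, since "three hosts from one /24" is a judgement call, not a rule.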
-
I would agree about it being nice to be able to sort the IPs in an alias.
Not to hijack your thread but, on the firewall log screen, I was wondering about the reason for having two different ways of doing the reverse lookup of the IP address.
Also I thought that an easy block(pass) rule seemed a bit pointless if the traffic had been blocked(passed) in the first place. Could the icon just be in a new "easy rule" column at the end and be a block if the traffic had been passed or vice versa?
I realize it would have to put the easy rule above the one that caused the log entry in the first place. That may not be possible.