Aliases/Firewall Log Easy Rule Block Host….
The feature to be able to click on the little X when perusing the firewall log, to have the corresponding host added to an alias that's used in a block list, is great.
However, as I use this feature more, I notice that there would be a few relatively minor improvements that would make things a lot more useful:
a) I have multiple WAN ports, so I really want an offending host added to all ports' block list, not just to the one where the offending host happened to attack on at the moment, so either we'd need a way to have these lists per network interface type (WAN, LAN, DMZ, etc.) rather than per actual interface instance, or we need a way to import one alias into an other, such that with a few clicks several aliases can import from other aliases whatever hosts are not in their list.
b) Often entire subnets are used to launch attacks. Each time on adds a host, a /32 "net" is added to the alias. Because the hosts are simply appended, that makes it rather difficult to spot offending subnets that could e.g. bundles with a /24 or so CIDR.
So if we had an option to sort such an alias' host/net list by IP address, that would be useful. Then just visually going over the list would make such nets visible.
c) if the maintainers of the SNORT package would be adding a similar feature such that one could add hosts also from the SNORT alert list, that would be also great.
I would agree about it being nice to be able to sort the IPs in an alias.
Not to hijack your thread but, on the firewall log screen, I was wondering about the reason for having two different ways of doing the reverse lookup of the IP address.
Also I thought that an easy block(pass) rule seemed a bit pointless if the traffic had been blocked(passed) in the first place. Could the icon just be in a new "easy rule" column at the end and be a block if the traffic had been passed or vice versa?
I realize it would have to put the easy rule above the one that caused the log entry in the first place. That may not be possible.