How can I use "bogons" as an alias?



  • Hello,

    I'm trying to set up a rule which utilizes the contents of the "bogons" table. In the rule I used "Single host or alias" and in the "Address" line below I put in "bogons".

    When I want to save I get the following message:
    The following input errors were detected: bogons is not a valid destination IP address or alias.

    Is there a workaround for this? In pf it seems to be a normal table so it should work exactly the same way as a self-created alias but somehow I can't add it to my rules.


  • Banned

    No. Create your own.

    https://files.pfsense.org/lists/fullbogons-ipv4.txt
    https://files.pfsense.org/lists/fullbogons-ipv6.txt

    Certainly NOT recommended to use as-is anywhere on LAN interfaces, at least while things like all the RFC1918, 0.0.0.0/0 or 8000::/1 are there.



  • Thank you!
    Since a modified file (without private addresses) is sitting in /etc/bogons is there a way to use the contents of this file in an alias?





  • @KOM:

    Look at URL table aliases.

    Thank you, I know the URL table aliases and I frequently use them.
    But… How can I access the local file in the /etc folder?


  • Banned

    It works in pfBlockerNG. Other than that, if file:// does not work, then kindly use the URLs provided, instead of local files.


  • Moderator



  • Great.  Download them twice and keep two copies.  Plus if I'm not mistake the download copy will need to be modified if private networks are not acceptable to block on the interface it's used on.

    Don't get the inclusion of private space in bogons list.  Private space is pretty well defined and static.  It shouldn't be in a dynamic bogons list.



  • The name "bogons" is already banned as an ordinary alias name. So there will be no installs that have a user-created alias called "bogons".
    Thus there should be no problem in principle to make "bogons" a pseudo-alias that is not in the user-created alias list, but does appear in the alias names matching list when making rules… that can use an alias.
    Then the back-end code just has to know about "pseudo-aliases" like that and make the rules concerned refer to the "bogons" table that is already made.

    Same logic also applies to IPv6 bogons, if anyone cares.

    I wonder how hard that would be to code?...



  • @phil.davis:

    I wonder how hard that would be to code?…

    Go for it.  Though keep in mind that the bogons list as-is contains the local identification networks (0.0.0.0/8) which will impact DHCP if the list is used to block LAN In bound based on source.  Though that would seem sort of silly to need to block bogons sources on your LAN.

    I've made a patch that adds an option to alias types url and urltable to exclude the private space ( IPv4: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 ) ( IPv6: fc00::/7 ) and/or local identification space ( IPv4: 0.0.0.0/8 ) (0.0.0.0 used for DHCP discover/request source).

    ![Firewall Aliases Edit.png](/public/imported_attachments/1/Firewall Aliases Edit.png)
    ![Firewall Aliases Edit.png_thumb](/public/imported_attachments/1/Firewall Aliases Edit.png_thumb)