4. 2.3 Firewall -> Aliases Hosts(s) subnet broken

2.3 Firewall -> Aliases Hosts(s) subnet broken

  • S

    In 2.3 when trying to add an Alias of type "Host(s)" , the text reads

    "Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used. An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated."

    However, if I enter in a form like 192.168.0.0/24 , I get a pop up message "Please match the requested format" when I click save.
    The actual dropdown is greyed out at "32" and does not allow you to change value.

    Using 192.168.0.1-192.168.0.254 does work.

    As a side note, if entering an alias for a 'subnet' … is it possible to have the 'values' shown as 192.168.0.0/24 vs listing out 254 ips ?

    Shane

    0
  • LAYER 8 Global Moderator

    if you want aliases that are networks use the networking type for aliases


    0
  • S

    But if I make a "network" type, then I can not add to another alias that is host(s).

    ie
    Host Alias:      sam
    Host Alias:      joe
    Network Alias: dr_network

    Host Alias:  trusted  (that includes sam, joe, dr_network ).

    If indeed that is not the intended functionality, at the very least the text should be corrected, ie

    " An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated"

    0
  • LAYER 8 Global Moderator

    huh?

    Here is an alias that has a specific IP, a fqdn and a network in it..


    0
  • S

    That is an alias that has 3 hardcoded types

    I want an alias that contains other aliases.

    Try this, create 2 aliases:

    1. type = host(s)
          name = sam
          ip = 192.168.1.22

    2. type = network
          name = backup_net
          ip = 10.10.1.0/24

    3. type = host(s)
          name = trusted
          ip = sam
          ip = backup_net

    As you type "sa" , the autocomplete fills out sam
    As you type "test" , the autocomplete never fills out

    You can fully type in test and hit enter, and appear to save , but have to set up a test network to see if actually respecting the alias in the config even though did not appear to be a valid value according to the autocomplete

    0
  • S

    Ok, I was able to set up a test network and rules and it does work if you manually type it.

    But still I believe it is a bug in the autocomplete functionality which I believe is giving me a list of all 'valid' aliases that I can enter (and the network one doesn't present) … that and the text in the type=host(s) should be changed if you in fact should not be able to enter a subnet.

    0
  • P

    That input field in 2.2.6 allowed "free text" to be entered. Then the validation code parsed and checked it, reporting any errors it found. The parsing automagically took apart lists of IP addresses, IP ranges, converting a (small) range into a list of individual addresses (for the hosts type case) etc. - like in the help text.

    The parsing code is still all there, patiently waiting for any input like that. But now with "bootstrap" there is real-time validation being done in the front-end. So you can't actually input text in those formats.

    If the front-end validation is changed to just allow "free text" input (or some interesting more complex repeating pattern), then the back-end validation can take over again.

    0
  • P

    Redmine issue https://redmine.pfsense.org/issues/6322
    Pull request https://github.com/pfsense/pfsense/pull/2937

    I tested a bunch of variations of entering network/CIDR and IP address ranges and the back-end code is still expanding them OK. Allowing the extended forms of input at the front-end (as per the pull request) is all that is needed.

    0
  • B

    @sforsythe:

    Ok, I was able to set up a test network and rules and it does work if you manually type it.

    But still I believe it is a bug in the autocomplete functionality which I believe is giving me a list of all 'valid' aliases that I can enter (and the network one doesn't present) … that and the text in the type=host(s) should be changed if you in fact should not be able to enter a subnet.

    I am seeing the same issue, if I create a new alias with type Host, when I type an existing alias the autofill only shows Host aliases. If I were to choose alias type network the autofill will only show network aliases. If we want to create a group alias of both existing host and network aliases the autofill is not useful. I am trusting above that manually typing a mixture of host and network aliases into a new network alias will still consider IPs for the child aliases in question.

    Some clarification on this matter would be very much appreciated.

    I second this is a bug that should be fixed.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy