Multiple alias in fw rule

  • Hi.

    Is there any way to allow multiple IPs (alias) in one fw rule? I'm about to switch to pfSense after using a commercial fw for years and have purchased a hardware unit. But I was disappointed when I found out I can't have multiple IPs/alias on each fw-rule. At least I have not found a way to do this (having an alias with ip-range doesn't help as the IPs is not in a spesific order). And I can only list one alias on target-host on each fw rule.

    Why would I want this? Because we have many webservers with same setup. Those I want in one rule. And the same servers can have email as well, those are in another group with a email-port-alias.

    Now I have to configure 100 rules to do the same web-ports and it will become very messy. If I want to change something on the web-rules (for instance turn on/off logging), I have to do the same clicking 100 times. And another 100 rules (or whatever number) for email etc.

  • you can easily define an alias with multiple hosts or networks.
    just use the "+" button to add more…

  • I see that you can add a description beside each IP and that helps. It does however force you to make a lot of lists/groups. If you have just a few exception to a rule in the firewall (for some hosts in that alias-group), you must create a totally new alias group and type the clients name (alias for that IP) again many times. So it creates extra work to maintain when you have many IPs/hosts and increases the chances of doing errors and forgetting to update them all.

    This would be solved by having the same + for each destination row in the fw rules (that's how the commercial fws that I'm used to do it).

  • perhaps you could use nested aliases. (an alias inside an alias)

  • That would help a lot. But is that possible in the interface? Im using v2.3. I don't see any documentation on how to do that.

  • yes, you should be able to add multiple aliases inside another alias.
    just type the alias names in the IP field.
    (use 1 row per alias entry, add with +)

    you will also see that the name will be autocompleted while typing…
    you can click on that to accept it.

  • I see that it kind of works, but it still creates a lot of double typing. When you create alias of any type, you hide the original value - like IP in my case (but same goes for ports!). So if you see a log entry of a certain IP and wonder where/what host it is, you can't just hoover over the alias-group to quickly isolate/find the host. Alias is often a good way to help find Host Alias->IP, but the interface ignores the other way, IP->Host alias.

    The hoover should contain the alias value as well, like IP, port or whatever the original value is. A work-around is to enter the IP in the alias, but this creates a possible difference in real value vs textual description and a lot of extra work/confusion.

    Hope this is fixed in later versions.

    Another usefull feature developers could implement, is the number of referenced IP, hosts etc. in the fw rules, from Aliases. This is how Fortigate does it (if an alias is used three times, it has a link with number 3 that leads to fw-rules).

Log in to reply