Firewall aliases (IP): what they are
Aliases are named lists of networks, hosts or ports that can be used as one entity by selecting the alias name in the various supported sections of the firewall. These aliases are particularly useful to condense firewall rules and minimize changes.
Aliases can be added, modified and removed via Firewall ‣ Aliases .
Export / Import
The alias admin page (Firewall ‣ Aliases) contains a download and an upload button in the footer of the table. With this feature you can merge aliases into the configuration and download a JSON-formatted list of all aliases in the system.
Since data is validated before insertion, it shouldn’t be possible to import defective data (if the import fails, a list of errors is presented).
When performing migrations, it is sometimes easier to change multiple items at once in a text editor. This feature makes that straightforward while limiting the risk of a broken configuration, since imported items are validated exactly as single-item input would be.
ICMP Type
When ICMP is selected as the protocol, this drop-down contains all possible ICMP types to match. When passing ICMP, the best practice is to only pass the required types when feasible. The most common use case is to pass only a type of Echo Request which will allow an ICMP ping to pass.
Historically, ICMP has a bad reputation but it is generally beneficial and does not deserve the reputation on modern networks. Allowing an ICMP type of any is typically acceptable when allowing ICMP.
Hosts
Hosts can be entered as a single IP address, a range (separated with a minus sign, e.g. 10.0.0.1-10.0.0.10) or a fully qualified domain name.
When using a fully qualified domain name, the name will be resolved periodically (default is each 300 seconds).
Apply changes and look at the content of our newly created pf table.
Go to Firewall ‣ Diagnostics ‣ Aliases and select our newly created youtube table.
As you can see there are multiple IP addresses for this domain.
To change the alias domain resolve interval, go to Firewall ‣ Settings ‣ Advanced and set Aliases Resolve Interval to the number of seconds to refresh.
Hosts type aliases can contain exclusion hosts. Exclusion addresses start with a “!” sign (e.g. !192.168.0.1) and can be used to exclude hosts from Network Group aliases.
Please note that the Flush action is not persistent!
“Flush” means flushing the current contents of the alias; unless the alias is an external type, it will be repopulated, so flushing is not very useful in most cases.
The same behaviour applies to the API call alias_util flush.
VLAN Priority (Match and Set)
802.1p, also known as IEEE P802.1p or Priority Code Point, is a way to match and tag packets with a specific quality of service priority. Unlike DSCP, 802.1p operates at layer 2 with VLANs. However, like DSCP, the upstream router must also support 802.1p for it to be useful.
There are two options in this section. The first will match an 802.1p field so the firewall can act on it. The second will inject an 802.1p tag into a packet as it passes through this firewall. Some ISPs may require an 802.1p tag to be set in certain areas, such as France, in order to properly handle voice/video/data on segregated VLANs at the correct priority to ensure quality.
Using Aliases to Simplify Firewall Rules
What are Aliases?
From the pfSense® webGUI: Aliases act as placeholders for real hosts, networks or ports. They can be used to minimize the number of changes that have to be made if a host, network or port changes. The name of an alias can be entered instead of the IP address, network or port in all fields that have a red background. The alias will be resolved according to the list [on the Aliases page of the WebGUI]. If an alias cannot be resolved (e.g. because it has been deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.
Why would I want to use Aliases?
The best example is for blocking a list of hosts considered "bad". If a rule were added for each host to block individually, the rules list would grow quite large. By adding all of these hosts to an alias, only one firewall rule is necessary.
- Create an alias called WebServers and add to it the IPs of the three web servers.
- Create an alias called WebServerPorts and add to it ports 21, 80, and 443.
- Create a firewall rule and for the destination, choose Single Host or Alias, then click in the field and type WebServers. It will autocomplete, and then click to select it. For the destination port, click in the box and type WebServerPorts.
- Click Save
Now there is a single firewall rule that would have otherwise taken 9 separate rules to accomplish!
Aliases and Hostnames
For Host and Network type aliases, a fully qualified domain name (FQDN) may be entered instead of an IP address. The FQDN will be resolved by DNS every 5 minutes (300 seconds) and updated internally. This can be useful for tracking dynamic DNS entries to identify sites or users that are unable to use a static IP.
The interval at which the resolution takes place may be adjusted under System > Advanced on the Firewall / NAT tab. Enter a new value in the Aliases Hostnames Resolve Interval field. Bear in mind that a lower interval will put a higher burden on the DNS server(s). With many hosts to resolve, the default is best. With only a few hosts, a lower value may be used such as 30 seconds.
URL Table Aliases
A URL table alias is a URL that points to a plain text file containing IP and/or CIDR masked network addresses. The URL will be periodically downloaded and refreshed. The contents of the file would look like so:
Similar to a URL table in that the file format is the same. However, the content is only requested once and is immediately turned into a traditional alias.
On the main alias screen, click Import and the Bulk Import screen will be presented. A large text area on this page is used for IP address or CIDR entries. They may be entered/pasted here, one per line, to create a large alias quickly.
Using Aliases in Firewall Rules
Aliases can be used in firewall rules to ease administration of large lists. For instance, we might need a list of remote IP addresses that should have access to certain services; when anything changes, we only need to update the list.
Let’s create a simple alias to allow 3 remote IP addresses access to an IPsec server for a site-to-site tunnel connection:
We call our list remote_ipsec and update our firewall rules accordingly.
The list icon identifies a rule with an alias.
URL Table Aliases
A URL Table alias behaves in a significantly different way than the URL alias. For starters, it does not import the contents of the file into a normal alias. It downloads the contents of the URL into a special location on the firewall and uses the contents for what is called a persist table, also known as a file-based alias. The full contents of the alias are not directly editable in the GUI, but can be viewed in the Tables viewer (See Firewall Table Contents ).
For a URL Table alias, the drop-down list after the / controls how many days must pass before the contents of the alias are re-fetched from the stored URL by the firewall. When the time comes, the alias contents will be updated overnight by a script which re-fetches the data.
URL Table aliases can be quite large, containing many thousands of entries. Some customers use them to hold lists of all IP blocks in a given country or region, which can easily surpass 40,000 entries. The pfBlocker package uses this type of alias when handling country lists and other similar actions.
Currently, URL Table aliases are not capable of being nested.
If URL Table (IPs) is selected, then the URLs must contain IP address or CIDR masked network entries, and the firewall creates a network type alias from the contents.
If URL Table (Ports) is selected, then the URL must contain only port numbers or ranges, and the firewall creates a port type alias from the contents.
Network group
Combines different network type aliases into one. This type of alias accepts other host type aliases (networks, hosts, …). Although nesting is possible with other alias types as well, this type only displays valid aliases, which eases administration; functionally a Networks type alias can do the same, but with a different presentation.
Alias Settings
When editing an Alias entry, the following settings are available:
- Name: a name for the alias. The name may only consist of the characters a-z, A-Z, 0-9 and _.
- Description: a description for the alias.
- Type: the type for the alias, which alters the behavior of the alias and tells the firewall which types of entries can be added to the alias.
The following types are available:
- Host(s): aliases containing single IP addresses or FQDN hostnames.
- Network(s): aliases containing CIDR-masked lists of networks, FQDN hostnames, IP address ranges, or single IP addresses.
- Port(s): aliases containing lists of port numbers or ranges of ports for TCP or UDP.
- URL (IP or Port): the alias is built from the content returned by the specified URL, but is read only a single time. Once added, it becomes a normal network or port type alias.
- URL Table (IP or Port): the alias is built from the content returned by the specified URL and is updated by fetching the list from the URL periodically.
The lower section of the alias page contains the entries for the alias. The behavior of this section varies based on the selected alias type.
The next sections describe the behavior of each type in more detail.
Tag and Tagged
The Tag and Tagged fields are useful in concert with floating rules, so the firewall can mark a packet with a specific string as it enters an interface, and then act differently on a matched packet on the way out with a floating rule. See Marking and Matching for more on this topic.
Dynamic IPv6 Host
An IPv6 Dynamic Host is used where the system uses a dynamic prefix on the LAN, i.e. a tracking interface. When the prefix changes, either because the ISP changes it at will or because the WAN connection is reset, any alias containing the address of a client such as a server on the LAN would no longer be valid.
For example, you obtain a prefix 2001:db8:2222:2800::/56. You have a /56 prefix and if the tracking id was set to 0 for your LAN, you would have an address range on your LAN of 2001:db8:2222:2800:: to 2001:db8:2222:2800:FFFF:FFFF:FFFF:FFFF.
You want to run a server on your LAN that is accessible from the WAN, so you give it a static address of 2001:db8:2222:2800:1000:1000::1 and create a rule allowing traffic to access the server.
When your prefix changes, that static address is no longer valid, so you must use the Dynamic IPv6 Host to create an alias address for the firewall entry that automatically tracks the prefix and changes the rule.
The Dynamic Host Alias will always split on the /64 boundary, it will take the upper 64 bits from the interface you select and the lower 64 bits from the address you enter. It does not matter what size your prefix delegation is.
Create a new IPv6 Dynamic Host alias and enter only the suffix of the address. In this example we enter the lower 64 bits of the address, ::1000:1000:0000:1. Note the ‘::’ at the start of the address: you MUST always start the address with a ‘::’. You do not need to enter a size after the address (i.e. /128), as that is automatically assumed.
Select the interface you wish to use as the source of the upper 64 bits; in this case we select the LAN interface.
When the prefix changes, the alias address is updated in the firewall rules. Let’s say your prefix changes to 2001:db8:2222:3200::/56: the rule updates and the entry for your server in the firewall automatically becomes 2001:db8:2222:3200:1000:1000::1.
Let’s take another example: you have a /48 prefix delegation, two LAN interfaces and a server on each. You would need to create two separate Dynamic IPv6 Host entries, one for each LAN. For simplicity’s sake we use the same address for each server on each interface, so you would enter ::aaaa:bbbb:cccc:0001 as the address.
- Server 1: upper 64 bits, taken from the LAN 1 interface: 2a02:1234:5678:0000; lower 64 bits (your server address): ::aaaa:bbbb:cccc:0001. Server 1 GUA address is: 2a02:1234:5678:0000:aaaa:bbbb:cccc:0001
- Server 2: upper 64 bits, taken from the LAN 2 interface: 2a02:1234:5678:0001; lower 64 bits (your server address): ::aaaa:bbbb:cccc:0001. Server 2 GUA address is: 2a02:1234:5678:0001:aaaa:bbbb:cccc:0001
The prefix changes. In this case we have a /48 prefix, so the new prefix is 2a02:1234:5679::/48, and our aliases would update to give us the following addresses:
LAN 1: Server 1 GUA address is:
LAN 2: Server 2 GUA address is:
You may enter multiple addresses, for example if you have several servers on the same LAN segment, just add the suffix for each one. In the example below we have three servers.
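As an added illustration of the /64 split described above (this is not code from the OPNsense or pfSense projects), the following Python composes the alias address from an interface prefix and an entered suffix; the prefixes and suffixes from the text are reused as constructed inputs, and the prefix change is simulated by calling the same function with the new prefix.

```python
import ipaddress

UPPER_64_MASK = ((1 << 64) - 1) << 64  # bits taken from the interface
LOWER_64_MASK = (1 << 64) - 1          # bits taken from the alias entry


def dynamic_ipv6_host(interface_prefix: str, suffix: str) -> str:
    """Build the address a Dynamic IPv6 Host alias entry resolves to.

    interface_prefix: the address or prefix currently on the selected
        interface (e.g. "2001:db8:2222:2800::/56"); only its upper 64 bits
        are used, whatever the delegated prefix length is.
    suffix: the lower 64 bits as entered in the alias, which must start
        with "::"; a trailing "/128" is implied and therefore ignored.
    """
    if not suffix.startswith("::"):
        raise ValueError("the suffix must start with '::'")
    suffix = suffix.split("/", 1)[0]  # drop an optional /128
    lower = int(ipaddress.IPv6Address(suffix))
    if lower & UPPER_64_MASK:
        raise ValueError("the suffix must fit in the lower 64 bits")
    # IPv6Interface accepts "addr", "addr/len" and "prefix::/len" alike
    iface = ipaddress.IPv6Interface(interface_prefix)
    upper = int(iface.ip) & UPPER_64_MASK
    return str(ipaddress.IPv6Address(upper | (lower & LOWER_64_MASK)))


def dynamic_ipv6_alias(interface_prefix: str, suffixes) -> list:
    """Resolve every suffix of a multi-entry alias against one interface."""
    return [dynamic_ipv6_host(interface_prefix, s) for s in suffixes]


def same_address(a: str, b: str) -> bool:
    """Compare two IPv6 addresses regardless of how the zeros are written."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    # Prefix 2001:db8:2222:2800::/56, tracking id 0 on LAN, suffix ::1000:1000:0000:1
    before = dynamic_ipv6_host("2001:db8:2222:2800::/56", "::1000:1000:0000:1")
    # The ISP hands out a new prefix: the same alias entry now resolves differently
    after = dynamic_ipv6_host("2001:db8:2222:3200::/56", "::1000:1000:0000:1")
    print(before, "->", after)
    # /48 delegation, two LANs, the same suffix on each
    for lan in ("2a02:1234:5678:0000::/64", "2a02:1234:5678:0001::/64"):
        print(lan, "->", dynamic_ipv6_host(lan, "::aaaa:bbbb:cccc:0001"))
```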
Source OS
One of the more unique features of pf and thus pfSense is the ability to filter by the operating system initiating a connection. For TCP rules, pf enables passive operating system fingerprinting (“p0f”) that allows rules to match based on the operating system initiating the TCP connection. The p0f feature of pf determines the OS in use by comparing characteristics of the TCP SYN packet that initiates TCP connections with a fingerprints file. Note that it is possible to change the fingerprint of an operating system to look like another OS, especially with open source operating systems such as the BSDs and Linux. This isn’t easy, but if a network contains technically proficient users with administrator or root level access to systems, it is possible.
Source
This field specifies the source IP address, subnet, or alias that will match this rule.
The drop-down box for source allows several different pre-defined types of sources:
- any: matches any address.
- Single host or alias: matches a single IP address or alias name. When this is active, an alias name may be typed in the Source Address field.
- Network: uses both an IP address and subnet mask to match a range of addresses.
- PPPoE clients: a macro that will match traffic from the client address range for the PPPoE server if the PPPoE server is enabled.
- L2TP clients: a macro that will match traffic from the client address range for the L2TP server if the L2TP server is enabled.
- Interface Net: an entry in this list is present for each interface on the firewall. These macros specify the subnet for that interface exactly, including any IP alias VIP subnets that differ from the defined interface subnet.
- Interface Address: an entry in this list is present for each interface on the firewall. These macros specify the IP address configured on that interface.
The WAN Net choice for source or destination means the subnet of the WAN interface only. It does not mean “The Internet” or any remote host.
For rules matching TCP and/or UDP, the source port may also be specified by clicking the Display Advanced button. The source port is hidden behind the Display Advanced button because normally the source port must remain set to any, as TCP and UDP connections are sourced from a random port in the ephemeral port range (between 1024 and 65535; the exact range varies depending on the OS and OS version initiating the connection). The source port is almost never the same as the destination port, and it should never be configured as such unless the application in use is known to employ this atypical behavior. It is also safe to define a source port as a range from 1024 to 65535.
Selecting Invert Match will negate the match so that all traffic except this source value will trigger the rule.
Networks
Networks are specified in Classless Inter-Domain Routing (CIDR) format. Use the correct CIDR mask for each entry. For instance, a /32 specifies a single IPv4 host and /128 a single IPv6 host, whereas /24 specifies 255.255.255.0 and /64 a normal IPv6 network. Network type aliases can contain exclusion hosts or networks. Exclusion addresses start with a “!” sign (e.g. !192.168.0.0/24) and can be used to exclude hosts or networks from the current alias or a Network Group alias.
Apart from the CIDR notation, one could also use a wildcard mask to match ranges of hosts or networks.
To match all hosts with an address of the form 192.168.X.1, use a wildcard definition like 192.168.0.1/0.0.255.0.
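Added example (not OPNsense code) of how a wildcard-mask entry such as 192.168.0.1/0.0.255.0 is interpreted: a matcher that applies the "1 bit means any value" rule, and, because a pf table only holds addresses and CIDR networks, an expansion of the wildcard into the individual addresses it covers.

```python
import ipaddress

IPV4_ALL_ONES = (1 << 32) - 1


def parse_wildcard(entry: str):
    """Split 'address/wildcard-mask' into two 32-bit integers.

    In a wildcard mask a 1 bit means "any value" and a 0 bit means "must
    match", the opposite of a subnet mask. 192.168.0.1/0.0.255.0 therefore
    fixes the first, second and fourth octets and leaves the third free.
    """
    address, mask = entry.split("/", 1)
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(mask))


def wildcard_matches(entry: str, candidate: str) -> bool:
    """True if candidate falls inside the wildcard entry."""
    base, wild = parse_wildcard(entry)
    care = IPV4_ALL_ONES ^ wild  # the bits that must be equal
    return (int(ipaddress.IPv4Address(candidate)) & care) == (base & care)


def expand_wildcard(entry: str, max_wild_bits: int = 16) -> list:
    """Enumerate every address the wildcard entry covers, in ascending order.

    Refuses entries with more than max_wild_bits free bits, so a typo such
    as a 255.255.255.0 wildcard does not try to enumerate 16 million hosts.
    """
    base, wild = parse_wildcard(entry)
    free_bits = [b for b in range(32) if (wild >> b) & 1]
    if len(free_bits) > max_wild_bits:
        raise ValueError(f"{entry} would expand to {1 << len(free_bits)} addresses")
    fixed = base & (IPV4_ALL_ONES ^ wild)  # clear the free bits of the base
    addresses = []
    for combo in range(1 << len(free_bits)):
        value = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        addresses.append(str(ipaddress.IPv4Address(value)))
    return addresses


if __name__ == "__main__":
    entry = "192.168.0.1/0.0.255.0"
    for candidate in ("192.168.77.1", "192.168.77.2", "10.168.0.1"):
        print(candidate, wildcard_matches(entry, candidate))
    hosts = expand_wildcard(entry)
    print(len(hosts), "addresses, first", hosts[0], "last", hosts[-1])
```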
Port Aliases
Port type aliases contain groups of ports and port ranges. A single port is an integer from 1-65535. A port range is two ports separated by a colon (:), for example 1194:1199, and matches the specified ports and any ports in between.
The protocol is not specified in the alias; the firewall rule where the alias is used will define the protocol as TCP, UDP, or both. Figure Example Ports Alias shows an example of a port type alias.
Figure: Example Ports Alias
Enter another port-type alias name into the Port field to nest other port-type aliases inside this alias.
External
The contents of external alias types are not administered via the normal alias service, which can be practical in scenarios where you want to push new entries from external programs, such as specific lockout features or external tools feeding access control to your firewall.
In Firewall ‣ Diagnostics ‣ Aliases you can always inspect the current contents of the external alias and add or remove entries immediately.
When changing alias contents which are used on firewall rules with state tracking enabled, you might need to remove the specific state before the new rule turns active. (see Firewall ‣ Diagnostics ‣ States Dump )
Since external alias types won’t be touched by OPNsense, you can use pfctl directly in scripts to manage its contents. (e.g. pfctl -t MyAlias -T add 10.0.0.3 to add 10.0.0.3 to MyAlias)
Bulk Import Network Aliases
Another method of importing multiple entries into an alias is to use the bulk import feature.
Navigate to Firewall > Aliases
Click Import
Fill in the Alias Name and Description
Enter the alias contents into the Aliases to import text area, one entry per line.
Click Save
Common usage examples for this page include lists of IP addresses, networks, and blacklists. The list may contain IP addresses, CIDR masked networks, IP ranges, or port numbers. The firewall will attempt to determine the target alias type automatically.
The firewall imports items into a normal alias which can be edited later.
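Added example (not pfSense or OPNsense code) of the validation a bulk import implies: each line is classified, the alias type is derived from the mix of entries, and the whole import is rejected with a list of errors rather than half-applied, matching the behaviour the Export / Import section describes. Name rules follow the Alias Settings section; the FQDN check is a deliberately simple label-syntax test, not a DNS lookup.

```python
import ipaddress
import re

ALIAS_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")      # characters allowed in an alias name
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # "443" or "1194:1199"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+[A-Za-z]{{2,63}}\.?$")


def classify_entry(entry: str) -> str:
    """Return 'port', 'host', 'network' or 'fqdn'; raise ValueError if invalid."""
    e = entry.strip()
    m = PORT_RE.match(e)
    if m:
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if 1 <= lo <= hi <= 65535:
            return "port"
        raise ValueError(f"port or range out of order or outside 1-65535: {e}")
    if "-" in e and "/" not in e:  # first-last address range
        try:
            first, last = (ipaddress.ip_address(p) for p in e.split("-", 1))
        except ValueError:
            pass  # not two addresses; may still be a hostname containing a hyphen
        else:
            if first.version == last.version and first <= last:
                return "network"  # a range is stored as a set of CIDR networks
            raise ValueError(f"invalid address range: {e}")
    if "/" in e:
        ipaddress.ip_network(e, strict=False)  # raises ValueError on a bad CIDR
        return "network"
    try:
        ipaddress.ip_address(e)
        return "host"
    except ValueError:
        pass
    if len(e) <= 253 and FQDN_RE.match(e):
        return "fqdn"
    raise ValueError(f"unrecognised entry: {e}")


def bulk_import(name: str, lines) -> tuple:
    """Validate a whole import; return (alias_type, entries) or raise listing all errors."""
    errors = []
    if not ALIAS_NAME_RE.match(name):
        errors.append(f"invalid alias name: {name!r}")
    kinds, entries = set(), []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue  # blank lines are ignored
        try:
            kinds.add(classify_entry(line))
            entries.append(line.strip())
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    if "port" in kinds and len(kinds) > 1:
        errors.append("ports cannot be mixed with addresses or hostnames")
    if errors:
        raise ValueError("; ".join(errors))
    if not entries:
        raise ValueError("nothing to import")
    if kinds == {"port"}:
        alias_type = "port"
    elif "network" in kinds:
        alias_type = "network"
    else:
        alias_type = "host"  # single addresses and/or hostnames only
    return alias_type, entries


if __name__ == "__main__":
    # Constructed import, reusing the WebServerPorts example from the text
    print(bulk_import("WebServerPorts", ["21", "80", "443"]))
    print(bulk_import("RemoteSites", ["192.0.2.0/24", "vpn.example.com", "10.0.0.1-10.0.0.10"]))
```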
Maximum number of established connections per host
To limit access based on connections per host, use this setting. This value can limit a rule to a specific number of connections per source host (e.g. 10 ), instead of a specific global connection total. This option controls how many fully established (completed handshake) connections are allowed per host that match the rule. This option is only available for use with TCP connections.
Using Hostnames in Aliases
If the DNS query for a hostname returns multiple IP addresses, all of the IP addresses returned in the result are added to the alias.
This feature is not useful for allowing or denying users access to large public web sites such as those served by content delivery network (CDN) providers. Such sites tend to return constantly rotating or random responses to DNS queries, so the contents of the alias on the firewall do not necessarily match the response a user receives when resolving the same site name. It can work for smaller sites that have only a few servers and do not return incomplete sets of addresses in their DNS responses.
A hostname entry in a host or network type alias is periodically resolved and updated by the firewall every few minutes. The default interval is 300 seconds (5 minutes), and can be changed by adjusting the value of Aliases Hostnames Resolve Interval on System > Advanced, Firewall & NAT tab. This is useful for tracking dynamic DNS entries to allow specific users into services from dynamic IP addresses.
URL Aliases
With a URL type alias, each entry contains a URL which returns text content containing a list of entries. Multiple URLs may be entered.
When Save is clicked, up to 3,000 entries from each URL are read from the file and imported into a network type alias.
If URL (IPs) is selected, then the URLs must contain IP address or CIDR masked network entries, and the firewall creates a network type alias from the contents.
If URL (Ports) is selected, then the URL must contain only port numbers or ranges, and the firewall creates a port type alias from the contents.
For a URL type alias, the contents of the alias are re-fetched every 24 hours from the stored URL by the firewall.
TCP/IP Version
Instructs the rule to apply for IPv4, IPv6, or both IPv4+IPv6 traffic. The rules will only match and act upon packets matching the correct protocol. Aliases may be used which contain both types of IP addresses and the rule will match only the addresses from the correct protocol.
Nesting
For host and network alias types, nesting is possible. This can simplify management a lot, since single items can be named properly and grouped into sections for administration.
For example, we define 4 servers, 2 of which are critical and use different rulesets:
The alias servers will contain all 4 addresses after configuration.
It is also possible to combine aliases with aliases consisting of exclusions. For example, there is an alias “FireHOL” that uses an extensive external drop list, and two aliases that contain subnet and host exclusions. It is possible to create a Network group (combined) alias (“FireHOL_with_exclusions”):
The FireHOL_with_exclusions alias will contain all records from the FireHOL alias, excluding the addresses from the exclusion aliases.
It’s always good to check whether an address is included in the alias via Firewall ‣ Diagnostics ‣ pfTable.
Diffserv Code Point
Differentiated Services Code Point is a way for applications to indicate inside the packets how they would prefer routers to treat their traffic as it gets forwarded along its path. The most common use of this is for quality of service or traffic shaping purposes. The lengthy name is often shortened to Diffserv Code Point or abbreviated as DSCP and sometimes referred to as the TOS field.
The program or device generating the packets, for example Asterisk via its tos_sip and tos_audio configuration parameters, will set the DSCP field in the packets and then it is up to the firewall and other interim routers to match and queue or act on the packets.
To match these parameters in the firewall, use the Diffserv Code Point drop-down entry that matches the value set by the originating device. There are numerous options, each with special meaning specific to the type of traffic. Consult the documentation for the device originating the traffic for more detail on which values must be matched.
The downside of DSCP is that it assumes routers support or act on the field, which may or may not be the case. Different routers may treat the same DSCP value in unintended or mismatched ways. Worse yet, some routers clear the DSCP field in packets entirely as they forward them. Also, because of the way pf matches traffic, the DSCP value must be set on the first packet of a connection creating a state, as packets are not inspected individually once a state has been created.
This option only reads and matches the DSCP value. It does not set a value in packets.
Maximum number of unique source hosts
This option specifies how many total source IP addresses may simultaneously connect for this rule. Each source IP address is allowed an unlimited number of connections, but the total number of distinct source IP addresses allowed is restricted to this value.
Other
Other type VIPs define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other type VIP is making that address available in the NAT configuration drop-down selectors. This is convenient when the firewall has a public IP block routed to its WAN IP address, IP Alias, or a CARP VIP.
When configuring firewall rules in the pfSense® WebGUI under Firewall > Rules many options are available to control how traffic is matched and controlled. Each of these options are listed in this section.
State timeout in seconds
Using this field, a state timeout for traffic matching this rule may be defined, overriding the default state timeout. Any inactive connections will be closed when the connection has been idle for this amount of time. The default state timeout depends on the firewall optimization algorithm in use. The optimization choices are covered in Firewall Optimization Options.
This option only controls the traffic in the inbound direction, so it is not very useful on its own. Outbound traffic for a matching connection will still have the default state timeout. To use this setting properly, a matching floating rule is also required in the outbound path taken by the traffic with a similar state timeout setting.
Action
This option specifies whether the rule will pass, block, or reject traffic.
- Pass: a packet matching this rule will be allowed to pass through the firewall. If state tracking is enabled for the rule, a state table entry is created which allows related return traffic to pass back through. See Stateful Filtering for more information.
- Block: a packet matching this rule will be discarded.
- Reject: a packet matching this rule will be discarded and, for supported protocols, a message will be sent back to the originator indicating that the connection was refused.
See Block vs. Reject for a deeper description of the options and for help deciding between Block and Reject.
Exclusions
Disabled
To disable a rule without removing it from the rule list, check this box. It will still show in the firewall rules screen, but the rule will appear grayed out to indicate its disabled state.
Protocol
The protocol this rule will match. Most of these options are self-explanatory. TCP/UDP will match both TCP and UDP traffic. Specifying ICMP will show an additional drop down box to select the ICMP type. Several other common protocols are also available.
This field defaults to TCP for a new rule because it is a common default and it will display the expected fields for that protocol. To make the rule apply to any protocol, change this field to any. One of the most common mistakes in creating new rules is accidentally creating a TCP rule and then not being able to pass other non-TCP traffic such as ping, DNS, etc.
Add new entries using our API
The endpoints of alias_util can easily be used to push new entries into an alias (or remove existing ones). In the case of an external alias these items won’t persist across reboots, which can be practical in some use cases (large, frequently changing lists, for example).
The document “Use the API” contains the steps needed to create an API key and secret; after that you can simply call the same endpoint the user interface would.
Below you see how to add 10.0.0.2 to an alias named MyAlias using an insecure connection (self-signed certificate) on the host opnsense.firewall with curl. The verbose option provides more details about the data exchanged between the two machines.
Adding entries to aliases using /api/firewall/alias_util/add/ is only supported for Host, Network and External type aliases.
Using Aliases
When a letter is typed into an input box which supports aliases, the GUI displays a list of matching aliases. Select the desired alias from the list, or type its name out completely.
Alias autocompletion is not case sensitive, but it is restricted by type. For example, a Network or Host type alias will be listed in autocomplete for a Network field, but a Port alias will not; a Port alias can be used in a port field, but a Network alias will not be in the list.
Figure Autocompletion of Hosts Alias shows how the WebServers alias, configured as shown in Figure Example Hosts Alias , can be used in the Destination field when adding or editing a firewall rule.
Edit the firewall rule
Select Single host or alias
Then type the first letter of the desired alias: Enter W and the alias appears as shown.
Figure: Autocompletion of Hosts Alias
Figure Autocompletion of Ports Alias shows the autocompletion of the ports alias configured as shown in Figure Example Ports Alias . If multiple aliases match the letter entered, all matching aliases of the appropriate type are listed. Click on the desired alias to select it.
Figure: Autocompletion of Ports Alias
Figure Example Rule Using Aliases shows the rule created using the WebServers and WebPorts aliases. This rule is on WAN, and allows any source to the IP addresses defined in the WebServers alias when using the ports defined in the WebPorts alias.
Figure: Example Rule Using Aliases
Hovering the mouse cursor over an alias on the Firewall > Rules page shows a tooltip displaying the contents of the alias with the descriptions included in the alias. Figure Hovering Shows Hosts Contents shows this for the WebServers alias and Figure Hovering Shows Ports Contents for the ports alias.
pfSense® software enables the use of multiple IP addresses in conjunction with NAT or local services through Virtual IPs (VIPs).
There are four types of Virtual IP addresses available in pfSense: IP Alias, CARP, Proxy ARP, and Other. Each is useful in different situations. In most circumstances, pfSense will need to answer ARP requests for a VIP, which means that IP Alias, Proxy ARP or CARP must be used. In situations where ARP is not required, such as when additional public IP addresses are routed by a service provider to the WAN IP address on the firewall, use Other type VIPs.
pfSense will not respond to pings destined to Proxy ARP and Other type VIPs regardless of firewall rule configuration. With Proxy ARP and Other VIPs, NAT must be present on the firewall, forwarding traffic to an internal host for ping to function. See Network Address Translation for more information.
Network Aliases
For Network type aliases, entries are specified in CIDR format for subnets or fully qualified domain names (FQDN) for single addresses.
For subnets, select the CIDR mask that pertains to each entry. /32 specifies a single IPv4 host, /128 specifies a single IPv6 host, /24 specifies 255.255.255.0 , /64 specifies a normal IPv6 network, etc.
Hostnames (FQDNs) may also be specified, using a /32 mask for IPv4 or /128 for IPv6.
Figure Example Network Alias shows an example of a network alias that is used later in this chapter.
Figure: Example Network Alias
Other host or network aliases can be nested inside this entry. Hostnames may also be used as entries, as explained previously.
When an alias entry contains an IPv4 range it is automatically translated by the firewall to an equivalent set of IPv4 CIDR networks that will exactly contain the provided range. As shown in Figure Example IP Range After , the range is expanded when the alias is saved, and the resulting list of IPv4 CIDR networks will match exactly the requested range.
Figure: Example IP Range Before
Figure: Example IP Range After
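Added example (not pfSense or OPNsense code) covering both the nesting-with-exclusions case (the FireHOL_with_exclusions alias described under Nesting) and the range-to-CIDR expansion described above: it resolves a constructed alias table to the list of networks a pf table would hold, expanding first-last ranges with ipaddress.summarize_address_range and subtracting "!" entries, and provides the kind of membership check Firewall ‣ Diagnostics ‣ pfTable offers. The alias names and addresses below are made up for this example.

```python
import ipaddress

# Constructed alias table: an alias maps to its entries, and an entry may
# name another alias (nesting) or start with "!" (exclusion).
ALIASES = {
    "web": ["192.0.2.10", "192.0.2.11"],
    "mail": ["192.0.2.20-192.0.2.23"],                 # IPv4 range, expanded to CIDR on save
    "servers": ["web", "mail"],                        # nested aliases
    "FireHOL": ["203.0.113.0/24", "198.51.100.0/24"],  # stands in for the external drop list
    "exclusions": ["!203.0.113.5", "!198.51.100.0/25"],
    "FireHOL_with_exclusions": ["FireHOL", "exclusions"],
}


def entry_to_networks(entry: str) -> list:
    """Turn one address, CIDR or first-last range into a list of networks."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def collect(name: str, aliases: dict, seen=frozenset()):
    """Walk nested aliases, returning (included, excluded) network lists."""
    if name in seen:
        raise ValueError(f"alias nesting loop at {name!r}")
    seen = seen | {name}
    included, excluded = [], []
    for entry in aliases[name]:
        negate = entry.startswith("!")
        body = entry[1:] if negate else entry
        if body in aliases:
            if negate:
                raise ValueError(f"negating a nested alias ({entry}) is not supported")
            inc, exc = collect(body, aliases, seen)  # its own "!" entries propagate upward
            included += inc
            excluded += exc
        else:
            (excluded if negate else included).extend(entry_to_networks(body))
    return included, excluded


def subtract(networks, exclusions):
    """Remove every excluded network from the included ones, splitting as needed."""
    pieces = list(networks)
    for ex in exclusions:
        remaining = []
        for net in pieces:
            if net.version != ex.version:
                remaining.append(net)
            elif net.subnet_of(ex):
                continue  # fully excluded
            elif ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))  # carve the hole out
            else:
                remaining.append(net)
        pieces = remaining
    return sorted(set(pieces), key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def resolve_alias(name: str, aliases: dict = ALIASES) -> list:
    """Final table contents for an alias, as strings."""
    included, excluded = collect(name, aliases)
    return [str(n) for n in subtract(included, excluded)]


def alias_contains(name: str, address: str, aliases: dict = ALIASES) -> bool:
    """The check the pfTable diagnostics page answers: is address in the alias?"""
    addr = ipaddress.ip_address(address)
    return any(addr in n for n in subtract(*collect(name, aliases)))


if __name__ == "__main__":
    for alias in ("servers", "FireHOL_with_exclusions"):
        print(alias, "->", resolve_alias(alias))
    print("203.0.113.5 in FireHOL_with_exclusions:",
          alias_contains("FireHOL_with_exclusions", "203.0.113.5"))
```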
TCP Flags
By default, new pass rules for TCP only check for the TCP SYN flag to be set, out of a possible set of SYN and ACK. To account for more complex scenarios, such as working around asymmetric routing or other non-traditional combinations of traffic flow, use this set of controls to change how the flags are matched by the firewall rule.
The first row controls which flags must be set to match the rule. The second row defines the list of flags that will be consulted on the packet to look for a match.
- SYN: Synchronize sequence numbers. Indicates a new connection attempt.
- ACK: Indicates ACKnowledgment of data. These are replies to let the sender know data was received OK.
- FIN: Indicates there is no more data from the sender, closing a connection.
- RST: Connection reset. This flag is set when replying to a request to open a connection on a port which has no listening daemon. Can also be set by firewall software to turn away undesirable connections.
- PSH: Indicates that data should be pushed or flushed, including data in this packet, by passing the data up to the application.
- URG: Indicates that the urgent field is significant, and this packet should be sent before data that is not urgent.
To allow TCP with any flags set, check Any Flags.
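The following is an added example, not code from the pfSense documentation: it evaluates a pf-style "flags to set / flags to consult" specification (the two rows described above; the default is written S/SA) against a constructed packet sequence of one TCP connection, so you can see which packets a pass rule would match and why the default only matches the first SYN.

```python
# TCP flag bits as carried in the TCP header, keyed by the pf letter codes.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_bits(letters: str) -> int:
    """'SA' -> bitmask of SYN|ACK."""
    return sum(TCP_FLAG_BITS[c] for c in letters.upper())


def flags_match(packet_flags: int, spec: str) -> bool:
    """Evaluate a spec such as 'S/SA' against the flags found in a packet.

    Of the flags in the mask (after the slash), exactly those listed before
    the slash must be set; flags outside the mask are not examined at all.
    'any' corresponds to the Any Flags checkbox and disables the check.
    """
    if spec.lower() == "any":
        return True
    must_set, mask = (flag_bits(part) for part in spec.split("/", 1))
    if must_set & ~mask:
        raise ValueError("flags to set must be a subset of the flags consulted")
    return packet_flags & mask == must_set


# Constructed packets of one connection: (description, flags present).
CONNECTION = [
    ("client SYN", flag_bits("S")),
    ("server SYN/ACK", flag_bits("SA")),
    ("client ACK", flag_bits("A")),
    ("client data PSH/ACK", flag_bits("PA")),
    ("server FIN/ACK", flag_bits("FA")),
]


def matching_packets(spec: str) -> list[str]:
    """Packets of the connection that a rule with this flag spec would match,
    i.e. the packets for which it could create a state."""
    return [name for name, bits in CONNECTION if flags_match(bits, spec)]
```

With S/SA only the client's SYN matches; S/S would also match the server's SYN/ACK, which is why the default consults ACK as well.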
Description¶
Enter a description here for reference. This is optional, and does not affect functionality of the rule. The best practice is to enter text describing the purpose of the rule. The maximum length is 52 characters.
Nesting Aliases¶
Most aliases can be nested inside of other aliases so long as they are the same type. For example, one alias can nest an alias containing web servers, an alias containing mail servers, and a servers alias that contains both the web and mail server aliases all together in one larger Servers alias.
Ports¶
Ports can be specified as a single number or a range using a colon (:). For instance, to add a range of 20 to 25, enter 20:25 in the Port(s) section.
State Type¶
There are three options for state tracking in pfSense that can be specified on a per-rule basis:
Keep: When chosen, the firewall will create and maintain a state table entry for permitted traffic. This is the default, and the best choice in most situations.
Sloppy: A less strict means of keeping state that is intended for scenarios with asymmetric routing. When the firewall can only see half the traffic of a connection, the validity checks of the default state keeping will fail and traffic will be blocked. Mechanisms in pf that prevent certain kinds of attacks will not kick in during a sloppy state check.
Synproxy: This option causes pfSense to proxy incoming TCP connections. TCP connections start with a three-way handshake. The first packet of a TCP connection is a SYN from the source, which elicits a SYN ACK response from the destination, then an ACK in return from the source to complete the handshake. Normally the host behind the firewall will handle this on its own, but synproxy state has the firewall complete this handshake instead. This helps protect against one type of Denial of Service attack, SYN floods. This is typically only used with rules on WAN interfaces. This type of attack is best handled at the target OS level today, as every modern operating system includes capabilities of handling this on its own. Because the firewall can’t know what TCP extensions the back-end host supports, when using synproxy state, it announces no supported TCP extensions. This means connections created using synproxy state will not use window scaling, SACK, nor timestamps, which will lead to significantly reduced performance in almost all cases. It can be useful when opening TCP ports to hosts that do not handle network abuse well, where top performance isn’t a concern.
None: This option will not keep state on this rule. This is only necessary in some highly specialized advanced scenarios, none of which are covered in this documentation because they are exceedingly rare.
Setting None here only affects traffic in the inbound direction, so it is not very useful on its own since a state will still be created in the outbound direction. It must be paired with a floating rule in the outbound direction which also has the same option chosen.
Configuring Aliases¶
To add an alias:
Navigate to Firewall > Aliases
Click Add
Enter settings as described in Alias Settings
Enter the type-specific information as needed. Each type has a data field and a description field for each entry.
To add new members to an alias, click Add at the bottom of the list of entries.
To remove members from an alias, click Delete at the end of the row to remove.
When the alias is complete, click Save to store the alias contents.
Each manually entered alias is limited to 5,000 members, but some browsers have trouble displaying or using the page with more than around 3,000 entries. For large numbers of entries, use a URL Table type alias which is capable of handling larger lists.
Disable Reply-To¶
The firewall adds the reply-to keyword to rules on WAN type interfaces by default to ensure that traffic that enters a WAN will also leave via that same WAN. In certain cases this behavior is undesirable, such as when some traffic is routed via a separate firewall/router on the WAN interface. In these cases, check this option to disable reply-to only for traffic matching this rule, rather than disabling reply-to globally.
Maximum state entries this rule can create¶
This option limits the maximum number of connections, total, that can be allowed by this rule. If more connections match this rule while it is at its connection limit, this rule will be skipped in the rule evaluation. If a later rule matches, the traffic has the action of that rule applied, otherwise it hits the default deny rule. Once the number of connections permitted by this rule drops below this connection limit, traffic can once again match this rule.
Proxy ARP¶
Proxy ARP VIPs function strictly at layer 2, providing ARP replies for the specified IP address or CIDR range of IP addresses. This allows pfSense to accept traffic targeted at those addresses inside a shared subnet. For example, pfSense can forward traffic sent to an additional address inside its WAN subnet according to its NAT configuration. The address or range of addresses is not assigned to any interface on pfSense, because it doesn’t need to be. This means no services on pfSense itself can respond on these IP addresses.
Proxy ARP VIPs do not sync to XML-RPC Configuration Sync peers because doing so would cause an IP address conflict.
Destination¶
This field specifies the destination IP address, subnet, or alias that will match this rule. See the description of the Source option in Source for more details. There is only one additional macro:
This firewall (self): Matches all IP addresses on all firewall interfaces.
For rules specifying TCP and/or UDP, the destination port, port range, or alias is also specified here. Unlike source, configuring a destination port is required in many cases, as it is more secure than using any and usually the destination port will be known in advance based on the protocol. Many common port values are available in the drop-down lists, or select (other) to enter a value manually or to use a port alias.
To specify a continuous range of ports, enter the lower port in the From section and the higher port value in the To section.
This box determines whether packets that match this rule will be logged to the firewall log. Logging is discussed in more detail in Logging Practices .
Advanced Options¶
Options which are less likely to be required or that have functionality confusing to new users have been tucked away in this section of the page. Click Display Advanced to show all of the advanced options. If an option in this section of the page has been set, then it will appear when the rule is loaded in the future.
Host Aliases¶
Host type aliases contain groups of IP addresses. For Host type aliases, entries are specified by IP address or fully qualified domain name (FQDN).
If an IP address range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 is entered in this field, the firewall will translate it into a list of individual IP addresses when saving the alias.
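An added example (not pfSense's own code) of the two expansions described on this page: a Network alias turns an IPv4 range into the minimal set of CIDR networks that exactly covers it, and a Host alias turns a range or small subnet into individual addresses. The greedy alignment algorithm here is this example's own; the firewall's internals are not shown on the page.

```python
import ipaddress


def range_to_cidrs(entry: str) -> list[str]:
    """Expand one alias entry into the smallest CIDR list that covers it exactly.

    Accepts a single address, a CIDR network, or an 'a-b' range. A range is
    split greedily: at each step take the largest power-of-two block that is
    aligned at the current address and does not run past the end.
    """
    if "-" not in entry:
        return [str(ipaddress.ip_network(entry.strip(), strict=False))]
    lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid range: {entry}")
    net_cls = ipaddress.IPv4Network if lo.version == 4 else ipaddress.IPv6Network
    bits = lo.max_prefixlen
    cur, end = int(lo), int(hi)
    nets = []
    while cur <= end:
        size = 0  # block covers 2**size addresses
        while (size < bits
               and cur % (1 << (size + 1)) == 0          # still aligned
               and cur + (1 << (size + 1)) - 1 <= end):  # still inside range
            size += 1
        nets.append(str(net_cls((cur, bits - size))))
        cur += 1 << size
    return nets


def expand_hosts(entry: str) -> list[str]:
    """Host alias behaviour: ranges and small subnets become individual addresses."""
    return [str(h) for net in range_to_cidrs(entry) for h in ipaddress.ip_network(net)]
```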
Figure Example Hosts Alias shows an example of a host type alias used to contain a list of public web servers.
Example Hosts Alias ¶
Other host type aliases can be nested inside this entry. Hostnames may also be used as entries, as explained previously.
No XML-RPC Sync¶
Checking this box prevents this rule from synchronizing to other High Availability cluster members via XMLRPC. This is covered in High Availability . This does not prevent a rule on a secondary node from being overwritten by the primary.
Maximum new connections / per second¶
This method of rate limiting helps ensure that a high TCP connection rate will not overload a server or the state table on the firewall. For example, limits can be placed on incoming connections to a mail server, reducing the burden of being overloaded by spambots. It can also be used on outbound traffic rules to set limits that would prevent any single machine from loading up the state table on the firewall or making too many rapid connections, behaviors which are common with viruses. A connection amount and a number of seconds for the time period may be configured for the rule. Any IP address exceeding the specified number of connections within the given time frame will be blocked by the firewall for one hour. Behind the scenes, this is handled by the virusprot table, named for its typical purpose of virus protection. This option is only available for use with TCP connections.
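A simulation of that limit, added here as an example and not taken from pfSense or pf: a per-source sliding window counts new TCP connections, and a source that exceeds the configured count within the time frame is put into a block table for one hour, after which its traffic is accepted again. The connection attempts are constructed sample data.

```python
from collections import defaultdict, deque

BLOCK_SECONDS = 3600  # an offending source stays blocked for one hour


class ConnRateLimit:
    """Allow at most `max_conns` new TCP connections per `per_seconds` per source.

    Sources over the limit land in a block table (the role the virusprot table
    plays in pf) and all of their traffic is refused until the entry expires.
    """

    def __init__(self, max_conns: int, per_seconds: float):
        self.max_conns = max_conns
        self.per_seconds = per_seconds
        self.recent = defaultdict(deque)  # src -> timestamps of recent new TCP connections
        self.blocked = {}                 # src -> timestamp at which the block expires
        self.block_events = []            # (src, timestamp) whenever a source is blocked

    def allow(self, src: str, proto: str, ts: float) -> bool:
        expires = self.blocked.get(src)
        if expires is not None:
            if ts < expires:
                return False              # still in the block table
            del self.blocked[src]         # the hour is up, the entry expires
        if proto != "tcp":
            return True                   # the limit only counts TCP connections
        window = self.recent[src]
        while window and ts - window[0] >= self.per_seconds:
            window.popleft()              # forget connections outside the time frame
        window.append(ts)
        if len(window) > self.max_conns:
            self.blocked[src] = ts + BLOCK_SECONDS
            self.block_events.append((src, ts))
            window.clear()
            return False
        return True


# Constructed connection attempts: (timestamp, source address, protocol).
ATTEMPTS = [
    (0.0, "203.0.113.10", "tcp"), (0.1, "203.0.113.10", "tcp"),
    (0.2, "203.0.113.10", "tcp"), (0.3, "203.0.113.10", "tcp"),
    (0.4, "203.0.113.10", "tcp"), (0.5, "203.0.113.10", "tcp"),  # 6th within 1 s
    (0.6, "198.51.100.7", "tcp"),
    (1.0, "203.0.113.10", "udp"),       # refused: source is in the block table
    (2.0, "198.51.100.7", "tcp"),
    (3601.0, "203.0.113.10", "tcp"),    # block has expired
]


def evaluate(max_conns: int = 5, per_seconds: float = 1.0):
    """Run the sample through a rule allowing 5 new connections per second."""
    limiter = ConnRateLimit(max_conns, per_seconds)
    verdicts = [limiter.allow(src, proto, ts) for ts, src, proto in ATTEMPTS]
    return verdicts, limiter.block_events
```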
Interface¶
The Interface drop down specifies the interface receiving traffic to be controlled by this rule. Remember that on interface and group tab rules, traffic is only filtered on the interface where the traffic is initiated. Traffic initiated from the LAN destined to the Internet or any other interface on the firewall is filtered by the LAN ruleset.
Alias Sizing Concerns¶
The total size of all tables must fit in roughly half the amount of Firewall Maximum Table Entries, which defaults to 400000. If the maximum number of table entries is not large enough to contain all of the entries, the rules may fail to load. See Firewall Maximum Table Entries for information on changing that value. The aliases must fit twice in the total space because of the way aliases are loaded and reloaded: the new list is loaded alongside the old list, and then the old one is removed.
This value can be increased as much as required, provided that the firewall contains sufficient RAM to hold the entries. The RAM usage is similar to, but less than, that of the state table, but it is still safe to assume approximately 1K of memory per entry to be conservative.
MAC addresses¶
Hardware MAC addresses can be specified as a (partial) hex value, such as F4:90:EA to match all addresses from Deciso or f4:90:ea:00:00:01 to match a single item (the input is case insensitive).
These aliases function approximately the same way as hostnames in host type aliases: they are resolved at periodic intervals from the arp and ndp tables.
Since mappings between addresses and MAC addresses are resolved periodically, the actual situation can differ; you can always check Firewall ‣ Diagnostics ‣ Aliases to inspect the current contents of the alias.
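As an added illustration (not OPNsense's resolver), the following reads ARP table output and resolves a MAC alias's full or partial entries, case insensitively, to the IP addresses currently carrying a matching hardware address. The table text is a constructed sample in the layout of FreeBSD `arp -an` output; ndp output for IPv6 neighbours is not handled here.

```python
import ipaddress
import re

# Constructed sample in the layout of FreeBSD `arp -an` output.
ARP_OUTPUT = """\
? (192.168.1.20) at f4:90:ea:00:00:01 on igb1 expires in 1190 seconds [ethernet]
? (192.168.1.21) at F4:90:EA:12:34:56 on igb1 expires in 900 seconds [ethernet]
? (192.168.1.30) at 00:1b:21:aa:bb:cc on igb1 expires in 300 seconds [ethernet]
? (192.168.1.1) at 00:1b:21:aa:bb:cc on igb1 permanent [ethernet]
? (192.168.1.99) at (incomplete) on igb1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[^)]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def normalize(mac: str) -> str:
    """Lower-case and trim so that F4:90:EA and f4:90:ea compare equal."""
    return mac.strip().lower()


def mac_alias_members(entries, arp_output: str) -> list[str]:
    """IP addresses in the ARP table whose MAC starts with one of the alias entries.

    A full address matches one host; a partial value such as a vendor prefix
    matches every address that begins with it.
    """
    patterns = [normalize(e) for e in entries]
    members = set()
    for line in arp_output.splitlines():
        match = ARP_LINE.search(line)
        if match is None:
            continue  # incomplete or malformed entries carry no MAC
        mac = match["mac"].lower()
        if any(mac.startswith(p) for p in patterns):
            members.add(match["ip"])
    return sorted(members, key=ipaddress.ip_address)
```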
GeoIP¶
With a GeoIP alias you can select one or more countries or whole continents to block or allow. Use the toggle all checkbox to select all countries within the given region.
To use GeoIP, you need to configure a source in the Firewall ‣ Aliases ‣ GeoIP settings tab. The most commonly used source is MaxMind, for which a how-to is available: MaxMind GeoIP’s Setup
The configured URL should point to a zip file containing the following CSV files:
%prefix%-Locations-en.csv: maps geo locations to ISO countries
%prefix%-Blocks-IPv4.csv: IPv4 network blocks
%prefix%-Blocks-IPv6.csv: IPv6 network blocks
The %prefix% can be used to identify the product and/or vendor; in MaxMind’s case these files are named GeoLite2-Country-Locations-en.csv, GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Blocks-IPv6.csv, for example.
GeoIP lists can be rather large, especially when using IPv6. When creating rules, always try to minimize the number of addresses in your selection. For example, a selection of all countries in the world except the Netherlands can usually be rewritten as a rule that matches only addresses from the Netherlands.
If the number of items is larger than the allocated alias size, you can assign more memory to aliases under Firewall ‣ Settings ‣ Advanced: Firewall Maximum Table Entries.
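The following added example (not OPNsense's GeoIP code) joins the two CSV files described above to compute the networks a GeoIP alias would contain for a set of countries or continents, and compares the entry counts of "everything except NL" against "NL only". The CSV text is constructed sample data in the column layout of the GeoLite2-Country files; the fallback to the registered country for blocks without a geoname_id is this example's own assumption.

```python
import csv
import io

# Constructed sample data in the column layout of GeoLite2-Country-Locations-en.csv
# and GeoLite2-Country-Blocks-IPv4.csv; only the columns read below matter.
LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2750405,en,EU,Europe,NL,Netherlands,1
2921044,en,EU,Europe,DE,Germany,1
6252001,en,NA,North America,US,United States,0
"""
BLOCKS_IPV4_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/25,2750405,2750405,,0,0
192.0.2.128/25,2921044,2921044,,0,0
198.51.100.0/24,6252001,6252001,,0,0
203.0.113.0/24,,2921044,,0,0
"""


def load_locations(text: str) -> dict:
    """geoname_id -> (continent_code, country_iso_code)."""
    return {row["geoname_id"]: (row["continent_code"], row["country_iso_code"])
            for row in csv.DictReader(io.StringIO(text))}


def geoip_alias(blocks_text: str, locations: dict, countries=(), continents=()) -> list:
    """Networks a GeoIP alias selecting these countries and/or continents would hold.

    A block with an empty geoname_id falls back to its registered country
    (assumption made for this example).
    """
    selected = []
    for row in csv.DictReader(io.StringIO(blocks_text)):
        geoname = row["geoname_id"] or row["registered_country_geoname_id"]
        if geoname not in locations:
            continue
        continent, country = locations[geoname]
        if country in countries or continent in continents:
            selected.append(row["network"])
    return selected


def compare_selection(blocks_text: str, locations: dict, country: str) -> tuple:
    """Entry counts for 'every country except X' versus 'X alone', the rewrite
    the text above recommends when both express the same policy."""
    others = {c for _, c in locations.values()} - {country}
    return (len(geoip_alias(blocks_text, locations, countries=others)),
            len(geoip_alias(blocks_text, locations, countries=(country,))))
```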
IP Alias¶
IP Aliases work like any other IP address on an interface, such as the actual interface IP address. They will respond to layer 2 (ARP) and can be used as binding addresses by services on the firewall. They can also be used to handle multiple subnets on the same interface. pfSense will respond to ping on an IP Alias, and services on the firewall that bind to all interfaces will also respond on IP Alias VIPs unless the VIP is used to forward those ports into another device (e.g. 1:1 NAT).
IP Alias VIPs can use Localhost as their interface to bind services using IP addresses from a block of routed addresses without specifically assigning the IP addresses to an interface. This is primarily useful in HA with CARP scenarios so that IP addresses do not need to be consumed by a CARP setup (one IP each per node, then the rest as CARP VIPs) when the subnet exists only inside the firewall (e.g. NAT or firewall services such as VPNs).
IP Aliases on their own do not synchronize to XMLRPC Configuration Synchronization peers because that would result in an IP address conflict. One exception to this is IP Alias VIPs using a CARP VIP “interface” for their interface. Those do not result in a conflict so they will synchronize. Another exception is IP Alias VIPs bound to Localhost as their interface. Because these are not active outside of the firewall itself, there is no chance of a conflict so they will also synchronize.
CARP VIPs are primarily used with High Availability redundant deployments utilizing CARP. CARP VIPs each have their own unique MAC address derived from their VHID, which can be useful even outside of a High Availability deployment.
For information on using CARP VIPs, see High Availability .
CARP VIPs may also be used with a single firewall. This is typically done in cases where the pfSense deployment will eventually be converted into an HA cluster node, or when having a unique MAC address is a requirement. In rare cases a provider requires each unique IP address on a WAN segment to have a distinct MAC address, which CARP VIPs provide.
CARP VIPs and IP Alias VIPs can be combined in two ways:
To reduce the amount of CARP heartbeats by stacking IP Alias VIPs on CARP VIPs. See Using IP Aliases to Reduce Heartbeat Traffic .
To use CARP VIPs in multiple subnets on a single interface. See High Availability .
IP Options¶
Checking this box will allow packets with defined IP options to pass. By default, pf blocks all packets that have IP options set in order to deter OS fingerprinting, among other reasons. Check this box to pass IGMP or other multicast traffic containing IP options.
Spamhaus¶
The Spamhaus DROP (Don’t Route Or Peer) and EDROP lists are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP and EDROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.
To set up the DROP and EDROP lists in combination with the firewall rules, read: Configure Spamhaus (E)DROP
Aliases define a group ports, hosts, or networks. Aliases can be referenced by firewall rules, port forwards, outbound NAT rules, and other places in the firewall GUI. Using aliases results in significantly shorter, self-documenting, and more manageable rulesets.
Firewall aliases are collections of entries for use by the firewall. Despite the similar names, this is different than interface IP aliases, which are a means of adding additional IP addresses to a network interface.
Aliases are located at Firewall > Aliases. The page is divided into separate tabs for each type of alias: IP, Ports, URLs, and the All tab which shows every alias in one large list. When creating an alias, add it to any tab and it will be sorted to the correct location based on the type chosen.
Maximum state entries per host¶
This setting works similarly to the established count above, but it checks for state entries alone rather than tracking whether a successful connection was made.
Mixing IPv4 and IPv6 Addresses in Aliases¶
IPv4 and IPv6 addresses can be mixed inside an alias. The firewall will use the appropriate type of addresses when the alias is referenced in a specific rule.
Alias Types¶
OPNsense offers the following alias types:
Host(s): Single hosts by IP or fully qualified domain name, or host exclusions (starting with a “!” sign)
Network(s): An entire network, e.g. 192.168.1.1/24, or a network exclusion, e.g. !192.168.1.0/24
Port(s): Port numbers or a port range like 20:30
MAC address: A MAC address or partial MAC address like f4:90:ea
URL: A table of IP addresses that is fetched once
URL Table: A table of IP addresses that is fetched at regular intervals
GeoIP: Select countries or whole regions
Network group: Combine different network type aliases into one
Dynamic IPv6 Host: A host entry that will auto-update on a prefix change
External: Externally managed alias; this only handles the placeholder. Content is set from another source (plugin, API call, etc.)
URL Tables¶
URL tables can be used to fetch a list of IP addresses from a remote server. There are several IP lists available for free, most notably the “Don’t Route Or Peer” lists from Spamhaus.