ALIASES

Aliases allow you to group ports, hosts, or networks and refer to them by name in your firewall rules, NAT configuration and traffic shaper configuration. This allows you to create significantly shorter, self-documenting, and more manageable rulesets. Any box in the web interface with a red background is alias friendly.

Alias Sizing Concerns

The total size of all tables must fit in roughly half of Firewall Maximum Table Entries, which defaults to 200,000. If the maximum number of table entries is not large enough to contain all of your aliases, the rules may fail to load. See Firewall Maximum Table Entries for information on changing that value. The aliases must fit twice in the total area because of the way aliases are loaded and reloaded: the new list is loaded alongside the old list, and then the old one is removed. A similar limit is the Firewall Maximum Tables setting (Firewall Maximum Tables), which controls the total number of aliases and other tables you can have, such as lockout tables. The default is 3,000 and has the same restriction as the previous setting, so it effectively limits you to around 1,500 tables. Both values can be increased as much as you like, provided that you have sufficient RAM to hold the entries. The RAM usage is similar to, but less than, that of the state table; to be on the safe side, assume 1K per entry.

Alias Basics

Aliases are located at Firewall > Aliases. The screen is divided into separate tabs for each type of alias: IP, Ports, URLs, and the All tab, which shows every alias in one large list. When adding an alias, you can add it from any tab and it will be sorted into the correct location based on the type chosen. The following types of aliases can be created:

Host: aliases containing single IPs or hostnames.

Network: aliases containing CIDR-masked lists of networks, hostnames, IP ranges, or single IPs.

Port: aliases containing lists of port numbers or ranges of ports, for TCP or UDP.

URL: the alias is built from the file at the specified URL but is read only a single time, and then becomes a normal network type alias.

URL Table: the alias is built from the file at the specified URL and is periodically updated from the URL.

Each type is described in more detail throughout this section.

Host Aliases

Host aliases allow you to create groups of IP addresses. Figure Example Hosts Alias shows an example usage of a hosts alias to contain a list of public web servers.

[Figure: Example Hosts Alias]

Network Aliases

Network aliases allow you to create groups of networks or IP ranges. Single hosts can also be included in network aliases by selecting a /32 network mask for IPv4 addresses and /128 for IPv6 addresses. Figure Example Network Alias shows an example of a network alias.

[Figure: Example Network Alias]

You may use other host or network aliases to nest other aliases inside this entry. As described earlier, you can also use hostnames in the Network field; they will be resolved periodically and kept updated. You may also enter an IPv4 range, which will be translated to an equivalent set of IPv4 CIDR networks that exactly contain the provided range. As you can see in Figure Example IP Range After, the range is expanded when you save, and the resulting list of IPv4 CIDR networks matches exactly the range you requested, nothing more, nothing less.

[Figure: Example IP Range After]
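The two rules above, range expansion into exact CIDR blocks and the sizing limit from the Alias Sizing Concerns section, can be checked offline before an alias is saved. The following is an added example written for this page, not pfSense's own code: it uses Python's standard ipaddress module to expand an IPv4 range the same way the editor does, verifies that the blocks cover the range with nothing more and nothing less, and totals the entries of a set of constructed aliases against half of Firewall Maximum Table Entries. The alias names, addresses and the dictionary-of-lists input format are assumptions made for the example.

```python
import ipaddress

# Defaults quoted on the page: Firewall Maximum Table Entries is 200,000,
# and the page's rule of thumb for RAM is about 1K per table entry.
DEFAULT_MAX_TABLE_ENTRIES = 200_000
BYTES_PER_ENTRY = 1024


def expand_ipv4_range(start, end):
    """Translate an inclusive IPv4 range into the CIDR blocks that cover it
    exactly, which is what the alias editor does when a range is saved."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def covers_exactly(cidrs, start, end):
    """True when the CIDR list covers start..end with nothing more and
    nothing less: blocks are contiguous, do not overlap, and stop at end."""
    nets = sorted((ipaddress.ip_network(c) for c in cidrs),
                  key=lambda n: int(n.network_address))
    if not nets:
        return False
    expected_next = int(ipaddress.IPv4Address(start))
    for net in nets:
        if int(net.network_address) != expected_next:
            return False  # a gap, or an overlap with the previous block
        expected_next = int(net.broadcast_address) + 1
    return expected_next == int(ipaddress.IPv4Address(end)) + 1


def _as_range(entry):
    """Return (lo, hi) if the entry is an IPv4 range written as 'lo-hi',
    otherwise None (a hostname such as web-01.example.com also has a hyphen)."""
    if "-" not in entry:
        return None
    lo, hi = (part.strip() for part in entry.split("-", 1))
    try:
        return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))
    except ValueError:
        return None


def alias_entry_count(entries):
    """Table entries an alias occupies after saving: each host or network
    counts once, and a range counts once per CIDR block it expands to."""
    count = 0
    for entry in entries:
        rng = _as_range(entry)
        count += len(expand_ipv4_range(*rng)) if rng else 1
    return count


def check_alias_sizing(aliases, max_table_entries=DEFAULT_MAX_TABLE_ENTRIES):
    """Apply the sizing rule from the page: all aliases together must fit in
    roughly half of Firewall Maximum Table Entries, because the new list is
    loaded alongside the old one before the old one is removed."""
    total = sum(alias_entry_count(entries) for entries in aliases.values())
    budget = max_table_entries // 2
    return {
        "fits": total <= budget,
        "total_entries": total,
        "budget": budget,
        "ram_estimate_bytes": total * BYTES_PER_ENTRY,
    }


if __name__ == "__main__":
    # Constructed sample aliases, not taken from a real firewall.
    sample = {
        "WebServers": ["198.51.100.10", "198.51.100.11"],
        "LabRange": ["192.168.1.10-192.168.1.20"],
    }
    print(expand_ipv4_range("192.168.1.10", "192.168.1.20"))
    print(check_alias_sizing(sample))
```

Running it shows that 192.168.1.10 to 192.168.1.20 becomes four blocks (/31, /30, /30, /32), so a single range line costs four table entries, and that two country-sized lists of 45,000 and 60,000 entries already exceed the default budget of 100,000 even though neither exceeds the 200,000 maximum on its own.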

Port Aliases

Port aliases enable the grouping of ports and port ranges. The protocol is not specified in the alias, rather the firewall rule where you use the alias will define the protocol as TCP, UDP, or both. Figure Example Ports Alias shows an example of a ports alias.

[Figure: Example Ports Alias]

URL Aliases

With a URL alias, you specify a URL to a text file that contains a list of IP or CIDR-masked network entries. Multiple URLs may be entered. When you press Save, up to 3,000 entries from each URL are read from the file and imported into a network type alias.
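Because the list file is fetched from a remote source, it is worth seeing what the import has to tolerate and what it should refuse. The following is an added example, not pfSense's import code: it parses a constructed list file into alias entries, accepts only IP addresses and CIDR networks, reports rejected lines instead of dropping them silently, removes duplicates, and applies the 3,000-entries-per-URL limit from the paragraph above to each file separately before merging. The comment syntax ('#' and ';'), the acceptance of IPv6 entries, the SAMPLE_LIST contents and the example URLs are assumptions made for the example.

```python
import ipaddress

# The page states that up to 3,000 entries from each URL are imported.
URL_ALIAS_ENTRY_LIMIT = 3000

# Constructed sample of a fetched list file (not a real feed): comments,
# blank lines, a host, CIDR blocks, a duplicate and junk that must be rejected.
SAMPLE_LIST = """\
# constructed blocklist for demonstration
198.51.100.7
203.0.113.0/24      ; inline comment
203.0.113.0/24
2001:db8::/32
not-an-address
192.0.2.999
"""


def parse_alias_list(text, limit=URL_ALIAS_ENTRY_LIMIT):
    """Parse one downloaded list into network alias entries.

    Only IP addresses and CIDR networks are accepted. Anything else is
    reported with its line number rather than silently skipped, so that a
    typo or an unexpected change in the remote file is visible.
    Returns (entries, rejected, truncated)."""
    entries, rejected = [], []
    seen = set()
    truncated = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumed comment syntax: '#' or ';' starts a comment.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False so that host bits set in a CIDR entry do not fail.
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw.strip()))
            continue
        key = str(net)
        if key in seen:
            continue
        if len(entries) >= limit:
            truncated = True  # the rest of this URL is ignored, as per the 3,000 cap
            break
        seen.add(key)
        entries.append(key)
    return entries, rejected, truncated


def import_url_aliases(files, limit=URL_ALIAS_ENTRY_LIMIT):
    """Combine several URL list files into one network-type alias, applying
    the per-URL limit to each file separately. 'files' maps a URL to the
    text already fetched from it, so the function runs offline.
    Returns (merged_entries, per_url_report)."""
    merged = {}
    report = {}
    for url, text in files.items():
        entries, rejected, truncated = parse_alias_list(text, limit)
        report[url] = {
            "accepted": len(entries),
            "rejected": len(rejected),
            "truncated": truncated,
        }
        for entry in entries:
            merged.setdefault(entry, None)  # dict preserves order, drops duplicates
    return list(merged), report


if __name__ == "__main__":
    entries, rejected, truncated = parse_alias_list(SAMPLE_LIST)
    print(entries)
    print("rejected:", rejected, "truncated:", truncated)
```

Each rejected line is returned with its line number, which is what you would want to log before trusting a list that an external party controls; the truncated flag tells you when a feed has silently outgrown the 3,000-entry cap and a URL Table alias would be the better fit.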

URL Table Aliases

A URL Table alias behaves quite differently from the URL alias. For starters, it does not import the contents of the file into a normal alias. It downloads the contents of the file into a special place and uses the contents for what is called a persist table, also known as a file-based alias. The full contents of the alias are not directly editable in the GUI, but can be viewed in the Tables viewer (see Viewing the Contents of Tables). For a URL Table alias, the Update Freq. drop-down controls how many days may pass before the contents of the alias are re-fetched from the stored URL. When the time comes, the contents of the alias are updated overnight by a script that re-fetches the URL. URL Table aliases can be quite large, containing many thousands of entries. Some people use them to hold lists of all IP blocks in a given country or region, which can easily surpass 40,000 entries. The pfBlocker package uses this type of alias when handling country lists and similar actions. Currently, URL Table aliases cannot be nested.

Using Aliases

Any box with a red background will accept an alias. When you type the first letter of an alias into any such input box, a list of matching aliases is displayed. You can select the desired alias, or type its name out completely.

Note

Alias autocompletion is not case-sensitive, as of pfSense 2.0, but it is restricted by type. For example, a Network or Host alias will be listed in autocomplete for a Network field, but a Port alias will not; a Port alias can be used in a port field, but a Network alias will not be in the list. Figure Autocompletion of Hosts Alias shows how the WebServers alias configured as shown in Figure Example Hosts Alias can be used in the Destination field when adding or editing a firewall rule. Select “Single host or alias”, then type the first letter of the desired alias. Just type W and the alias appears as shown. Only aliases of the appropriate type are shown: for fields that require an IP address or subnet, only host and network aliases are shown; for fields that require ports, only port aliases are shown. If there were multiple aliases beginning with “W”, the drop-down list that appears would show all the matching aliases.

Figure Autocompletion of Ports Alias shows the autocompletion of the ports alias configured as shown in Figure Example Ports Alias. Again, if multiple aliases match the letter entered, all matching aliases of the appropriate type would be listed. Click on the desired alias to select it.