2
0
mirror of https://github.com/opnsense/docs synced 2024-11-03 09:40:27 +00:00
opensense-docs/source/manual/aliases.rst

166 lines
5.5 KiB
ReStructuredText

=============
Using Aliases
=============
Aliases are named lists of networks, hosts or ports that can be used as one entity
by selecting the alias name in the various supported sections of the firewall.
These aliases are particularly useful to condense firewall rules and minimize
changes.
Aliases can be added, modified and removed via :menuselection:`Firewall --> Aliases`.
-----------
Alias Types
-----------
OPNsense offers the following alias types:
+------------+------------------------------------------------------+
| Type | Description |
+============+======================================================+
| Hosts | Single hosts by IP or Fully Qualified Domain Name |
+------------+------------------------------------------------------+
| Networks | Entire network p.e. 192.168.1.1/24 |
+------------+------------------------------------------------------+
| Ports | Port numbers or a port range like 20:30 |
+------------+------------------------------------------------------+
| URL Tables | A table of IP addresses that can be fetched |
+------------+------------------------------------------------------+
| GeoIP | Select countries or whole regions |
+------------+------------------------------------------------------+
-----
Hosts
-----
Hosts can be entered as a single IP address or a fully qualified domain name.
When using a fully qualified domain name, the name will we resolved periodically
(default is each 300 seconds).
Sample
Let's say we want to create an alias table for **www.youtube.com**
.. image:: images/aliases_host.png
:width: 100%
**Apply changes** and look at the content of our newly created pf table.
Go to :menuselection:`Firewall --> Diagnostics --> pfTables` and select our newly created youtube table.
.. image:: images/pftable_youtube.png
:width: 100%
As you can see there are multiple IP addresses for this domain.
--------
Networks
--------
Networks are specified in Classless Inter-Domain Routing format (CIDR). Use the
the correct CIDR mask for each entry. For instance a /32 specifies a single IPv4 host,
or /128 specifies a single IPv6 host, whereas /24 specifies 255.255.255.0 and
/64 specifies a normal IPv6 network.
-----
Ports
-----
Ports can be specified as a single number or a range using a colon **:**.
For instance to add a range of 20 to 25 one would enter 20:25 in the **Port(s)**
section.
----------
URL Tables
----------
URL tables can be used to fetch a list of IP addresses from a remote server.
There are several IP lists available for free, most notably are the "Don't Route
Or Peer" lists from Spamhaus.
.. _aliases-geoip:
-----
GeoIP
-----
With GeoIP alias you can select one or more countries or whole continents to block
or allow. Use the *toggle all* checkbox to select all countries within the given
region.
This feature was reworked with 17.7.7 and supersedes the GeoIP blocking via IPS.
.. image:: images/firewall_geoip_alias.png
:width: 100%
--------------
Import Feature
--------------
To quickly add a list of aliases OPNsense also offers an import feature, where
you can paste or enter a list in text format.
Common examples are lists of IPs, networks, blacklists, etc.
The list may contain IP addresses, with or without CIDR prefix, IP ranges,
blank lines (ignored) and an optional description after each IP. e.g.:
.. code::
172.16.1.2
172.16.0.0/24
10.11.12.100-10.11.12.200
192.168.1.254 Home router
10.20.0.0/16 Office network
10.40.1.10-10.40.1.19 Managed switches
Spamhaus
--------
The Spamhaus Don't Route Or Peer Lists
DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists,
consisting of netblocks that are "hijacked" or leased by professional spam or
cyber-crime operations (used for dissemination of malware, trojan downloaders,
botnet controllers). The DROP and EDROP lists are a tiny subset of the SBL,
designed for use by firewalls and routing equipment to filter out the malicious
traffic from these netblocks.
*Source :* https://www.spamhaus.org/drop/
Downloads
* `DROP list <https://www.spamhaus.org/drop/drop.txt>`__
* `EDROP list <https://www.spamhaus.org/drop/edrop.txt>`__
----------------------------------
Using Aliases in pf Firewall Rules
----------------------------------
Aliases can be used in the firewall rules to make administration of large lists
easy. For instance we could have a list of remote IPs that should have access to
certain services, when anything changes we only need to update the list.
Let's create a simple alias list and assume we have 3 remote IPs that may access
the ipsec server for a site to site tunnel connection:
* 192.168.100.1
* 192.168.200.2
* 192.168.300.3
.. image:: images/alias_remote_ipsec.png
:width: 100%
We call our list remote_ipsec and update our firewall rules accordingly.
.. image:: images/alias_firewall_rules.png
:width: 100%
Notice the list icon to identify a rule with an alias (list).
--------
Advanced
--------
For hosts it is possible to use lists in lists. Per example you could have:
* critical_servers {10.0.1.1 , 10.0.1.2}
* other_servers {10.0.1.100 , 10.0.1.200}
Then concatenate both by defining a new list:
* servers { critical_servers , other_servers}.
The end result will be a list with all IP addresses in one alias list (servers).
------------------------------
Configure DROP and EDROP lists
------------------------------
To setup the DROP and EDROP lists in combination with the firewall rules, read:
:doc:`how-tos/edrop`