Firewall Alias (external) and VERY BIG table file.

[ezraimanuel]

Hello, i see Firewall alias that has type "external", what is it and how to use it? i see no documentation for it..

1 more thing... i have this list of blocked IPs which i want to load (I used to do this in FreeBSD using table <blockip> persist file "/path/to/file" ... containing more than 150K IPs with 2MB size... i tried to load it in opnsense and timeout from web browser..... is there anyway i can do this from terminal?

thanks!

[franco]

Hi,

External means you can fill it via API, won't be touched otherwise. There is no documentation, because it's an internal feature that you can use, but we cannot make guarantees about breaking its behaviour in the future.

IPv6 bogons are big, yes.

% ls -lah /usr/local/etc/bogons*
-rw-r--r--  1 root  wheel    48K Nov  3 12:40 /usr/local/etc/bogons
-rw-r--r--  1 root  wheel   132B Sep 23 10:24 /usr/local/etc/bogons.sample
-rw-r--r--  1 root  wheel   1.6M Nov  3 12:40 /usr/local/etc/bogonsv6
-rw-r--r--  1 root  wheel   860B Sep 23 10:24 /usr/local/etc/bogonsv6.sample

You can disable bogon usage under "Interfaces: [WAN]".


Cheers,
Franco

[ezraimanuel]

thank you for your reply

about "External means you can fill it via API", how can i do this? thanks

[franco]

Docs are pending on the alias endpoints. I am not sure if anyone will write a tutorial, but there is a powershell tool
that is/will be supporting it:

https://forum.opnsense.org/index.php?topic=6813.0

Docs link for future reference:

https://docs.opnsense.org/development/api.html

In addition to that, the Nginx-Plugin is using the external alias in its own code if you want to look for programmatic inspirations:

https://github.com/opnsense/plugins/tree/master/www/nginx


Cheers,
Franco

[ezraimanuel]

thank you! i will look into it

[ezraimanuel]

by the way,

https://repo.polkam.go.id/firehol/attacks.netset
https://repo.polkam.go.id/firehol/malware.netset

those are my list of backlisted IPs, when i try to load it as alias in OPNsense from web gui it always give me timeout... please try it adding it from web gui

in my old FreeBSD i just put those as table <tablename> persist file "/path/to/file" .. and it's done. (current OPN has no option to load alias from file, i think this is important)

PS: python2.7 bumped to 100% CPU usage if i add those into alias

thank you!

[ezraimanuel]

[AdSchellevis]

can you try https://github.com/opnsense/core/commit/08bd6c717751f3ce1c4b160fed7b747a5fa7da6f ?

Code: [Select]

opnsense-patch 08bd6c7

When deduplicating the retrieved addresses, the lookup was less performant it seemed.

[ezraimanuel]

can you try https://github.com/opnsense/core/commit/08bd6c717751f3ce1c4b160fed7b747a5fa7da6f ?

Code: [Select]

opnsense-patch 08bd6c7

When deduplicating the retrieved addresses, the lookup was less performant it seemed.

hello, I got this instead:

nothing shown on Type and any other selection fields. i already restart the webgui

[AdSchellevis]

Can't be related, the code in the patch has no relation the the ui. You can inspect the request/response in your browser, maybe that sheds some light on your issue.