OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: derhelge on November 03, 2023, 09:25:08 AM

Title: Issue with network exclusions in alias maps
Post by: derhelge on November 03, 2023, 09:25:08 AM
I use a URL-table alias "firehol_level3" attached to a rule on my interfaces. Unfortunately, GitHub is blocked by this blocklist from time to time. I have therefore created a "Network group" alias "firehol_level3_without_exclusions", which contains two entries:
- firehol_level3
- firehol_exclusions

"firehol_exclusions" is a network alias. Its content is, e.g.:
!185.199.108.0/22, !185.199.111.133/32

The problem is that a connection to 185.199.111.133 is correctly possible, but a connection to 185.199.108.133 is blocked.

If I look at https://github.com/opnsense/core/issues/4318 on GitHub, this should be possible, as it was done there?
Title: Re: Issue with network exclusions in alias maps
Post by: derhelge on November 13, 2023, 08:47:47 AM
Thanks to @mimugmail, here is the answer:

The exception only works for existing addresses, meaning if 185.199.108.0/22 is actually an entry in FireHOL, it would be removed from there. However, there is no scripting logic that takes out the entire network and checks whether individual entries fall within that network. Handling this in a dynamic list is unfortunately difficult.
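To make the behaviour described in the reply concrete, here is an added example (not OPNsense's alias code, and not posted by anyone in the thread) that models the two possible semantics of a negated alias entry side by side. The blocklist content is a constructed sample, not the real firehol_level3 feed; the exclusion string is the one from the first post. `resolve_exact` models what the reply describes (a `!x` entry removes only an identical entry), while `resolve_by_containment` is the behaviour the poster expected, included for comparison only; it is an assumption about what "should" happen, not a feature of the product.

```python
import ipaddress
import re

# Constructed sample of a URL-table blocklist (NOT the real firehol_level3 feed).
BLOCKLIST_SAMPLE = """185.199.108.133/32
185.199.111.133/32
203.0.113.0/24"""

# Exclusion alias content as given in the first post; negated entries start with "!".
EXCLUSIONS = "!185.199.108.0/22, !185.199.111.133/32"


def parse_alias(text):
    """Split alias content (newline- or comma-separated) into include and exclude networks."""
    include, exclude = [], []
    for raw in re.split(r"[,\s]+", text.strip()):
        if not raw:
            continue
        target = exclude if raw.startswith("!") else include
        target.append(ipaddress.ip_network(raw.lstrip("!"), strict=False))
    return include, exclude


def resolve_exact(include, exclude):
    """Exact-match exclusion, as described in the reply:
    a '!x' entry removes an entry only if it is identical to x."""
    drop = set(exclude)
    return [n for n in include if n not in drop]


def resolve_by_containment(include, exclude):
    """Containment-aware exclusion (assumed 'expected' behaviour, not what the
    reply says OPNsense does): drop every entry that lies inside a '!x' network."""
    return [
        n for n in include
        if not any(n.version == x.version and n.subnet_of(x) for x in exclude)
    ]


def is_blocked(table, ip):
    """Would a block rule using this resolved table match the given address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in table)


def build_tables():
    """Merge the two aliases like a 'Network group' and resolve them both ways."""
    inc_b, exc_b = parse_alias(BLOCKLIST_SAMPLE)
    inc_e, exc_e = parse_alias(EXCLUSIONS)
    include, exclude = inc_b + inc_e, exc_b + exc_e
    return resolve_exact(include, exclude), resolve_by_containment(include, exclude)


if __name__ == "__main__":
    exact, contained = build_tables()
    for ip in ("185.199.111.133", "185.199.108.133", "203.0.113.7"):
        print(f"{ip:16} exact-match: {'blocked' if is_blocked(exact, ip) else 'allowed':8} "
              f"containment: {'blocked' if is_blocked(contained, ip) else 'allowed'}")
```

Running it reproduces the symptom from the first post: under exact-match semantics 185.199.111.133 is allowed (its /32 is removed) while 185.199.108.133 stays blocked, because the table has no entry literally equal to 185.199.108.0/22. Only the containment-aware resolution removes the more specific /32 as well, which is the logic the reply says does not exist for dynamic lists. The practical consequence is that exclusions for a URL-table alias have to be written per entry as they appear in the feed, or the affected traffic has to be allowed by a separate, earlier pass rule instead.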