Further to this post: https://forum.opnsense.org/index.php?topic=38501.msg188471#msg188471 (https://forum.opnsense.org/index.php?topic=38501.msg188471#msg188471)
I want to understand exactly why we cannot have more flexible Alias names that would match firewall object name formats found in many other enterprise firewall and network security systems (like Juniper SRX, Cisco FP/ASA, CheckPoint Firewalls, Fortigate Firewalls).
It makes no sense to me from a firewall rule/policy perspective that I can't use the period (.) or the hyphen ('-') characters in Alias names such that I could properly mimic a Fully Qualified Domain Name in the Alias name. It is common practise amongst professional firewall and network security engineers do use hostnames, IP addresses, FQDNs or a combination of those separated by underscores, periods and/or hyphens as the name of the object that is referred to in the policy.
The only thing I can conclude is, 'yes', Alias names become PF Macro names under the hood.
Someone correct me if I am wrong.
See https://forum.opnsense.org/index.php?topic=38501.0 and please stop opening threads for the same topic.
Cheers,
Franco
This was my final question of clarification on the matter, which I don't have an answer to:
"Does an Alias name get used as a pf MACRO name under the hood?"
- is that a Yes or a No?
I have raised the question in the FreeBSD forum, as I have deduced that the pf module in FreeBSD is what is leveraged underneath OPNsense.
I do appreciate your point on the business case. But although other's have claimed in this forum that OPNsense is really a professional product, I would argue it is not in the same league as Cisco, Juniper, CheckPoint, Fortinet, PaloAlto (having worked on these platforms for over 2 decades).
I am by no means an expert developer, but I do understand networking, firewalls, firewall technologies and firewall principles.
I like OPNsense, and I would like to help make it better. I just don't have the coding knowledge to do so, so I am doing what I can - making suggestions that, as a professional network security engineer, I believe would lift OPNsense to the same level as those other players.
I hope you can see that my intentions are for the benefit of all users.
Aliases in the UI create tables in pf. I could not find and explicit statement on what is allowed as a table name but the documentation says this about macros:
QuoteMacro names must start with a letter, and may contain letters, digits and underscores.
and this about tables:
QuoteTables can be defined with any of the following pfctl(8 ) mechanisms. As with macros, reserved words may not be used as table names.
So I suspect the same rules apply.
>- is that a Yes or a No?
Yes. If my hint to pf.conf wasn't clear enough the first time I'm sorry.
Cheers,
Franco
Thank you for clarifying, franco. I do appreciate that.
I apologize for not immediately understanding that earlier.
And thank you Peter Hausen also for your input. It is much appreciated.