[SOLVED] Are Aliases names translated to pf.conf MACRO names when saving config?

Started by skatopn, March 05, 2024, 05:55:15 AM

Further to this post: https://forum.opnsense.org/index.php?topic=38501.msg188471#msg188471

I want to understand exactly why we cannot have more flexible Alias names that would match firewall object name formats found in many other enterprise firewall and network security systems (like Juniper SRX, Cisco FP/ASA, CheckPoint Firewalls, Fortigate Firewalls).

It makes no sense to me from a firewall rule/policy perspective that I can't use the period (.) or the hyphen ('-') characters in Alias names such that I could properly mimic a Fully Qualified Domain Name in the Alias name. It is common practice amongst professional firewall and network security engineers to use hostnames, IP addresses, FQDNs or a combination of those separated by underscores, periods and/or hyphens as the name of the object that is referred to in the policy.

The only thing I can conclude is, 'yes', Alias names become PF Macro names under the hood.

Someone correct me if I am wrong.


This was my final question of clarification on the matter, which I don't have an answer to:

"Does an Alias name get used as a pf MACRO name under the hood?"
- is that a Yes or a No?

I have raised the question in the FreeBSD forum, as I have deduced that the pf module in FreeBSD is what is leveraged underneath OPNsense.

I do appreciate your point on the business case. But although others have claimed in this forum that OPNsense is really a professional product, I would argue it is not in the same league as Cisco, Juniper, CheckPoint, Fortinet, PaloAlto (having worked on these platforms for over 2 decades).

I am by no means an expert developer, but I do understand networking, firewalls, firewall technologies and firewall principles.

I like OPNsense, and I would like to help make it better. I just don't have the coding knowledge to do so, so I am doing what I can - making suggestions that, as a professional network security engineer, I believe would lift OPNsense to the same level as those other players.

I hope you can see that my intentions are for the benefit of all users.

Aliases in the UI create tables in pf. I could not find an explicit statement on what is allowed as a table name but the documentation says this about macros:

> Macro names must start with a letter, and may contain letters, digits and underscores.

and this about tables:

> Tables can be defined with any of the following pfctl(8) mechanisms. As with macros, reserved words may not be used as table names.

So I suspect the same rules apply.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
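
Added example, not part of any post in this thread and not OPNsense code: a sketch that applies the macro-name rule quoted above when object names from another firewall are carried over as alias names, and flags collisions created by replacing `.` and `-` with `_`. It assumes table names follow the same rule, as the post suspects; the function names, the `h_` prefix and `RESERVED_SUBSET` (a partial list of pf.conf keywords) are hypothetical.

```python
import re

# Rule quoted above from the pf.conf documentation for macro names.
PF_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

# Assumption: a partial, illustrative subset of pf.conf keywords, not the full list.
RESERVED_SUBSET = {"pass", "block", "table", "from", "to", "in", "out",
                   "on", "all", "any", "quick", "proto"}


def is_valid_name(name: str) -> bool:
    """True if name satisfies the quoted rule and is not in the reserved subset."""
    return bool(PF_NAME_RE.fullmatch(name)) and name.lower() not in RESERVED_SUBSET


def to_alias_name(obj_name: str, prefix: str = "h_") -> str:
    """Map an FQDN/IP-style object name to a name that passes is_valid_name()."""
    candidate = re.sub(r"[^A-Za-z0-9_]", "_", obj_name)
    # Names starting with a digit or underscore, empty names and reserved
    # words get a letter-led prefix (hypothetical convention).
    if (not candidate or not candidate[0].isalpha()
            or candidate.lower() in RESERVED_SUBSET):
        candidate = prefix + candidate
    return candidate


def plan_migration(obj_names):
    """Return (mapping, collisions); collisions maps an alias to all its sources."""
    mapping, owners = {}, {}
    for src in obj_names:
        alias = to_alias_name(src)
        mapping[src] = alias
        owners.setdefault(alias, []).append(src)
    collisions = {a: s for a, s in owners.items() if len(s) > 1}
    return mapping, collisions


# Constructed sample object names in the styles mentioned in the thread.
SAMPLE = ["web-01.example.com", "web_01.example.com", "10.0.0.5",
          "db.example.com", "any"]

if __name__ == "__main__":
    mapping, collisions = plan_migration(SAMPLE)
    for src, alias in mapping.items():
        print(f"{src:22} -> {alias:22} valid={is_valid_name(alias)}")
    for alias, sources in collisions.items():
        print(f"COLLISION {alias}: {sources}")
```

A collision means two distinct source objects would share one alias name, so a rule written for one host would silently apply to the other; resolve these by hand before importing.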

>- is that a Yes or a No?

Yes. If my hint to pf.conf wasn't clear enough the first time I'm sorry.


Cheers,
Franco

Thank you for clarifying, franco. I do appreciate that.
I apologize for not immediately understanding that earlier.

And thank you Peter Hausen also for your input. It is much appreciated.