Firewall Alias (external) and VERY BIG table file.

Started by ezraimanuel, November 06, 2018, 10:07:50 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 06, 2018, 10:07:50 PM
Hello, i see Firewall alias that has type "external", what is it and how to use it? i see no documentation for it..

1 more thing... i have this list of blocked IPs which i want to load (I used to do this in FreeBSD using table <blockip> persist file "/path/to/file" ... containing more than 150K IPs with 2MB size... i tried to load it in opnsense and timeout from web browser..... is there anyway i can do this from terminal?

thanks!
November 06, 2018, 10:51:57 PM #1
Hi,

External means you can fill it via API, won't be touched otherwise. There is no documentation, because it's an internal feature that you can use, but we cannot make guarantees about breaking its behaviour in the future.

IPv6 bogons are big, yes.

% ls -lah /usr/local/etc/bogons*
-rw-r--r--  1 root  wheel    48K Nov  3 12:40 /usr/local/etc/bogons
-rw-r--r--  1 root  wheel   132B Sep 23 10:24 /usr/local/etc/bogons.sample
-rw-r--r--  1 root  wheel   1.6M Nov  3 12:40 /usr/local/etc/bogonsv6
-rw-r--r--  1 root  wheel   860B Sep 23 10:24 /usr/local/etc/bogonsv6.sample

You can disable bogon usage under "Interfaces: [WAN]".


Cheers,
Franco
November 07, 2018, 08:07:55 AM #2
thank you for your reply :)

about "External means you can fill it via API", how can i do this? thanks :)
November 07, 2018, 12:11:28 PM #3
Docs are pending on the alias endpoints. I am not sure if anyone will write a tutorial, but there is a powershell tool
that is/will be supporting it:

https://forum.opnsense.org/index.php?topic=6813.0

Docs link for future reference:

https://docs.opnsense.org/development/api.html

In addition to that, the Nginx-Plugin is using the external alias in its own code if you want to look for programmatic inspirations:

https://github.com/opnsense/plugins/tree/master/www/nginx


Cheers,
Franco
November 07, 2018, 02:53:07 PM #4
thank you! i will look into it :)
November 07, 2018, 04:14:59 PM #5 Last Edit: November 07, 2018, 04:20:19 PM by ezraimanuel
by the way,

https://repo.polkam.go.id/firehol/attacks.netset
https://repo.polkam.go.id/firehol/malware.netset

those are my list of backlisted IPs, when i try to load it as alias in OPNsense from web gui it always give me timeout... please try it adding it from web gui

in my old FreeBSD i just put those as table <tablename> persist file "/path/to/file" .. and it's done. (current OPN has no option to load alias from file, i think this is important)

PS: python2.7 bumped to 100% CPU usage if i add those into alias

thank you!
November 07, 2018, 04:52:41 PM #6

November 08, 2018, 01:46:27 PM #7
can you try https://github.com/opnsense/core/commit/08bd6c717751f3ce1c4b160fed7b747a5fa7da6f ?

Code Select

opnsense-patch 08bd6c7


When deduplicating the retrieved addresses, the lookup was less performant it seemed.
November 09, 2018, 06:50:05 AM #8
Quote from: AdSchellevis on November 08, 2018, 01:46:27 PM
can you try https://github.com/opnsense/core/commit/08bd6c717751f3ce1c4b160fed7b747a5fa7da6f ?

Code Select

opnsense-patch 08bd6c7


When deduplicating the retrieved addresses, the lookup was less performant it seemed.

hello, I got this instead:

nothing shown on Type and any other selection fields. i already restart the webgui
November 09, 2018, 09:03:45 AM #9
Can't be related, the code in the patch has no relation the the ui. You can inspect the request/response in your browser, maybe that sheds some light on your issue.
Print
Go Up Pages1
User actions