[SOLVED] Alias exclusions

Started by Fright, September 01, 2020, 12:01:21 PM

September 01, 2020, 12:01:21 PM Last Edit: September 06, 2020, 09:41:25 PM by Fright
Hi!
Suppose I want to use a FireHOL list with exceptions (I need some subnets due to a creepy network configuration). Is there an OOB solution for this, or do I need to make crutches? I haven't found anything, and it doesn't seem like there was one.
thanks!

I would also like to see that as THE OTHER FW has that feature in the firewall NG package - override a dynamic list IP.

What I have done is create a pass rule with some aliases and put it in front of the FireHOL block rule. Yes, normally you want all blocks first, but this is the way to override a block. Make sure the rules are set with QUICK, otherwise it will go to the last rule in the chain. This works well if you use firehol1 on the internetwork, as RFC1918 is in that ruleset. But firehol2 and 3 do not have RFC1918.



Yes, you can always place a "pass" rule before the "block" to "whitelist" something.
But it makes the configuration more complex.
I don't want to allow "everything" to these subnets/hosts, so I must take into account and remember all the protocols I deal with and write the appropriate "whitelist" rules.

September 02, 2020, 09:02:33 AM #3 Last Edit: September 02, 2020, 09:06:11 AM by Fright
The fact is that pf supports exceptions in tables (the "!" sign before the address). I checked (slightly changed alias.py and filter_tables.conf) and I managed to make a combined ("Network group") alias (FireHOL URLTables(IP) + exclusions alias), and it works.
The question is whether many people need it and whether the core team will agree to make such changes
(and changes in the GUI).

I would really welcome that solution.
Example: You want to use FireHOL List 1 today as a block all rule, you always have to be veeeeery careful to not shoot yourself in the foot because it also blocks any private IP ranges, which is not always desired.

+1 from my end

Cheers
Juri

September 03, 2020, 08:34:28 AM #5 Last Edit: September 03, 2020, 10:49:05 AM by Fright
For future reference:
https://github.com/opnsense/core/issues/4318
Ad Schellevis replied that "no promises, but it's something we might add in a future version."
For myself, I made changes in 3 files (AliasContentField.php, alias.py, update_tables.py). Everything works as expected.
I made two aliases: hosts_exclude (our remote branches' public IPs etc.) and subnets_exclude (some private subnets that we are using).
Made a "Network group" type alias and included the FireHOL_Level1, hosts_exclude and subnets_exclude aliases in it. Everything is working.
Only one issue: the Find Reference button in Diagnostics-pfTables no longer works. I'm too lazy to rewrite find_table_references.py right now to work with pfctl (now it manually inspects strings in all tables). I am finding references through SSH.
Upd.: edited find_table_references.py.
IP<->tables reference search in the GUI works again and displays the results correctly.
No issues.
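To show what the "!" exclusion described in this thread actually does, here is an added example (not OPNsense code and not the poster's patch) that emulates pf's table lookup rule: the most specific matching entry decides, and if that entry is negated the address is not in the table. The blocklist entries and the hosts_exclude/subnets_exclude contents are constructed sample values.

```python
import ipaddress

def build_network_group(blocklists, exclusions):
    """Flatten a 'Network group' style alias into pf table entries:
    blocklist networks as-is, exclusion networks prefixed with '!'."""
    entries = [str(ipaddress.ip_network(n, strict=False)) for n in blocklists]
    entries += ["!" + str(ipaddress.ip_network(n, strict=False)) for n in exclusions]
    return entries

def parse_table(entries):
    """Parse pf table entries; a leading '!' marks a negated (excluded) entry."""
    table = []
    for raw in entries:
        raw = raw.strip()
        negated = raw.startswith("!")
        table.append((ipaddress.ip_network(raw.lstrip("!"), strict=False), negated))
    return table

def table_matches(table, address):
    """Emulate pf: among all entries containing the address, the one with the
    longest prefix wins; the address matches only if that entry is not negated."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, negated in table:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    return best is not None and not best[1]

# Constructed sample: FireHOL level1 carries RFC1918 space (hence the
# "shoot yourself in the foot" problem); 198.51.100.0/24 stands in for a
# listed public range. Exclusions mirror subnets_exclude and hosts_exclude.
FIREHOL_SAMPLE = ["10.0.0.0/8", "192.168.0.0/16", "198.51.100.0/24"]
SUBNETS_EXCLUDE = ["10.20.0.0/16"]          # private subnet we actually use
HOSTS_EXCLUDE = ["198.51.100.7/32"]         # a remote branch's public IP

def blocked(address):
    """True if the combined alias would block this address."""
    table = parse_table(build_network_group(FIREHOL_SAMPLE,
                                            SUBNETS_EXCLUDE + HOSTS_EXCLUDE))
    return table_matches(table, address)

if __name__ == "__main__":
    for ip in ["10.1.2.3", "10.20.5.6", "198.51.100.7", "198.51.100.8", "8.8.8.8"]:
        print(ip, "blocked" if blocked(ip) else "passes")
```

Feeding the `build_network_group` output to `pfctl -t <name> -T replace` would load the same negated entries the poster's modified alias.py produced.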


Good news!
Ad Schellevis has already made the changes and added the Alias exclusions feature.
Thanks again for the quick responses and patience :)

Yay, I can finally replace my FireHOL List 3 with List 1, without having to create a super complicated firewall rule set.

Thanks @AdSchellevis  :)