Issue with network exclusions in alias maps

Started by derhelge, November 03, 2023, 09:25:08 AM

I use an alias map "firehol_level3" URL table connected to a rule on my interfaces. Unfortunately, github is blocked within this Blocklist from time to time. I have therefore created an alias map "Network group" "firehol_leve3_without_exclusions" , which contains two entries:
- firehol_leve3
- firehol_exclusions

"firehol_exclusions" is a network alias map. Its content is, e.g.:
!185.199.108.0/22, !185.199.111.133/32

The problem is that a connection to 185.199.111.133 is correctly possible, but a connection to 185.199.108.133 is blocked.

If I look at https://github.com/opnsense/core/issues/4318 on GitHub, this should be possible, as it was done there?

Thanks to @mimugmail, here is the answer:

The exception only works for existing addresses, meaning if 185.199.108.0/22 is actually an entry in Firehol, it would be removed from there. However, there is no scripting logic that takes out the entire network and checks whether individual entries fall into this net. Handling this in a dynamic list is unfortunately difficult.
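To make the difference concrete, here is an added example (not code from the post, not OPNsense's alias processing) that models both behaviours over a constructed blocklist: the exact-entry removal the answer describes, beside a containment-aware variant that removes every entry falling inside an excluded network. The blocklist entries and the helper names are assumptions for illustration; only the two GitHub addresses and the exclusion entries come from the post.

```python
import ipaddress

# Constructed sample data (not the real firehol_level3 list): a few entries in
# the style the blocklist uses, plus exclusions written the way the post writes
# them (a leading "!" marks an entry to remove).
BLOCKLIST = [
    "185.199.108.0/22",    # literally matches the first exclusion
    "185.199.108.133/32",  # inside 185.199.108.0/22, but a separate entry
    "185.199.111.133/32",  # literally matches the second exclusion
    "203.0.113.0/24",      # unrelated entry (TEST-NET-3)
]
EXCLUSIONS = ["!185.199.108.0/22", "!185.199.111.133/32"]


def parse_exclusions(entries):
    """Strip the leading '!' and parse each exclusion as a network."""
    nets = []
    for e in entries:
        e = e.strip()
        if e.startswith("!"):
            e = e[1:]
        nets.append(ipaddress.ip_network(e, strict=False))
    return nets


def exact_match_exclusion(blocklist, exclusions):
    """Behaviour described in the answer: only entries that literally equal an
    exclusion are removed; entries merely contained in an excluded net stay."""
    excluded = {str(n) for n in parse_exclusions(exclusions)}
    return [entry for entry in blocklist
            if str(ipaddress.ip_network(entry, strict=False)) not in excluded]


def subnet_aware_exclusion(blocklist, exclusions):
    """Containment-aware variant (hypothetical; the answer says this logic does
    not exist in the alias processing): drop every entry that is a subnet of,
    or equal to, an excluded network."""
    nets = parse_exclusions(exclusions)
    kept = []
    for entry in blocklist:
        net = ipaddress.ip_network(entry, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == ex.version and net.subnet_of(ex) for ex in nets):
            kept.append(entry)
    return kept


def is_blocked(blocklist, address):
    """Return True if the address matches any remaining blocklist entry."""
    ip = ipaddress.ip_address(address)
    for entry in blocklist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


if __name__ == "__main__":
    exact = exact_match_exclusion(BLOCKLIST, EXCLUSIONS)
    aware = subnet_aware_exclusion(BLOCKLIST, EXCLUSIONS)
    for label, remaining in (("exact-match", exact), ("subnet-aware", aware)):
        print(f"{label}: remaining entries {remaining}")
        for addr in ("185.199.111.133", "185.199.108.133"):
            state = "blocked" if is_blocked(remaining, addr) else "allowed"
            print(f"  {addr}: {state}")
```

Run as-is, the exact-match path reproduces the symptom in the post: 185.199.111.133 is allowed because its /32 entry is removed, while 185.199.108.133 stays blocked because the /32 entry for it never equals the excluded /22. The subnet-aware path is the behaviour the answer says would be needed for a network exclusion to cover a dynamic list, which is why a separate pass rule for the hosts you need is the practical workaround until the alias handling itself checks containment.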