Revision as of 08:30, 29 May 2021
== Overview ==
In an ideal world you would write firewall rules that target specific source IP addresses. Unfortunately, many cloud services publish multiple large IP ranges that change over time, which makes static aliases a pain to maintain. This article shows how to create dynamic IP aliases in OPNsense.
== Aliases ==
Aliases are very powerful. Besides assigning friendly names to IPs, networks, MAC addresses, URLs, domains and so on, you can nest aliases inside one another and then reference the resulting alias in your firewall rules. Here we focus on URL Tables, which build an alias of IPs and/or networks from a URL that is fetched again at a configured interval, so the alias stays current without manual edits.
== URL Tables ==
Firewall -> Aliases, then Create (+ icon). Create the two URL Table aliases first, then the nested alias that groups them. The Type for a list fetched from a URL is URL Table (IPs); that type also exposes a Refresh Frequency (days and hours) that controls how often the list is re-downloaded, so pick an interval short enough that range changes are picked up before they break anything.

{| class="wikitable"
|-
| Enabled || [X]
|-
| Name || CloudFlare_IPv4
|-
| Type || URL Table (IPs)
|-
| Content || https://www.cloudflare.com/ips-v4
|-
| Statistics || [ ]
|-
| Description || CloudFlare IPv4 Address List
|}

{| class="wikitable"
|-
| Enabled || [X]
|-
| Name || CloudFlare_IPv6
|-
| Type || URL Table (IPs)
|-
| Content || https://www.cloudflare.com/ips-v6
|-
| Statistics || [ ]
|-
| Description || CloudFlare IPv6 Address List
|}

{| class="wikitable"
|-
| Enabled || [X]
|-
| Name || CloudFlare_IPs
|-
| Type || Network(s)
|-
| Content || CloudFlare_IPv4, CloudFlare_IPv6
|-
| Statistics || [ ]
|-
| Description || CloudFlare IP Ranges
|}
The last alias is a nested Network(s) alias that contains both URL Tables. You can now reference CloudFlare_IPs as the source or destination of a firewall rule. To confirm what has actually been loaded into pf, run <code>pfctl -t CloudFlare_IPs -T show</code> from the firewall shell; an empty table means the lists have not been fetched yet or the fetch failed, and rules that reference the alias will match nothing.
== Security ==
Only reference URL Tables from a source you trust. If the URL's DNS is hijacked or its content is modified by an attacker, they can substitute their own addresses into your firewall rules. Use an HTTPS URL so the fetch authenticates the server's identity and an on-path attacker cannot simply rewrite the list in transit. Bear in mind, too, that a list such as Cloudflare's covers every site proxied through Cloudflare, so a rule that allows those ranges admits traffic from any Cloudflare customer; the origin should still authenticate the proxy itself (for example with Cloudflare's Authenticated Origin Pulls) rather than trusting the source address alone.
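The kind of check the section above argues for, as an added example that is not part of the original article and not OPNsense code: a small Python script that vets a fetched list before it is trusted, rejecting lines that are not addresses, flagging entries that must never come from a public-cloud list (a default route, private or loopback ranges), and reporting drift between the upstream list and what pf has actually loaded. The upstream text and the <code>pfctl -t CloudFlare_IPs -T show</code> output it compares against are constructed samples embedded in the script (the sample prefixes stand in for the real Cloudflare lists); the function names are this example's own.

```python
"""Vet a URL Table list before trusting it in firewall rules.

Added example; not from the original article and not OPNsense code.
Inputs are constructed samples: the upstream list text (standing in for
https://www.cloudflare.com/ips-v4 and /ips-v6) and the output of
`pfctl -t CloudFlare_IPs -T show` on the firewall.
"""
import ipaddress

# Constructed sample of a fetched list: three well-formed prefixes plus
# three lines a tampered or broken list might contain.
SAMPLE_UPSTREAM = """\
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
# comment line, ignored
0.0.0.0/0
10.0.0.0/8
not-an-address
"""

# Constructed sample of what pf has actually loaded for the alias
# (`pfctl -t CloudFlare_IPs -T show`): one prefix missing, one extra.
SAMPLE_PF_TABLE = """\
   173.245.48.0/20
   103.21.244.0/22
   198.51.100.0/24
"""


def parse_list(text):
    """Split list text into (networks, rejected_lines).

    Blank lines and '#' comments are skipped. Anything that is not a valid
    IPv4/IPv6 address or CIDR is reported rather than silently dropped,
    because a list that suddenly contains garbage is itself a warning sign.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw.strip())
    return nets, rejected


def is_dangerous(net):
    """True for entries that must never be admitted via a public-cloud list:
    a default route (which turns an allow rule into allow-any) or any
    private, loopback, link-local or multicast range."""
    return (net.prefixlen == 0 or net.is_private or net.is_loopback
            or net.is_link_local or net.is_multicast)


def vet_list(upstream_text, pf_output):
    """Compare the upstream list with the loaded pf table and return a report."""
    nets, rejected = parse_list(upstream_text)
    dangerous = [n for n in nets if is_dangerous(n)]
    accepted = [n for n in nets if n not in dangerous]
    loaded, _ = parse_list(pf_output)
    missing = sorted(str(n) for n in set(accepted) - set(loaded))
    unexpected = sorted(str(n) for n in set(loaded) - set(accepted))
    return {
        "accepted": [str(n) for n in accepted],
        "rejected": rejected,
        "dangerous": [str(n) for n in dangerous],
        "missing_from_pf": missing,        # upstream lists it, pf has not loaded it
        "unexpected_in_pf": unexpected,    # pf has it, upstream does not list it
        "ok": not (rejected or dangerous or missing or unexpected),
    }


if __name__ == "__main__":
    # On a real firewall, replace the samples with the fetched list text and
    # the output of: pfctl -t CloudFlare_IPs -T show
    report = vet_list(SAMPLE_UPSTREAM, SAMPLE_PF_TABLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the samples, the report rejects <code>not-an-address</code>, flags <code>0.0.0.0/0</code> and <code>10.0.0.0/8</code>, and shows the IPv6 prefix missing from pf and an unrelated <code>198.51.100.0/24</code> present in it; any non-empty list in the report is a reason not to trust the alias until you have looked at the upstream source.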