From LedHed's Wiki
Revision as of 08:39, 29 May 2021 by Ledhed (Talk | contribs)


Overview

In an ideal world you would create firewall rules that target specific source IP addresses. Unfortunately, many cloud services use multiple large IP ranges that change over time, which makes static Aliases a pain to manage. This article shows you how to create dynamic IP Aliases in OPNsense.

Aliases

Aliases are very powerful. In addition to assigning friendly names to IPs, networks, MAC addresses, URLs, domains, etc., you can nest Aliases and then reference the nested Alias in your firewall rules. Here we will focus on 'URL Tables', which let you build an Alias of IPs and/or networks from a URL, refreshed at a given interval, making the Alias dynamic and resilient to changes.

URL Tables

Firewall -> Aliases
Create (+ Icon)

Enabled [X]
Name CloudFlare_IPv4
Type Host(s)
Content https://www.cloudflare.com/ips-v4
Statistics [ ]
Description CloudFlare IPv4 Address List


Enabled [X]
Name CloudFlare_IPv6
Type Host(s)
Content https://www.cloudflare.com/ips-v6
Statistics [ ]
Description CloudFlare IPv6 Address List


Enabled [X]
Name CloudFlare_IPs
Type Network(s)
Content CloudFlare_IPv4 CloudFlare_IPv6
Statistics [ ]
Description CloudFlare IP Ranges

The last Alias is a nested Network Alias that uses both URL Tables. Now you can reference 'CloudFlare_IPs' in your source or destination rules.


Security

Make sure the URL Table you reference comes from a source you trust. If the URL is DNS hijacked, or its content is modified by an attacker, they could substitute their own IP addresses into your firewall rules. It's highly advised to use an HTTPS URL so you can verify the identity of the server and make Man-in-the-Middle attacks more difficult.
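As an added example (not from this article or from OPNsense), the kind of sanity check a fetch script could run on a downloaded list before handing it to the alias, so that a tampered or broken feed does not silently widen your rules. The sample table, the prefix-length limits, the minimum entry count and the previous-count comparison are all assumptions made for this example.

```python
import ipaddress

# Constructed sample of an IPv4 URL table body: two entries of the shape the
# Cloudflare list publishes, followed by entries a tampered or broken feed
# could contain (a catch-all prefix, a private range, a bare host, garbage).
SAMPLE_IPV4_TABLE = """173.245.48.0/20
103.21.244.0/22
0.0.0.0/0
10.0.0.0/8
104.16.0.1
not-an-address
"""

# Hypothetical policy limits chosen for this example (not OPNsense settings).
MIN_PREFIXLEN = {4: 8, 6: 16}   # anything broader than this is suspicious
MIN_ENTRIES = 2                 # a near-empty list usually means a broken fetch


def parse_url_table(text, version):
    """Parse a URL table body into ip_network objects.

    Returns (accepted, rejected); rejected holds (line, reason) pairs.
    Blank lines and '#' comments are skipped; bare hosts become /32 or /128.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not a valid address or network"))
            continue
        if net.version != version:
            rejected.append((line, "wrong IP version for this table"))
        elif net.prefixlen < MIN_PREFIXLEN[version]:
            rejected.append((line, "prefix too broad"))
        elif net.is_private or net.is_loopback or net.is_link_local:
            rejected.append((line, "non-public range"))
        else:
            accepted.append(net)
    return accepted, rejected


def table_is_safe(text, version, previous_count=None):
    """Decide whether a fetched table may replace the alias contents.

    Refuses tables with any rejected entry, with too few entries, or that
    shrank to less than half of the previous run (previous_count is state
    the caller would persist between fetches; hypothetical here).
    """
    accepted, rejected = parse_url_table(text, version)
    if rejected or len(accepted) < MIN_ENTRIES:
        return False
    if previous_count and len(accepted) < previous_count // 2:
        return False
    return True
```

A fetch script would only write the accepted entries to the alias when `table_is_safe` returns True, and keep the previous list (and alert) otherwise.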


Reference

https://docs.opnsense.org/manual/how-tos/edrop.html

https://www.cloudflare.com/ips/