Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
=== Lesson 1: Aliases in pfSense ===
<span id="what-are-aliases-in-pfsense"></span>
===== What are Aliases in pfSense? =====
Aliases in '''pfSense''' are placeholders that can represent:
* IP addresses
* Networks
* Ports
* URLs

For example, instead of having to make a separate NAT & firewall rule to open port 993 for 8.8.8.8, 9.9.9.9, 10.10.10.10, etc., I can make ONE firewall rule and enter the “alias” I created into the field where I would usually put an IP. I’d create an alias for those three IPs. The cool part about this is that if I ever want to add or remove one of those IPs, I don’t have to change, delete or add firewall rules. I just change my alias.

<span id="practical-example"></span>
===== Practical example: =====
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_942c4249.png
</gallery>
* If you’re using a service like Freshdesk (CRM system):
** Freshdesk needs to connect to your mail server
** You don’t want to give Freshdesk VPN access
** Freshdesk doesn’t have VPN access anyway
* Here’s how you can handle this situation:
** Add their IPs to your alias
** Only those IPs will see your mail server
** Everyone else gets blocked before even seeing the service
* Using aliases this way means:
** Your mail server is invisible to random internet traffic
** Only trusted IPs can even attempt a connection
** Much more secure than opening ports to everyone

<blockquote>'''IMPORTANT:''' While port 25 needs to be open to the world for receiving email, other mail-related ports (587, 993, etc.) should only be open to trusted IPs or VPN users.</blockquote>

Let’s say I am making firewall rules to allow Freshdesk customer service software to access my email system. Can you imagine making a firewall rule for EACH of these individually? Can you imagine having to add all of those IPs as their own separate rules, or having to update them all each time Freshdesk’s IPs changed? That would be a nightmare!

Aliases allow us to add all of these IP addresses to a single thing called ''“freshdesk IP addresses”'' – then, all we have to do is make a firewall rule with ''“freshdesk IP addresses”'' as the source or destination, rather than a bunch of rules for each individual IP.

<span id="benefits-of-using-aliases"></span>
===== Benefits of Using Aliases =====
# '''Simplification''': Instead of entering “192.168.5.3” into a firewall rule, once I have set up a “mailserver” alias that points to the mailserver, I can just enter “mailserver”.
# '''I can add to it!''' Let’s say I have 1 smart television in my house. I want to block it from going onto the internet to ''anything'' besides a single Netflix IP address, so I add a firewall rule to block it from going online to anything besides the Netflix IP address. Let’s say my family buys 3 more smart TVs… I don’t want to set up a new set of firewall rules each time. Aliases allow me to add '''''multiple IP addresses to a single alias!''''' Instead of having to make 5 new sets of rules, I can keep my existing firewall rules as they are, and simply add the new IP addresses to the alias.
# '''Maintainability''': When you need to update multiple firewall rules, you can just update the alias instead of each individual rule.
# '''Readability''': Aliases make firewall rules more understandable by using descriptive names instead of raw IP addresses or port numbers.

<span id="wtf-openvpn-was-set-up-so-we-dont-open-ports-why-are-we-talking-about-opening-ports"></span>
===== WTF? OpenVPN was set up so we DON’T open ports; why are we talking about opening ports? =====
If you are accessing your mailserver using OpenVPN (AS YOU SHOULD), this doesn’t matter. You will be opening port 25 to the world so you can receive email, but the rest of the ports are ONLY NECESSARY IF YOU WANT CLIENTS WHO ARE NOT CONNECTING TO YOUR VPN TO BE ABLE TO LOG INTO AN EMAIL ACCOUNT AND READ THEIR MAIL AND SEND MAIL ON YOUR MAILSERVER!!! Plus, the self-hosted phone system is going to require that we allow some external IPs belonging to our SIP trunking provider (the thing that lets you receive & send calls to other phones outside your house) to access our server anyway, so you might as well learn about aliases now.

<span id="how-to-set-up-aliases-in-pfsense"></span>
==== How to Set Up Aliases in pfSense ====
<span id="accessing-the-aliases-page"></span>
===== 5.1.1 Accessing the Aliases Page =====
# Log into the '''pfSense''' web interface.
# Navigate to '''Firewall > Aliases'''.
# Click '''Add'''.

<span id="creating-an-alias"></span>
===== 5.1.2 Creating an Alias =====
# In the Name field, enter a descriptive name for your alias (e.g., “WebServers” or “BlockedIPs”).
# Select the Type of alias you want to create:
#* Host: For single IP addresses
#* Network: For subnets
#* Port: For port numbers
#* URL: For lists of IPs or networks from a URL
# In the Description field, enter a brief explanation of the alias’s purpose. Here, I would enter <code>mailserver</code>.
# In the Content box, enter the values for your alias:
#* For IP aliases: Enter IP addresses, one per line, such as our mailserver at <code>192.168.5.2</code>.

<span id="using-aliases-in-firewall-rules"></span>
===== 5.1.3 Using Aliases in Firewall Rules =====
# Go to '''Firewall > NAT'''.
# Add a new rule or edit an existing one.
# In the source or destination fields, you can now select your alias from the drop-down menu.
# For port fields, you can select port aliases.

Example rule using aliases:
* '''Action''': Pass
* '''Interface''': WAN
* '''Source''': Any
* '''Destination''': WebServers (alias)
* '''Destination Port''': WebPorts (alias)

This rule allows incoming traffic to the IP addresses defined in the <code>WebServers</code> alias on the ports defined in the <code>WebPorts</code> alias.
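To make the alias idea concrete, here is an added toy model (not code from this wiki or from pfSense) of how a rule set like the one in this lesson is evaluated: port 25 open to the world, the mail client ports only for a Freshdesk alias, first matching rule wins. The alias names, the sample addresses (RFC 5737 test ranges) and the rule table are constructed; the point is that adding an address to the alias changes the outcome without touching any rule.

```python
"""Toy model of pfSense-style aliases resolved inside firewall rules.

Added example, not code from the FUTO wiki or from pfSense itself. Alias
names, addresses and rules below are constructed for illustration.
"""
import ipaddress

# Constructed alias definitions, in the shape of the pfSense Content box:
# one host/network or one port per line.
ALIASES = {
    "mailserver": ["192.168.5.2"],                          # type Host
    "freshdesk_ips": ["203.0.113.10", "198.51.100.0/24"],   # Host + Network
    "mail_client_ports": ["587", "993", "995"],             # type Port
}

# Constructed rules in evaluation order (first match wins, like pf).
# src/dst/port may be a literal, an alias name, or "any".
RULES = [
    {"action": "pass", "src": "any", "dst": "mailserver", "port": "25"},
    {"action": "pass", "src": "freshdesk_ips", "dst": "mailserver",
     "port": "mail_client_ports"},
    {"action": "block", "src": "any", "dst": "any", "port": "any"},
]

def expand(token):
    """Entries behind a token: the alias contents, or the literal itself."""
    return ALIASES.get(token, [token])

def ip_matches(token, ip):
    if token == "any":
        return True
    addr = ipaddress.ip_address(ip)
    # Hosts and networks are both handled as networks (a host is a /32).
    return any(addr in ipaddress.ip_network(e, strict=False) for e in expand(token))

def port_matches(token, port):
    if token == "any":
        return True
    return any(int(e) == port for e in expand(token))

def evaluate(src_ip, dst_ip, dst_port, rules=RULES):
    """Return the action of the first matching rule (default deny)."""
    for r in rules:
        if (ip_matches(r["src"], src_ip) and ip_matches(r["dst"], dst_ip)
                and port_matches(r["port"], dst_port)):
            return r["action"]
    return "block"

if __name__ == "__main__":
    print(evaluate("8.8.8.8", "192.168.5.2", 25))         # pass: SMTP is public
    print(evaluate("8.8.8.8", "192.168.5.2", 993))        # block: IMAPS is not
    ALIASES["freshdesk_ips"].append("192.0.2.7")          # Freshdesk adds an IP
    print(evaluate("192.0.2.7", "192.168.5.2", 587))      # pass, rules untouched
```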