Firewall - Aliases

Aliases are a way to define a group of network objects, such as IP addresses (in CIDR notation) and ports, and give them a name that can be used in firewall rules.

IP Aliases

Let’s explore aliases through two examples: one where we define a manual alias, and another where we look at automated aliases.

  • Manual Aliases: This type of alias is where you specify the IP Address in CIDR notation (or ports in the case of a ports alias) yourself.
  • Automated Aliases: This type of alias is where you specify a list that is present in the system and the system automatically updates the list in a timely manner.

Manual Aliases

Let’s explore manual aliases through an example. Imagine we have 3 VPSs hosted outside the confines of our internal network, with the following IPv4 and IPv6 addresses respectively:

67.21.121.241/32
68.21.121.242/32
69.21.121.243/32
2a01:4f9:c012:623e::123/128
2a01:4f9:c012:623e::456/128
2a01:4f9:c012:623e::789/128

Now obviously you can create 6 different firewall rules for all 6 of these addresses or you could group these addresses into just 2 aliases and use them within 2 different rules.

Warning

You cannot mix IPv4 and IPv6 addresses in one alias. They must go in separate aliases, and every address must be written in CIDR notation.
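As an added example (not part of the Difuse documentation or software), this Python sketch checks a candidate list of entries against the two rules in the warning above, CIDR notation and one address family per alias, before you type them into the form. The function name split_alias_entries and the strict host-bits check are assumptions of this example.

```python
import ipaddress

# Addresses from the example above (the page's own sample values).
VPS_ADDRESSES = [
    "67.21.121.241/32",
    "68.21.121.242/32",
    "69.21.121.243/32",
    "2a01:4f9:c012:623e::123/128",
    "2a01:4f9:c012:623e::456/128",
    "2a01:4f9:c012:623e::789/128",
]


def split_alias_entries(entries):
    """Return (ipv4, ipv6, rejected) for a list of candidate alias entries.

    ipv4 / ipv6 are de-duplicated lists of CIDR strings, one per alias.
    rejected is a list of (entry, reason) pairs that must be fixed by hand.
    """
    groups = {4: [], 6: []}
    rejected = []
    for raw in entries:
        entry = raw.strip()
        if "/" not in entry:
            rejected.append((raw, "missing prefix length (not CIDR)"))
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24,
            # which usually means the prefix length is a typo.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        cidr = str(net)  # canonical form, so duplicates compare equal
        if cidr not in groups[net.version]:
            groups[net.version].append(cidr)
    return groups[4], groups[6], rejected


if __name__ == "__main__":
    v4, v6, bad = split_alias_entries(VPS_ADDRESSES)
    print("IPv4 alias entries:", v4)
    print("IPv6 alias entries:", v6)
    for entry, reason in bad:
        print("rejected:", entry, "-", reason)
```

Entries that land in the rejected list are worth fixing rather than guessing at, since a wrong prefix length in a firewall alias silently widens or narrows what the rule matches.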

First we create our alias for the IPv4 addresses, and then one for the IPv6 addresses.

After you’ve created them they should show up in the table like this:

Now if you try to add or edit a rule in Traffic Rules, you should see the aliases show up in the source and destination address sections.

Automated Aliases

Error

If your device has never had an internet connection, the lists may show up as empty.

Underneath, automated aliases work pretty much the same way manual aliases do. But instead of painstakingly adding each IP for a region, for instance, the user can pick a pre-made list that Difuse itself updates in a timely manner without any need for intervention.

Now if we want to make a list that includes all the IPs that are associated with the country Afghanistan for instance, we could just select the type of alias as Automatic and select the list Afghanistan. You can select multiple countries as well.

Multiple country list selection would look something like this:

You can click on the Update Lists button if you want to manually run an update on the lists that exist on the system.

Note

Running an update will update all the lists, not just the ones selected.

Now once an alias has been created with one of the automated lists, it should look like this in the table:

They can also be used in the firewall in the same way as shown for manual aliases.

Note

If you’re using an automated list, the traffic rule should make clear whether it belongs to the IPv4 family or the IPv6 family. You can pick the family of a traffic rule in the form.

Ports Aliases

Ports Aliases work in a similar way to IP Aliases. The key difference is that there isn’t a way to select an automated list.

Now for instance if you have a bunch of HTTP services that you run within your office and home you might want to enable the ports 80, 443 and maybe even 8080 for each of those IPs. You could just create an alias as shown below.

Once you create the alias it should show up in the table like this:

It’s imperative to note that you should NOT use aliases or traffic rules to block specific websites on the LAN; the Content Filtering & Adblock service should be used instead. Due to the advent of services like Cloudflare (which incidentally a lot of websites use), multiple hundreds or even thousands of websites may share the same IP address, which makes it very hard to block just one or two websites with traffic rules.