Aliases

Aliases allow you to group ports, hosts, or networks into named entities that you can refer to in firewall rules, NAT rules, and traffic shaping. Judicious use of aliases lets you change IP addresses, ports, and/or networks in one place instead of editing every rule that refers to them.

You cannot use aliases everywhere within the pfSense web GUI, but you will always know when you can: an edit box that is alias-friendly will have a red background. If you start to type the alias name into such a box, the autocomplete functionality built into pfSense will complete the name for you.

To begin creating aliases, navigate to Firewall | Aliases. The main Aliases page has four separate tabs: IP, Ports, URLs, and All. Clicking on one of these tabs will show a table with all of the already-created aliases for that category. If you want to create an alias of a certain type, you can click on the appropriate tab and click on the Add button under the table.

In reality, however, clicking on the right tab is not necessary, because you can create an alias for any supported type from any tab. This is because you can change the type of the alias being created by changing the value in the Type drop-down box on the Alias Edit page.

The first section on the Edit page is Properties; the name of the second section depends on what type you select in the Type drop-down box. The first option is Name, where you enter the name pfSense will use to identify the alias; as with schedule names, it may only consist of letters, numbers, and the underscore character. You may enter a brief description in the Description field. The Type option is where you specify the type of alias. There are several options, some obvious and some less so:

The second section of the page is where you enter information about what the alias stands for: it will be either a hostname (actually, a Fully Qualified Domain Name (FQDN)), an IP address/range, a port/range of ports, or a URL. For all types except the two URL Table options, multiple entries are allowed, and you add more than one entry by clicking on the green Add button at the bottom of the page after you define an entry. When you are done adding entries for the alias, click on the Save button, and then when the page reloads, click on the Apply Changes button.

There is another method of generating aliases that can be helpful in some cases. Assume you want to block a website that uses multiple IP addresses (such as YouTube). Creating a rule or rules to block such sites can be cumbersome, but if we could create an alias for all IP addresses the site uses, it would be helpful. We can do this somewhat automatically in pfSense.

First, we navigate to Diagnostics | DNS Lookup. On the DNS Lookup page, enter the hostname in the Hostname field (for example, www.youtube.com) and then click on the Lookup button. When the results of the lookup appear, there should be a new button labeled Add Alias. Click on the button, and an alias should be created with the same name as the hostname, except that any dots should be converted to underscores (for example, www_youtube_com). Navigate back to Firewall | Aliases, and the new alias should be listed there.

Keep in mind that this is not a foolproof method for creating aliases for sites that use multiple IP addresses. Sites such as YouTube are constantly adding to the pool of IP addresses they use, so an alias created in this way for such a site will work immediately after it is created, but will soon become outdated, within days if not hours. There are other ways to block such sites, which we will discuss later in this book.
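The staleness problem described above can be checked by comparing the entries saved in the alias with a fresh lookup of the same hostname. The following is an added example, not code from this book or from pfSense; the function names are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
import re
import socket

# Name rule stated in the text: letters, numbers and underscore only.
ALIAS_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

def alias_name_from_hostname(hostname):
    """Derive the alias name the way the text describes: dots become underscores."""
    name = hostname.strip().replace(".", "_")
    if not ALIAS_NAME_RE.match(name):
        # e.g. a hyphenated hostname; the text does not say how that case is handled
        raise ValueError(f"{name!r} is not a valid alias name")
    return name

def normalize(addresses):
    """Parse and de-duplicate addresses so textual variants compare equal."""
    return {ipaddress.ip_address(a.strip()) for a in addresses}

def resolve(hostname):
    """Live lookup (needs network access): the hostname's current address set."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return normalize(info[4][0] for info in infos)

def alias_drift(saved, current):
    """Compare the alias entries with a fresh lookup of the same hostname."""
    saved, current = normalize(saved), normalize(current)
    return {
        # resolved now but missing from the alias: a block rule no longer covers these
        "uncovered": sorted(str(a) for a in current - saved),
        # in the alias but no longer resolved: the rule may now hit an unrelated host
        "stale": sorted(str(a) for a in saved - current),
        "still_valid": sorted(str(a) for a in saved & current),
    }

# Constructed sample data: alias entries as saved, and a later lookup result.
SAVED = ["192.0.2.10", "192.0.2.11", "2001:db8::1"]
CURRENT = ["192.0.2.11", "192.0.2.12", "2001:0db8:0000:0000:0000:0000:0000:0001"]

if __name__ == "__main__":
    print(alias_name_from_hostname("www.youtube.com"))
    for label, addrs in alias_drift(SAVED, CURRENT).items():
        print(f"{label}: {', '.join(addrs) or '-'}")
```

For a live check, pass `resolve(hostname)` as the second argument in place of the constructed `CURRENT` list.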