Alias Features and Limitations
Administrators have a lot of flexibility when defining aliases. These abilities are a large part of how aliases can make firewall rulesets easier to manage.
Alias Sizing Concerns
When the firewall loads alias data it copies the contents into internal tables which it uses to quickly perform address matches.
The total size of all aliases/tables must fit in roughly half the amount of Firewall Maximum Table Entries, which defaults to 400000.
See Firewall Maximum Table Entries for more information on this behavior.
Nested Aliases
Most aliases can be nested inside other aliases of similar types to collect entries into larger groups. For example, one Servers alias can nest an alias containing web servers, an alias containing mail servers, and an alias containing database servers all together.
To nest, aliases must be either the same or compatible types. For example, Network Aliases cannot nest Port Aliases since they are not the same type of alias. However, Host Aliases and Network Aliases can nest each other since they are compatible. URL Table Aliases can nest other URL table aliases, and URL Aliases can nest other URL aliases.
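The nesting rules and the table budget from the two sections above can be checked before a configuration is applied. The following is an added example and is not pfSense code or documentation: the ALIASES table is constructed, its shape (alias name mapped to a type and an entry list) is an assumption loosely modelled on the name, type and address fields of the aliases section of config.xml, and the counting rule (every host, network and urltable alias, nested ones included, becomes its own table holding its expanded contents) is also an assumption made here.

```python
"""Nesting and table-budget checks for firewall aliases.

Added example, not pfSense code. ALIASES below is constructed; its shape
(name -> type and entry list) is an assumption modelled on the name, type
and address fields of the <aliases> section of config.xml.
"""
from __future__ import annotations

# Types that may nest each other: host and network are compatible with each
# other, while port, url and urltable aliases only nest their own kind.
COMPATIBLE = {
    "host": {"host", "network"},
    "network": {"host", "network"},
    "port": {"port"},
    "url": {"url"},
    "urltable": {"urltable"},
}

# Default value of Firewall Maximum Table Entries; alias data must fit in
# roughly half of it.
DEFAULT_MAX_TABLE_ENTRIES = 400_000

# Constructed sample: Servers nests three compatible aliases, Broken does not.
ALIASES = {
    "WebServers": {"type": "host", "entries": ["10.0.1.10", "10.0.1.11", "www.example.com"]},
    "MailServers": {"type": "host", "entries": ["10.0.2.10"]},
    "DBNet": {"type": "network", "entries": ["10.0.3.0/24"]},
    "Servers": {"type": "host", "entries": ["WebServers", "MailServers", "DBNet"]},
    "WebPorts": {"type": "port", "entries": ["80", "443"]},
    "Broken": {"type": "network", "entries": ["WebPorts", "192.0.2.0/24"]},
}


def check_nesting(aliases: dict) -> list[str]:
    """List every parent/child pair whose types are not compatible."""
    problems = []
    for name, alias in aliases.items():
        for entry in alias["entries"]:
            child = aliases.get(entry)
            if child and child["type"] not in COMPATIBLE[alias["type"]]:
                problems.append(f"{name} ({alias['type']}) cannot nest {entry} ({child['type']})")
    return problems


def find_cycle(aliases: dict) -> list[str] | None:
    """Return the first reference cycle found (as a path), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in aliases}

    def visit(node, path):
        colour[node] = GREY
        for entry in aliases[node]["entries"]:
            if entry not in aliases:
                continue  # leaf entry (address, network, hostname, port)
            if colour[entry] == GREY:
                return path + [node, entry]
            if colour[entry] == WHITE:
                found = visit(entry, path + [node])
                if found:
                    return found
        colour[node] = BLACK
        return None

    for node in aliases:
        if colour[node] == WHITE:
            found = visit(node, [])
            if found:
                return found
    return None


def flatten(aliases: dict, name: str, _seen: set | None = None) -> list[str]:
    """Leaf entries of an alias with nested aliases expanded, duplicates removed."""
    seen = _seen if _seen is not None else set()
    seen.add(name)
    leaves = []
    for entry in aliases[name]["entries"]:
        if entry in aliases:
            if entry not in seen:  # skip cycles instead of recursing forever
                leaves.extend(flatten(aliases, entry, seen))
        else:
            leaves.append(entry)
    return list(dict.fromkeys(leaves))


def table_budget(aliases: dict, max_table_entries: int = DEFAULT_MAX_TABLE_ENTRIES) -> dict:
    """Lower-bound entry count of all address-type aliases against half the limit.

    Assumes each host, network and urltable alias becomes its own table holding
    its expanded contents. FQDN entries count as one although they may resolve
    to several addresses, and urltable file contents are not counted at all.
    """
    total = sum(len(flatten(aliases, n)) for n, a in aliases.items()
                if a["type"] in ("host", "network", "urltable"))
    budget = max_table_entries // 2
    return {"entries": total, "budget": budget, "fits": total <= budget}


if __name__ == "__main__":
    print("nesting problems:", check_nesting(ALIASES))
    print("cycle:", find_cycle(ALIASES))
    print("Servers ->", flatten(ALIASES, "Servers"))
    print("budget:", table_budget(ALIASES))
```

The count is deliberately a lower bound: a hostname entry occupies one slot here but the firewall adds every address it resolves to, and a URL Table alias can pull in thousands of entries from its file, so a result that only just fits the budget should be treated as already over it.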
Hostnames in Aliases
Host and network type aliases support entries consisting of fully qualified domain name (FQDN) style hostnames (e.g. host.example.com) in regular or IDN format.
Tip
This feature is also useful for tracking dynamic DNS entries to allow users to access services from dynamic IP addresses.
For these entries to function, the firewall must be able to resolve hostnames using A or AAAA type DNS queries. This means that the firewall must have working DNS, the FQDN must exist, and the firewall must be able to resolve these hostnames using the DNS servers present in its configuration.
Warning
This feature only supports forward name resolution of FQDNs using A and AAAA records such as host.example.com.
Aliases do not support pattern matches, wildcard matches (e.g. *.example.com), SRV record lookups, or any other style of record comparison.
If a DNS query for a hostname returns multiple IP addresses, the firewall adds all of the IP addresses in the result at the time of the query to the alias.
Warning
This feature is not useful for controlling access to hostnames for large public web sites such as those served by content delivery network (CDN) providers. Such sites tend to have round-robin, localized, or randomized responses to DNS queries so the contents of the alias on the firewall do not necessarily match the response a client receives when it resolves the same hostname. This feature can work for smaller sites which have single addresses or sites which always return complete sets of addresses in their DNS responses.
The firewall periodically resolves and updates hostname entries in host or network type aliases. The default interval is 300 seconds (5 minutes). This behavior can be changed by adjusting the Aliases Hostnames Resolve Interval.
Mixing IPv4 and IPv6 Addresses in Aliases
IPv4 and IPv6 addresses can coexist inside the same alias. The firewall uses the appropriate type of addresses from the alias content as needed when a rule references the alias. This allows a single alias to function in IPv4 rules, IPv6 rules, and even IPv4+IPv6 rules.
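The hostname handling described under Hostnames in Aliases and the IPv4/IPv6 split described just above can be reproduced in a small validator, useful for checking alias contents before they are trusted in a rule. This is an added example, not pfSense code: resolve_fqdn uses the operating system resolver for A and AAAA lookups (the two record types the page says are supported), the hostnames and addresses in the test are constructed, and the resolver parameter exists only so the example can run offline against a constructed lookup table.

```python
"""Validate and expand FQDN entries of a host or network alias.

Added example, not pfSense code. resolve_fqdn asks the OS resolver for A and
AAAA records (the two record types the page says are supported); the test
substitutes a constructed lookup table so nothing touches the network.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from typing import Callable

# One DNS label of a plain hostname: letters, digits and inner hyphens only,
# so '*' wildcards and '_service' SRV-style labels fail the check.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def to_ascii(name: str) -> str:
    """Convert an IDN hostname to its punycode form; ASCII names pass through."""
    try:
        return name.encode("idna").decode("ascii")
    except (UnicodeError, ValueError):
        return name


def is_valid_fqdn_entry(name: str) -> bool:
    """True for a forward-resolvable FQDN (at least two well-formed labels)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def resolve_fqdn(name: str) -> list[str]:
    """A then AAAA lookup through the system resolver; keep every address."""
    addrs: list[str] = []
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(name, None, family, socket.SOCK_STREAM):
                addrs.append(info[4][0])
        except socket.gaierror:
            pass  # no record of this type, or resolution failed
    return list(dict.fromkeys(addrs))


def expand_alias(entries: list[str],
                 resolver: Callable[[str], list[str]] = resolve_fqdn) -> dict:
    """Expand alias entries into the IPv4 and IPv6 contents a rule would use.

    Literal addresses and networks are kept as written, FQDNs are resolved and
    every returned address is added, malformed names are reported as rejected
    and names with no A/AAAA answer as unresolved.
    """
    out: dict[str, list[str]] = {"ipv4": [], "ipv6": [], "rejected": [], "unresolved": []}
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)
            addresses = [entry]
        except ValueError:
            ascii_name = to_ascii(entry)
            if not is_valid_fqdn_entry(ascii_name):
                out["rejected"].append(entry)
                continue
            addresses = resolver(ascii_name)
            if not addresses:
                out["unresolved"].append(entry)
                continue
        for addr in addresses:
            family = "ipv4" if ipaddress.ip_network(addr, strict=False).version == 4 else "ipv6"
            out[family].append(addr)
    return out


if __name__ == "__main__":
    print(expand_alias(["host.example.com", "10.0.0.0/8", "*.example.com"]))
```

The ipv4 and ipv6 lists are what an IPv4-only or IPv6-only rule would effectively match against; a rule for both families uses the union. Anything in rejected would never become an address on the firewall, and whatever lands in ipv4/ipv6 from a hostname is only the answer seen at query time, held until the next resolve interval.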
Uses Beyond Firewall and NAT Rules
pfSense® software allows the use of aliases in several places outside of firewall and NAT rules. For example, they can be used with certain fields in OpenVPN and in static routes. GUI pages will indicate if and when a feature supports aliases.