What Are Aliases?
In a firewall, you often need to apply the same rule to multiple IPs, networks, or ports.
Typing each one manually is tedious, error-prone, and hard to maintain.
Aliases are reusable groups that let you define multiple IPs, hosts, networks, or ports under a single name.
They make your firewall rules cleaner, easier to manage, and much safer.
Types of Aliases
| Type | Description |
|---|---|
| Host(s) | One or more IPs or hostnames (e.g., 192.168.1.10, mail.company.com). |
| Network(s) | One or more networks, e.g., 192.168.10.0/24. |
| Port(s) | A list of ports, e.g., 80, 443, 22. |
| URL (IPs) | Loads IPs from an external URL. |
| URL Table (IPs) | Loads large auto-updating IP lists from external feeds. |
| GeoIP | IP groups by country or region. |
| MAC Address | MAC-based grouping. |
| Dynamic DNS (FQDN) | Supports dynamic DNS domains. |
Practical Examples
Example 1: Group Internal Servers
Alias name: LAN_SERVERS
Content:
192.168.1.10
192.168.1.11
192.168.1.12
Rule:
Source: any
Destination: LAN_SERVERS
Port: 22 (SSH)
Action: Allow
When a new server is added, just update the alias; the rule itself does not need to change.
Example 2: Common Service Port Group
Alias name: WEB_PORTS
Content:
80
443
8080
Used in rule: Allow LAN to WAN (Port: WEB_PORTS)
Example 3: Blocking Certain Countries
Alias name: BLOCK_CN_RU
Type: GeoIP
Countries: China, Russia
Rule:
Block from BLOCK_CN_RU to any
Useful for blocking high-risk regions or scanning activity.
Example 4: Threat Intelligence Feed
Alias name: Malicious_IPs
Type: URL Table (IPs)
URL:
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
OPNsense automatically refreshes this list, so the alias keeps blocking the IPs currently published by the feed.
Technical Principle
- Host, network, URL Table and GeoIP aliases are implemented as pf tables in FreeBSD, which match large address sets at high speed; port aliases are expanded into the rules themselves, since pf tables hold only addresses.
- Updates apply instantly; no restart is required.
- URL Table and GeoIP aliases support scheduled automatic refresh.
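Before a URL Table feed like the one in Example 4 is loaded into a pf table, it is worth checking what it actually contains. The script below is an added example, not OPNsense code: it parses a constructed feed sample, validates each entry as an IP or CIDR, deduplicates, and rejects entries that would match all traffic or overlap internal ranges (PROTECTED is an assumed list; replace it with your own network aliases).

```python
import ipaddress

# Constructed sample feed: comments, blank lines, plain IPs, CIDRs, a duplicate,
# a malformed line, an RFC1918 range and the whole IPv4 space (the last two must
# never reach a block table, or the alias would cut off internal or all traffic).
SAMPLE_FEED = """# constructed block-list feed
203.0.113.7
198.51.100.0/24
203.0.113.7

not-an-ip
192.168.1.0/24
0.0.0.0/0
2001:db8::/32
"""

# Assumed list of ranges a block feed must never cover; adjust to your own LAN/VPN aliases.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_feed(text):
    """Return (accepted, rejected): accepted holds unique networks in feed order
    (strings ready for a pf table); rejected holds (entry, reason) pairs."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # 1.2.3.4 -> 1.2.3.4/32
        except ValueError:
            rejected.append((entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen == 0:
            rejected.append((entry, "prefix length 0 matches all traffic"))
            continue
        if any(p.version == net.version and p.overlaps(net) for p in PROTECTED):
            rejected.append((entry, "overlaps a protected internal range"))
            continue
        if str(net) not in seen:                 # silently drop duplicates
            seen.add(str(net))
            accepted.append(str(net))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    print(f"{len(ok)} entries accepted, {len(bad)} rejected")
    for entry, reason in bad:
        print(f"  rejected {entry}: {reason}")
```

The accepted list is what you would expect to see in pfctl -t <alias_name> -T show once the alias has refreshed; anything in the rejected list is a reason to review the feed before trusting it.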
Enterprise Best Practices
| Category | Strategy | Example |
|---|---|---|
| Network grouping | Define departmental subnets (e.g., HR_NET, IT_NET) | Control inter-department access |
| Cloud services | Define IP sets for AWS / Azure | Control outbound traffic scope |
| Threat control | Use threat intel feeds (URL Tables) | Auto-block malicious sources |
| Multi-site sync | Export/import alias configs | Maintain unified global policy |
| VPN policy | Define remote subnet aliases | Simplify Site-to-Site VPN rules |
Management Tips
1. Naming Convention:
NET_ for networks
SRV_ for servers
PORT_ for ports
BLOCK_ for block lists
2. Instant Update:
Alias changes take effect immediately, no reboot needed.
3. View or Debug:
pfctl -t <alias_name> -T show
Conclusion
Aliases are one of the most powerful tools in OPNsense firewall management.
They make rules cleaner, more readable, and easier to maintain.
When combined with GeoIP and external threat feeds, Aliases can automate complex security policies.
Suggested Setup for Enterprise Environments
| Type | Alias Name | Purpose |
|---|---|---|
| Network | HQ_NET, MY_NET, VN_NET | Regional VPN subnets |
| Host | ERP_SERVER, MAIL_SERVER | Critical internal systems |
| Port | SYSADMIN_PORTS | Common admin ports: 22, 3389, 8443 |
| GeoIP | BLOCK_CN_RU | Block high-risk countries |
| URL Table | THREAT_FEED | Auto-updated malicious IP blacklist |