[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Tsaousis, Costa costa at tsaousis.gr
Tue Dec 8 21:15:45 CET 2015


> So I am not sure how to actually update the ipset I have dynamically. Maybe
> I could build a second ipset and using 'ipset swap'? But it seems to be from
> the instructions below that I should use update-ipsets?

update-ipsets handles everything.

> One question though is this is
> installing the head branch version. This is going to go on production
> machines... so is there any hash which is more stable than others? Or at
> least a release candidate I should be using? eg 3.0.0-rc.4 maybe? Or maybe
> even better a ppa? (I am not at all a packaging guru so don't immediately
> know how to make a ppa, but I do know it would be very nice to have the
> firewall on the production machines to be updated when our automatic
> unattended security upgrades periodically kick in...) (Of course I am
> guessing this is likely not a trivial amount of work…)

We are about to release firehol v3
(https://github.com/firehol/firehol/releases).
The master branch is stable too.
I use it on production machines. Since firehol and update-ipsets are
just scripts, there is very little to go wrong. Even if something is
wrong and we don't know it yet, a specific feature or function will
most probably fail. You can use the 'explain' mode of firehol to check
the generated iptables statements, in order to trust it.

Costa

