[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban
Jason Harris
jason at unifiedthought.com
Sat Dec 12 19:02:58 CET 2015
> On Dec 8, 2015, at 1:48 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>
>> Ok. but I can use hostnames like eg sub.mydomain.com with ipsets?
>
> Yes, you have to resolve them first though. iprange does this.
>
>
>> The link: https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh on the page: https://github.com/firehol/firehol/wiki/Working-with-IPSETs is dead. I google around a bit and am sure I am just missing this but am having trouble finding this script.
>
> Thanks! I fixed the link.
> However, it is installed with firehol v3 (the github version).
>
>
>> So I am not sure how to actually update the ipset I have dynamically. Maybe I could build a second ipset and using 'ipset swap’? But it seems to be from the instructions below that I should use update-upsets?
>
> ok.
>
> 1. Install firehol v3 (this will also require from you to install
> iprange). If you don't know how to do it, follow this procedure:
> https://github.com/firehol/blocklist-ipsets/wiki/Installing-update-ipsets
Ok. I got around to having some time this weekend. To build this (on latest debian jessie) in addition to your listed build steps you also need:
apt-get install autoconf build-essential curl ipset
This is kind of disappointing since it loads a bunch of gunk onto a production node, (i.e. some 200MB’s of stuff just to get the small firehol firewall. I guess I could remove most of this after the build process… Still this is not so nice for eg ansible,chef, puppet, saltstack, etc which are used to provision vm’s.)
> 2. Create a new file called /etc/firehol/ipsets/myhostsnames.source
> Put there any hostnames you like.
>
> 3. To resolve its contents to IPs you have to configure update-ipsets
> (https://github.com/firehol/blocklist-ipsets/wiki/Extending-update-ipsets).
> Briefly:
>
> a. create the file /etc/firehol/ipsets.d/myhostname.conf
> b. using this content (copy and paste it):
>
> # update its timestamp, to force reprocessing
> touch /etc/firehol/ipsets/myhostsnames.source
>
> # configuration about the list
> update myhostnames 1 0 ipv4 ip "" hostname_resolver "category" "some
> info about the list" "your name" "a url for info for the list"
>
> c. run:
>
> update-ipsets enable myhostnames
Ok. So I followed these instructions. First there appears to be no update-ipsets disable myhostnames? (I made a mistake in one of the configurations and it would be nice to undo it…)
> d. check it with (this is also the command you need to put at cron):
>
> update-upsets
For me this fails with the following message (using update-upsets -v)
firehol_anonymous| DISABLED
| To enable run: update-ipsets enable firehol_anonymous
Loading ipset definitions from: '/etc/firehol/ipsets.d'
Loading ipset definition file: '/etc/firehol/ipsets.d/whitelist.conf'
|
whitelist| parsing attributes:
| converting with 'hostname_resolver'
| ERROR converted file is empty.
ERROR : '/etc/firehol/ipsets.d/whitelist.conf' failed
Supplied ipsets directory '/usr/share/firehol/ipsets.d' does not exist. Ignoring it.
Supplied ipsets directory '/root/.update-ipsets/ipsets.d' does not exist. Ignoring it.
Cleaning up temporary files in /tmp/update-ipsets-9B34pYTy0N.
Completed successfully.
[root at tester:/etc/firehol/ipsets] $ ls
Any hints on what went wrong? The errors directory is empty...
Thanks!
Jason
> If successful, the file /etc/firehol/ipsets/myhostnames.ipset should
> be there with all the IPs.
>
> 4. In firehol.conf use
>
> ipset4 MYHOSTNAMES addfile ipsets/myhostnames.ipset
>
> and later in server/client/nat statements: src ipset:MYHOSTNAMES
>
More information about the Firehol-support
mailing list