[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Jason Harris jasonh at trackabus.com
Sun Dec 6 20:27:44 GMT 2015


First off, I wanted to say thanks for firehol! The documentation and 
getting started was pretty easy! I really like the "clean" feel to it!

So saying that my current issue I am facing is that I would like to 
white-list a dynamic host(s), eg if my dynamically changing host is 
jasonLaptop.No-ip.com I would like this white listed with something like:

permitted_sites="jasonLaptop.No-ip.com first.server.ourdomain.com 
second.server.ourdomain.com"

interface eth0 world

     policy reject
     protection strong 30/sec 40 src not "${permitted_sites}"

     server http accept src "${permitted_sites}"
     server https accept src "${permitted_sites}"
     server ntp accept src "${permitted_sites}"
     server ssh accept

So this works on the surface.

Question 1: If jasonLaptop.No-ip.com changes then I would like basically 
"firehol restart" to be called. Is there a nice way of doing that in 
firehol? Anybody written some scripts before I re-invent the wheel here?

Question 2: Currently for testing I am taking the dumb approach here and 
just croning a "firehol restart" periodically several times an hour. Is 
this ok from a security point of view? (I didn't quite understand the 
bit in the documentation where it talks about the security of the 
firewall during the boot up period of firehol. I saw it somewhere in the 
documentation but I am having some trouble finding that section again.)

Question 3: Instead of croning a "firehol restart" periodically, I could 
get slightly more sophisticated with this and just do a dig say every 
minute on all the permitted sites and if the results of these lookups 
change then restart firehol... (Importantly if I switch off 
jasonLaptop.No-ip.com then even if I am croning "firehol restart" 
periodically then the rules won't get updated since the lookup on 
jasonLaptop.No-ip.com will fail hence the new configuration will not 
"take".) So it seems likely that I will need a smarter script here. I 
thought these might be common questions or there might be another way to 
handle this so I am asking here first... Is there a better way to do 
this than rolling my own script here?

Question 4: If we are restarting firehol on a semi-regular basis will 
this cause any problems with fail2ban?

Thanks!
    Jason
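One way to build the dig-and-compare watcher described in Question 3, as an added example that is neither from this thread nor from the FireHOL project: it resolves every permitted site, keeps a snapshot of the last known-good addresses, and only restarts the firewall when every lookup succeeded and an address actually changed, so a switched-off dynamic host leaves the current rules untouched. It assumes dig is installed, a state-file path under /var/lib, and that the script itself (not a blind "firehol restart") is what cron runs every minute.

```shell
#!/bin/sh
# Added example (not FireHOL project code): resolve every permitted site,
# compare with the last known-good snapshot and only run the restart
# command when all lookups succeeded AND an address actually changed.
# Assumed values: the state-file path, the resolver and restart commands.

PERMITTED_SITES="${PERMITTED_SITES:-jasonLaptop.No-ip.com first.server.ourdomain.com second.server.ourdomain.com}"
STATE_FILE="${STATE_FILE:-/var/lib/firehol-dyn/last-good.txt}"   # assumed path
RESOLVER="${RESOLVER:-dig_resolve}"      # function or command: host -> IPs
RESTART_CMD="${RESTART_CMD:-firehol restart}"

# Default resolver: A records via dig, sorted so record order is irrelevant.
dig_resolve() {
    dig +short +time=2 +tries=1 A "$1" | grep -E '^[0-9.]+$' | sort
}

# snapshot "host1 host2 ..." -> prints "host ip" lines.
# Returns 1 if any host resolved to nothing (e.g. the laptop is switched off).
snapshot() {
    rc=0
    for h in $1; do
        ips=$("$RESOLVER" "$h")
        if [ -z "$ips" ]; then
            echo "lookup failed for $h, keeping current rules" >&2
            rc=1
            continue
        fi
        for ip in $ips; do echo "$h $ip"; done
    done
    return $rc
}

# Exit codes: 0 = addresses changed and restart ran successfully,
#             1 = unchanged, 2 = a lookup failed so nothing was touched.
check_and_reload() {
    new=$(snapshot "$PERMITTED_SITES") || return 2
    if [ -f "$STATE_FILE" ] && [ "$new" = "$(cat "$STATE_FILE")" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$new" > "$STATE_FILE"
    $RESTART_CMD
}

# Invoke as `watch-permitted.sh run` from cron every minute.
case "${1:-}" in run) check_and_reload ;; esac
```

Because the snapshot is only rewritten after a fully successful resolution, a transient DNS outage never produces a ruleset with a missing host.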


