[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban
Jason Harris
jason at unifiedthought.com
Sun Dec 6 20:32:22 GMT 2015
First off, I wanted to say thanks for firehol! The documentation and getting started was pretty easy! I really like the "clean" feel to it!
So, saying that, my current issue I am facing is that I would like to whitelist a dynamic host (or hosts), e.g. if my dynamically changing host is jasonLaptop.No-ip.com I would like this whitelisted with something like:
permitted_sites="jasonLaptop.No-ip.com first.server.ourdomain.com second.server.ourdomain.com"
interface eth0 world
policy reject
protection strong 30/sec 40 src not "${permitted_sites}"
server http accept src "${permitted_sites}"
server https accept src "${permitted_sites}"
server ntp accept src "${permitted_sites}"
server ssh accept
So this works on the surface.
Question 1: If jasonLaptop.No-ip.com changes then I would like basically "firehol restart" to be called. Is there a nice way of doing that in firehol? Anybody written some scripts before I re-invent the wheel here?
Question 2: Currently for testing I am taking the dumb approach here and just cronning a "firehol restart" periodically several times an hour. Is this OK from a security point of view? (I didn't quite understand the bit in the documentation where it talks about the security of the firewall during the boot-up period of firehol. I saw it somewhere in the documentation but I am having some trouble finding that section again.)
Question 3: Instead of cronning a "firehol restart" periodically, I could get slightly more sophisticated with this and just do a dig, say, every minute on all the permitted sites and if the results of these lookups change then restart firehol... (Importantly, if I switch off jasonLaptop.No-ip.com then even if I am cronning "firehol restart" periodically the rules won't get updated, since the lookup on jasonLaptop.No-ip.com will fail, hence the new configuration will not "take".) So it seems likely that I will need a smarter script here. I thought these might be common questions or there might be another way to handle this, so I am asking here first... Is there a better way to do this than rolling my own script here?
Question 4: If we are restarting firehol on a semi-regular basis will this cause any problems with fail2ban?
Thanks!
Jason
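A sketch of the "smarter script" from Question 3, added here as an example (it is not from the original post or from the FireHOL project): it looks up each permitted host with dig, keeps the last known address when a lookup fails so a switched-off host does not silently fall out of the state, and only calls "firehol restart" when an address actually changed. The STATE_FILE path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post or of FireHOL itself.
# Run from cron every minute as: firehol-dyn.sh --run

STATE_FILE="${STATE_FILE:-/var/lib/firehol-dyn/last_ips}"   # assumed location
PERMITTED_HOSTS="jasonLaptop.No-ip.com first.server.ourdomain.com second.server.ourdomain.com"

# lookup HOST -> comma-joined sorted IPv4 A records, or nothing if the lookup fails
lookup() {
    dig +short +time=3 +tries=1 A "$1" 2>/dev/null \
        | grep -E '^[0-9.]+$' | sort | tr '\n' ',' | sed 's/,$//'
}

# merge_state OLD NEW -> prints merged "host=ips" lines, one per host.
# OLD and NEW are newline-separated "host=ips" strings. An empty ips in NEW
# means the lookup failed, so the previously known address is carried over
# instead of letting the host drop out of the whitelist.
merge_state() {
    old="$1"; new="$2"
    printf '%s\n' "$new" | while IFS='=' read -r host ips; do
        [ -z "$host" ] && continue
        if [ -z "$ips" ]; then
            ips=$(printf '%s\n' "$old" | awk -F= -v h="$host" '$1==h {print $2}')
        fi
        printf '%s=%s\n' "$host" "$ips"
    done
}

# state_changed OLD MERGED -> exit 0 (true) when a restart is warranted
state_changed() {
    [ "$1" != "$2" ]
}

# run_once: resolve all hosts, merge with the saved state, restart only on change
run_once() {
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    new=""
    for h in $PERMITTED_HOSTS; do
        new="${new}${h}=$(lookup "$h")
"
    done
    merged=$(merge_state "$old" "$new")
    if state_changed "$old" "$merged"; then
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$merged" > "$STATE_FILE"
        firehol restart
    fi
}

if [ "${1:-}" = "--run" ]; then run_once; fi
```

Because FireHOL resolves the hostnames itself at restart, the state file only decides when to restart; a failed lookup therefore never triggers a reload with a missing host.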