[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Mon Dec 7 10:31:39 GMT 2015

Hi Jason,

It seems the welcome guide is missing a few important points. Here they are:

1. Never use hostnames with firewalls. Firewalls are started before
the machine has activated its network interfaces, so if you use
hostnames, the firewall will fail to start at boot. The same will
happen if you face a DNS problem. It is a bad dependency, so avoid it.

2. Avoid restarting the firewall too frequently. Although firehol will
gracefully manage failures (will fallback to the previously active
firewall), it is a bad practice to restart the firewall via cron.

3. Use ipsets for all IP lists that are updated frequently. Not only
the firewall will be a lot faster (less CPU resources used by kernel),
it will be a lot simpler and safer. Check this:
https://github.com/firehol/firehol/wiki/Working-with-IPSETs

At this wiki: https://github.com/firehol/blocklist-ipsets/wiki you can
find information on how to update ipsets without restarting the
firewall. You can define your IP lists too.

So the idea is:

a. At firehol use ipsets (instead of src 1.2.3.4, use src ipset:NAME,
check the docs)
b. Use a cron job to update ip lists on disk, as frequently as you
like (iprange has a parallel dns resolver in it to resolve thousands
of hostnames to IPs quickly)
c. Use firehol's update-ipsets to activate the on-disk-updated IP
lists, at the running firewall, without restarting it.

Regards,

Costa

On Sun, Dec 6, 2015 at 10:27 PM, Jason Harris <jasonh at trackabus.com> wrote:
> First off, I wanted to say thanks for firehol! The documentation and getting
> started was pretty easy! I really like the "clean" feel to it!
>
> So saying that my current issue I am facing is that I would like to
> white-list a dynamic host(s), eg if my dynamically changing host is
> jasonLaptop.No-ip.com I would like this white listed with something like:
>
> permitted_sites="jasonLaptop.No-ip.com first.server.ourdomain.com
> second.server.ourdomain.com"
>
> interface eth0 world
>
>     policy reject
>     protection strong 30/sec 40 src not "${permitted_sites}"
>
>     server http accept src "${permitted_sites}"
>     server https accept src "${permitted_sites}"
>     server ntp accept src "${permitted_sites}"
>     server ssh accept
>
> So this works on the surface.
>
> Question 1: If jasonLaptop.No-ip.com changes then I would like basically
> "firehol restart" to be called. Is there a nice way of doing that in
> firehol? Anybody written some scripts before I re-invent the wheel here?
>
> Question 2: Currently for testing I am taking the dumb approach here and
> just croning a "firehol restart" periodically several times an hour. Is this
> ok from a security point of view. (I didn't quite understand the bit in the
> documentation where it talks about the security of the firewall during the
> boot up period of firehol. I saw it somewhere in the documentation but I am
> having some trouble finding that section again.)
>
> Question 3: Instead of croning a "firehol restart" periodically, I could get
> slightly more sophisticated with this and just do a dig say every minute on
> all the permitted sites and if the results of these lookups change then
> restart firehol... (Importantly if I switch off jasonLaptop.No-ip.com then
> even if I am croning "firehol restart" preiodically then the rules won't get
> updated since the lookup on jasonLaptop.No-ip.com will fail hence the new
> configuration will not "take".) So it seems likely that I will need a
> smarter script here. I though these might be common questions or there might
> be another way to handle this so I am asking here first... Is there a better
> way to do this than rolling my own script here?
>
> Question 4: If we are restarting firehol on a semi-regular basis will this
> cause any problems with fail2ban?
>
> Thanks!
>    Jason
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support