[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Jason Harris jason at unifiedthought.com
Mon Dec 7 17:05:09 GMT 2015

> On Dec 7, 2015, at 11:31 AM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi Jason,
> It seems the welcome guide is missing a few important points. Here they are:
> 1. Never use hostnames with firewalls. Firewalls are started before
> the machine has activated its network interfaces, so if you use
> hostnames, the firewall will fail to start at boot. The same will
> happen if you face a DNS problem. It is a bad dependency, so avoid it.

Ok, but I can use hostnames like e.g. sub.mydomain.com with ipsets?

> 2. Avoid restarting the firewall too frequently. Although firehol will
> gracefully manage failures (will fallback to the previously active
> firewall), it is a bad practice to restart the firewall via cron.

Ahh. Thanks!

> 3. Use ipsets for all IP lists that are updated frequently. Not only
> the firewall will be a lot faster (less CPU resources used by kernel),
> it will be a lot simpler and safer. Check this:
> https://github.com/firehol/firehol/wiki/Working-with-IPSETs
> At this wiki: https://github.com/firehol/blocklist-ipsets/wiki you can
> find information on how to update ipsets without restarting the
> firewall. You can define your IP lists too.

The link: https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh on the page: https://github.com/firehol/firehol/wiki/Working-with-IPSETs is dead. I googled around a bit and am sure I am just missing this, but am having trouble finding this script.

So I am not sure how to actually update the ipset I have dynamically. Maybe I could build a second ipset and use 'ipset swap'? But it seems from the instructions below that I should use update-ipsets?

> So the idea is:
> a. At firehol use ipsets (instead of src, use src ipset:NAME,
> check the docs)

Yes. Reading about this feature this seems to be exactly what I want.

> b. Use a cron job to update ip lists on disk, as frequently as you
> like (iprange has a parallel dns resolver in it to resolve thousands
> of hostnames to IPs quickly)

So that is updating the list by dig or something, taking a list of hosts, sub1.mydomain.com, sub2.mydomain.com, sub3.otherdomain.com, to a dotted list of IPs?

> c. Use firehol's update-ipsets to activate the on-disk-updated IP
> lists, at the running firewall, without restarting it.
> Regards,
> Costa

That is really helpful!

Thanks! Jason

> On Sun, Dec 6, 2015 at 10:27 PM, Jason Harris <jasonh at trackabus.com> wrote:
>> First off, I wanted to say thanks for firehol! The documentation and getting
>> started was pretty easy! I really like the "clean" feel to it!
>> So saying that my current issue I am facing is that I would like to
>> white-list a dynamic host(s), eg if my dynamically changing host is
>> jasonLaptop.No-ip.com I would like this white listed with something like:
>> permitted_sites="jasonLaptop.No-ip.com first.server.ourdomain.com
>> second.server.ourdomain.com"
>> interface eth0 world
>>    policy reject
>>    protection strong 30/sec 40 src not "${permitted_sites}"
>>    server http accept src "${permitted_sites}"
>>    server https accept src "${permitted_sites}"
>>    server ntp accept src "${permitted_sites}"
>>    server ssh accept
>> So this works on the surface.
>> Question 1: If jasonLaptop.No-ip.com changes then I would like basically
>> "firehol restart" to be called. Is there a nice way of doing that in
>> firehol? Anybody written some scripts before I re-invent the wheel here?
>> Question 2: Currently for testing I am taking the dumb approach here and
>> just croning a "firehol restart" periodically several times an hour. Is this
>> ok from a security point of view? (I didn't quite understand the bit in the
>> documentation where it talks about the security of the firewall during the
>> boot up period of firehol. I saw it somewhere in the documentation but I am
>> having some trouble finding that section again.)
>> Question 3: Instead of croning a "firehol restart" periodically, I could get
>> slightly more sophisticated with this and just do a dig say every minute on
>> all the permitted sites and if the results of these lookups change then
>> restart firehol... (Importantly if I switch off jasonLaptop.No-ip.com then
>> even if I am croning "firehol restart" periodically then the rules won't get
>> updated since the lookup on jasonLaptop.No-ip.com will fail hence the new
>> configuration will not "take".) So it seems likely that I will need a
>> smarter script here. I thought these might be common questions or there might
>> be another way to handle this so I am asking here first... Is there a better
>> way to do this than rolling my own script here?
>> Question 4: If we are restarting firehol on a semi-regular basis will this
>> cause any problems with fail2ban?
>> Thanks!
>>   Jason
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support
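A script along the lines of Costa's steps b and c, added here as an example (it is neither firehol's own update-ipsets nor code from the thread): it resolves the whitelisted hostnames and emits an `ipset restore` batch that fills a temporary set and atomically swaps it into the live set, so the firewall is never restarted. It assumes firehol.conf declares the set (e.g. `ipset4 create permitted hash:ip`) and the rules use `src ipset:permitted`; the set name, the `resolve_host` helper and the `RESOLVE` override are assumptions.

```shell
#!/bin/sh
# Hypothetical updater for a firehol-managed ipset (example code, not firehol's).
# Usage: emit_restore_batch host1 host2 ... | ipset restore -exist
set -eu

SET_NAME="${SET_NAME:-permitted}"

# Default resolver: ask the system resolver via getent, print IPv4s one per line.
# RESOLVE may name another function so the logic can be tested offline.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Resolve every hostname to a de-duplicated list of IPv4 addresses.
# A host that fails to resolve (e.g. a switched-off dynamic-DNS laptop) is
# omitted rather than kept at its last address: a stale dynamic IP may by
# now belong to someone else, so it must not stay whitelisted.
resolve_list() {
    for h in "$@"; do
        ips=$("${RESOLVE:-resolve_host}" "$h") || ips=""
        if [ -z "$ips" ]; then
            echo "warning: $h did not resolve, omitting it" >&2
            continue
        fi
        printf '%s\n' "$ips"
    done | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Emit an "ipset restore" batch: build a temporary set of the same type as the
# live one, swap the two atomically, then drop the (now old) temporary set.
# The live set is replaced in a single step, so there is no window in which
# the firewall sees an empty whitelist.
emit_restore_batch() {
    tmp="${SET_NAME}_tmp"
    echo "create $tmp hash:ip family inet"
    echo "flush $tmp"
    resolve_list "$@" | sed "s/^/add $tmp /"
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
}
```

Run it from cron with the hostnames as arguments; `-exist` on `ipset restore` keeps a leftover temporary set from a previous interrupted run from aborting the batch.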
