[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Jason Harris jason at unifiedthought.com
Tue Dec 8 19:56:26 GMT 2015


> On Dec 8, 2015, at 1:48 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> 
>> Ok. but I can use hostnames like eg sub.mydomain.com with ipsets?
> 
> Yes, you have to resolve them first though. iprange does this.

Ok.



>> The link: https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh on the page: https://github.com/firehol/firehol/wiki/Working-with-IPSETs is dead. I google around a bit and am sure I am just missing this but am having trouble finding this script.
> 
> Thanks! I fixed the link.
> However, it is installed with firehol v3 (the github version).

Ahh. I had just been using the distributions apt-get install version.
 

>> So I am not sure how to actually update the ipset I have dynamically. Maybe I could build a second ipset and using 'ipset swap’? But it seems to be from the instructions below that I should use update-upsets?
> 
> ok.
> 
> 1. Install firehol v3 (this will also require from you to install
> iprange). If you don't know how to do it, follow this procedure:
> https://github.com/firehol/blocklist-ipsets/wiki/Installing-update-ipsets

Ahh. So those instructions are clear! Thanks! One question though is this is installing the head branch version. This is going to go on production machines... so is there any hash which is more stable than others? Or at least a release candidate I should be using? eg 3.0.0-rc.4 maybe? Or maybe even better a ppa? (I am not at all a packaging guru so don't immediately know how to make a ppa, but I do know it would be very nice to have the firewall on the production machines to be updated when our automatic unattended security upgrades periodically kick in...) (Of course I am guessing this is likely not a trivial amount of work…)
> 2. Create a new file called /etc/firehol/ipsets/myhostsnames.source
> Put there any hostnames you like.
> 
> 3. To resolve its contents to IPs you have to configure update-ipsets
> (https://github.com/firehol/blocklist-ipsets/wiki/Extending-update-ipsets).
> Briefly:
> 
> a. create the file  /etc/firehol/ipsets.d/myhostname.conf
> b. using this content (copy and paste it):
> 
> # update its timestamp, to force reprocessing
> touch /etc/firehol/ipsets/myhostsnames.source
> 
> # configuration about the list
> update myhostnames 1 0 ipv4 ip "" hostname_resolver "category" "some
> info about the list" "your name" "a url for info for the list"
> 
> c. run:
> 
> update-ipsets enable myhostnames
> 
> d. check it with (this is also the command you need to put at cron):
> 
> update-ipsets
> 
> If successful, the file /etc/firehol/ipsets/myhostnames.ipset should
> be there with all the IPs.
> 
> 4. In firehol.conf use
> 
> ipset4 MYHOSTNAMES addfile ipsets/myhostnames.ipset
> 
> and later in server/client/nat statements: src ipset:MYHOSTNAMES
> 

Thanks!
   Jason


More information about the Firehol-support mailing list