[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Jason Harris jason at unifiedthought.com
Sat Dec 12 18:02:58 GMT 2015

> On Dec 8, 2015, at 1:48 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>> Ok. but I can use hostnames like eg sub.mydomain.com with ipsets?
> Yes, you have to resolve them first though. iprange does this.
>> The link: https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh on the page: https://github.com/firehol/firehol/wiki/Working-with-IPSETs is dead. I google around a bit and am sure I am just missing this but am having trouble finding this script.
> Thanks! I fixed the link.
> However, it is installed with firehol v3 (the github version).
>> So I am not sure how to actually update the ipset I have dynamically. Maybe I could build a second ipset and using 'ipset swap’? But it seems to be from the instructions below that I should use update-upsets?
> ok.
> 1. Install firehol v3 (this will also require from you to install
> iprange). If you don't know how to do it, follow this procedure:
> https://github.com/firehol/blocklist-ipsets/wiki/Installing-update-ipsets

Ok. I got around to having some time this weekend. To build this (on latest debian jessie) in addition to your listed build steps you also need:

   apt-get install autoconf build-essential curl ipset

This is kind of disappointing since it loads a bunch of gunk onto a production node, (i.e. some 200MB’s of stuff just to get the small firehol firewall. I guess I could remove most of this after the build process… Still this is not so nice for eg ansible,chef, puppet, saltstack, etc which are used to provision vm’s.)

> 2. Create a new file called /etc/firehol/ipsets/myhostsnames.source
> Put there any hostnames you like.
> 3. To resolve its contents to IPs you have to configure update-ipsets
> (https://github.com/firehol/blocklist-ipsets/wiki/Extending-update-ipsets).
> Briefly:
> a. create the file  /etc/firehol/ipsets.d/myhostname.conf
> b. using this content (copy and paste it):
> # update its timestamp, to force reprocessing
> touch /etc/firehol/ipsets/myhostsnames.source
> # configuration about the list
> update myhostnames 1 0 ipv4 ip "" hostname_resolver "category" "some
> info about the list" "your name" "a url for info for the list"
> c. run:
> update-ipsets enable myhostnames

Ok. So I followed these instructions. First there appears to be no update-ipsets disable myhostnames? (I made a mistake in one of the configurations and it would be nice to undo it…)

> d. check it with (this is also the command you need to put at cron):
> update-upsets

For me this fails with the following message (using update-upsets -v)

                  firehol_anonymous|  DISABLED  
                                   | To enable run: update-ipsets enable firehol_anonymous
Loading ipset definitions from: '/etc/firehol/ipsets.d'
Loading ipset definition file: '/etc/firehol/ipsets.d/whitelist.conf'
                          whitelist| parsing attributes: 
                                   | converting with 'hostname_resolver'
                                   |  ERROR  converted file is empty.
 ERROR : '/etc/firehol/ipsets.d/whitelist.conf' failed
Supplied ipsets directory '/usr/share/firehol/ipsets.d' does not exist. Ignoring it.
Supplied ipsets directory '/root/.update-ipsets/ipsets.d' does not exist. Ignoring it.

Cleaning up temporary files in /tmp/update-ipsets-9B34pYTy0N.
Completed successfully.
[root at tester:/etc/firehol/ipsets] $ ls

Any hints on what went wrong? The errors directory is empty...


> If successful, the file /etc/firehol/ipsets/myhostnames.ipset should
> be there with all the IPs.
> 4. In firehol.conf use
> ipset4 MYHOSTNAMES addfile ipsets/myhostnames.ipset
> and later in server/client/nat statements: src ipset:MYHOSTNAMES

More information about the Firehol-support mailing list