[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban

Tsaousis, Costa costa at tsaousis.gr
Sun Dec 13 04:19:47 GMT 2015


To disable a list in update-ipsets, just delete its .source file.
The enable command just touches it.

Regarding the conversion error, could you please post
/etc/firehol/ipsets/whitelist.source?

If you don't want to post your whitelist, this should work:

iprange </etc/firehol/ipsets/whitelist.source

it should give you the IPs of your hostnames.

Costa

On Sat, Dec 12, 2015 at 8:02 PM, Jason Harris <jason at unifiedthought.com> wrote:
>
>> On Dec 8, 2015, at 1:48 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>
>>> Ok, but I can use hostnames like e.g. sub.mydomain.com with ipsets?
>>
>> Yes, you have to resolve them first though. iprange does this.
>>
>>
>>> The link: https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh on the page: https://github.com/firehol/firehol/wiki/Working-with-IPSETs is dead. I googled around a bit and am sure I am just missing this but am having trouble finding this script.
>>
>> Thanks! I fixed the link.
>> However, it is installed with firehol v3 (the github version).
>>
>>
>>> So I am not sure how to actually update the ipset I have dynamically. Maybe I could build a second ipset and using 'ipset swap'? But it seems to be from the instructions below that I should use update-ipsets?
>>
>> ok.
>>
>> 1. Install firehol v3 (this will also require from you to install
>> iprange). If you don't know how to do it, follow this procedure:
>> https://github.com/firehol/blocklist-ipsets/wiki/Installing-update-ipsets
>
> Ok. I got around to having some time this weekend. To build this (on latest debian jessie) in addition to your listed build steps you also need:
>
>    apt-get install autoconf build-essential curl ipset
>
> This is kind of disappointing since it loads a bunch of gunk onto a production node, (i.e. some 200MB's of stuff just to get the small firehol firewall. I guess I could remove most of this after the build process... Still this is not so nice for e.g. ansible, chef, puppet, saltstack, etc which are used to provision vm's.)
>
>> 2. Create a new file called /etc/firehol/ipsets/myhostsnames.source
>> Put there any hostnames you like.
>>
>> 3. To resolve its contents to IPs you have to configure update-ipsets
>> (https://github.com/firehol/blocklist-ipsets/wiki/Extending-update-ipsets).
>> Briefly:
>>
>> a. create the file  /etc/firehol/ipsets.d/myhostname.conf
>> b. using this content (copy and paste it):
>>
>> # update its timestamp, to force reprocessing
>> touch /etc/firehol/ipsets/myhostsnames.source
>>
>> # configuration about the list
>> update myhostnames 1 0 ipv4 ip "" hostname_resolver "category" "some
>> info about the list" "your name" "a url for info for the list"
>>
>> c. run:
>>
>> update-ipsets enable myhostnames
>
> Ok. So I followed these instructions. First there appears to be no update-ipsets disable myhostnames? (I made a mistake in one of the configurations and it would be nice to undo it…)
>
>> d. check it with (this is also the command you need to put at cron):
>>
>> update-ipsets
>
> For me this fails with the following message (using update-ipsets -v)
>
>                   firehol_anonymous|  DISABLED
>                                    | To enable run: update-ipsets enable firehol_anonymous
> Loading ipset definitions from: '/etc/firehol/ipsets.d'
> Loading ipset definition file: '/etc/firehol/ipsets.d/whitelist.conf'
>                                    |
>                           whitelist| parsing attributes:
>                                    | converting with 'hostname_resolver'
>                                    |  ERROR  converted file is empty.
>  ERROR : '/etc/firehol/ipsets.d/whitelist.conf' failed
> Supplied ipsets directory '/usr/share/firehol/ipsets.d' does not exist. Ignoring it.
> Supplied ipsets directory '/root/.update-ipsets/ipsets.d' does not exist. Ignoring it.
>
> Cleaning up temporary files in /tmp/update-ipsets-9B34pYTy0N.
> Completed successfully.
> [root at tester:/etc/firehol/ipsets] $ ls
>
> Any hints on what went wrong? The errors directory is empty...
>
> Thanks!
>    Jason
>
>> If successful, the file /etc/firehol/ipsets/myhostnames.ipset should
>> be there with all the IPs.
>>
>> 4. In firehol.conf use
>>
>> ipset4 MYHOSTNAMES addfile ipsets/myhostnames.ipset
>>
>> and later in server/client/nat statements: src ipset:MYHOSTNAMES
>>
>
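Added example, not code from firehol, update-ipsets or iprange: a small Python script that does what the hostname_resolver step in the thread is described as doing (read a .source file, pass literal IPv4 addresses and CIDR blocks through, resolve everything else as a hostname, write a de-duplicated list) and that refuses to return an empty result, which is the condition behind the "converted file is empty" error Jason hit. The sample .source content, the example.net hostnames and the stub resolver are constructed so the script runs offline; swap in system_resolver to query real DNS, and run it against your own whitelist.source to see which names fail to resolve.

```python
"""Resolve a FireHOL-style .source file into an ipset list (added example).

Not code from firehol/update-ipsets; it only mirrors the behaviour the
thread describes: hostnames are resolved to IPv4 addresses, and an empty
result is treated as an error rather than written out as an empty ipset.
"""
import ipaddress
import socket
from typing import Callable, List

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses with the OS resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def parse_source(text: str) -> List[str]:
    """Return the non-empty, non-comment tokens of a .source file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            entries.extend(line.split())
    return entries


def _fmt(net: ipaddress.IPv4Network) -> str:
    """Print single hosts as plain addresses and blocks in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def convert_source(text: str, resolver: Resolver = system_resolver) -> List[str]:
    """Turn .source entries into a sorted, de-duplicated IPv4 list.

    Literal IPv4 addresses/CIDRs pass through unchanged; any other token is
    treated as a hostname and resolved. IPv6 literals are skipped because
    the list in the thread is declared as ipv4. Raises ValueError when
    nothing usable comes out, so a caller never loads an empty set into
    the live firewall by mistake.
    """
    nets = set()
    unresolved = []
    for entry in parse_source(text):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # not an IP literal, so treat it as a hostname
        if net is not None:
            if net.version == 4:
                nets.add(net)
            continue
        addrs = resolver(entry)
        if not addrs:
            unresolved.append(entry)
        for addr in addrs:
            nets.add(ipaddress.ip_network(addr, strict=False))
    if not nets:
        raise ValueError("converted file is empty; unresolved: %r" % unresolved)
    return [_fmt(n) for n in sorted(nets)]


# Constructed sample of what /etc/firehol/ipsets/myhostsnames.source could hold.
CONSTRUCTED_SOURCE = """\
# constructed sample, not a real list
home.example.net      # a dynamic-DNS style hostname
vpn.example.net
192.0.2.10            # a literal address is kept as-is
198.51.100.0/24       # a CIDR block is kept as-is
"""


def fake_resolver(hostname: str) -> List[str]:
    """Constructed stand-in for DNS so the example runs offline."""
    table = {
        "home.example.net": ["203.0.113.7"],
        "vpn.example.net": ["203.0.113.7", "203.0.113.8"],  # duplicate on purpose
    }
    return table.get(hostname, [])


def demo() -> List[str]:
    """Convert the constructed sample with the stub resolver."""
    return convert_source(CONSTRUCTED_SOURCE, fake_resolver)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

If every hostname in your file fails to resolve (a typo, a DNS problem on the host, or a dynamic name that has expired), the script raises instead of producing an empty list; that is the same situation the quoted update-ipsets run reports, and running this against the whitelist.source shows which entries are the cause.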
