[Firehol-support] Dynamic hosts (eg no-ip) and fail2ban
jason at unifiedthought.com
Mon Dec 14 00:18:59 GMT 2015
I just spun up a new instance as an example on here. There is nothing else but a stock install of debian 8.2 hosted on digital ocean.
I apt-get installed: git sudo python-pip autoconf build-essential curl ipset
Then ran the script at: https://github.com/firehol/blocklist-ipsets/wiki/Installing-update-ipsets
I’ll send you the login detail in a separate email. But here is the output of `update-ipsets -v` with the contents of the files following:
| To enable run: update-ipsets enable firehol_anonymous
Loading ipset definitions from: '/etc/firehol/ipsets.d'
Loading ipset definition file: '/etc/firehol/ipsets.d/mywhitelist.conf'
mywhitelist| parsing attributes:
| converting with 'hostname_resolver'
| ERROR converted file is empty.
ERROR : '/etc/firehol/ipsets.d/mywhitelist.conf' failed
Supplied ipsets directory '/usr/share/firehol/ipsets.d' does not exist. Ignoring it.
Supplied ipsets directory '/root/.update-ipsets/ipsets.d' does not exist. Ignoring it.
Cleaning up temporary files in /tmp/update-ipsets-O3Z0xZFOWe.
root at testfirehol:/etc/firehol/ipsets# cd ..
root at testfirehol:/etc/firehol# ls
firehol.conf.example fireqos.conf.example ipsets ipsets.d services
root at testfirehol:/etc/firehol# more ipsets/*
*** ipsets/errors: directory ***
*** ipsets/history: directory ***
root at testfirehol:/etc/firehol# more ipsets.d/*
# update its timestamp, to force reprocessing
# configuration about the list
update mywhitelist 1 0 ipv4 ip "" hostname_resolver "category" "a whitelist for me" "Jason Harris" "a url for info for the list"
root at testfirehol:/etc/firehol#
> On Dec 13, 2015, at 5:19 AM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> to disable a list in update-ipsets, just delete its .source file.
> The enable command just touches it.
> Regarding the conversion error, could you please post
> If you don't want to post your whitelist, this should work:
> iprange </etc/firehol/ipsets/whitelist.source
> it should give you the IPs of your hostnames.
> On Sat, Dec 12, 2015 at 8:02 PM, Jason Harris <jason at unifiedthought.com> wrote:
>>> On Dec 8, 2015, at 1:48 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>> Ok. but I can use hostnames like eg sub.mydomain.com with ipsets?
>>> Yes, you have to resolve them first though. iprange does this.
>>>> The link: https://github.com/ktsaou/firehol/blob/master/contrib/update-ipsets.sh on the page: https://github.com/firehol/firehol/wiki/Working-with-IPSETs is dead. I google around a bit and am sure I am just missing this but am having trouble finding this script.
>>> Thanks! I fixed the link.
>>> However, it is installed with firehol v3 (the github version).
>>>> So I am not sure how to actually update the ipset I have dynamically. Maybe I could build a second ipset and using 'ipset swap’? But it seems to be from the instructions below that I should use update-upsets?
>>> 1. Install firehol v3 (this will also require from you to install
>>> iprange). If you don't know how to do it, follow this procedure:
>> Ok. I got around to having some time this weekend. To build this (on latest debian jessie) in addition to your listed build steps you also need:
>> apt-get install autoconf build-essential curl ipset
>> This is kind of disappointing since it loads a bunch of gunk onto a production node, (i.e. some 200MB’s of stuff just to get the small firehol firewall. I guess I could remove most of this after the build process… Still this is not so nice for eg ansible,chef, puppet, saltstack, etc which are used to provision vm’s.)
>>> 2. Create a new file called /etc/firehol/ipsets/myhostsnames.source
>>> Put there any hostnames you like.
>>> 3. To resolve its contents to IPs you have to configure update-ipsets
>>> a. create the file /etc/firehol/ipsets.d/myhostname.conf
>>> b. using this content (copy and paste it):
>>> # update its timestamp, to force reprocessing
>>> touch /etc/firehol/ipsets/myhostsnames.source
>>> # configuration about the list
>>> update myhostnames 1 0 ipv4 ip "" hostname_resolver "category" "some
>>> info about the list" "your name" "a url for info for the list"
>>> c. run:
>>> update-ipsets enable myhostnames
>> Ok. So I followed these instructions. First there appears to be no update-ipsets disable myhostnames? (I made a mistake in one of the configurations and it would be nice to undo it…)
>>> d. check it with (this is also the command you need to put at cron):
>> For me this fails with the following message (using update-upsets -v)
>> firehol_anonymous| DISABLED
>> | To enable run: update-ipsets enable firehol_anonymous
>> Loading ipset definitions from: '/etc/firehol/ipsets.d'
>> Loading ipset definition file: '/etc/firehol/ipsets.d/whitelist.conf'
>> whitelist| parsing attributes:
>> | converting with 'hostname_resolver'
>> | ERROR converted file is empty.
>> ERROR : '/etc/firehol/ipsets.d/whitelist.conf' failed
>> Supplied ipsets directory '/usr/share/firehol/ipsets.d' does not exist. Ignoring it.
>> Supplied ipsets directory '/root/.update-ipsets/ipsets.d' does not exist. Ignoring it.
>> Cleaning up temporary files in /tmp/update-ipsets-9B34pYTy0N.
>> Completed successfully.
>> [root at tester:/etc/firehol/ipsets] $ ls
>> Any hints on what went wrong? The errors directory is empty...
>>> If successful, the file /etc/firehol/ipsets/myhostnames.ipset should
>>> be there with all the IPs.
>>> 4. In firehol.conf use
>>> ipset4 MYHOSTNAMES addfile ipsets/myhostnames.ipset
>>> and later in server/client/nat statements: src ipset:MYHOSTNAMES
More information about the Firehol-support