[Firehol-support] Recommended method to re-resolve domain names
Mitch Claborn
mitch_ml at claborn.net
Thu Aug 2 17:27:25 BST 2018
Yeah - I don't really need to resolve at boot time, the previous file is
good enough until the next cron run.
Here is a description of my working solution.
Below is my script for preparing the file: it resolves the host names to
IP addresses, then calls firehol to do the update. The "final" file is
saved in /etc/firehol so that it can be read at the next reboot or
firehol start.
ipsets.conf is included in firehol.conf
ipsets.conf contains:
# $1 is the set name; its contents are loaded from /etc/firehol/$1.ipset.final,
# the file that prepare_ipsets.sh writes
setup() {
    ipv4 ipset create "$1" hash:ip timeout 0 comment
    ipset addfile "$1" ip "$1.ipset.final"
}
setup fred
I've put my "prepare_ipsets.sh update" into cron for every 15 minutes.
Setting up a new ipset collection is a bit cumbersome, but it works:
1. Update ipsets.conf with new collection name
2. Run firehol start to create the new collection and make it "managed"
by firehol
3. Run prepare_ipsets.sh to put the content in the ipset
Since "firehol ipset_update_from_file" requires that the ipset
collection be managed by firehol, it would be nice to have a mode of
firehol execution that ONLY did the ipset work but didn't touch the
firewall. This is needed when the ipset is first created. Let me know
if that makes sense and I'll create an issue for it.
------
#!/bin/bash
#
# prepare_ipsets.sh
#
# prepare ipset files by reading the base file and resolving the host names
# comment lines are copied through unchanged, blank lines are skipped
# anything that is not an IP address is assumed to be a host name and
# we attempt to resolve it.
# The ipset name is the filename without its .ipset extension
#
# usage: prepare_ipsets.sh [update]
#   update   also load the result into the running ipset via firehol
BASE=/etc/firehol
# IPv4 address, CIDR or range: 1.2.3.4, 1.2.3.0/24, 1.2.3.4-1.2.3.9
# (the earlier pattern also accepted hostnames made only of hex letters)
ipv4_match='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2}|-[0-9]{1,3}(\.[0-9]{1,3}){3})?$'
# IPv6 address or prefix: must contain a colon, which a hostname never can
ipv6_match='^[0-9a-fA-F:.]*:[0-9a-fA-F:.]*(/[0-9]{1,3})?$'
comment_match='^[[:space:]]*#'

do_file() {
    local FILE=$1 MODE=$2
    local SET=${FILE%.*}
    local FINAL=$FILE.final
    local TMP=$FINAL.tmp
    local line ip
    : > "$TMP"
    while IFS= read -r line || [[ -n "$line" ]]; do
        if [[ $line =~ ^[[:space:]]*$ ]]; then
            continue                          # blank line
        elif [[ $line =~ $ipv4_match || $line =~ $ipv6_match ]]; then
            echo "$line" >> "$TMP"            # literal address - copy through
        elif [[ $line =~ $comment_match ]]; then
            echo "$line" >> "$TMP"            # comment - copy through
        else
            # host name - resolve it. "dig +short" prints CNAME targets before
            # the final A records, so keep only dotted-quad lines; several
            # A records come out one per line.
            ip=$(dig +short A "$line" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$')
            if [ -n "$ip" ]; then
                echo "$ip" >> "$TMP"
            else
                echo "Warning - could not resolve $line" >&2
            fi
        fi
    done < "$FILE"
    # replace the old final file in one step so a concurrent "firehol start"
    # never reads a half-written file
    mv "$TMP" "$FINAL"
    if [ "$MODE" = update ]; then
        /usr/sbin/firehol ipset_update_from_file "$SET" ip "$FINAL"
    fi
}

cd "$BASE" || exit 1
shopt -s nullglob
for F in *.ipset; do
    do_file "$F" "$1"
done
Mitch
On 08/02/2018 12:56 AM, Phil Whineray wrote:
> Yes, the firehol config is just a bash script, so you can call external
> commands.
>
> A note of caution though: ideally your firewall will come up before your
> network interfaces, so that you are protected from the outset. This
> means you cannot reliably resolve DNS entries.
>
> Do you need it to re-resolve at boot time? i.e. is loading the last set
> before reboot not sufficient, or will the host be down for extended periods?
>
> Cheers
> Phil
>
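An added example, not part of the original post or of FireHOL itself: a resolver helper for the cron job above that handles the cases where the plain `dig +short A` output is not usable as an ipset entry (CNAME targets printed before the addresses, several A records for one name) and, unlike Mitch's script, keeps the last successfully resolved addresses when a lookup fails instead of dropping the entry. Whether that is the right fail mode depends on what the set is for: for an allowlist it avoids locking yourself out while DNS is down, for a blocklist it avoids silently unblocking a host. The names RESOLVER, STATE_DIR, dig_a, resolve_ipv4 and resolve_with_cache, and the cache location /var/lib/prepare_ipsets, are assumptions made for this example; RESOLVER is injectable so the helper can be exercised without network access.

```shell
#!/bin/bash
# Added example (not from the original post): resolve a host name to its
# A records while handling three cases the plain dig call does not:
#   1. `dig +short A` prints CNAME targets before the final addresses
#   2. a name may have several A records (one per line)
#   3. if resolution fails, reuse the last-known-good addresses rather
#      than silently dropping the entry from the ipset
# RESOLVER names the command that produces dig-style output (assumed name;
# overridable for offline testing). STATE_DIR is an assumed cache location.

RESOLVER=${RESOLVER:-dig_a}
STATE_DIR=${STATE_DIR:-/var/lib/prepare_ipsets}

# Default resolver: real DNS via dig, errors silenced (no output = failure).
dig_a() { dig +short A "$1" 2>/dev/null; }

# Print only dotted-quad lines from the resolver output, dropping CNAME
# names. Always exits 0 so callers under `set -e` can test emptiness.
resolve_ipv4() {
    "$RESOLVER" "$1" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || true
}

# Resolve with fallback: on success refresh the per-name cache file
# atomically; on failure reuse the cache if one exists.
# Prints addresses one per line; returns 1 if nothing could be produced.
resolve_with_cache() {
    local name=$1 cache="$STATE_DIR/$1.cache" ips
    mkdir -p "$STATE_DIR"
    ips=$(resolve_ipv4 "$name")
    if [ -n "$ips" ]; then
        printf '%s\n' "$ips" > "$cache.tmp" && mv "$cache.tmp" "$cache"
    elif [ -s "$cache" ]; then
        echo "Warning - could not resolve $name, using cached addresses" >&2
        ips=$(cat "$cache")
    else
        echo "Warning - could not resolve $name and no cache available" >&2
        return 1
    fi
    printf '%s\n' "$ips"
}
```

In prepare_ipsets.sh the `ip=$(dig +short A "$line")` line would become `ip=$(resolve_with_cache "$line")`; the cache directory must be writable by the cron user and, like the .final files, is read at the next run rather than at boot, which keeps Phil's point about DNS not being available before the firewall is up.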