[Firehol-support] Recommended method to re-resolve domain names

Mitch Claborn mitch_ml at claborn.net
Thu Aug 2 17:27:25 BST 2018

Yeah - I don't really need to resolve at boot time, the previous file is 
good enough until the next cron run.

Here is a description of my working solution.

Below is my script for preparing the file, resolving the host names to 
ip address, then calling firehol to do the update. The "final" file is 
saved in /etc/firehol so that it can be read at the next reboot or 
firehol start.

ipsets.conf is included in firehol.conf

ipsets.conf contains:
setup() {
   ipv4 ipset create $1 hash:ip timeout 0 comment
   ipset addfile     $1 ip $1.ipset.final
setup fred

I've put my "prepare_ipsets.sh update" into cron for every 15 minutes.

Setting up a new ipset collection is a bit cumbersome, but it works:
1. Update ipsets.conf with new collection name
2. Run firehol start to create the new collection and make it "managed" 
by firehol
3. Run prepare_ipsets.sh to put the content in the ipset

Since "firehol ipset_update_from_file" requires that the ipset 
collection be managed by firehol, it would be nice to have a mode of 
firehol execution that ONLY did the ipset work but didn't touch the 
firewall.  This is needed when the ipset is first created. Let me know 
if that makes sense and I'll create an issue for it.


# prepare_ipsets.sh
# prepare ipset files by reading the base file and resolving the host names
# anything in a file that is a comment is ignored
# anything that is not an IP address is assumed to be a host name and
# we attempt to resolve it.
# The first node of the filename is assumed to be the ipset name


do_file() {

	if [ -f $FINAL ]
	  rm $FINAL
	while read -r line || [[ -n "$line" ]]; do
	    # echo "Text read from file: $line"
	    if [[ $line =~ $ipv_match ]]; then
	      # echo IP address - writing to output
	      echo $line >> $FINAL
	    elif [[ $line =~ $comment_match ]]; then
	      # echo comment - writing to output
	      echo $line >> $FINAL
	      # echo hostname - attempting to resolve
	      ip=`dig +short A $line`
	      # echo ip=[$ip]
	      if [ /$ip/ != // ]; then
	        # echo writing to output
	        echo $ip >> $FINAL
	        echo Warning - could not resolve $line
	done < "$FILE"
	if [ /$2/ == /update/ ]; then
	   /usr/sbin/firehol ipset_update_from_file $SET ip $FINAL

cd $BASE

for F in `ls *.ipset`
	do_file $F $1


On 08/02/2018 12:56 AM, Phil Whineray wrote:
> Yes, the firehol config is just a bash script, so you can call external
> commands.
> A note of caution though: ideally your firewall will come up before your
> network interfaces, so that you are protected from the outset. This
> means you cannot reliably resolve DNS entries.
> Do you need it to re-resolve at boot time? i.e. is loading the last set
> before reboot not sufficient, or will the host be down for extended periods?
> Cheers
> Phil

More information about the Firehol-support mailing list