Hi,

How do I deal with a condition of frequently-changing IPs in a firewall? Say for example I have uploads.google.com mapped to a set of 4 IPs and it changes after 3 weeks to a new set of IPs.

Any suggestions?

Regards,

Kaushal

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
Not enough information. Describe your problem a little more. For the time being, I'm going to assume you're talking about rule definitions.

Tom can correct me if I'm wrong, but I don't think it would work to use domain names since the domain names get resolved only once when shorewall is started|restarted.. but I thought of a quick hack you could use:

#WARNING THIS IS NOT TESTED.. this is only a draft. You'll have to work out the details.

You can use this in a cronjob.

Essentially this will query a domain name for its IP addresses; create a string of the IPs separated by commas, then replace the current line in shorewall/rules that has the string "#google-updates" in it with the new string that contains current IPs.
#!/bin/bash
range=""
rulePrefix="ACCEPT      net:"
# leading spaces so the address list and the DEST column do not run together
ruleSuffix="     All         tcp     21    #google-updates"
ipList=( $(dig +short A google.com) )
# make a comma separated string of ips.
for ip in "${ipList[@]}";do
        range+=$ip,
done
# remove trailing comma
range=${range%,}
# replace the line in shorewall/rules that has a comment with the keyword
# 'google-updates' in it (double quotes so the variables expand; -i edits in place)
sed -i "s|.*#google-updates.*|${rulePrefix}${range}${ruleSuffix}|" /etc/shorewall/rules
other
On Sun, Aug 18, 2013 at 11:22 PM, Kaushal Shriyan
<kaushalshriyan@gmail.com> wrote:
> Hi,
>
> How do I deal with a condition of frequently-changing IPs in a firewall?
> Say for example I have uploads.google.com mapped to a set of 4 IP's and
> it changes after 3 weeks to a new set of IP's.
> Any suggestions?
>
> Regards,
>
> Kaushal
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
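A fuller version of the cron approach in the reply above, added here as an example and not taken from the thread: it keeps only well-formed IPv4 records from the dig answer (for an aliased name such as uploads.google.com, dig +short prints the CNAME target before the A records, which would otherwise end up in the rule), refuses to write an empty address list when DNS fails, rewrites the tagged line through a temporary file, and restarts Shorewall only when the line actually changed. The hostname, the rules file path, the rule columns and the RUN_UPDATE switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Hostname, rules
# file path, rule columns and the RUN_UPDATE switch are assumptions.

# Keep only well-formed IPv4 addresses (four octets, each 0-255). `dig +short A`
# prints the CNAME chain before the A records for aliased names, so its
# output cannot be dropped into a rule unfiltered.
filter_ipv4() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($0, o, ".")
            ok = 1
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print
        }'
}

# Join stdin lines with commas (no trailing comma). Sorting makes the same
# set of addresses yield the same string whatever order DNS answered in.
join_comma() {
    sort -u | paste -sd, -
}

# Resolve a name to a comma-separated IPv4 list. Non-zero on a dig error or
# an empty/unusable answer, so a DNS outage never produces an empty ACCEPT.
resolve_ipv4() {
    out=$(dig +short A "$1" 2>/dev/null) || return 1
    out=$(printf '%s\n' "$out" | filter_ipv4 | join_comma)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Replace the tagged line in rules file $1 with the address list $2.
# Prints "changed" or "unchanged" so the caller knows whether to restart.
update_rule_line() {
    rules=$1; range=$2; tag='#google-updates'
    newline="ACCEPT      net:${range}      all     tcp     21    ${tag}"
    grep -qF "$tag" "$rules" || { echo "no line tagged $tag in $rules" >&2; return 1; }
    tmp=$(mktemp "${rules}.XXXXXX") || return 1
    awk -v tag="$tag" -v repl="$newline" \
        'index($0, tag) { print repl; next } { print }' "$rules" > "$tmp"
    if cmp -s "$rules" "$tmp"; then
        rm -f "$tmp"; echo unchanged
    else
        mv "$tmp" "$rules"; echo changed
    fi
}

# Cron entry point: resolve, rewrite, restart only when something changed,
# and let `shorewall check` reject a broken rules file before restarting.
main() {
    range=$(resolve_ipv4 "${1:-uploads.google.com}") \
        || { echo "DNS lookup failed, rules left untouched" >&2; return 1; }
    if [ "$(update_rule_line /etc/shorewall/rules "$range")" = changed ]; then
        shorewall check && shorewall restart
    fi
}

# Run as:  RUN_UPDATE=1 ./update-google-rule.sh uploads.google.com
if [ -n "${RUN_UPDATE:-}" ]; then
    main "$@"
fi
```

Only the tagged line is touched, so the rest of the rules file survives unchanged; a failed lookup leaves the previous (still valid) addresses in place rather than opening or closing the port for nobody.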
Hi,

I like the idea, but:

1) I would put it into the 'script' part of shorewall (for example the "init" file)

2) Add error checks: dig may fail sometime...

...and I would use ipsets.

ipsets can be updated from an independent cronjob for example. Almost instant, without the need to touch the configuration.

--

Regards,
Igor
Putting it in the shorewall-init won't do you any good because that only gets called when Shorewall is being started|restarted. Remember Shorewall is not a daemon process, so there isn't active monitoring going on. So if you're having IPs change from time to time you're going to have to set up the monitoring solution. Cron is an obvious choice, but there are several other implementations.

Thanks for the tip on ipsets. I wasn't familiar with it, but I took a look at it and I like it. It led me here:

This looks like the appropriate solution for you: http://www.shorewall.net/Dynamic.html

On Mon, Aug 19, 2013 at 2:37 AM, Igor Sverkos <igor.sverkos@googlemail.com> wrote:
> Hi,
>
> I like the idea, but:
>
> 1) I would put it into the 'script' part of shorewall (for example the
> "init" file)
>
> 2) Add error checks: dig may fail sometime...
>
> ...and I would use ipsets.
>
> ipsets can be updated from an independent cronjob for example. Almost
> instant, without the need to touch the configuration.
>
>
> --
>
> Regards,
> Igor
>
>

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
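The ipset route Igor suggests and the follow-up agrees with, worked through as an added example (not code from the thread or from the Shorewall project): the rules file refers to a set by name once, and a cron job refreshes the set's members from DNS without editing any configuration or restarting the firewall. The set is refilled through a scratch set and swapped in atomically, so there is no moment where the live set is empty. The set name, hostname, port and the RUN_SYNC switch are assumptions; the Shorewall rule line shown in the comment is the usual `+setname` form and is assumed to already be in /etc/shorewall/rules.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). The set name,
# hostname and the RUN_SYNC switch are assumptions. The matching rule in
# /etc/shorewall/rules (assumed, written once) would look like:
#   ACCEPT    net:+google_updates    all    tcp    21
SET_NAME=${SET_NAME:-google_updates}

# Emit an `ipset restore` batch: fill a scratch set, swap it with the live
# set in one step, then drop the scratch set. The live set is never empty
# or half-filled while the refresh runs.
ipset_swap_batch() {
    set_name=$1; shift
    printf 'create %s hash:ip family inet\n' "$set_name"
    printf 'create %s_tmp hash:ip family inet\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    for ip in "$@"; do
        printf 'add %s_tmp %s\n' "$set_name" "$ip"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Resolve a name to IPv4 addresses, one per line. Non-zero on a dig error
# or an empty answer, so DNS trouble keeps the previous members in place
# instead of swapping in an empty set. CNAME targets are filtered out.
resolve_ipv4() {
    answer=$(dig +short A "$1" 2>/dev/null) || return 1
    answer=$(printf '%s\n' "$answer" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u)
    [ -n "$answer" ] || return 1
    printf '%s\n' "$answer"
}

# Cron entry point. `-exist` makes the `create` lines harmless when the sets
# already exist, so the first and every later run use the same batch.
sync_set() {
    ips=$(resolve_ipv4 "$1") \
        || { echo "DNS lookup for $1 failed; set $SET_NAME left as is" >&2; return 1; }
    # shellcheck disable=SC2086  (word-split the newline-separated list)
    ipset_swap_batch "$SET_NAME" $ips | ipset -exist restore
}

# Run as:  RUN_SYNC=1 ./sync-google-ipset.sh uploads.google.com
if [ -n "${RUN_SYNC:-}" ]; then
    sync_set "${1:-uploads.google.com}"
fi
```

Because the kernel matches against the set at packet time, a refreshed member list takes effect on the next packet with no Shorewall compile or restart; the rules file stays static, which also keeps `shorewall check` and any change tracking on that file meaningful.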