Dynamic IPs added to firewall

Kudos to you @BigB:

Lots of well-intended folks say they will take a look (myself included, unfortunately), but the number that follow through is achingly small. And the pull request coming within a few hours puts you in a class by yourself. :star:


I have created a cron job that takes advantage of the fwconsole firewall method that @lgaetz mentioned above, which made things so much easier once the bug was fixed in the module. Thanks a lot for pointing me in the right direction!

I would also like to thank @xrobau for answering some questions about module signing and getting me a signed copy of the firewall module with my changes so I could throw it on our production server and test it out.

Here is the script I made: https://gist.github.com/Yamaha32088/28321c070a2dcb79f630326a72e15dff
Please feel free to make any suggestions or comments. The script was made in a rush, but it seems to work wonderfully so far.

The script works by first requesting a copy of all the authorized IPs from a remote URL and parsing them into an array. I then compare that array to the IPs that are already added to the desired zone and find the difference between the two. I can then delete the IPs that are not in the remote list and add any new ones not previously added. One thing I found out that you should be aware of is that the fwconsole firewall script will overwrite the zone of an existing IP address. If, for example, you have the IP address 1.1.1.1 inside of the trusted zone and then execute `fwconsole firewall add other 1.1.1.1`, it will remove it from the “trusted” zone and add it to the “other” zone, so be careful with that.

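Added example, not part of the post above or the linked gist: a Python sketch of the sync step it describes, which validates every remote entry, refuses to sync from an empty list, and skips entries that already sit in another zone so the zone-overwrite behaviour cannot move them. The function names and sample data are hypothetical, and the `del` subcommand form is assumed to mirror the `add` form quoted in the post.

```python
import ipaddress

def parse_remote(text):
    """Return (valid entries, rejected lines) from the fetched list."""
    good, bad = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # Accept a host or CIDR only; anything else never reaches a command.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            bad.append(raw)
            continue
        good.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return good, bad

def plan_sync(remote_text, current, zone):
    """current maps every entry already in the firewall to its zone."""
    wanted, rejected = parse_remote(remote_text)
    if not wanted:
        # A failed or empty download must not wipe the zone.
        raise ValueError("no valid entries in remote list; refusing to sync")
    in_zone = {e for e, z in current.items() if z == zone}
    # 'add' moves an entry out of its existing zone, so leave those alone.
    conflicts = {e: current[e] for e in wanted if current.get(e, zone) != zone}
    return {
        "add": sorted(wanted - in_zone - set(conflicts)),
        "del": sorted(in_zone - wanted),
        "conflicts": conflicts,
        "rejected": rejected,
    }

def as_argv(plan, zone):
    """Argument lists for subprocess.run (no shell). The 'del' form is assumed."""
    cmds = [["fwconsole", "firewall", "del", zone, e] for e in plan["del"]]
    return cmds + [["fwconsole", "firewall", "add", zone, e] for e in plan["add"]]

# Constructed sample data (documentation address ranges, not from the thread).
REMOTE = "# office\n203.0.113.10\n203.0.113.11\n198.51.100.0/24\n1.1.1.1\n203.0.113.300\nexample.invalid\n"
CURRENT = {"203.0.113.10": "other", "192.0.2.5": "other", "1.1.1.1": "trusted"}

if __name__ == "__main__":
    plan = plan_sync(REMOTE, CURRENT, "other")
    print(plan)
    for argv in as_argv(plan, "other"):
        print(" ".join(argv))
```

Entries reported under `conflicts` and `rejected` are worth logging from the cron job, since either one means the remote list and the firewall disagree in a way the sync will not resolve on its own.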

That DOES seem overly complex. I would probably have just added them all as dynamic DNS entries and put the hostname in. But as long as it works 8)

Or, you could just add them all to an A record of some DNS host, and add that. I did actually miss the start of this, so I would have suggested a better way, but it paid off because YAY I FINALLY HAVE SOMEONE ELSE AS A SUBMITTER TO FIREWALL! 8)

Please add a line about licensing to your script. If you don’t know/care about such things just put:
GNU GPL3+

This has been published to Firewall Edge (including the other pull request) in Firewall 13.0.60.2, so for anyone else looking at this from the future, that’s the minimum version you need!
