Allow domains as source for firewall rules

fkh

May 18, 2014
Hi

Would it be possible to not just allow IPs but also domain names in the source field of the firewall rules? I wanted to allow the OVH health check services to ping my servers as mentioned at [0] but instead of using the domain names of the OVH servers I had to use their IP instead. I don't know how often OVH is actually going to change the IPs of those services but in theory it could result in false positives. Is there a reason why only IPs are allowed?

[screenshot 1]

[screenshot 2]


Thx
fkh

[0] http://help.ovh.com/Firewall - Exclude and Authorize an IP address
 
Using domain names would be dangerous, because DNS lookup is not reliable (what if the DNS server is offline?).
 
You can also use IP sets and aliases.

Hi Dietmar

Thank you for the fast response. As you can see in the 2nd screenshot I'm already using IP sets to group all OVH IPs that are related to ping/health check. But the problem remains the same with IP sets and aliases in that I cannot use domain names and must fall back to static IPs.

Wouldn't it be possible to just display a warning message that what one is about to do could potentially be dangerous, but leave it up to the users themselves to decide whether or not they want to take this risk? I mean, I could still fire up a script that uses domain names, but I prefer to do everything either in the web console or via CLI/scripts and not mix configs too much.

I understand that there are certain cases that may be problematic but especially for my use case with OVH I think this would be acceptable (at least for me). If the OVH DNS are down (I didn't change them so my servers still use OVH's DNS) both OVH and I would have other problems than their servers not able to ping my servers ;)

Thx
fkh
 
I understand that there are certain cases that may be problematic

I guess it would be possible to implement some kind of cache, and simply use values from that cache if DNS is not available. But this is not implemented.
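An added example (not code from this thread or from Proxmox) of the two ideas above: a script that resolves the allowed hostnames, keeps the last known addresses in a cache so a DNS outage does not silently empty the set, and emits an IPSET block in the syntax of /etc/pve/firewall/cluster.fw. The hostnames, cache path and set name are constructed placeholders; a domain with neither a fresh nor a cached answer is dropped rather than guessed.

```python
import json
import socket
from pathlib import Path

# Constructed placeholder hostnames, not the real OVH monitoring servers.
ALLOWED_DOMAINS = ["ping.example.net", "health.example.net"]
CACHE_FILE = Path("/var/cache/fw-dns-ipset.json")  # assumed location


def resolve(domain, lookup=socket.getaddrinfo):
    """Return the sorted list of addresses for domain, or None if lookup fails."""
    try:
        infos = lookup(domain, None)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None
    return sorted({info[4][0] for info in infos})


def resolve_with_cache(domains, cache, lookup=socket.getaddrinfo):
    """Resolve each domain; when DNS fails, reuse the last known addresses.
    Returns (domain -> addresses, set of domains served from the cache).
    A domain with no fresh and no cached answer is left out entirely."""
    result, stale = {}, set()
    for domain in domains:
        addrs = resolve(domain, lookup)
        if addrs:
            cache[domain] = addrs      # refresh the cache on success
            result[domain] = addrs
        elif domain in cache:
            result[domain] = cache[domain]
            stale.add(domain)          # mark as served from cache
    return result, stale


def ipset_section(name, addrs_by_domain, stale):
    """Render an [IPSET name] block in the cluster.fw file syntax."""
    lines = [f"[IPSET {name}]"]
    for domain, addrs in sorted(addrs_by_domain.items()):
        for addr in addrs:
            cidr = f"{addr}/128" if ":" in addr else f"{addr}/32"
            note = "cached, DNS failed" if domain in stale else "resolved"
            lines.append(f"{cidr} # {domain} ({note})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cache = json.loads(CACHE_FILE.read_text()) if CACHE_FILE.exists() else {}
    current, stale = resolve_with_cache(ALLOWED_DOMAINS, cache)
    CACHE_FILE.write_text(json.dumps(cache))
    print(ipset_section("ovh-health", current, stale), end="")
```

Run it from cron and splice the printed block into cluster.fw (or push the addresses with pvesh); the firewall rules then reference the set, which is what the web UI already supports.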
 
Well it's not that urgent but maybe something you may consider implementing in the future. Anyways thank you for the clarification on the current state and why it was done this way. I think we can close this thread then.

Thx
fkh
 
Bump. I think it'd be a really useful feature, dynamic IPs tied to DNS.
 