Firewall Alias with Domainname

[normic]

Hi there,
I've enabled an IPSet "Management" in my Firewall and added some IPs (home office and company).

But my homeoffice sometimes changes the IP. Therefore I've configured all other systems, firewalls etc I need access to, to simply use a Domainname instead of the IP.
Simply said, I'm using a DynDNS service not to connect to my office, but allow my office to connect elsewhere.

I wonder how I could achieve the same with the Proxmox Firewall?
I didn't find an option to add a domain instead of an IP.

Would be glad if someone can point me in the right direction.

Regards,
Michael

 

[Rhinox]

I'm not sure if you can use domainnames in iptables (I guess no), but it is very-very bad idea. First, it would have bad impact on speed (if firewall does ip-lookup whenever rule is matched) or did not help you at all (if firewall does ip-lookup only once, when loading rules). Moreover, by hacking dns someone could defeat your firewall too...

Acceptable compromise might be some script running periodically from cron (i.e. every "x" minutes), doing ip-lookup for your domain name, and updating specific firewall-rule if necessary...

 

[normic]

Thanks for answering Rhinox.
You're right with slow firewall if it would have to lookup on every request. I thought of something I know from Sophos UTMs, there you can add a Host as "DNS Host", which will resolve the IP address a minute later and you can use it.
But I have to admit that I never investigated how this works down to iptables level

Regarding security; if you really succeed in hacking DNS, you will still have to know which domain allows access to which system(s) and of course after that you'll get password resp. certificate prompt.
The main reason for limiting access to IP addresses/domain names is not security, it's to keep the mass of scanners and bots away.

Your idea with the cron script sounds good, but as far as I've seen the is no real CLI for the firewall rules. So I would have to do a lot of regex and sed to replace old IP with new IP directly in the firewall files.

As my IP usually only switches rarely I think I'll stick with connecting from a different server (with fixed IP) and then updating it manually.

 

[dcsapak]

Your idea with the cron script sounds good, but as far as I've seen the is no real CLI for the firewall rules. So I would have to do a lot of regex and sed to replace old IP with new IP directly in the firewall files.

you can use the 'pvesh' command for accessing api calls which are not exposed in an cli tool

e.g. create a new rule

pvesh create /nodes/<NODENAME>/firewall/rules --action ACCEPT --type in --comment 'Some Rule'

or edit one

pvesh set /nodes/<NODENAME>/firewall/rules/0 --comment 'Different Comment'

 

[LnxBil]

We use knockd to authenticate hosts and it automatically adds entries to the PVE firewall itself, so it can be used together. We also implemented a cleanup-worker that's invoked by cron to automatically remove entries after a certain time to unclutter the iptables entries.

 

[normic]

Thank you both, I've learned about pvesh command, which I will use for my purpose.
And I also learned about knockd, wich I will test out and probably use in different scenarios.

 

[LnxBil]

And I also learned about knockd, wich I will test out and probably use in different scenarios.

Please have another IP ready, you would not be the first that locked itself out of its own machine :-D

 

[MarcoP]

pvesh set /nodes/<NODENAME>/firewall/rules/0 --comment 'Different Comment'

Thank you! I'm kind of a newbie with Proxmox and by reading your reply and then getting familiar with the API I came up with the following bash script:

#!/bin/bash

name=alias_name
fqn=dynamic.client.fqn
dns=dynamic.client.dns
comment=My\ dynamic \client

cidr=$(pvesh get cluster/firewall/aliases/${name} | grep -Po '([\d]{1,3}\.){3}[\d]{1,3}')
[ $? -ne 0 -o -z $cidr ] && echo 'cidr command failed' && exit 1

host=$(dig +short @${dns} ${fqn})
[ $? -ne 0 -o $cidr == $host ] && exit 0

pvesh set cluster/firewall/aliases/${name} -cidr ${host} -rename ${name} -comment "${comment}"
[ $? -eq 0 ] && echo "${fqn} IP changed from ${cidr} to ${host}" && exit 0

exit $?

Use it at your own risk, I'm not liable for any issue it may cause.
In any other case I really wish it to be of any help and, why not, worth for pve wiki.

N.B.: I had to use -rename to get rid of a warning from /usr/share/perl5/PVE/API2/Firewall/Aliases.pm because not initialised.

 

[guletz]

Hi,

A better ideea is to use a vpn(openvpn) from dynIP -> static IP !

 

[Peter_]

Hi,
I modified the script to add the ip of domains to the firewall ipset management, if it changed.
If you are remote and want validate the script, please open the ports 8006 and ssh temporarily:
In Datacender/Firewall:
Enable=True, Type=in, Protocoll=tcp, Destination port = 8006
Enable=True, Type=in, Macro=ssh

The builtin Ipset management must exists. Create it in Datacender/Firewall/Ipset:
Name: management
Comment: allows Port 8006, 5900-5999, 3128, 22

#!/bin/bash

#set -x  #uncomment to see echo of commands

checkip() {
  # parameter $1: the domain whith dynamic ip, direct or cname entry to dynamic dns
 
  cidr=$(pvesh get cluster/firewall/ipset/management | grep $1 | grep -Po '([\d]{1,3}\.){3}[\d]{1,3}')
  [ $? -ne 0 -o -z $cidr ] && echo 'cidr command failed' | systemd-cat -t pvefwmgmt && return 1

  #get host IP from $1, also if $1 is CNAME alias
  host=$(getent ahostsv4 $1 | grep STREAM | head -n 1 | cut -d ' ' -f 1)
  [ $? -ne 0 -o -z $host ] && echo 'getent command failed' | systemd-cat -t pvefwmgmt && return 1

  if [ -z "$cidr" ] ; then
    echo add firewall entry $1 to $host | systemd-cat -t pvefwmgmt
    pvesh create cluster/firewall/ipset/management -cidr ${host} -comment $1
  else
    if [ "$cidr" !=  "$host" ] ; then
      echo change firewall entry $1 to $host | systemd-cat -t pvefwmgmt
      #if exist many entries for $1 in cluster/firewall/ipset/management, every should delete
      while read -r line
      do
        pvesh delete cluster/firewall/ipset/management/${line}
      done <<< "$cidr"
      pvesh create cluster/firewall/ipset/management -cidr ${host} -comment $1
    else
      echo firewall entry $1  $host not changed
    fi
  fi
}

checkip home1.mydomain.com
checkip home2.mydomain.com
checkip phone.mydomain.com

Save it to /root/setdynfw.sh and allow execute: chmod +x setdynfw.sh

with crontab -e run the script every 5 mintute:

*/5 * * * * /bin/bash /root/setdynfw.sh > /root/setdynfw_log.txt 2>&1

/bin/bash is needed for the line: done <<< "$cidr"

A new IP is written to systemd, show with: journalctl -t pvefwmgmt

If there is nothing, see in /root/setdynfw_log.txt for other errors. To see the script echo activate set -x.

 

[FingerlessGloves]

Used the the script on my Proxmox server, as it sits on the edge in a OVH DC.

It error'd the first few times with the following error, but I'm sure its because the IPset didn't contain any IPs with the comment of a passed domain.

./setdynfw.sh: line 9: [: argument expected

Many thanks for the script ;-)

 

[Mandarine]

Thanks for the script MarcoP, very useful.

 

[jaytee129]

Does the script by @MarcoP modified by @Peter_ above still work today? I'd really like to be able to use this but I'm getting 'cidr command failed'

+ checkip myhost.mydomain.com
++ pvesh get cluster/firewall/ipset/management
++ grep myhost.mydomain.com
++ grep -Po '([\d]{1,3}\.){3}[\d]{1,3}'
+ cidr=
+ '[' 1 -ne 0 -o -z ']'
+ echo 'cidr command failed'
+ systemd-cat -t pvefwmgmt
+ return 1

Script is unchanged except that I call checkip myhost.mydomain.com at the end.

yes, the following IPSet existed at Datacenter level prior to running script, as required.



Is there anything else that needs to be enabled or set (besides firewall) that wasn't mentioned here?

Any info would be appreciated

 

[FingerlessGloves]

still working for me.

In your IPSet have you create some blank entries with the comment as the fqdn that you want to use then run the script?

 

[jaytee129]

still working for me.

In your IPSet have you create some blank entries with the comment as the fqdn that you want to use then run the script?

Thanks.

Do mean like this? (it wouldn't let me leave the name field blank)



Or like this? (it wouldn't let me leave IP/CIDR blank)



Or something else?

 

[FingerlessGloves]

View attachment 39652

Or something else?

Like this then run the script and the IP should change to the DNS record

 

[jaytee129]

that worked. thanks!

 

[SimoneGiacomelli]

Hi all,

I've created a script to help manage firewall aliases automatically via DNS entries, ensuring they stay updated with any changes.

The script is easy to install (one curl command) and can be set up to run periodically.
The configuration is done through the GUI by adding the domain name to resolve in a comment:




For those interested in using this tool, check out the GitHub repository at Proxmox Firewall Updater.

My goals writing this python script were:
- easy to configure. No configuration files, only the usual gui
- easy to install. Copy and paste the commands (so I don't need my brain on when I install a new box)
- everything is unit tested
- logging: only what it is needed. The script send to syslog only when it updates an ip
- logging: avoid the annoying cron log every 5 minutes that clog the syslog

Looking forward to your feedback!