Adding a host with dynamic IP address to firewall objects

NethServer Version: v7
Module: shorewall

I would like to add a host to the firewall objects. However, the host has only a dynamic IP address. It is accessible by a DDNS account, i.e. it has a (sub)domain which is accessible from the internet (for example test.mooo.com - I know that this URL doesn’t exist; it is only an example).

The problem is that I can only enter an IP address to define a host as a firewall object and not a domain name.

Is there any other possibility for that? Or a workaround via the configuration files?

The problem with trying to use a domain name in any firewall is that its IP would only be looked up as the firewall is loaded. If it subsequently changes then the firewall would not see that change.

A possible way around this would be a script, running via cron or similar, which verifies the IP and, if it changes, updates one of the Shorewall files in the template system and signals firewall-adjust.

Cheers.

5 Likes

OK I understand…

however, I have no experience with scripts running via cron… Would it be too much effort for you to write such a script for me? Of course I could adjust it…

Hi @phonon112358
You can try this:
Create a host object “myhost” (or another name) and assign it a random IP.

From the shell, create a script checkip.sh:

cd /root
mkdir script
cd script
vi checkip.sh

and copy the following:

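#!/bin/bash
myhost='www.nethserver.it'
# Take the first "Address: " line that nslookup prints for the answer
myhostip=$(nslookup "$myhost" | awk '/^Address: / { print $2 ; exit }')
# "myhost" in the db call is the name of the host object created above
db hosts setprop myhost IpAddress "$myhostip"
signal-event firewall-objects-modify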

Replace www.nethserver.it with your host (test.moo.com)
Make the script executable with

chmod +x checkip.sh

Schedule the script to run every hour with cron:

crontab -e

An empty file will appear; add:

0 * * * * /root/script/checkip.sh

I have not tried it.

2 Likes

You will also need this at the end of the script to force a reload of the firewall.

/sbin/e-smith/signal-event firewall-adjust

Cheers.

3 Likes

@EddieA you’re right.
I had forgotten a line in the script.
I think it’s enough

signal-event-objects-modify firewall

(Edited previous answer)

1 Like

Initially I was going to ask what the difference is between “signal-event-objects-modify firewall” and “signal-event firewall-adjust”, but after a little research, my question now becomes:

What is “signal-event-objects-modify” as there is no script/executable with that name.

Cheers.

It’s like nethserver-firewall-base-save at least, but modules (webfilter, proxy…) can extend this event with additional actions.

ll /etc/e-smith/events/firewall-objects-modify
total 0
lrwxrwxrwx 1 root root 40 Feb 24 22:29 S90nethserver-firewall-base-save -> ../actions/nethserver-firewall-base-save

1 Like

What I was referring to was the last post from @enzoturri where he says the command is: “signal-event-objects-modify firewall”.

I didn’t notice previously, but it looks like he correctly updated his first post: “signal-event firewall-objects-modify”.

So maybe now I ask the original question that sprung to mind: What’s the difference between the events: “firewall-objects-modify” and “firewall-adjust”, as the doc here uses “firewall-adjust”.

Cheers.

1 Like

Thanks a lot!!!

I have added an if condition that checks whether the IP of the host has changed at all.
Here is my code:

myhostip=$(dig +short test.mooo.com)
old=$(db hosts getprop myhost IpAddress)
if [ "$old" != "$myhostip" ]
then
    db hosts setprop myhost IpAddress "$myhostip"
    signal-event firewall-objects-modify
fi

It works really great for me! :wink:

2 Likes

This code looks logically correct but syntactically a little shaky - I’ve updated it to the following - add your hostname

myhost='my hostname'
# Resolve the DDNS name; "myhost" in the db calls is the host object's name
myhostip=$(dig +short "$myhost")
old=$(db hosts getprop myhost IpAddress)
if [ "$old" != "$myhostip" ]
then
    db hosts setprop myhost IpAddress "$myhostip"
    signal-event firewall-objects-modify
fi
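
The scripts in this thread write whatever the lookup returns into the host object, so a failed lookup or a CNAME line in the `dig +short` output would put an empty or non-IP value into a firewall rule. The following is an added example, not code from any poster in the thread: it validates the answer first and keeps the old address when no valid A record comes back. The names `is_ipv4`, `first_ipv4`, `decide`, `sync_host_object`, `DDNS_NAME`, `HOST_OBJECT` and the `--apply` switch are hypothetical, and it assumes the host object is called "myhost".

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the host object is named
# "myhost" and db sits beside signal-event in /sbin/e-smith (added to PATH for cron).
PATH=/sbin/e-smith:$PATH
DDNS_NAME='test.mooo.com'   # example name used in the thread
HOST_OBJECT='myhost'

# is_ipv4 ADDR: succeed only for a dotted quad, octets 0-255, no leading zeros.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
}

# first_ipv4: print the first valid IPv4 line of `dig +short` output on stdin,
# skipping CNAME targets and error text; fail when there is none.
first_ipv4() {
    while IFS= read -r line; do
        if is_ipv4 "$line"; then printf '%s\n' "$line"; return 0; fi
    done
    return 1
}

# decide OLD NEW: name the action for the stored and the freshly resolved address.
decide() {
    if ! is_ipv4 "$2"; then echo skip-invalid
    elif [ "$1" = "$2" ]; then echo unchanged
    else echo update
    fi
}

sync_host_object() {
    new=$(dig +short A "$DDNS_NAME" | first_ipv4) || new=''
    old=$(db hosts getprop "$HOST_OBJECT" IpAddress)
    case $(decide "$old" "$new") in
        update)
            db hosts setprop "$HOST_OBJECT" IpAddress "$new"
            signal-event firewall-objects-modify
            logger -t checkip "$HOST_OBJECT: $old -> $new" ;;
        skip-invalid) logger -t checkip "no valid A record for $DDNS_NAME, keeping $old" ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then sync_host_object; fi   # cron calls: checkip.sh --apply
```

Run without arguments the file only defines its functions; the crontab line from the thread would call it as `/root/script/checkip.sh --apply`.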