Quico/update-firewall-source
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
update-firewall-source/README.md

5.3 KiB
Raw Blame History

update-firewall-source

Update a firewall rule that relies on dynamic DNS names

What

  • This script assumes exclusive ownership of the firewalld direct rules file /etc/firewalld/direct.xml or whereever configured

  • List of address can be empty, direct file will then be removed

  • After every execution script will trigger systemd firewalld service restart

  • No subnet, will simply not be validated

  • Include example systemd unit file and install instructions

  • firewall-cmd --check-config

  • default location for config file and default name for config file

  • we should deduplicate list

  • is intended to help with just docker-user

  • man page https://ipset.netfilter.org/iptables.man.html we do iptables

  • added in order

  • related, established? needed?

Config structure

Package configuration happens via a config.ini file that follows INI-style syntax. Copy examples/config.ini.example to config.ini to get started:

[DEFAULT]
target = ACCEPT
addr =
ports = 80, 443
proto = tcp

[anyone-can-access-website]

[these-guys-can-dns]
addr = google.li, 142.251.36.195, lowendbox.com, 2606:4700:20::ac43:4775
ports = 53
proto = tcp, udp

[maybe-a-webserver]
addr = 2606:4700:20::681a:804, lowendtalk.com
ports = 80, 443

[allow-anyone-to-access-mail-services]
ports = 143, 993, 110, 995, 25, 465, 587

[deny-all]
target = DENY
addr =
ports =
proto =

Layout

A config file can have an optional [DEFAULT] section and must have at least one [section] other than [DEFAULT]. Any [DEFAULT] option that's undefined retains its default value. Feel free to delete the entire [DEFAULT] section from your file.

A setting changed in [DEFAULT] section affects all sections. A setting changed only in a custom [section] overwrites it for only the section.

Custom sections such as [maybe-a-webserver] in above example file are treated as organizational helper constructs. You can but don't have to group IP address rules by sections. Technically nothing's stopping you from adding all IP allow list entries into a single section.

Example explanation

In above example file note that [anyone-can-access-website] makes [maybe-a-webserver] irrelevant, the latter one could easily be deleted. [anyone-can-access-website] does not overwrite defaults, it's an empty section. With it firewalld will create a rule that - following all default settings - allows access from any source address on TCP ports 80 and 443. In section [maybe-a-webserver] we do the same and additionally limit source addresses. Rules are added in config.ini order so the first rule permitting access to TCP ports 80 and 443 from anywhere makes the second one irrelevant.

We strongly recommend you do keep the very last example section:

[deny-all]
target = DENY
addr =
ports =
proto =

If a packet has traversed rules this far without being accepted it will be dropped.

Options

A custom [section] has the following options all of which are optional.

  • target, optional, defaults to ACCEPT: A string specifying the fate of a packet that matched this rule. By default matching packets are accepted. See "TARGETS" section in iptables man page. You'll most likely want to stick to either ACCEPT or DROP.

  • addr, optional: A comma-separated list of any combination of IPv4 addresses, IPv6 addresses and domain names. When update-firewall-source.py constructs firewalld rules these addresses are allowed to access the server. If left undefined addr defaults to an empty list meaning rules apply to any arbitrary source address.

    Subnets are unsupported, both as subnet masks (142.251.36.195/255.255.255.248) and in CIDR notation (142.251.36.195/29). Do not single- nor double-quote list entries. Do feel free to separate entries with comma-space instead of just a comma.

  • ports, optional, defaults to 80, 443: A comma-separated list of ports that should be accessible from addr. If overwritten to an empty option addr may access all ports.

  • proto, optional, defaults to tcp: A protocol that should be allowed for addr on ports. If undefined this defaults to tcp being allowed. Since firewalld direct rules use iptables syntax the list of possible protocol names is largely identical to what the iptables man page says about its --protocol argument:

    The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A ! argument before the protocol inverts the test. The number zero is equivalent to all.

    Your mileage may vary depending on which specific OS flavor and version you're running.