tortixd acl

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
KREATOR
New Forum User
Posts: 3
Joined: Thu Sep 10, 2015 5:46 am
Location: USA

tortixd acl

Unread post by KREATOR »

Hello,

I'm trying to restrict access to tortixd to one IP, but I have a dynamic IP address. I want to know if I can set a hostname in /etc/asl/firewall/tortixd-access-list instead of an IP?

Thanks.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Location: earth

Re: tortixd acl

Unread post by scott »

That's something we just implemented in the asl-4.0-testing channel (v4.0.15-30.2 atm). I could actually use the feedback on the feature.

The nature of using hostnames here is that

1) the firewall will do a DNS lookup at the time the rule is loaded, and convert it to an IP address.
2) Once that is loaded, a change to the hostname won't have any effect until the firewall rules get reloaded.
3) When it is reloaded a DNS query is run and we hope that DNS server doesn't have the old IP still cached.

Nothing we can do about 1, since that's just how the IP stack works. But for item 2, what we can do is have a special rule class that reloads periodically (currently, every 24 hours), and 3 is outside the scope here. The dynamic DNS services usually set the TTL on a record pretty low to help with that.

If you want to try it out, upgrade to the latest build:

1) yum --enablerepo=asl-4.0-testing upgrade asl asl-web
2) set FW_DYN_WHITELIST="yes" in /etc/asl/config
3) add your hostname(s) to /etc/asl/dyn-whitelist
4) reload the firewall: service asl-firewall restart
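The following is an added illustration of points 1 and 2 from the reply above, not code from the thread or from Atomic Protector itself. It models what a dynamic whitelist means for a firewall: each hostname is resolved once at rule-load time, and until the next reload the rules keep the old address, so a dynamic-DNS change leaves the new address blocked and the old one allowed. The file format (one hostname or literal IP per line, `#` comments) and the function names are assumptions; the sample entries and DNS answers are constructed so the script runs offline.

```python
"""Resolve a hostname whitelist the way a firewall would at rule-load time,
and report entries whose DNS answer has drifted since the rules were loaded.

Added example, not Atomic Protector code. The whitelist format below is an
assumption (one hostname or IP per line, '#' starts a comment).
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A resolver maps a hostname to an IPv4 string; the default is the system
# resolver, but tests and dry runs can inject a fixed mapping instead.
Resolver = Callable[[str], str]

# Constructed sample whitelist (not a real /etc/asl/dyn-whitelist).
SAMPLE_WHITELIST = """# constructed sample
home.example.net   # dynamic DNS name for a home connection
192.0.2.10         # static office address, used as-is
"""


def parse_whitelist(text: str) -> List[str]:
    """Return the non-empty, non-comment entries in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def resolve_entries(entries: Iterable[str],
                    resolver: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Map each entry to the address the firewall would load right now.

    Literal IPs pass through unchanged (this is what a static rule does).
    Hostnames go through the resolver exactly once, mirroring point 1 of the
    reply: the rule freezes whatever DNS answered at load time. An entry that
    fails to resolve maps to None so it is visibly missing rather than
    silently dropped from the rule set.
    """
    resolved: Dict[str, Optional[str]] = {}
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
            resolved[entry] = entry
            continue
        except ValueError:
            pass  # not a literal address, treat as a hostname
        try:
            resolved[entry] = resolver(entry)
        except OSError:  # socket.gaierror is a subclass of OSError
            resolved[entry] = None
    return resolved


def drifted_entries(loaded: Dict[str, Optional[str]],
                    current: Dict[str, Optional[str]]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Entries whose DNS answer differs from what the loaded rules contain.

    Each tuple is (entry, ip_in_loaded_rules, ip_dns_returns_now). This is
    point 2 of the reply: until the firewall reloads, the loaded address is
    still the one allowed, whatever DNS says now. A periodic reload (the
    24-hour class described above) bounds how long this window stays open.
    """
    return [(entry, loaded.get(entry), ip)
            for entry, ip in current.items()
            if entry in loaded and loaded[entry] != ip]


if __name__ == "__main__":
    # Dry run with constructed DNS answers instead of live lookups.
    at_load = resolve_entries(parse_whitelist(SAMPLE_WHITELIST),
                              resolver={"home.example.net": "198.51.100.7"}.__getitem__)
    later = resolve_entries(parse_whitelist(SAMPLE_WHITELIST),
                            resolver={"home.example.net": "198.51.100.9"}.__getitem__)
    print("loaded rules:", at_load)
    for entry, old, new in drifted_entries(at_load, later):
        print(f"stale rule: {entry} loaded as {old}, DNS now returns {new}; reload needed")
```

Running the dry run shows the home entry frozen at its load-time address while the static address is untouched; in practice the same check, run before the periodic reload, tells an administrator whether the reload will actually change anything.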