[Ferm] @ipfilter on FQDNs or so

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Thu Jun 13 14:43:10 CEST 2013


Dear folks,

> Add support for ferm to automatically apply @ipfilter on constructs
> such as:
>     domain (ip ip6) chain INPUT {
>         saddr (192.0.2.5 2001:db8::5) proto tcp dport ssh ACCEPT;
>     }
> and do the obvious.

BTW.

I often use FQDNs instead of IP addresses. Ferm passes them unchanged
to iptables/ip6tables, which do the actual work of resolving the names.
So I have to keep in mind which hosts have an AAAA record instead of
just writing
    domain (ip ip6) chain INPUT {
        saddr (host1.example.com host2.example.com) proto tcp dport ssh ACCEPT;
    }

A more realistic example from my practice:
domain ip {
    @def $is_ipv4 = 1;              # lets the shared include tell the families apart
    table filter {
        @include 'monitor.ferm';    # defines chain ACCEPT_MONITOR for this domain
        chain INPUT {
            # monitoring
            jump ACCEPT_MONITOR;
...
        }
...
    }
}

domain ip6 {
    @def $is_ipv6 = 1;
    table filter {
        @include 'monitor.ferm';    # same include, evaluated again for ip6
        chain INPUT {
            # monitoring
            jump ACCEPT_MONITOR;
...
        }
...
    }
}

File monitor.ferm:
# Common ip/ip6 include: the same FQDNs are used for both families, so
# iptables and ip6tables each resolve them on their own.

chain ACCEPT_MONITOR {
    # host1 and host2 have both A and AAAA records
    ACCEPT saddr (host1.example.com host2.example.com) {
        proto tcp mod multiport destination-ports (munin 5666);
        proto udp mod multiport destination-ports (ntp snmp);
    }
    # host3 has an A record only, so it must be kept out of the ip6 domain by hand
    @if "$is_ipv4"  ACCEPT saddr (host3.example.com) {
        proto tcp mod multiport destination-ports (munin 5666);
        proto udp mod multiport destination-ports (ntp snmp);
    }
}

It would be lovely if ferm did type checking (A vs. AAAA records)
before generating input for iptables/ip6tables.

I wonder if somebody could implement this feature.


A flaw in ip6tables related to FQDNs also inspires a workaround in Ferm.
Iptables generates multiple rules if a host has multiple A records.
Meanwhile ip6tables (as of version 1.4.8) does not follow this practice
but inserts a single rule even if a host has several AAAA records.
(Note: having a lot of addresses on an interface is natural in the IPv6
world rather than in IPv4. :-)

So it would be a very satisfying solution if Ferm could resolve names itself.
(On demand of course. Not breaking existing scripts.)

What is your opinion?

Regards

Gabor
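What the resolve-it-yourself approach would look like, as an added Python example; this is not code from ferm or from the post above. It takes a ferm-style list of hosts (FQDNs or literal addresses), resolves each one, reports which hosts lack an A or AAAA record, and emits one iptables or ip6tables rule per resolved address for each family, so an IPv4-only host never reaches ip6tables and a host with several AAAA records gets one rule each. The chain name ACCEPT_MONITOR and the ports come from the post; the resolver is pluggable, and the in-memory SAMPLE_ZONE below is constructed for the demo, not real DNS data.

```python
"""Expand FQDNs in a saddr list into per-address iptables/ip6tables rules.

Added example, not part of ferm. The resolver is a plain callable so the
demo can run offline against a constructed zone; system_resolver() uses
the OS resolver (getaddrinfo) for real use.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str], List[str]]

# Constructed sample zone standing in for DNS; these are documentation
# prefixes (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "host1.example.com": ["192.0.2.5", "2001:db8::5"],
    "host2.example.com": ["192.0.2.6", "2001:db8::6", "2001:db8::66"],  # two AAAA
    "host3.example.com": ["192.0.2.7"],                                 # A only
}


def sample_resolver(name: str) -> List[str]:
    """Look the name up in the constructed zone (unknown name -> no records)."""
    return list(SAMPLE_ZONE.get(name, []))


def system_resolver(name: str) -> List[str]:
    """Resolve via the OS: every distinct A and AAAA address for the name."""
    seen: List[str] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
        if family in (socket.AF_INET, socket.AF_INET6) and sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def addresses_of(host: str, resolver: Resolver) -> List[ipaddress._BaseAddress]:
    """Literal addresses pass through untouched; names go to the resolver."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host}: no A or AAAA record")
    return addrs


def missing_families(hosts: List[str], resolver: Resolver) -> Dict[str, Set[int]]:
    """The A-vs-AAAA 'type check': which families (4 or 6) each host lacks."""
    report: Dict[str, Set[int]] = {}
    for host in hosts:
        present = {a.version for a in addresses_of(host, resolver)}
        lacking = {4, 6} - present
        if lacking:
            report[host] = lacking
    return report


def split_by_family(hosts: List[str], resolver: Resolver) -> Tuple[List[str], List[str]]:
    """Return (v4_addrs, v6_addrs), deduplicated, in input order."""
    v4: List[str] = []
    v6: List[str] = []
    for host in hosts:
        for a in addresses_of(host, resolver):
            target = v4 if a.version == 4 else v6
            if str(a) not in target:
                target.append(str(a))
    return v4, v6


def expand_rules(hosts: List[str], proto: str, dports: List[str],
                 resolver: Resolver = system_resolver,
                 chain: str = "ACCEPT_MONITOR") -> List[str]:
    """One rule per address per family, mirroring what iptables does for A records."""
    v4, v6 = split_by_family(hosts, resolver)
    ports = ",".join(dports)
    tail = f"-p {proto} -m multiport --dports {ports} -j ACCEPT"
    return ([f"iptables -A {chain} -s {a} {tail}" for a in v4]
            + [f"ip6tables -A {chain} -s {a} {tail}" for a in v6])


if __name__ == "__main__":
    hosts = sorted(SAMPLE_ZONE)
    for host, lacking in missing_families(hosts, sample_resolver).items():
        print(f"# {host}: no IPv{'/'.join(map(str, sorted(lacking)))} record")
    for rule in expand_rules(hosts, "udp", ["ntp", "snmp"], sample_resolver):
        print(rule)
```

With the constructed zone this prints a note that host3.example.com has no IPv6 record, three iptables rules and three ip6tables rules (two of them for host2.example.com). Pass `system_resolver` (the default) to run it against real DNS; the output is what ferm would hand to iptables/ip6tables if it resolved names itself, with no AAAA-less host ever reaching ip6tables.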
