Firewall rule using destination/source hostname (and not IP)

After defining a static-host-mapping in VyOS, is it possible to use a hostname in a firewall rule?

Currently I’m using this syntax to define a firewall rule:
set firewall name DMZ-IN rule 100 source address ''

If I could use a hostname here instead of IP, I could easily adapt a single static-host-mapping instead of modifying all applicable rules with a new IP in case the relevant service is running on a different host with another IP.


There is such a feature request already in Phabricator: T1097 Make firewall groups work everywhere that's appropriate

This means this function is not available with the current release.

(and now I need to fill the minimum 20 characters for this post :-))

I started that Phabricator request, and that's not really the same thing.

That static-host-mapping thing just makes an /etc/hosts entry. I do believe that iptables does allow hostname entries, but it still basically does it by IP, and just does some flipping around when you enter/display the rule. I don’t think the rule changes if the hostname were to point to a different IP unless you reentered the rule.

The end result is it’s probably a bad idea. While in your scenario it would probably be okay, in other scenarios where the DNS resolution comes from an external source, this would be a massive exploit.

You are better off using firewall groups to accomplish what you want.
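An added example of the group-based approach recommended above. These are my own VyOS configuration commands, not commands from the original post; the group name DMZ-WEB, the addresses 192.0.2.10 and 192.0.2.20, and the accept action on rule 100 are assumptions chosen for illustration:

```vyos
# Put the host(s) that run the service into a named address group
# (group name and addresses are assumed for this example)
set firewall group address-group DMZ-WEB address 192.0.2.10
set firewall group address-group DMZ-WEB description 'Hosts serving the DMZ web service'

# Reference the group in the rule instead of a literal IP
set firewall name DMZ-IN rule 100 action accept
set firewall name DMZ-IN rule 100 source group address-group DMZ-WEB

commit
save

# When the service moves to another host, change the group once;
# every rule that references DMZ-WEB picks up the new address on commit
delete firewall group address-group DMZ-WEB address 192.0.2.10
set firewall group address-group DMZ-WEB address 192.0.2.20
commit
save
```

The group is expanded when the configuration is committed, so a change to its membership propagates to every rule that references it, and nothing about the resulting rule set depends on DNS at load time or at match time. That is the property a hostname in an iptables rule does not give you: the name is resolved once when the rule is entered, and a later change to what the name resolves to, whether from a static-host-mapping or from an external resolver, does not alter the installed rule.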