Firewall rule using destination/source hostname (and not IP)


#1

Hi,
after defining static-host-mapping in VyOS is it possible to use a hostname in a firewall rule?

Currently I’m using this syntax to define a firewall rule:
set firewall name DMZ-IN rule 100 source address '10.0.0.4'

If I could use a hostname here instead of IP, I could easily adapt a single static-host-mapping instead of modifying all applicable rules with a new IP in case the relevant service is running on a different host with another IP.

THX


#2

There is such a feature request already in Phabricator: https://phabricator.vyos.net/T1097


#3

OK.
This means this function is not available in the current release.


#4

Exactly.
(And now I need to fill the minimum 20 characters for this post :-))


#5

I started that phabricator request, and that’s not really the same thing.

That static-host-mapping thing just makes an /etc/hosts entry. I do believe that iptables does allow hostname entries, but it still basically does it by IP, and just does some flipping around when you enter/display the rule. I don’t think the rule changes if the hostname were to point to a different IP unless you reentered the rule.

The end result is it’s probably a bad idea. While in your scenario it would probably be okay, in other scenarios where the DNS resolution comes from an external source, this would be a massive exploit.

You are better off using firewall groups to accomplish what you want.
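As an added example that is not part of this thread, this is what the group-based approach from #5 looks like in VyOS configuration mode, using the same DMZ-IN ruleset and 10.0.0.4 address from #1 (VyOS 1.2/1.3 syntax, matching the `set firewall name ...` form used above). The group name DMZ-SVC and the replacement address 10.0.0.5 are made up for the example.

```vyos
# Added example, not from the thread. Assumes VyOS 1.2/1.3 firewall syntax;
# the group name DMZ-SVC and the address 10.0.0.5 are hypothetical.
configure

# Define the address group once and have the rule match on the group
# instead of a literal address. The rule never has to change again.
set firewall group address-group DMZ-SVC address '10.0.0.4'
set firewall name DMZ-IN rule 100 source group address-group 'DMZ-SVC'
commit
save

# Later, when the service moves to another host, only the group changes.
# The updated membership is applied at commit; no rule is re-entered and
# nothing on the packet path depends on DNS resolution.
delete firewall group address-group DMZ-SVC address '10.0.0.4'
set firewall group address-group DMZ-SVC address '10.0.0.5'
commit
save

# Check what the ruleset is currently matching against
run show firewall group DMZ-SVC
exit
```

One group can be referenced from any number of rules and can hold several addresses, so the single point of change the original question asks for is the group itself rather than a static-host-mapping entry, which only writes to /etc/hosts and is not consulted by the firewall.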