On 6/7/20 3:21 PM, PGNet Dev wrote:
> On 6/7/20 1:47 PM, Tom Eastep wrote:
>> Yes. As a general rule, address variables can be used anywhere that a
>> host IP address can be used, unless documented otherwise.
>
> great, thx.
>
> that takes care of the 'local' shorewall instance's tracking etc of a dynamic
> IP address.
>
> that 'local' IP address, when static, is explicitly allowed for admin SSH
> access at a number of remote shorewall instances -- both in normal firewall
> operation, and to ensure post stopped-rule 'emergency' access.
>
> it's worked well enough.
>
> once the 'local' IP address is dynamic, and potentially changed, I'd like to
> accommodate change of the address in the remotes' rules.
>
> my first leaning was to setup a similar custom var in the remote's /init,
> populating it with a
>
> DYN_LOCAL_IPv4_ADDRESS=$( dig A dyn-local-addr.example.com @1.1.1.1 +short 2>/dev/null )
>
> where the A record is itself dynamically updated (using `nsupdate` at my
> nameserver) on IP change.
>
> but, I haven't forgotten your repeated admonitions to NOT use DNS hostnames
> in firewall ...
>
> any best-practice suggestions for getting that dynamically-changed-local-IP
> into the remote FWs?
>
> if it matters, ALL my FWs are locally managed/compiled with SW, and pushed to
> the remotes ...

Why not assign this host a static IP address via DHCP? That's what I do
with my local systems.

Your idea of using DNS isn't terrible if your /init file assigns a
default (like the last known address) so that the firewall will at least
start if DNS lookup fails.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
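
The approach discussed in the reply above (a DNS lookup in the init file, with the last known address as the default), written out as an added example that is not part of the original thread and is not Shorewall's own code. The cache path, the placeholder default address and the function names are assumptions; the hostname, resolver and variable name are the ones from the quoted message.

```shell
# Added example; all names are hypothetical except the dig query from the thread.
DYN_HOST=dyn-local-addr.example.com   # A record named in the thread
DYN_RESOLVER=1.1.1.1                  # resolver used in the thread
DYN_CACHE=${DYN_CACHE:-/var/lib/shorewall/dyn_local_ipv4.last}  # assumed path
DYN_DEFAULT=192.0.2.10                # constructed placeholder default

# True only for a dotted quad whose four octets are each 0..255.
# The body runs in a subshell so IFS and "set --" do not leak into the caller.
is_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# Raw resolver output; may be empty or contain non-address text.
lookup_a() {
    dig A "$DYN_HOST" @"$DYN_RESOLVER" +short +time=2 +tries=1 2>/dev/null
}

# Print the address to use: a validated fresh answer (also saved as the new
# last-known address), else the cached last-known address. Return 1 if neither.
resolve_dyn_addr() {
    # dig +short can list CNAME targets first, so keep only address-shaped lines.
    cand=$(lookup_a | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if is_ipv4 "$cand"; then
        # Write via a temp file so a crash cannot leave a truncated cache.
        { printf '%s\n' "$cand" > "$DYN_CACHE.tmp" &&
            mv -f "$DYN_CACHE.tmp" "$DYN_CACHE"; } 2>/dev/null || :
        printf '%s\n' "$cand"
        return 0
    fi
    if [ -r "$DYN_CACHE" ] && read -r cand < "$DYN_CACHE" && is_ipv4 "$cand"; then
        printf '%s\n' "$cand"
        return 0
    fi
    return 1
}

# The firewall always gets a syntactically valid address, so it can still start.
DYN_LOCAL_IPv4_ADDRESS=$(resolve_dyn_addr) || DYN_LOCAL_IPv4_ADDRESS=$DYN_DEFAULT
```

Validating the answer before use keeps resolver error text or a malformed record out of the rule set, and the cache is only overwritten by an address that passed the check.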