Have you thought about using an ipset in stoppedrules to accept access? The ipset can be populated from Shorewall's init, the command line, or any bash script. You can even build a web page (protected by Apache login) to add the accessor's IP address to the ipset (for PHP, $_SERVER['REMOTE_ADDR']).

Using SEC, Simple Event Correlator http://simple-evcorr.github.io/, you can configure it to read DHCP log messages and populate the ipset. SEC uses regular expressions to parse the log file. You could key on something like host name.
$ dnf search sec
============================= Name Exactly Matched: sec ==========================
sec.noarch : Simple Event Correlator script to filter log file entries
A while back, I wrote a PHP program to populate an ipset from a DNS lookup. It's on Shorewall's user contributed FTP. I invoke it from crontab to look up the IP addresses for Let's Encrypt and add them to an ipset (crontab):
10 0 * * * /usr/local/sbin/DNSlookup_ipset.php -4 -c letsencrypt.dnslookup -s letsencrypt -t 3600 2>&1
Bill
On 6/8/2020 4:30 PM, Tom Eastep wrote:
On 6/8/20 1:04 PM, PGNet Dev wrote:
i've set
/init
DYN_IP=$( dig A dyn.example.com @1.1.1.1 +short 2>/dev/null )
then use
%{DYN_IP}
in my SW configs, e.g. in /rules.
if I want to add a fallback value, what's the correct syntax/usage?
in fool_sm config, e.g., I use the form
checkip=${SW_ETH0_GATEWAY:-1.2.3.4}
where "SW_ETH0_GATEWAY" is an internal var.
with the dynamic address variable, DYN_IP
is it safe/valid to 'include' the fallback in the var definition in /init as
DYN_IP=${ $( dig A dyn.example.com @1.1.1.1 +short 2>/dev/null ) : -1.2.3.4 }
of course, using the *right* (???) syntax ..., and continue to use just
%{DYN_IP}
?
or, do I need to use
%{DYN_IP:-1.2.3.4}
or somesuch throughout?
Shorewall doesn't support the latter syntax so you will have to assign the default in /init
-Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
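
One way to assign the default in /init, as the quoted reply advises; this is an added example, not code from the thread or from Shorewall. It goes a step beyond a plain `${DYN_IP:-1.2.3.4}` by accepting only a well-formed IPv4 address from the resolver output before the value reaches the rules. The helper names `is_ipv4` and `pick_ipv4` and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Shorewall code): validated lookup with a fallback for /init.

# Succeeds only for a dotted quad whose four octets are each 0-255.
# The body is a subshell, so the IFS change and positional parameters do not leak.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|*.) exit 1 ;;   # empty, stray characters, or trailing dot
    esac
    IFS=.
    set -- $1                        # split on dots; input is digits and dots only
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# pick_ipv4 RAW_OUTPUT FALLBACK   (hypothetical helper)
# Prints the first line of RAW_OUTPUT that is a valid IPv4 address.
# Non-address lines (alias names, resolver error text) are skipped.
# If nothing qualifies, prints FALLBACK and warns on stderr.
pick_ipv4() {
    while IFS= read -r _line; do
        if is_ipv4 "$_line"; then
            printf '%s\n' "$_line"
            return 0
        fi
    done <<EOF
$1
EOF
    echo "pick_ipv4: no usable address, using fallback $2" >&2
    printf '%s\n' "$2"
}

# Intended use in /init (needs the network, so it is left commented out here):
# DYN_IP=$(pick_ipv4 "$(dig A dyn.example.com @1.1.1.1 +short 2>/dev/null)" 1.2.3.4)

# Constructed sample: an alias line followed by an address.
sample='alias.dyn.example.net.
203.0.113.7'
pick_ipv4 "$sample" 1.2.3.4
```

With this in /init, the rules can keep using plain %{DYN_IP}; the fallback is applied once, at the point of assignment.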