Inbound firewall rule based on FQDN or grouped network accepting FQDN

Dear community,

This question has already been asked in 2014/2015, but a lot has changed since then. Iptables is still based on IP addresses, but nowadays there are multiple ways to handle it.

They could be handled through grouped networks, with a kind of cron job updating an internal ipset based on DNS results. I believe Outbound Policy rules with FQDNs have worked a bit like this for a long time now.

The only way I see without this firmware change would be to program it using the InControl2 API. It looks possible to modify grouped_network from this API, and those settings are then sent to the devices. Could anyone confirm this approach and even give a code example to do it using bash, Python, Perl, or whatever?

Regards,


To implement it in the firmware, solution 2 of this question (domain name system - IPtables whitelist dynamic IP by hostname - Server Fault) looks like a possible way to go.

Regards,
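The cron-and-ipset mechanism described in the first post, and the Server Fault approach referenced above, as an added example (not code from the thread, from Peplink's firmware or from InControl2): it resolves a list of FQDNs and swaps the A records into an ipset that an iptables INPUT rule references, so stale addresses drop out and the set is never empty mid-update. The FQDN_LIST names and SET_NAME are placeholders; dig, ipset and iptables are assumed to be installed on the host.

```shell
#!/bin/sh
# Added example (not from the thread, not Peplink/InControl2 code): keep an ipset in
# sync with the A records of vendor FQDNs so an INPUT rule can whitelist by hostname.
# Assumes dig, ipset and iptables exist; FQDN_LIST and SET_NAME are placeholder values.
FQDN_LIST="${FQDN_LIST:-vendor-a.example.com vendor-b.example.com}"
SET_NAME="${SET_NAME:-fqdn_allow}"

# is_ipv4: accept only a dotted quad with octets 0-255, so CNAME targets or other
# non-address lines that `dig +short` may print never reach the set.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# resolve_a: print "fqdn ip" lines for each A record of the name (CNAMEs filtered out).
resolve_a() {
    dig +short A "$1" | while read -r _rr; do
        is_ipv4 "$_rr" && printf '%s %s\n' "$1" "$_rr"
    done
}

# build_ipset_restore: turn "fqdn ip" lines on stdin into an `ipset restore` script that
# fills a temporary set and swaps it in atomically. The comment on each entry records
# which FQDN justified the address, which helps when auditing the live set.
build_ipset_restore() {
    _set="$1"
    printf 'create %s hash:ip family inet comment\n' "$_set"
    printf 'create %s_tmp hash:ip family inet comment\n' "$_set"
    printf 'flush %s_tmp\n' "$_set"
    while read -r _fqdn _ip; do
        is_ipv4 "$_ip" || continue
        printf 'add %s_tmp %s comment "%s"\n' "$_set" "$_ip" "$_fqdn"
    done
    printf 'swap %s_tmp %s\ndestroy %s_tmp\n' "$_set" "$_set" "$_set"
}

# Entry point, meant for cron (`fqdn-ipset.sh apply`): resolve, rebuild the set, and
# make sure the INPUT rule referencing it exists. Nothing runs when only sourced.
if [ "${1:-}" = "apply" ]; then
    for _name in $FQDN_LIST; do resolve_a "$_name"; done \
        | build_ipset_restore "$SET_NAME" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j ACCEPT
fi
```

Because the rule matches on the set rather than on literal addresses, the iptables rule itself never needs to change; only the set contents are refreshed on each cron run.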

I second this. Many vendors now provide us with whitelists based on FQDNs rather than IPs or subnets. This is definitely a need.