
Forum Discussion

jeffnotcarl_142
Sep 12, 2014

iCall for DDNS?

I'm told that an iCall may be appropriate to get around the matter of firewall allows for sites that have multiple ip addresses presented for their namespace. For example, microsoft.com may well resolve to 134.170.188.221 for the next few minutes, but rolls to 134.170.185.46 minutes later. As such, allowing 'microsoft.com' becomes a bit tricky when there is no fixed address to present to the fw rule.

 

I am a TOTAL iCall neophyte--consider me completely clueless. How can I go about resolving this dilemma?

 

Best Regards!

 

6 Replies

  • Hi Jeffnotcarl,

    Here is a crude example I quickly put together. Hopefully it's a start.

        sys icall script firewall-microsoft {
            app-service none
            definition {
                # Ask 4.2.2.1 for the A records of microsoft.com; +short prints one address per line
                set ips [exec dig +short @4.2.2.1 microsoft.com A]
                # With "eq" the address list is only rewritten when dig returned an empty answer
                # (see the corrected version later in this thread)
                if { $ips eq "" } {
                    tmsh::modify security firewall address-list microsoft-rule addresses replace-all-with \{ $ips \}
                }
            }
            description none
            events none
        }

        # Run the script every 30 seconds
        sys icall handler periodic microsoft-rule {
            interval 30
            script firewall-microsoft
        }
    

    I hope this helps

  • Keep in mind that this is completely untested. I Frankenstein'd it using the WIKI and other posts on DevCentral.

     

    The one thing I didn't put in there is detecting when there is no resolution so that might need to be put in, but I figure this is a start. Hopefully the smart folks on this forum can jump in and help flesh it out with you.

     

  • Hi jeffnotcarl,

    Tested working on 11.5.0 HF4. Supports multiple names in a tcl array (apparently there is no iRules class access??)

    Need to add handling of CNAMEs as response, such as update.microsoft.com

    First merge verify, then merge the following into your test environment:

        # Placeholder address lists; the iCall script below replaces the 1.1.1.1 members on each run
        security firewall address-list list-microsoft.com {
            addresses {
                1.1.1.1 { }
            }
        }
        security firewall address-list list-msn.com {
            addresses {
                1.1.1.1 { }
            }
        }
        security firewall address-list list-update.microsoft.com {
            addresses {
                1.1.1.1 { }
            }
        }
    

    Then you can merge in the following iCall based on The Bhattman's. I changed - if {$ips ne ""}. This script will run and you should see msn.com and microsoft.com update; update.microsoft.com fails because it includes the cname as part of the +short dig response.

        sys icall script firewall-ddns {
            app-service none
            definition {
                # hostname -> address-list name
                array set mylist {
                    microsoft.com        list-microsoft.com
                    msn.com              list-msn.com
                    update.microsoft.com list-update.microsoft.com
                }
                foreach {key val} [array get mylist] {
                    # one line per answer; for a CNAME'd name the target hostname is printed too
                    set ips [exec dig +short @4.2.2.1 $key A]
                    # only touch the list when dig actually returned something
                    if { $ips ne "" } {
                        tmsh::modify security firewall address-list $val addresses replace-all-with \{ $ips \}
                    }
                }
            }
            description none
            events none
        }
        sys icall handler periodic icall_ddns {
            interval 30
            script firewall-ddns
        }
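
The update.microsoft.com failure described in that reply comes from `dig +short` printing the CNAME target name ahead of the A records, so a hostname lands in replace-all-with. The following is an added example, not code from this thread or from F5, that shows in Python how to split dig's output into addresses and names before building the tmsh command, and how to treat an empty answer. The sample outputs, the name cname-target.example.net and the 192.0.2.x addresses are constructed for the demonstration; the 134.170.x.x addresses are the ones from the question.

```python
import ipaddress
import subprocess

# Constructed sample of `dig +short <name> A` output for a name that is a CNAME:
# dig prints the target name first, then the target's A records. The target
# name and the 192.0.2.x addresses are documentation values, not real answers.
SAMPLE_CNAME_OUTPUT = "cname-target.example.net.\n192.0.2.10\n192.0.2.11\n"

# Constructed sample for a name that answers with A records only (addresses
# taken from the question above).
SAMPLE_A_ONLY_OUTPUT = "134.170.188.221\n134.170.185.46\n"


def split_dig_short(output):
    """Split `dig +short` text into (addresses, names).

    Each non-empty line is either an IP literal or a DNS name (the CNAME
    target). ipaddress.ip_address() is the classifier: whatever it rejects is
    a name. Addresses keep answer order; names lose their trailing dot.
    """
    addresses, names = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addresses.append(str(ipaddress.ip_address(line)))
        except ValueError:
            names.append(line.rstrip("."))
    return addresses, names


def address_list_command(list_name, addresses):
    """Render the tmsh command that replaces an address-list's members.

    Returns None when there is nothing to apply, so a timeout, SERVFAIL or
    NXDOMAIN (empty dig output) leaves the existing entries untouched instead
    of emptying the list.
    """
    if not addresses:
        return None
    members = " ".join(addresses)
    return ("modify security firewall address-list {} addresses "
            "replace-all-with {{ {} }}").format(list_name, members)


def dig_short(name, server, timeout=5):
    """Run the same dig query the iCall script uses and return its stdout.

    Needs network access and a dig binary; the sample data above does not
    exercise it.
    """
    proc = subprocess.run(
        ["dig", "+short", "+time=" + str(timeout), "@" + server, name, "A"],
        capture_output=True, text=True, timeout=timeout + 5, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    for list_name, sample in (("list-microsoft.com", SAMPLE_A_ONLY_OUTPUT),
                              ("list-update.microsoft.com", SAMPLE_CNAME_OUTPUT)):
        addrs, names = split_dig_short(sample)
        print(list_name, "->", address_list_command(list_name, addrs),
              "(skipped names:", names, ")")
```

Two caveats a practitioner should weigh before wiring this into a periodic handler. First, keeping the old members on an empty answer preserves availability but can leave an allow for addresses the name no longer points at; emptying the list fails closed instead, and which you want is a policy choice. Second, every address written to the list comes from an unauthenticated answer from whatever resolver is on the @ argument, so a spoofed or hijacked response becomes a firewall allow; point the query at a resolver you control and consider validating it.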
    
  • Dear Michael Skreenock,

     

    Thank you so much for this solution. It works perfectly!! You are the most mega-awesome F5 guru on the planet!!!

     

    Regards, JNC

     

    bwolmarans_1284
    Historic F5 Account

    If cnames are bugging you, here's a sample TCL script that will resolve cnames recursively, and a code snippet to show how to call it in place of dig:

     

    ---snip---
        # resolvv.tcl follows the CNAME chain and writes the addresses to /config/resolvv.txt
        exec /config/resolvv.tcl $fqdn $dns_ip
        set xx [open /config/resolvv.txt r]
        set ip_list [read $xx]
        close $xx
        # Grab first IP only.
        # Roadmap feature might be to geolocate closest server from the list returned.
        set ip [lindex $ip_list 0]
    ---snip---

    and here's the tcl script named resolvv.tcl. In my example, I am just saving this script to /config and making it executable.

     

        #!/usr/bin/tclsh
        # Resolve $fqdn against $server, recursing into any CNAME target until only addresses remain
        proc resolve_this { fqdn server {answer ""} } {
            set l1 [exec dig +short @$server $fqdn a]
            foreach i $l1 {
                set i [string tolower $i]
                # anything containing a letter is a name (CNAME target), not an IPv4 literal
                if { [regexp {[a-z]} $i] } {
                    # keep the recursive result; discarding it would drop every address behind a CNAME
                    set answer [resolve_this $i $server $answer]
                } else {
                    set answer "$answer\n$i"
                }
            }
            return $answer
        }
        set final_answer [string trim [resolve_this [lindex $argv 0] [lindex $argv 1]]]
        set x [open /config/resolvv.txt w]
        puts $x $final_answer
        close $x
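
The recursive resolver above has no guard against a CNAME loop or a very long chain, and a periodic iCall script that recurses forever is a cheap way for a broken or hostile zone to tie up the box. As an added example, not part of this thread and not F5 code, here is the same follow-the-CNAME idea in Python with a visited set and a chain-length limit, run against a constructed answer table so it works offline. The names under example.com/example-cdn.net and the RFC 5737 addresses are made up for the demonstration; the dig-backed lookup is included for real use but is not exercised by the sample data.

```python
import ipaddress
import subprocess

# Constructed answer table standing in for `dig +short @server name a`: each
# entry lists what dig would print for that name (CNAME targets appear as
# names, A records as addresses). Names and addresses are documentation values.
FAKE_ANSWERS = {
    "update.example.com": ["edge.example-cdn.net."],            # CNAME only
    "edge.example-cdn.net": ["192.0.2.10", "192.0.2.11"],
    "www.example.com": ["198.51.100.5", "alias.example.com."],  # mixed answer
    "alias.example.com": ["198.51.100.6"],
    "loop-a.example.com": ["loop-b.example.com."],              # CNAME loop
    "loop-b.example.com": ["loop-a.example.com."],
}


def fake_lookup(name):
    """Lookup against the constructed table; unknown names answer empty."""
    return list(FAKE_ANSWERS.get(name.rstrip(".").lower(), []))


def dig_lookup(server):
    """Build a real lookup function of the same shape, backed by dig."""
    def lookup(name):
        proc = subprocess.run(["dig", "+short", "+time=3", "@" + server, name, "a"],
                              capture_output=True, text=True, check=False)
        return proc.stdout.split()
    return lookup


def resolve_addresses(name, lookup, max_names=8, _seen=None):
    """Follow CNAME chains until only addresses remain.

    Stops on a loop (name already visited) and after max_names distinct names,
    so a broken or hostile zone cannot keep the caller recursing. Duplicates
    are dropped and first-seen order is kept.
    """
    seen = _seen if _seen is not None else set()
    name = name.rstrip(".").lower()
    if name in seen or len(seen) >= max_names:
        return []
    seen.add(name)
    found = []
    for record in lookup(name):
        record = record.strip()
        if not record:
            continue
        try:
            found.append(str(ipaddress.ip_address(record)))
        except ValueError:
            # not an address, so treat it as a CNAME target and follow it
            found.extend(resolve_addresses(record, lookup, max_names, seen))
    return list(dict.fromkeys(found))


def first_address(name, lookup):
    """The 'grab first IP only' step from the snippet; None when nothing resolved."""
    addresses = resolve_addresses(name, lookup)
    return addresses[0] if addresses else None


if __name__ == "__main__":
    for fqdn in ("update.example.com", "www.example.com",
                 "loop-a.example.com", "missing.example.com"):
        print(fqdn, "->", resolve_addresses(fqdn, fake_lookup))
```

Swapping `fake_lookup` for `dig_lookup("4.2.2.1")` gives the behaviour of the Tcl helper; the caller still has to decide what to do when the result is empty, since writing nothing into the address list and emptying it are different firewall outcomes.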