Forum Discussion

Nimbostratus

Sep 12, 2014

iCall for DDNS?

I'm told that an iCall may be appropriate to get around the matter of firewall allows for sites that have multiple ip addresses presented for their namespace. For example, microsoft.com may well res...

Michael_Skreeno

Employee

Sep 17, 2014

Hi jeffnotcarl,

Tested working on 11.5.0 HF4. Supports multiple names in a tcl array (apparently there is no iRules class access??)

Need to add handling of CNAMEs as response, such as update.microsoft.com

First merge verify and then merge the following into your test environment with:

security firewall address-list list-microsoft.com { 
    addresses { 
        1.1.1.1 { } 
    } 
} 
security firewall address-list list-msn.com { 
    addresses { 
        1.1.1.1 { } 
    } 
} 
security firewall address-list list-update.microsoft.com { 
    addresses { 
        1.1.1.1 { } 
    } 
}

Then you can merge in the following iCall based from The Bhattman. I changed - if {$ips ne ""}. This script will run and you should see msn.com and microsoft.com update, update.microsoft.com fails because it includes the cname as part of the +short dig response.

sys icall script firewall-ddns { 
app-service none 
definition { 
    array set mylist { 
    microsoft.com list-microsoft.com 
    msn.com list-msn.com 
    update.microsoft.com list-update.microsoft.com 
    } 
    foreach {key val} [array get mylist] { 
        set ips [exec dig +short @4.2.2.1 $key A] 
        if {$ips ne ""}{ 
            tmsh::modify security firewall address-list $val addresses replace-all-with \{ $ips \} 
        } 
    } 
} 
description none 
events none 
} 
sys icall handler periodic icall_ddns { 
interval 30 
script firewall-ddns 
}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)