Page MenuHomeVyOS Platform
Create Task
Maniphest T970

Hostname Support in NAT and Firewall Rules
Needs testing, NormalPublicFEATURE REQUEST
Actions

Description

One thing that keeps me from using VyOS in some environments is the lack of support for host names in firewall groups and rules and nat rules. It would be great if hostnames could be used for rules as not everyone has static IPs, but setting up dynamic DNS is easy. I can tell you this works great in pfSense, OpenSense, and Juniper SRX devices.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

Rhongomiant created this task.Nov 6 2018, 3:40 PM
syncer triaged this task as Low priority.Nov 7 2018, 4:58 PM
rps added a subscriber: rps.Dec 5 2018, 2:40 AM

I agree this is becoming increasingly necessary as vendors turn to AWS for hosting services and IP addressing becomes less static for services.

Supporting a hostname typically results in a DNS lookup at the time of rule creation and then no change until the rule is reloaded. As a work-around to this some distributions reload hostname-based rules every 5 min while others do so daily.

This still has some caveats however: In one example a DNS record which is more dynamic has makes use of a low TTL may change more frequently than the update interval. In another a lookup which returns multiple A records presumably would be expected to generate multiple firewall rules while many implementations may only select the first response. There are other assumptions made on behavior by the user (how are CNAMEs handled?).

To implement this in VyOS the right way would be non-trivial and require a bit of development. I would suggest the use of VyOS-generated address-group (ipset) which is populated and updated by a background process which keeps track of TTL values.

Syntax-wise this could be placed under the umbrella of a new firewall group type e.g. "name-group". Members of a name-group would be a FQDN. A daemon (or routine cron) handle resolving the FQDN(s) into the IP(s) associated while also tracking the TTL. On update new entries would be added but old entries would not be removed until their TTL expired.

Configuration would look something like:

set firewall group name-group NAME-EXAMPLE name 'www.example.com'
set firewall group name-group NAME-EXAMPLE name 'example.com'

set firewall name LAN-OUT rule 100 destination group name-group NAME-EXAMPLE

This would allow name-based functionality to be implemented in the way users often assume is the case despite known caveats and limitations typically encountered in other implementations.

Other enhancements could include DNSSEC support where one a key is learned it is added to the group configuration and enforced unless overridden.

A mock-up of this has been on my to-do list but unfortunately I have not had the time. Is anyone familiar with an existing project which might already do this or something similar?

olivier.hault awarded a token.Dec 16 2018, 9:32 PM
pasik added a subscriber: pasik.Mar 12 2019, 6:09 PM
olivier.hault added a subscriber: olivier.hault.Mar 23 2019, 4:05 PM
syncer renamed this task from Hostname Support to Hostname Support in NAT and Firewall Rules.Mar 1 2020, 9:56 PM
syncer set Is it a breaking change? to Unspecified (possibly destroys the router).
jjakob mentioned this in T2198: Rewrite NAT in new XML/Python style.May 1 2020, 11:06 AM
cgb added a subscriber: cgb.Sep 7 2020, 6:09 PM
masterit added a subscriber: masterit.Feb 19 2021, 4:56 PM
mpueschel added a subscriber: mpueschel.May 25 2021, 10:04 AM
dmbaturin added a project: VyOS 1.4 Sagitta.Jul 29 2021, 1:20 PM
olivier.hault added a comment.Aug 25 2021, 8:15 AM

+1 for 1.4

erkin set Issue type to Feature (new functionality).Sep 1 2021, 10:50 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
adestis added a subscriber: adestis.Dec 14 2021, 3:21 PM
adestis awarded a token.Dec 14 2021, 3:24 PM
syncer changed the task status from Open to In progress.Dec 25 2021, 11:35 PM
syncer raised the priority of this task from Low to High.
syncer moved this task from Need Triage to Backlog on the VyOS 1.4 Sagitta board.
syncer added a subscriber: syncer.

this requires a helper that will be responsible for the DNS resolution and update of the corresponding rules
each DNS resolution will refresh IPs every 15 seconds or in smart mode will rely on DNS TTL for records and will do a lookup on TTL expire (and update firewall if required)

emes added a subscriber: emes.Feb 1 2022, 8:30 PM
christian added a subscriber: christian.Mar 10 2022, 7:16 PM
Viacheslav added a subscriber: Viacheslav.EditedMay 17 2022, 10:04 PM

PR https://github.com/vyos/vyos-1x/pull/1327

set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO default-action 'accept'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
janegil added a subscriber: janegil.May 18 2022, 10:58 PM
steku added a subscriber: steku.May 23 2022, 5:26 AM
Viacheslav changed the task status from In progress to Needs testing.Jun 9 2022, 4:58 PM
Viacheslav lowered the priority of this task from High to Normal.Jun 9 2022, 5:01 PM
Viacheslav added a comment.Jun 10 2022, 11:39 AM

Fix smoketest https://github.com/vyos/vyos-1x/pull/1352

Viacheslav added a comment.EditedJun 10 2022, 12:35 PM
  1. Some domains can't be added, for example dns.google
[email protected]# set firewall group domain-group DOMAINS address dns.google

  
  
  Invalid value
  Value validation failed
  Set failed

[edit]
[email protected]# 

[email protected]# set firewall group domain-group DOMAINS address dns.google.com
[edit]
[email protected]#
  1. Set Domain group without address Fails
[email protected]# set firewall group domain-group DOMAIN
[edit]
[email protected]# commit
[ firewall ]
VyOS had an issue completing a command.

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 458, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 426, in apply
    for address in group_config['address']:
KeyError: 'address'



[[firewall]] failed
Commit failed
[edit]
[email protected]#
Viacheslav added a comment.Jun 10 2022, 3:14 PM

Fix Regex for addresses and python ckecks https://github.com/vyos/vyos-1x/pull/1354

steku removed a subscriber: steku.Jul 11 2022, 2:41 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:06 AM
tioan added a subscriber: tioan.Oct 16 2022, 11:52 AM
olivier.hault added a comment.Oct 29 2022, 9:49 AM

Still on track for 1.4 ?

sdev added a subscriber: sdev.Nov 1 2022, 12:47 PM

PR: https://github.com/vyos/vyos-1x/pull/1633

Adds firewall node rule N source/destination fqdn domain.com for single domains per rule and refactors resolver daemon.

DerEnderKeks added a subscriber: DerEnderKeks.Nov 4 2022, 11:39 AM
marc_s added a subscriber: marc_s.Mar 19 2023, 8:31 PM
olivier.hault added a comment.Fri, May 26, 6:56 AM

How far are we in the testing of this important feature ?

Viacheslav added a comment.Sat, May 27, 7:57 AM
In T970#149229, @olivier.hault wrote:

How far are we in the testing of this important feature ?

Try it with groups

set firewall group domain-group domains address example.com
set nat source rule 100 destination group domain-group domains