Page MenuHomePhabricator

Hostname Support
Open, LowPublicFEATURE REQUEST

Description

One thing that keeps me from using VyOS in some environments is the lack of support for host names in firewall groups and rules and nat rules. It would be great if hostnames could be used for rules as not everyone has static IPs, but setting up dynamic DNS is easy. I can tell you this works great in pfSense, OpenSense, and Juniper SRX devices.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Low priority.Nov 7 2018, 4:58 PM
rps added a subscriber: rps.Dec 5 2018, 2:40 AM

I agree this is becoming increasingly necessary as vendors turn to AWS for hosting services and IP addressing becomes less static for services.

Supporting a hostname typically results in a DNS lookup at the time of rule creation and then no change until the rule is reloaded. As a work-around to this some distributions reload hostname-based rules every 5 min while others do so daily.

This still has some caveats however: In one example a DNS record which is more dynamic has makes use of a low TTL may change more frequently than the update interval. In another a lookup which returns multiple A records presumably would be expected to generate multiple firewall rules while many implementations may only select the first response. There are other assumptions made on behavior by the user (how are CNAMEs handled?).

To implement this in VyOS the right way would be non-trivial and require a bit of development. I would suggest the use of VyOS-generated address-group (ipset) which is populated and updated by a background process which keeps track of TTL values.

Syntax-wise this could be placed under the umbrella of a new firewall group type e.g. "name-group". Members of a name-group would be a FQDN. A daemon (or routine cron) handle resolving the FQDN(s) into the IP(s) associated while also tracking the TTL. On update new entries would be added but old entries would not be removed until their TTL expired.

Configuration would look something like:

set firewall group name-group NAME-EXAMPLE name 'www.example.com'
set firewall group name-group NAME-EXAMPLE name 'example.com'

set firewall name LAN-OUT rule 100 destination group name-group NAME-EXAMPLE

This would allow name-based functionality to be implemented in the way users often assume is the case despite known caveats and limitations typically encountered in other implementations.

Other enhancements could include DNSSEC support where one a key is learned it is added to the group configuration and enforced unless overridden.

A mock-up of this has been on my to-do list but unfortunately I have not had the time. Is anyone familiar with an existing project which might already do this or something similar?

pasik added a subscriber: pasik.Mar 12 2019, 6:09 PM