Skip to content

This script facilitates automatic updates to firewall aliases based on DNS entries, enabling dynamic FQDN firewall rules in Proxmox environments. It's designed to ensure that firewall configurations remain synchronized with DNS changes, enhancing security and network management.

License

Notifications You must be signed in to change notification settings

simonegiacomelli/proxmox-firewall-updater

Repository files navigation

Proxmox Firewall Updater

The Proxmox Firewall Updater is a Python script designed to automate the process of updating firewall aliases based on DNS entries. This ensures that firewall configurations remain synchronized with DNS changes, enhancing security and network management in Proxmox environments.

The configuration of the firewall aliases to update is done by adding a comment to the alias with the domain name to resolve.

For example, an alias with the comment #resolve: example.com will be updated with the IP address of example.com.

image

You can also add a comment, like in the image above.

The script only updates an alias if the IP address of the corresponding domain name changes in order to minimize logging.

Installation

To get the script on your Proxmox server, run the following command in your pve shell:

curl https://raw.githubusercontent.com/simonegiacomelli/proxmox-firewall-updater/main/update_firewall_aliases.py -o update_firewall_aliases.py

Scheduling with Cron

You can add a cron job to run the script every 5 minutes:

(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/bin/env python3 $(pwd)/update_firewall_aliases.py 2>&1 | logger -t update_firewall_aliases.py") | crontab -

The cron daemon will log the execution of the script to the system log which is usually too verbose. If you want to avoid this, you can use the scheduling explained in the next section.

Scheduling without Cron

If you prefer to avoid verbose cron job logs, you can create a bash script with a loop that runs the python script every 5 minutes. To activate this script, add it to the @reboot cron job:

echo "while true; do (python3 $(pwd)/update_firewall_aliases.py | logger -t update_firewall_aliases.py); sleep 300; done" > firewall_aliases_updater_forever.sh
chmod +x firewall_aliases_updater_forever.sh
(crontab -l 2>/dev/null; echo "@reboot /bin/bash -c $(pwd)/firewall_aliases_updater_forever.sh &") | crontab -

Beware that the above will take effect at every reboot. The first time, to avoid rebooting the server, you can run the bash script manually:

/bin/bash -c ./firewall_aliases_updater_forever.sh &

Command Line Options

The script supports two optional command line options:

  • --dry-run: Executes the script without making any changes. This is useful for testing and debugging.
  • --verbose: Provides detailed logging of operations, which can aid in understanding the script's behavior and troubleshooting.

You can use both options together for a detailed dry run:

python3 update_firewall_aliases.py --dry-run --verbose

In this mode, the script will print detailed logs of its intended actions without actually making any changes.

Internal Workings

Automated Tests

This project includes comprehensive automated tests to ensure its reliability and correctness. These tests cover various scenarios and edge cases, providing a robust safety net for ongoing development.

The tests are written using Python's built-in unittest module, and they thoroughly test the functionality of the script, including the DNS resolution and the updating of firewall aliases.

To run the tests, clone the repo and use the following command:

python3 -m unittest update_firewall_aliases_test.py

Proxmox API

The script uses pvesh commands to get, create, and set Proxmox VE firewall aliases. For more details, refer to the Proxmox VE API documentation.

pvesh get

Get aliases:

pvesh get cluster/firewall/aliases --output-format json

Example output:

[{"cidr":"1.2.3.4","comment":"comment foo #resolve: example.com","digest":"48ba54e4cabe338b1cb490bb9c5b617f61bd4212","ipversion":4,"name":"alias_example_com"},{"cidr":"0.0.0.0","comment":"comment bar #resolve: example.net","digest":"48ba54e4cabe338b1cb490bb9c5b617f61bd4212","ipversion":4,"name":"alias_example_net"}]

pvesh set

pvesh set cluster/firewall/aliases/alias_example_com -cidr 1.2.3.4 -comment "comments are kept as is"

Relevant Proxmox Forum Thread

For more information, check out this Proxmox Forum thread on firewall aliases with domain names.

About

This script facilitates automatic updates to firewall aliases based on DNS entries, enabling dynamic FQDN firewall rules in Proxmox environments. It's designed to ensure that firewall configurations remain synchronized with DNS changes, enhancing security and network management.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages