Automatically update a Linux firewall (ufw) with DNS lookup results

Perhaps a long shot, but it seems that the firewall rules (ufw) on a Debian Linux setup do not support domain names - only IP addresses.

Could anyone recommend or even provide a way to use the results of a 'domain name' -> DNS node lookup to update the firewall (ufw) with the resulting IP address (the associated port / protocol is always 53 / udp)?

Ideally the process flow would remove the old IP rule after adding the new one?

Maybe better to ask somewhere else as it's not a Node-RED issue

Hi @cymplecy

Thanks for responding..

I totally agree, the root cause is not a Node-RED issue, but that's where the value of Node-RED comes in with things like the exec node etc. How best can information be gathered in one place (e.g. a DNS lookup) and applied elsewhere (e.g. a template node injected into an exec node)?

Just looking to understand from the NR community the best way to plug this hole in the Linux firewall set up..

What sort of rule are you trying to setup?

I don't fully understand what you are trying to achieve, but this is what I use to update ufw with Cloudflare's IP addresses, if it helps.

Sorry all if I’m not explaining this very well..

At the moment I have a locked down virtual machine that I only want to have a very limited number of IP addresses listed in its firewall rules (so I can ensure everything can only come from/go to where I want it).

Currently the VM is set up to only be accessed from the LAN (192.xxx.xxx addresses) and to go out to just one external destination, known only by a specific domain name (which is a private VPN).

I'm using the following flow (using the dns node) to 'look up' what the underlying IP address is of a particular domain name, e.g. google.com

When that IP is known, if it's new (e.g. 178.123.123.4), I want to write that address into the VM's (ufw) firewall rules (and ideally into a log file too so there's a record) - and if possible also remove the previous related rule.

Example of the new rule that would need to be written via a command line is below...

sudo ufw allow out to 178.123.123.4 port 53 proto udp

And to delete the old rule I think it would be this command...

sudo ufw delete allow out to 178.233.123.4 port 53 proto udp

Maybe you could tweak the script that I posted above to use the IP from the DNS node, instead of the IPs that are obtained from Cloudflare.

Hi @Paul-Reed - I did look at that script, but the difference there is that the script contains a URL which lists all of their IPs ready for you, removing the need to do any DNS reverse/look-ups first to know what the IPs are.

Also, I really don't know how to write a bash script, plus seeing as I can already get the IP address via the previously shared flow, it feels like my desired end state is easier to achieve via the Node-RED UI?

I’m playing with some ideas, just curious how others would go about it?

Hi; on a related note, I've got the following flow, which I've attempted two different ways with the dns node, both going via an exec node, yet only the one using the template node works successfully? The other seems to add a space when it appends the payload - any ideas?

I think the way I would approach it would be to have a script that runs under sudo that reads a file and applies changes to the firewall.

Then a second script that does the lookup and writes to the file (doesn't need sudo). I'd call that script from Node-RED and let the first run on a schedule.

There are lots of ways to return an IP address from a domain name. The simplest probably being ping.

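Putting the two halves of this thread together (the add / delete / log commands the OP listed above, and the suggestion just made of a lookup script plus a privileged step that applies the change), here is one way the whole thing could be written as a single script. This is an added example, not code from the thread or from the Node-RED project. It assumes a hypothetical script name `ufw-dns-sync.sh`, state and log paths under `/var/lib` and `/var/log`, that the domain resolves to one IPv4 address, that `getent` (glibc) is available, and that it runs as root or via `sudo`; the domain `vpn.example.com` used in the comments is a placeholder.

```shell
#!/bin/sh
# ufw-dns-sync.sh - added example, not from the thread or the Node-RED project.
# Keeps one outbound ufw rule (port 53/udp, as in the thread) in sync with the
# current A record of a domain: resolve, add the new rule, delete the old one,
# record the change. Assumptions (hypothetical): the domain has one IPv4 address,
# ufw is installed, the script runs as root (or via sudo), and the state/log
# paths below are writable. Save it as ufw-dns-sync.sh so the guard at the end runs main.

STATE_FILE="${STATE_FILE:-/var/lib/ufw-dns-sync/current_ip}"
LOG_FILE="${LOG_FILE:-/var/log/ufw-dns-sync.log}"
UFW="${UFW:-ufw}"    # set UFW="echo ufw" for a dry run that only prints the commands
PORT=53
PROTO=udp

# First IPv4 address for a name, via the system resolver (glibc getent).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Accept only a plain dotted quad, so nothing else is ever passed to ufw.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# sync_rule DOMAIN NEW_IP: compares NEW_IP with the stored one and updates ufw.
# Returns 0 on success or no change, 1 on a bad address or a failed ufw call.
sync_rule() {
    domain="$1"
    new_ip="$2"
    old_ip=""
    if [ -f "$STATE_FILE" ]; then
        old_ip=$(cat "$STATE_FILE")
    fi

    if ! valid_ipv4 "$new_ip"; then
        echo "refusing invalid address '$new_ip' for $domain" >&2
        return 1
    fi

    if [ "$new_ip" = "$old_ip" ]; then
        return 0    # address unchanged, nothing to do
    fi

    # Add the new rule before removing the old one so the VM never loses its path out.
    $UFW allow out to "$new_ip" port "$PORT" proto "$PROTO" || return 1
    if [ -n "$old_ip" ]; then
        $UFW delete allow out to "$old_ip" port "$PORT" proto "$PROTO" || return 1
    fi

    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$new_ip" > "$STATE_FILE"
    printf '%s %s %s -> %s\n' "$(date -u +%FT%TZ)" "$domain" "${old_ip:-none}" "$new_ip" >> "$LOG_FILE"
}

main() {
    domain="${1:?usage: $0 DOMAIN}"
    ip=$(resolve_ipv4 "$domain")
    if [ -z "$ip" ]; then
        echo "could not resolve $domain" >&2
        exit 1
    fi
    sync_rule "$domain" "$ip"
}

# Only run main when executed as a script, not when sourced into another shell.
if [ "${0##*/}" = "ufw-dns-sync.sh" ]; then
    main "$@"
fi
```

From Node-RED this would be called from an exec node as `sudo /usr/local/sbin/ufw-dns-sync.sh vpn.example.com` (path and domain are placeholders); `UFW="echo ufw" ./ufw-dns-sync.sh vpn.example.com` shows what it would run without touching the firewall. Because `sync_rule` takes the address as an argument rather than resolving it itself, the resolving half and the applying half can also be split into the two scripts suggested above, with `resolve_ipv4` writing the address to a file that the privileged script reads on a schedule.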

Hi,

Does anyone have any insight into this anomaly?

@nodecentral - Please don't repost the same information, if someone had an answer, they would have replied to your original post.

Yes, that's the way I would also approach this. I did suggest using a script several posts above, but the OP seems reluctant to do so.

Hey Paul - I have taken the script idea/option on board, although a) I'm not someone who knows how to write bash/shell scripting and b) I wasn't aware that that was how it works: if I get an answer, I have to take it and the post is then closed?!

As the OP, isn't that something I have a say in/get to decide?

Also I did the repost as I didn’t want it to get lost - as I was keen to hear anyone’s feedback on how two flows (both designed to do the same thing) acted differently.

If I’m out of line around the expectations when you post on this forum - let me know..

If you posted your flow instead of a picture of your flow you might have a better chance of getting some help. When I see someone just paste an image of their flow I want to say that that is like going to your mechanic with a photo of your car and saying "My car doesn't work, can you tell me why?"

@zenofmud - I completely understand - sadly, as an iPad user, there doesn't seem to be an ability to extract an individual flow, as you can't drag/select multiple items (at least I've not found a way)? Hence I provided as much as I could via the image, hoping that would be enough to help people with my 'car repair' :wink:

You don't, but it was the only suggestion on offer :roll_eyes: It's up to you if you accept the advice or not.
Good luck in finding a solution.

Thanks, and please don't take the fact I'm not following the current advice personally :wink: - I'm so grateful that this forum is here - but ultimately I try to do as much as I can using Node-RED's flows & nodes (as it's more user friendly/understandable to me), especially when writing code in any form is just not my thing.


That is going to make it very difficult to get help, I think you may need to get hold of a conventional machine of some sort.

On the iPad:

  • click on the desired flow
  • click on the hamburger menu (top right)
  • click on export
  • at the top of the window click 'current flow'
  • go wherever and paste it.

All done, very easy.

Hi @zenofmud, I'd tried that a while back, but my problem with that route for this particular flow is that it's just one of many on a single tab, and those export options you point to allow either (i) a selection of nodes (but I can only select one node at a time on an iPad), (ii) the entire flow (which is everything on a single tab) or (iii) every flow (everything on every tab).

Sorry all - I didn't mean to take this down a different route (on the failings of using an iOS device :slight_smile:)

I'll see if I can move that one out onto a brand new tab and then I can export it via option (ii)