Old rules were not getting removed properly because of a 'copy/paste' error, it is fixed now.
Really love:
firewall-cmd --permanent --load-zone-defaults=zone
Had to add .5 second delay between rule creation because rules with ports were not getting added properly.
@black3dynamite said in PiHole for Friends and Family:
I haven't tried it myself but this command Load zone default settings or report NO_DEFAULTS error.
I got it from the firewall-cmd man page:
firewall-cmd --permanent --load-zone-defaults=zone
That did it, thanks @black3dynamite
By the way, is there a way in firewall-cmd to clear the rules in one pass, basically the equivalent of Ubuntu's ufw reset?
Finally had some time to finish working on the Fedora-based rules. I used firewall-cmd's rich rules in order to work with the default zone; I think it is the best way to handle it, but I am open to suggestions.
Tested the script on Fedora Server 26, but I believe it should work properly on CentOS 7 and its default Python version.
# Starting default fw config
[root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: ssh dhcpv6-client cockpit
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
#Fedora 26 uses by default Python 3 so using it to run the script
[root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py
# Script is set to reload the firewall to make the rules permanent, checking the new rules
[root@localhost dns_to_ip_firewall_rules]# firewall-cmd --list-all
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: ssh dhcpv6-client cockpit
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="151.101.1.52/32" accept
rule family="ipv4" source address="50.31.169.131/32" accept
rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
# Rerunning script to check for new ips
[root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py
# Checking to see the new ip correctly set in the firewall
[root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: ssh dhcpv6-client cockpit
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="151.101.1.52/32" accept
rule family="ipv4" source address="50.31.169.131/32" accept
rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
rule family="ipv4" source address="151.101.65.52/32" accept
It appears to be working; I haven't tested it too much, but the configs seem to show what they should.
The current version is on the firewalld-rules branch if anyone else wants to test it.
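As an added example (not the script from the repository linked in this thread), this is the core of what such a DNS-to-IP sync has to do for firewalld: resolve each domain, compare the result with the IP recorded on the previous run (one file per host, the way the script's log files work), and only when the IP changed remove the old rich rules and add new ones, followed by a reload. The policy mapping, the resolver and the command runner are constructed/injectable so the logic can be exercised offline; the domain list and port sets below are sample values, not the thread's real configuration.

```python
"""Idempotent DNS -> rich-rule sync for firewalld (added example, assumptions noted)."""
import socket
import subprocess
from pathlib import Path

# Constructed sample policy: domain -> list of (port, protocol); [] means all ports.
POLICY = {
    "arstechnica.com": [],
    "mangolassi.it": [("53", "udp"), ("53", "tcp"), ("443", "tcp")],
}


def rich_rule(ip, port=None, proto=None):
    """Build one firewalld rich rule that accepts traffic from a single /32 source."""
    rule = f'rule family="ipv4" source address="{ip}/32"'
    if port is not None:
        rule += f' port port="{port}" protocol="{proto}"'
    return rule + " accept"


def rules_for(ip, ports):
    """All rich rules a domain needs for a given IP (one per port/protocol pair)."""
    if not ports:
        return [rich_rule(ip)]
    return [rich_rule(ip, port, proto) for port, proto in ports]


def plan_update(old_ip, new_ip, ports):
    """Return the firewall-cmd argv lists that move a domain's rules from old_ip to new_ip.

    Returns an empty plan when nothing changed, so repeated runs are no-ops.
    Removing first and then adding means a stale IP never keeps access.
    """
    if old_ip == new_ip:
        return []
    cmds = []
    if old_ip:
        for rule in rules_for(old_ip, ports):
            cmds.append(["firewall-cmd", "--permanent", f"--remove-rich-rule={rule}"])
    for rule in rules_for(new_ip, ports):
        cmds.append(["firewall-cmd", "--permanent", f"--add-rich-rule={rule}"])
    return cmds


def sync(policy, state_dir, resolve=socket.gethostbyname, run=subprocess.run):
    """Resolve every domain, apply the planned commands, and record the new IP.

    state_dir holds one file per host containing the last IP seen (assumed layout).
    Returns {domain: (old_ip, new_ip, number_of_rule_commands)} for inspection.
    """
    state_dir = Path(state_dir)
    state_dir.mkdir(parents=True, exist_ok=True)
    applied = {}
    for domain, ports in policy.items():
        new_ip = resolve(domain)
        state_file = state_dir / domain
        old_ip = state_file.read_text().strip() if state_file.exists() else None
        cmds = plan_update(old_ip, new_ip, ports)
        # argv lists avoid shell quoting problems with the spaces/quotes in a rich rule
        for cmd in cmds:
            run(cmd, check=True)
        if cmds:
            # permanent changes only take effect after a reload
            run(["firewall-cmd", "--permanent"][:1] + ["--reload"], check=True)
        state_file.write_text(new_ip + "\n")
        applied[domain] = (old_ip, new_ip, len(cmds))
    return applied


if __name__ == "__main__":
    for domain, (old, new, n) in sync(POLICY, "/var/lib/dns-fw-state").items():
        print(f"{domain}: {old} -> {new} ({n} rule commands)")
```

Because each domain's rules are regenerated from the same port list, removal of the old IP's rules is exact, and a run where nothing resolved differently issues no firewall-cmd calls at all, which is the behaviour the "Same ip address nothing to do" output in this thread is after.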
@aaronstuder I am working on it already, haven't had time to finish it yet due to other work. Will post as soon as it is ready.
Merged the branch to master, removed the stdout output, and added IP changes to a .log file.
Added the allow all ports for a domain, it is also in the custom-ports branch if you wanna test it and let me know if it works properly for you. I'll merge it to master if it works ok and start removing everything that prints to stdout.
# DOMAINS TO ADD
# ---
# arstechnica - all ports
# theverge - all ports
# mangolassi.it - 53/(udp-tcp), 443/tcp
# example.com - 53/udp, 22/(udp-tcp), 80/tcp
# google.com - 53/udp, 22/(udp-tcp), 80/tcp
# ---
~/scripts/python/dns_to_ip_firewall_rules$ sudo python dns-to-ip-firewall-rules.py
Adding to firewall
theverge.com - 151.101.65.52
Adding to firewall
arstechnica.com - 50.31.169.131
Adding to firewall
google.com - 216.58.194.142
Adding to firewall
example.com - 93.184.216.34
Adding to firewall
mangolassi.it - 104.25.47.32
# Checking firewall rules
~/scripts/python/dns_to_ip_firewall_rules$ sudo ufw status
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 151.101.65.52
Anywhere ALLOW 50.31.169.131
53/udp ALLOW 216.58.194.142
22 ALLOW 216.58.194.142
80/tcp ALLOW 216.58.194.142
53/udp ALLOW 93.184.216.34
22 ALLOW 93.184.216.34
80/tcp ALLOW 93.184.216.34
53 ALLOW 104.25.47.32
443/tcp ALLOW 104.25.47.32
# Re running script
~/scripts/python/dns_to_ip_firewall_rules$ sudo python dns-to-ip-firewall-rules.py
Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
theverge.com - 151.101.129.52
Same ip address nothing to do
arstechnica.com - 50.31.169.131
Adding google.com ip 172.217.2.238 - removing 216.58.194.142
google.com - 172.217.2.238
Same ip address nothing to do
example.com - 93.184.216.34
Adding mangolassi.it ip 104.25.46.32 - removing 104.25.47.32
mangolassi.it - 104.25.46.32
# Final Results
~/scripts/python/dns_to_ip_firewall_rules$ sudo ufw status
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 151.101.65.52
Anywhere ALLOW 50.31.169.131
53/udp ALLOW 93.184.216.34
22 ALLOW 93.184.216.34
80/tcp ALLOW 93.184.216.34
Anywhere ALLOW 151.101.129.52
53/udp ALLOW 172.217.2.238
22 ALLOW 172.217.2.238
80/tcp ALLOW 172.217.2.238
53 ALLOW 104.25.46.32
443/tcp ALLOW 104.25.46.32
@aaronstuder said in PiHole for Friends and Family:
@romo said in PiHole for Friends and Family:
@aaronstuder said in PiHole for Friends and Family:
@romo I love your script! Thank you so much! Sorry I didn’t reply before somehow I missed your post
Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas
@aaronstuder Different ports per domain or just add a list of custom ports for all domains?
@Romo Same ports, all domains, but then maybe allowing all ports since we are restricting by IP address already.
Seems like:
sudo ufw allow from 123.45.67.89
Would work?
Well that's gonna be much easier.
Just finished a custom-ports branch, that gives you the ability to specify ports and protocol (tcp/udp)
# Starting from empty firewall
~/scripts/python$ sudo ufw status
Status: active
# Running script for the first time
~/scripts/python$ sudo python dns-to-ip-firewall-rules.py
Adding to firewall
mangolassi.it - 104.25.47.32
Adding to firewall
google.com - 172.217.1.238
Adding to firewall
example.com - 93.184.216.34
# Verifying ips with ports and protocols are added
~/scripts/python$ sudo ufw status
Status: active
To Action From
-- ------ ----
53/udp ALLOW 93.184.216.34
22 ALLOW 93.184.216.34
80/tcp ALLOW 93.184.216.34
53/udp ALLOW 172.217.1.238
22 ALLOW 172.217.1.238
80/tcp ALLOW 172.217.1.238
53 ALLOW 104.25.47.32
443/tcp ALLOW 104.25.47.32
@aaronstuder said in PiHole for Friends and Family:
@romo I love your script! Thank you so much! Sorry I didn’t reply before somehow I missed your post
Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas
@aaronstuder Different ports per domain or just add a list of custom ports for all domains?
Finally, this is great news for ansible users.
But if you want to test it manually, I think it is working properly.
# Starting from empty firewall
~/scripts/python$ sudo ufw status
Status: active
#Running script for the first time
~/scripts/python$ sudo python dns-to-ip-firewall-rules.py
Adding to firewall
mangolassi.it - 104.25.46.32
Adding to firewall
google.com - 172.217.12.78
Adding to firewall
theverge.com - 151.101.65.52
# Checking to see if rules were created.
~/scripts/python$ sudo ufw status
Status: active
To Action From
-- ------ ----
53 ALLOW 104.25.46.32
53 ALLOW 172.217.12.78
53 ALLOW 151.101.65.52
# Running script again to check for ip changes.
~/scripts/python$ sudo python dns-to-ip-firewall-rules.py
Same ip address nothing to do
mangolassi.it - 104.25.46.32
Same ip address nothing to do
google.com - 172.217.12.78
Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
theverge.com - 151.101.129.52
# Verifying ip changes are added to the firewall, and old ip are removed.
~/scripts/python$ sudo ufw status
Status: active
To Action From
-- ------ ----
53 ALLOW 104.25.46.32
53 ALLOW 172.217.12.78
53 ALLOW 151.101.129.52
At least for DNS and Ubuntu, I think it does what @aaronstuder asked for originally. The idea of custom ports could be done as well, probably just by adding a list of ports you wish to open for each domain.
@nashbrydges Haven't set the script to run via cron yet. It is still printing some strings to stdout while I fully complete it; I plan to add a log file and redirect the output to it.
I'll focus on finishing it properly for Ubuntu so you can properly test it.
@scottalanmiller said in PiHole for Friends and Family:
@romo use Ubuntu
Script updated, automatic rule creation and deletion in Ubuntu working properly. Working on Fedora and firewalld next.
@aaronstuder said in PiHole for Friends and Family:
What if I setup a dynamic DNS client on a computer, and have it update to my domain, say name.domain.com then have a script nslookup the domain name and update the firewall rules?
What OS are you going to be installing pi-hole in?
Liked the idea, so I just started working on the script. Resolving the dynamic DNS name, logging it, and comparing it to the current IP is done. I just need to target your OS of choice to test the creation/destruction of the firewall rules.
https://github.com/rodrigo-hissam/dns_to_ip_firewall_rules/blob/master/dns-to-ip-firewall-rules.py
Example:
~/scripts/python$ python dns-to-ip-firewall-rules.py
Adding to firewall - TODO
mangolassi.it - 104.25.47.32
Adding to firewall - TODO
google.com - 172.217.1.238
Adding to firewall - TODO
theverge.com - 151.101.65.52
#Log files created per host to store the previous ip for the comparison.
~/scripts/python$ ls
dns-to-ip-firewall-rules.py google.com mangolassi.it theverge.com
# Re running the script to compare with logged ip
~/scripts/python$ python dns-to-ip-firewall-rules.py
Same ip address nothing to do
mangolassi.it - 104.25.47.32
Same ip address nothing to do
google.com - 172.217.1.238
Adding 151.101.193.52 to firewall
theverge.com - 151.101.193.52
Just as @Tim_G suggested, your best bet would be a Starwind HyperConverged vSan setup.
Just finished setting up 60 new linux machines for work.
@emad-r One of the main points of using configuration management tools is that, when you use them properly, you create idempotent operations (getting the same result no matter how many times the operation is executed).
Instead of using cmd.run to execute the install, you could, as others have mentioned, use the chocolatey module, or, if you don't want to install chocolatey on your computers, you could use win_pkg, which requires a repo created on the salt-master. Both of those modules are idempotent, so once you reach the desired state, no matter how many times you run them they will not make any more changes.
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_pkg.html
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.chocolatey.html
The software available in the official Windows git repo:
https://github.com/saltstack/salt-winrepo-ng
Creating a windows software repository:
On your salt-master run:
salt-run winrepo.update_git_repos
Sync the repo on your Windows minions:
salt -G 'os:windows' pkg.refresh_db
Now you can use the pkg module in your states or ad hoc commands.
//Example adhoc command (remote execution)
salt -G 'os:Windows' pkg.install salt-minion
That last command will always install the latest version of the salt-minion; you could add the version parameter to specify the one you require.