I'm running a border router/firewall, switched from a static IP -> a
dynamically changing IP.
I'm interested in best-practice (among many options) for tracking that IP
change and pushing it to 'all' the places that need it -- particularly
shorewall.
Sure, it's 'doable' many ways -- I'd like to hear what 'you' use and why.
My OS is

  opensuse/64 v13.2

with these pkgs installed

  shorewall 4.6.9
  ddclient version 3.8.2
  wicked 0.6.18
  systemd 210
  kernel 4.0.4
  iproute2 4.0
  iptables v1.4.21
  bind 9.10.2
  nsupdate 9.10.2

The IP is dynamically assigned from my ISP.
I want to track & detect IP changes, and update the IP address to
current/correct value in all the places it's used.
With the collection of pkgs above there are a variety of ways of tracking that
IP change: shorewall's "lsm", wicked's if-up/-down scripts, ddclient, DIY
scripts, etc.
My current inclination is to use ddclient's "use=web, web=checkip.dyndns.com"
remote IP check, scheduled for a check every 5-10m.
ddclient then updates services with that new IP, including an nsupdate of a
hostname's short-ttl 'A' record on my bind9 server, which is authoritative for the
zone.
This seems to work well enough.
With shorewall in the mix, however, and the need to update it as well,
(1) Is there any good reason to NOT use ddclient to drive the updates, and use
shorewall's "lsm" script instead?
I'm well aware of 'lsm'

  Link Status Monitor (LSM)
  http://shorewall.net/MultiISP.html#lsm

  LSM - Link Status Monitor
  http://lsm.foobar.fi/

and the claims/admonitions that

  -- it performs more sophisticated monitoring than the simple
     SWPING script that preceded it
  -- Like many Open Source products, LSM is poorly documented.

OTOH ddclient is well documented, and widely available with distros' packaging
...
(2) if ddclient is used, the current IP is passable from within the
ddclient.conf as an argument to a "postscript=" script that can be called to
execute on each/any IP change. What's the correct way to get that IP value
"into" shorewall and usable as a parameter value? Does shorewall need to be
restarted, or can that data be dynamically pushed into it?
(3) Since shorewall is launched/controlled by systemd, as is the system's
wicked network stack, in what order should

  (a) ddclient detection/push of IP change
  (b) shorewall detection of IP change, or restart
  (c) wicked if-down, if-up or ip addr change

be done, & should those actions be driven by the tools 'natively', or through
systemd's control?
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
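
Added example, not part of the original post and not ddclient or Shorewall code: a `postscript=` hook of the kind question (2) describes. It validates the address ddclient passes as `$1` before writing it into a fragment that a shell will source, and rewrites the file only on a real change. The variable `EXT_IP`, the fragment path and the idea of sourcing that fragment from Shorewall's params file are assumptions.

```shell
#!/bin/sh
# Added example: ddclient "postscript=" hook. ddclient passes the new IP as $1.
# EXT_IP and the fragment path are hypothetical names, not Shorewall defaults.

# Accept only a dotted quad with octets 0-255: the value came from a remote
# web check and will end up in a file that a shell sources.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 = file rewritten, 1 = address unchanged, 2 = argument rejected.
update_params_ip() {
    params_file=$1
    new_ip=$2
    valid_ipv4 "$new_ip" || return 2
    line="EXT_IP=$new_ip"
    if [ -f "$params_file" ] && [ "$(cat "$params_file")" = "$line" ]; then
        return 1
    fi
    # Write beside the target and rename, so a reader never sees a partial file.
    tmp=$(mktemp "$params_file.XXXXXX") || return 3
    printf '%s\n' "$line" > "$tmp" && mv -f "$tmp" "$params_file"
}

# Runs only when called with an argument, as ddclient would call it.
if [ "$#" -ge 1 ]; then
    rc=0
    update_params_ip "${PARAMS_FILE:-./params.extip}" "$1" || rc=$?
    case $rc in
        0) echo "EXT_IP changed to $1: restart the firewall now" ;;
        1) echo "EXT_IP unchanged, nothing to do" ;;
        *) echo "refusing to use argument as an address" >&2; exit "$rc" ;;
    esac
fi
```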