I have a lot of firewall rules which rely on associated address lists. The firewall rules don’t change particularly often, but the address lists they rely on do. I’m trying to work out a way to distribute / update the address lists, preferably dynamically.
Clearly I could write some sort of script to connect to each of the routers and update them, or schedule a script on the router to fetch them from a known location periodically. Those seem like reasonable solutions; however, they would be somewhat event driven.
Somewhere I read that we can use a dynamic routing protocol, to distribute address lists. I cannot find this anywhere, and I was wondering if anyone had an example / howto / guide to it?
Using a routing protocol to distribute address lists seems like a good idea, but how would you “match” on these in the firewall rules? Do they have to be transferred from a routing table to an address-list, and if so, how? Would you need multiple instances of the routing protocol if you wanted to distribute more than one address-list?
Clearly I could write some sort of script to connect to each of the routers and update them, or schedule a script on the router to fetch them from a known location periodically. Those seem like reasonable solutions; however, they would be somewhat event driven.
If you modify the lists “manually” anyway, then writing an (API) application to connect to each router and update it isn’t really “event driven”, as much as it is “manual”, like the very act itself.
Or are the address lists themselves compiled dynamically (i.e. without intervention on a router)? Like say, based on firewall rules? If so, you could make an (API) application that would connect to one such router, and continuously monitor it for such modifications, at which point, it can update the rest of the routers.
Thanks for the reply. Yeah, I’m sure I could write a script hosted externally and use an API to do this. Clearly a possible solution.
I do have several “sources” for my address lists, and some would clearly lend themselves to either fetching (http with an /import) or putting (API connecting to the router), and updating them that way.
However, I like the idea of using a routing protocol (BGP? OSPF?) to distribute the address lists. After all, that’s what they’re built to do, just for a different purpose (routing). I’ve seen others mention things like this, but never seen an implementation. Being able to point the router to another host to update its own rules, without having to have significant mechanics to make it work, would be cool (à la NTP, DNS, etc.).
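For the fetch-and-import and API-push approaches discussed above, the part that is easy to get wrong is not the transport but the reconciliation: a naive "flush and reload" opens a window where the firewall rules match nothing, and a feed that is malformed or comes back empty (failed download, captive portal page) can silently wipe a list. The following is an added example, not code from this thread or from MikroTik: it validates a fetched feed, computes an idempotent add/remove plan against the router's current entries, refuses to apply a plan that would remove more than a configurable share of the list, and emits RouterOS CLI commands (`/ip firewall address-list` and `/ipv6 firewall address-list`) that can be written to an `.rsc` file for `/import` or sent through whatever API/SSH client you already use. The feed format (one address per line, `#` comments) and the 50% removal threshold are assumptions of the example.

```python
"""Reconcile a RouterOS firewall address-list against a fetched feed.

Added example. Transport (API, SSH, /tool fetch + /import) is deliberately
left out; the functions return data and command strings so the logic can be
tested offline and fed to any client.
"""
import ipaddress
from typing import List, Optional, Set, Tuple


def normalize(addr: str) -> Optional[str]:
    """Return addr as a canonical CIDR (hosts become /32 or /128), or None if invalid.

    Validating every entry before it touches the router prevents a corrupted
    feed from producing junk (or errors half-way through an apply).
    """
    try:
        net = ipaddress.ip_network(addr.strip(), strict=False)
    except ValueError:
        return None
    return str(net)


def parse_source(text: str) -> Tuple[Set[str], List[str]]:
    """Parse a feed with one address per line; '#' starts a comment.

    Returns (valid CIDRs, rejected raw lines) so the caller can log rejects
    instead of silently dropping them.
    """
    valid: Set[str] = set()
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr = normalize(line)
        if cidr is None:
            rejected.append(raw)
        else:
            valid.add(cidr)
    return valid, rejected


def plan(desired: Set[str], current: Set[str],
         max_remove_ratio: float = 0.5) -> Tuple[List[str], List[str]]:
    """Compute the minimal add/remove sets (idempotent: re-running yields nothing).

    Refuses if more than max_remove_ratio of the current list would vanish,
    which is the usual signature of an empty or truncated download.
    """
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    if current and len(to_remove) / len(current) > max_remove_ratio:
        raise RuntimeError(
            f"refusing to apply: would remove {len(to_remove)} of {len(current)} entries")
    return to_add, to_remove


def routeros_commands(list_name: str, to_add: List[str], to_remove: List[str],
                      comment: str = "managed") -> List[str]:
    """Render the plan as RouterOS CLI lines (IPv4 and IPv6 lists are separate)."""
    cmds: List[str] = []

    def root(cidr: str) -> str:
        return "/ip" if ipaddress.ip_network(cidr).version == 4 else "/ipv6"

    # Removals first so the list never holds a stale entry after an add.
    for a in to_remove:
        cmds.append(f'{root(a)} firewall address-list remove '
                    f'[find list="{list_name}" address="{a}"]')
    for a in to_add:
        cmds.append(f'{root(a)} firewall address-list add '
                    f'list="{list_name}" address="{a}" comment="{comment}"')
    return cmds


# Constructed sample feed and constructed "current router state" for a dry run.
SAMPLE_FEED = """# constructed sample feed, not a real blocklist
10.0.0.0/8
192.0.2.1          # bare host, normalized to /32
not-an-address     # rejected by validation
2001:db8::/32
"""
SAMPLE_CURRENT = {"10.0.0.0/8", "198.51.100.0/24"}


def dry_run(list_name: str = "blocked") -> List[str]:
    desired, rejected = parse_source(SAMPLE_FEED)
    to_add, to_remove = plan(desired, SAMPLE_CURRENT)
    return routeros_commands(list_name, to_add, to_remove)


if __name__ == "__main__":
    for cmd in dry_run():
        print(cmd)
```

Because `plan` only emits the difference, the script can run on a schedule without churning the list, and the threshold check turns a bad feed into a logged refusal rather than an outage. If you later move to a routing-protocol source, the same `plan`/`routeros_commands` pair still applies; only `parse_source` changes.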