Script to update firewall rules

gotsprings · November 27, 2012, 12:37am

/ip firewall nat set 4,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 dst-address=[:resolve example.homeip.net]

I have a a bunch of firewall rules that need to update when the IP address changes or when failover occurs.

That rule is supposed to get the current IP of the system then plug the IP into the dts-address of rules 4,10-28. This is so internal devices can reach devices that are port forwarded from the WAN. (IP cameras with the iPad can use the same address from inside or outside the network.)

Any input?

Is there a better way to do it?

boen_robot · November 27, 2012, 1:52am

In place of literally putting the numbers, you can use the “find” command, to grab any matching rules, like:

/ip firewall nat set [/ip firewall nat find where dst-address=$oldIp] dst-address=[:resolve example.homeip.net]

(assuming the rules are actually matched by this criteria)

This has a (negligible!) performance penalty, since all firewall rules need to be verified by “find”, before they are included as part of the “set” command. However, this way is a lot more maintainable, since you can move and add firewall rules around freely, and always know what’s expected to be matched, and what not.

c0d3rSh3ll · November 27, 2012, 2:13am

or find by comment like “dstnat”

/ip firewall nat set [find comment="dstnat"] dst-address=[:resolve host.com]

gotsprings · November 27, 2012, 11:59am

boen_robot:

In place of literally putting the numbers, you can use the “find” command, to grab any matching rules, like:
/ip firewall nat set [/ip firewall nat find where dst-address=$oldIp] dst-address=[:resolve example.homeip.net]
(assuming the rules are actually matched by this criteria)

This has a (negligible!) performance penalty, since all firewall rules need to be verified by “find”, before they are included as part of the “set” command. However, this way is a lot more maintainable, since you can move and add firewall rules around freely, and always know what’s expected to be matched, and what not.

Cool will check that out.

Thanks.

Would that look for a comment “dstnat”? Would I have to label/comment all my rules “dstnat” or would “dstnat something” work too?

boen_robot · November 27, 2012, 1:21pm

gotsprings:

c0d3rSh3ll:
or find by comment like “dstnat”
/ip firewall nat set [find comment="dstnat"] dst-address=[:resolve host.com]
Would that look for a comment “dstnat”? Would I have to label/comment all my rules “dstnat” or would “dstnat something” work too?

That particular condition will only work for exactly the comment “dstnat” and nothing else.

If you want to match any rules that contain “dstnat” anywhere in the comment, you can use (extended POSIX) regular expressions, like:

/ip firewall nat set [find comment~="dstnat"] dst-address=[:resolve host.com]

gotsprings · November 27, 2012, 5:18pm

boen_robot:

gotsprings:
c0d3rSh3ll:
or find by comment like “dstnat”
/ip firewall nat set [find comment="dstnat"] dst-address=[:resolve host.com]
Would that look for a comment “dstnat”? Would I have to label/comment all my rules “dstnat” or would “dstnat something” work too?
That particular condition will only work for exactly the comment “dstnat” and nothing else.

If you want to match any rules that contain “dstnat” anywhere in the comment, you can use (extended POSIX) regular expressions, like:
/ip firewall nat set [find comment~="dstnat"] dst-address=[:resolve host.com]

The first rule worked perfect.

The second did not.
“missing value for where (line 1 column 36)”

BUT THANK YOU! A slight edit to that line added to my dyndns updater works great.

boen_robot · November 27, 2012, 5:25pm

Opps. My bad. It’s without the “=”, so:

/ip firewall nat set [find comment~"dstnat"] dst-address=[:resolve host.com]

gotsprings · November 27, 2012, 5:59pm

Nailed it! Thanks!

That Runs on even part of a comment word.

i.e.

Comment =“Whatever dstnat”
Comment = “notdtsnat”