URL Tables (Alias) in IPFire

We are coming from pfSense and use the URL Tables feature to keep a centrally managed list of IP addresses for use in firewall rules. For example, we have one that defines the public IP addresses that can access the web UI for administration purposes and another that defines Microsoft Azure IP addresses.

What is the best way to replicate this centrally managed approach across dozens of firewalls so that, with each IP change, we don’t need to update each firewall manually? Looking to minimize administrative overhead.

Perhaps the firewall group tab
https://wiki.ipfire.org/configuration/firewall/fwgroups

This does seem like 80% of the solution. Any way you’re aware of to consume web-accessible IP lists to update these groups? The part that I am missing is how to effectively “sync” or otherwise control these groups centrally for dozens of firewalls across many customer sites, including for highly dynamic lists that may change every couple days.

That is as much help as I can offer.
Hopefully someone else with more knowledge on the subject can chime in here.

These group settings are stored in plain text files, have a look at /var/ipfire/fwhosts.
Theoretically it should be possible to write a script that converts your IP lists to IPFire’s internal format and triggers a firewall rule update.
Browsing through /srv/web/ipfire/cgi-bin/fwhosts.cgi might be a good starting point to find out how these files are created. I’d also recommend including a version check (e.g. against /opt/pakfire/db/core/mine) as these file formats might change over time.

1 Like
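
A sketch of the conversion step suggested in the last reply, added here as an example and not taken from the thread or from IPFire's own code: it validates a central list, refuses overly broad or empty input, checks the core version, and only produces new content when something changed. The row layout, the `TESTED_CORES` values and all function names are assumptions; confirm the real layout in fwhosts.cgi. Fetching the list, writing under /var/ipfire/fwhosts and triggering the rule update are left out.

```python
import ipaddress

TESTED_CORES = {"100", "101"}  # constructed: core levels the layout was verified on
MIN_PREFIX = 8                 # refuse entries broader than /8, e.g. 0.0.0.0/0

# Constructed sample list (documentation address ranges only).
SAMPLE_LIST = """# admin access list
198.51.100.0/24
203.0.113.7
198.51.100.0/24   # duplicate entry
"""

def parse_ip_list(text):
    """Return sorted, de-duplicated IPv4 networks; raise on any bad line."""
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)  # host bits set -> error
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"line {lineno}: only IPv4 is handled here")
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"line {lineno}: {net} is broader than /{MIN_PREFIX}")
        nets.add(net)
    return sorted(nets)

def render_networks(nets, name_prefix):
    """Render rows in the ASSUMED layout: index,name,address,netmask,remark."""
    return "".join(
        f"{i},{name_prefix}_{i},{n.network_address},{n.netmask},synced\n"
        for i, n in enumerate(nets, 1))

def build_update(list_text, current_text, core_version, name_prefix="central"):
    """Return new file content, or None if unchanged. Fails closed on doubt."""
    core = core_version.strip()  # e.g. contents of /opt/pakfire/db/core/mine
    if core not in TESTED_CORES:
        raise RuntimeError(f"core {core} not verified; refusing to write")
    nets = parse_ip_list(list_text)
    if not nets:
        raise ValueError("empty list; refusing to replace existing entries")
    new_text = render_networks(nets, name_prefix)
    return None if new_text == current_text else new_text

if __name__ == "__main__":
    print(build_update(SAMPLE_LIST, "", "100\n"), end="")
```

Raising instead of skipping bad lines keeps a truncated or tampered list from silently changing who can reach the admin UI; the existing file stays in place until the list parses cleanly.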