this post was submitted on 09 Sep 2023
4 points (100.0% liked)

Linux

81 readers
12 users here now

A community for everything relating to the linux operating system

Also check out !linux_memes@programming.dev

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 1 year ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
4
How do I whitelist a dynamically changing application sync server IP ? (programming.dev)
submitted 1 year ago* (last edited 1 year ago) by mathiuscov@programming.dev to c/linux@programming.dev
4 comments fedilink hide all child comments
 

cross-posted from: https://programming.dev/post/2768533

I have a vm for which I have s specific whitelist only firewall. It is supposed to only allow connections to the IPs an app connects to when syncing.

I first got the sync server IP's listening to tcpdump, then when I had the IP's I activated the whitelist.

This worked perfectly for some time, but now it appears that the IP's have changed. I could do the same thing again but repeating the process regularly is annoying and defeats the whole purpose of only ever allowing network connections to specific whitelisted serves.

Alternatively, I could set up a process to only allow network traffic from that app somewhat.

Using debian-11 btw.

Any help is appreceated !!!

EDIT: I don't own the sync servers, my app simply connects them, so I can get the updated state from my other devices

top 4 comments
sorted by: hot top controversial new old
[–] vzq@lemmy.blahaj.zone 4 points 1 year ago* (last edited 1 year ago) (1 children)

IP white lists are, as you have found out, essentially dead. You should just do proper authorization.

Alternatively, look into a wire guard vpn or something like tailscale.

[–] mathiuscov@programming.dev 1 points 1 year ago

wym look into a vpn? How would that work?

[–] Nath@aussie.zone 3 points 1 year ago

There's no tidy way to do it. You can configure a dynamicDNS from the dynamic IP, then set up a cron from the server to check that record every hour or so. Update the whitelist accordingly.

The other way to do it is to have an intermediate jump point and whitelist that.

Both have their drawbacks. I'd personally go the dyndns route. But I'd be sure a had a static IP I could ssh from as a fallback in case I had problems. You don't want to lock yourself out.

[–] SteveTech@programming.dev 1 points 1 year ago

Could you explain what the app is?

You could maybe find the company's IP range and whitelist that, or just whitelist the port it's using.

But as you've seen from the replies, the information you've given is very vague.