IPFW application hosted in amazon the IP changes from time to time

[brenoro]

Hello,
I need to release an application that accesses the amazon.
With each ping in the URL of the application hosted in amazon the IP changes from time to time.
The local application does not support proxy.
I use freebsd / ipfw.

Example ping return:
app.example.net -> a.a.a.b
app.example.net -> a.a.a.x
app.example.net -> a.c.a.d

What is the best way to handle this, free IP and URL-based ports?
Thank you.

 

[SirDice]

I need to release an application that accesses the amazon.

The amazon? The river in South-America? Ok, I get that you meant Amazon, the internet company, but can you be a little bit more specific? Amazon is a really, really big company with loads of services. If we know what you need to access we can provide better answers.

 

[brenoro]

Hi, thanks for the feedback.
I have a locally installed third-party application that accesses Amazon services (aws / ec2) and the local firewall constantly blocks this access, due to AWS / ec2 constant IP exchange. This local application connects to aws using a URL and each access is a different IP.

 

[SirDice]

Is the AWS service under your control? AWS has so-called 'elastic IP addresses' specifically for this purpose.

Elastic IP addresses - Amazon Elastic Compute Cloud

Understand the key concepts, benefits, and behavior for Elastic IP addresses.

docs.aws.amazon.com

 

[brenoro]

It is not under our control. We are the "customer" part. The software used here locally that connects to AWS. As for AWS we do not have anything that can be done, we have no management. At each unsuccessful connection I have to ping the URL and release the returned IP.

 

[SirDice]

Fair enough. Do you have contact with the actual owners of that service? You could ask them for the IP addresses. You can't really do this dynamically with just one or two firewall rules. The only way to adequately solve this is by adding every required IP address to the firewall. So it would help if they can provide those addresses.

You can use hostnames in rules but if you add a rule like allow from me to exthost.example.com, the resolving only takes place when the rule is added. It doesn't work "dynamically". Even if it did work dynamically there could still be a problem if they use DNS round-robin (simple load-balancing technique). The first query from the client would resolve to 1.1.1.1 for example, the next query from the firewall could result in 2.2.2.2 and thus the traffic would still get blocked.

 

[brenoro]

Okay, I'll check if they can provide me the IPs. But I confess I thought there would already be some way to handle this dynamically, where each new request the firewall would dynamically create a URL-based rule. For example: ipfw add allow all from me to app.example.net every time I get this in the kernel it would "understand" and check the existing rule and resolve the URL address and create the rule dynamically. I have tried to handle this in another way in cron. Thank you for the feedback and I will contact the app administrators. Thank you.

 

[SirDice]

But I confess I thought there would already be some way to handle this dynamically, where each new request the firewall would dynamically create a URL-based rule. For example: ipfw add allow all from me to app.example.net every time I get this in the kernel it would "understand" and check the existing rule and resolve the URL address and create the rule dynamically.

Firewalls are generally pretty "stupid" devices. At least the host based firewalls on FreeBSD or Linux are, they simply work on layer 3 (only IP) and are not aware of whats happening on layer7 (web browsing, HTTP). This is more the realm of so-called application firewalls.