Containerized BASH script for creating and updating a firewall rule using a domain name as the source ip for a firewall rule.
- Lower CPU/RAM consumption: Make use of Cloud Run Jobs (in Preview), remove the need to create a server listening to incoming HTTP requests.
- More efficient: Cloud Run Job containers will self-terminate immediately after completion, no waiting period for container termination.
- Greater flexibilities: Removed hardcoded configurations such as deployment location and timezone.
- This is not an officially supported Google product.
- Proper testing should be done before running this tool in production.
- Should the DNS servers being queried become exploited or not within the control of the customer, the firewall would then become at risk.
This sample code is made available under Apache 2 license. See the LICENSE file.
GCP Cloud Run Invocation and Cloud Scheduler Jobs
(Usually Free https://cloud.google.com/run/pricing#tables, https://cloud.google.com/scheduler/pricing)
-
Setup GCP SDK or use the Cloud Shell - https://cloud.google.com/sdk, https://cloud.google.com/shell
-
Initialize the SDK for the target account
gcloud init- https://cloud.google.com/sdk/docs/initializing
-
Run prerequisite.sh to create the required IAM objects and enable the required APIs.
sh prerequisite.sh
-
Set the ENV variable for the Cloud Run Service name so that N different rules can be made for different domain names.
DOMAIN_FW_NAME='openfwusingdomain'
export DOMAIN_FW_NAME -
Export the PROJECT_ID env variable to make it available for build and deploy shell scripts.
export PROJECT_ID -
Run build.sh to build a new cloud run container image.
sh build.sh
-
Update the env values and schedule frequency in the deploy.sh for your f/w rules settings.
example:
PRIORITY='1000'
RULES='tcp:80,tcp:8080,udp:8000'
DOMAIN='reddit.com'
TARGETTAGS='tags1'
NETWORK='default'
FREQUENCY='0 */1 * * *' -
Run deploy.sh to deploy to Cloud Run and create a new Cloud Scheduler Job.
sh deploy.sh