UFW - deny outbound except for apt-get updates?
Solution 1
My answer is for a more general case, not only for apt-get.
To deny all outgoing IPs except one IP
sudo ufw default deny outgoing
sudo ufw allow out to 11.22.33.44
To quickly revert, allow again all outgoing IPs
sudo ufw default allow outgoing
To deny all outgoing except HTTP and HTTPS on one IP
You can be more restrictive:
sudo ufw default deny outgoing
sudo ufw allow out to 11.22.33.44 port http # TCP 80
sudo ufw allow out to 11.22.33.44 port https # TCP 443
The above two rules allow TCP only; you do need to specify the protocol (tcp or udp). You can be even more restrictive by specifying the interface, as eth0, for example to avoid using the WiFi... But I think this is not useful...
Check/Clean your UFW rules
If another IP is still accessible, the origin may be some residual rules. It is good practice to check the current UFW rules:
sudo ufw status numbered
You may have to delete some polluting rules:
sudo ufw delete 3 # Attention:
sudo ufw delete 2 # 2 and 3 are examples
Also allow DNS
Your software may use a domain name instead of a numeric IP address.
As UFW uses numeric IP addresses, the following manual example should be scripted so it can easily be performed again when IPs change.
Retrieve your DNS IP
$ resolvectl status | grep -2 'DNS Server'
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 22.22.22.20
DNS Servers: 22.22.22.20
22.22.22.21
2b01:a00::2
Allow DNS (TCP and UDP) for only your DNS servers
$ sudo ufw allow out to 22.22.22.20 port 53
Rule added
$ sudo ufw allow out to 22.22.22.21 port 53
Rule added
Allow DNS (TCP and UDP) for only your DNS servers
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 11.22.33.44 443/tcp ALLOW OUT Anywhere (log, out)
[ 3] 22.22.22.20 53 ALLOW OUT Anywhere (out)
[ 4] 22.22.22.21 53 ALLOW OUT Anywhere (out)
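The "Check/Clean your UFW rules" step above is done by eye; as an added example (not part of the original answer), here is a small Python 3 script that parses the `ufw status numbered` output shown above and lists the outbound ALLOW rules whose destination is not on your allowlist. The sample status text is constructed: rules 1, 3 and 4 are the ones printed above, while rules 2, 5 and 6 (a leftover allow to an unrelated host, an "allow anything out" rule, and an inbound SSH rule) are added so the audit has something to flag. The column layout is assumed to match the output above; treating a rule printed without a direction word as inbound is an assumption.

```python
#!/usr/bin/env python3
"""Audit `ufw status numbered` output against an allowlist of destinations."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `sudo ufw status numbered` output. Rules 1, 3 and 4
# are the ones shown in the answer above; rules 2, 5 and 6 are added here:
# a leftover allow to an unrelated host, an "allow everything out" rule, and
# an inbound SSH rule that an outbound audit must leave alone.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 11.22.33.44 443/tcp        ALLOW OUT   Anywhere (log, out)
[ 2] 203.0.113.9 80/tcp         ALLOW OUT   Anywhere (out)
[ 3] 22.22.22.20 53             ALLOW OUT   Anywhere (out)
[ 4] 22.22.22.21 53             ALLOW OUT   Anywhere (out)
[ 5] Anywhere                   ALLOW OUT   Anywhere (out)
[ 6] 22/tcp                     ALLOW IN    Anywhere
"""

# One numbered rule line: "[ N] <to> ACTION [DIR] <from>"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<dir>IN|OUT|FWD))?\s+(?P<from>.+)$"
)
# "To" column forms: "11.22.33.44 443/tcp", "22.22.22.20 53", "22/tcp", "Anywhere"
TO_RE = re.compile(r"^(?:(?P<host>\S+)\s+)?(?P<port>\d+)(?:/(?P<proto>tcp|udp))?$")


@dataclass
class Rule:
    num: int
    host: str            # destination host or network; "Anywhere" when unrestricted
    port: Optional[int]  # None when the rule covers all ports
    proto: Optional[str]
    action: str
    direction: str       # IN, OUT or FWD
    source: str


def parse_ufw_status(text: str) -> List[Rule]:
    """Parse the numbered rule lines; header and blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        to = m.group("to")
        t = TO_RE.match(to)
        if t:
            host, port, proto = t.group("host") or "Anywhere", int(t.group("port")), t.group("proto")
        else:
            host, port, proto = to, None, None
        # Assumption: a rule printed without a direction word is an inbound rule
        rules.append(Rule(int(m.group("num")), host, port, proto, m.group("action"),
                          m.group("dir") or "IN", m.group("from")))
    return rules


def stray_outbound_rules(rules: List[Rule], allowed_hosts: Set[str]) -> List[Rule]:
    """Outbound ALLOW rules whose destination is not on the allowlist."""
    return [r for r in rules
            if r.direction == "OUT" and r.action == "ALLOW" and r.host not in allowed_hosts]


def delete_commands(rules: List[Rule]) -> List[str]:
    """ufw renumbers the remaining rules after every delete, so delete the
    highest-numbered rule first to keep the numbers from shifting underneath you."""
    return [f"sudo ufw delete {r.num}"
            for r in sorted(rules, key=lambda r: r.num, reverse=True)]


if __name__ == "__main__":
    # Usage: sudo ufw status numbered | python3 ufw_audit.py 11.22.33.44 22.22.22.20 22.22.22.21
    allowed = set(sys.argv[1:]) or {"11.22.33.44", "22.22.22.20", "22.22.22.21"}
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for cmd in delete_commands(stray_outbound_rules(parse_ufw_status(text), allowed)):
        print(cmd)
```

Run without input to see it flag rules 2 and 5 of the sample; pipe the real `sudo ufw status numbered` output into it with your own allowlist on the command line. The delete commands are printed highest number first on purpose, matching the `delete 3` then `delete 2` order in the answer above, because ufw renumbers after each deletion.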
Solution 2
I don't usually use ufw. I use iptables directly.
Ubuntu usually gets updates using the HTTP protocol, so you need to have the outbound HTTP port open. If you want to restrict your rules to specific hosts, you need to figure out the IPs of the Ubuntu repositories in /etc/apt/sources.list.
A better solution is to redirect HTTP traffic to a web proxy and allow only specific domains/URLs. This is more accurate than resolving names to IPs to block them using a firewall.
Solution 3
Expanding on Khaled's answer with a brief example:
Python program to list the IP addresses associated with software updates:
#!/usr/bin/env python3
import re, subprocess

re1 = re.compile(r"deb http://(.+?)/")
re2 = re.compile(r"Address:\s*(\d+\.\d+\.\d+\.\d+)")
IPv4 = {}
with open("/etc/apt/sources.list") as f:
    for line1 in f:
        m1 = re1.match(line1)
        if m1:
            url = m1.group(1)
            # nslookup is provided by the dnsutils package; read its output as text
            p = subprocess.Popen(["nslookup", url], stdout=subprocess.PIPE,
                                 universal_newlines=True)
            out, err = p.communicate()
            # Parse the output of nslookup: an "Address:" line that directly
            # follows a "Name:" line holds one of the resolved IPv4 addresses
            next_line_is_address = False
            for line2 in out.split("\n"):
                if line2.startswith("Name:"):
                    next_line_is_address = True
                elif next_line_is_address:
                    m2 = re2.match(line2)
                    if m2:
                        IPv4[m2.group(1)] = True
                    next_line_is_address = False
print("\n".join(sorted(IPv4.keys())))
# or call "ufw allow..." to allow port 80 outbound to these addresses
Sample output (as of January 2014):
user@pc:~$ ./ubuntu_servers.py
194.169.254.10
91.189.91.13
91.189.91.14
91.189.91.15
91.189.92.156
91.189.92.190
91.189.92.200
91.189.92.201
whois 91.189.92.201 says that 91.189.91.0/24 belongs to Canonical, so if we're configuring a firewall then that might be a useful address-range to remember.
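As an added example (not the answer's own script), the same idea carried a little further in Python 3: it reads the `deb` and `deb-src` lines of an apt sources.list, including lines with an `[arch=... signed-by=...]` options block and `https://` repositories, resolves each host with the standard library instead of shelling out to nslookup, and prints `ufw allow out` commands with the port matched to the scheme (80 for http, 443 for https) and `proto tcp`. The sample sources.list lines are constructed and modelled on a default Ubuntu install; the resolver is injectable so the parsing and rule generation can be checked with constructed addresses and no network access. The commands are printed, not applied, so they can be reviewed first.

```python
#!/usr/bin/env python3
"""Turn the repositories in an apt sources.list into per-IP ufw allow rules."""
import glob
import os
import re
import socket
from typing import Callable, Iterable, List, Set, Tuple

# Constructed sample modelled on a default Ubuntu sources.list: a plain http
# mirror, its deb-src twin, an https line with an [options] block, and a
# commented-out line that must be ignored.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb-src http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://security.ubuntu.com/ubuntu focal-security main
# deb http://disabled.example.org/ubuntu focal main
"""

# deb or deb-src, optional [options] block, http or https, host, optional :port
SOURCE_RE = re.compile(
    r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?"
    r"(?P<scheme>https?)://(?P<host>[^/\s:]+)(?::(?P<port>\d+))?"
)
PORT_FOR_SCHEME = {"http": 80, "https": 443}


def parse_sources(lines: Iterable[str]) -> Set[Tuple[str, int]]:
    """Return the (hostname, TCP port) pairs apt will connect to."""
    targets: Set[Tuple[str, int]] = set()
    for line in lines:
        m = SOURCE_RE.match(line)
        if m:
            port = int(m.group("port")) if m.group("port") else PORT_FOR_SCHEME[m.group("scheme")]
            targets.add((m.group("host"), port))
    return targets


def resolve_all(host: str) -> List[str]:
    """Every IPv4/IPv6 address of host. Mirrors are usually round-robin, so one
    lookup returns several; getaddrinfo repeats each per socket type, hence the set."""
    addrs = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return sorted(addrs)


def ufw_rules(targets: Iterable[Tuple[str, int]],
              resolver: Callable[[str], List[str]] = resolve_all) -> List[str]:
    """ufw commands allowing outbound TCP only to the resolved addresses and ports."""
    rules = set()
    for host, port in sorted(targets):
        for ip in resolver(host):
            rules.add(f"ufw allow out to {ip} port {port} proto tcp")
    return sorted(rules)


if __name__ == "__main__":
    # apt reads sources.list and the .list files under sources.list.d
    files = ["/etc/apt/sources.list"] + glob.glob("/etc/apt/sources.list.d/*.list")
    lines: List[str] = []
    for path in files:
        if os.path.exists(path):
            with open(path) as f:
                lines.extend(f)
    targets = parse_sources(lines) if lines else parse_sources(SAMPLE_SOURCES.splitlines())
    # Printed rather than applied: review the rules, then run them with sudo.
    # Re-run the script whenever the mirrors' addresses change.
    print("\n".join(ufw_rules(targets)))
```

Because the rules are pinned to whatever the mirror names resolve to right now, they go stale when Canonical moves or adds addresses, which is the same reason the first answer recommends scripting the DNS step; keep the script and re-run it rather than hand-editing the rule list.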
OJW, updated on September 18, 2022
Comments
- OJW, over 1 year ago: What combination of UFW rules would deny all outbound connections except for those which are required to install Ubuntu security updates?
- Roland Pihlakas, over 3 years ago: Note that you may need to do apt-get install dnsutils before running this.