UFW - deny outbound except for apt-get updates?

7,721

Solution 1

My answer is for a more general case, not only for apt-get.

To deny all outgoing IPs except one IP

sudo ufw default deny outgoing
sudo ufw allow out to 11.22.33.44

To quickly revert, allow again all outgoing IPs

sudo ufw default allow outgoing

To deny all outgoing except HTTP and HTTPS on one IP

You can be more restrictive:

sudo ufw default deny outgoing
sudo ufw allow out to 11.22.33.44 port http   # TCP 80
sudo ufw allow out to 11.22.33.44 port https  # TCP 443

The above two rules allow TCP only; you do need to specify the protocol (tcp or udp). You can be even more restrictive by specifying the interface as eth0, for example to avoid using the WiFi... But I think this is not useful...

Check/Clean your UFW rules

If another IP is still accessible, the origin may be some residual rules. It is good practice to check the current UFW rules:

sudo ufw status numbered

You may have to delete some polluting rules:

sudo ufw delete 3   # Attention:
sudo ufw delete 2   # 2 and 3 are examples

Also allow DNS

Your software may use a domain name instead of a numeric IP address.

As UFW uses numeric IP addresses, the following manual example should be scripted so it can easily be repeated when the IPs change.

Retrieve your DNS IP

$ resolvectl status | grep -2 'DNS Server'
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 22.22.22.20
         DNS Servers: 22.22.22.20
                      22.22.22.21
                      2b01:a00::2

Allow DNS (TCP and UDP) for only your DNS servers

$ sudo ufw allow out to 22.22.22.20 port 53
Rule added
$ sudo ufw allow out to 22.22.22.21 port 53
Rule added

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 11.22.33.44 443/tcp        ALLOW OUT   Anywhere     (log, out)
[ 3] 22.22.22.20 53             ALLOW OUT   Anywhere     (out)
[ 4] 22.22.22.21 53             ALLOW OUT   Anywhere     (out)

Solution 2

I don't usually use ufw. I use iptables directly.

Ubuntu usually gets updates using the HTTP protocol, so you need to have the outbound HTTP port open. If you want to restrict your rules to specific hosts, you need to figure out the IPs of the Ubuntu repositories listed in /etc/apt/sources.list.

A better solution is to redirect HTTP traffic to a web proxy and allow only specific domains/URLs. This is more accurate than resolving names to IPs to block them using a firewall.

Solution 3

Expanding on Khaled's answer with a brief example:

Python program to list the IP addresses associated with software updates:

#!/usr/bin/env python3
import re
import subprocess

# "deb http://host/..." lines in sources.list (deb-src and commented lines are skipped)
re1 = re.compile(r"deb http://(.+?)/")
# "Address: 1.2.3.4" lines in the output of nslookup
re2 = re.compile(r"Address:\s*(\d+\.\d+\.\d+\.\d+)")
IPv4 = set()
with open("/etc/apt/sources.list") as f:
    for line1 in f:
        m1 = re1.match(line1)
        if m1:
            url = m1.group(1)
            # Run nslookup (from the dnsutils package) and capture its output as text
            p = subprocess.run(["nslookup", url], stdout=subprocess.PIPE, text=True)
            out = p.stdout

            # Parse the output of nslookup: each "Name:" line is followed by its "Address:" line
            next_line_is_address = False
            for line2 in out.splitlines():
                if line2.startswith("Name:"):
                    next_line_is_address = True
                elif next_line_is_address:
                    m2 = re2.match(line2)
                    if m2:
                        IPv4.add(m2.group(1))
                    next_line_is_address = False

print("\n".join(sorted(IPv4)))
# or call "ufw allow..." to allow port 80 outbound to these addresses

Sample output (as of January 2014):

user@pc:~$ ./ubuntu_servers.py 
194.169.254.10
91.189.91.13
91.189.91.14
91.189.91.15
91.189.92.156
91.189.92.190
91.189.92.200
91.189.92.201

whois 91.189.92.201 says that 91.189.91.0/24 belongs to Canonical, so if we're configuring a firewall then that might be a useful address-range to remember.
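
A combined version of the DNS and mirror rules from Solution 1 and the script from Solution 3, added here as an example and not code from either answer: it parses sources.list text for active deb lines (also handling the [options] block and https mirrors, which the script above does not) and emits the ufw commands. The sample sources text, the example keyring path and the fake_resolver mapping are constructed; real use passes resolve_ipv4 and the contents of /etc/apt/sources.list.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Set

# Active "deb" entries only (not deb-src, not comments), tolerating the
# optional [arch=... signed-by=...] block; captures scheme and hostname.
_DEB_LINE = re.compile(r"^\s*deb\s+(?:\[[^\]]*\]\s+)?(https?)://([^/\s:]+)")

# Constructed sample sources.list (the keyring path is a placeholder).
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb-src http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://security.ubuntu.com/ubuntu focal-security main
# deb http://ppa.example.invalid/ubuntu focal main
"""

def mirror_ports(sources_text: str) -> Dict[str, Set[int]]:
    """Map each mirror hostname to the TCP ports apt will use to reach it."""
    ports: Dict[str, Set[int]] = {}
    for line in sources_text.splitlines():
        m = _DEB_LINE.match(line)
        if m:
            scheme, host = m.groups()
            ports.setdefault(host, set()).add(443 if scheme == "https" else 80)
    return ports

def resolve_ipv4(host: str) -> List[str]:
    """Live resolver: every IPv4 address currently returned for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

# Constructed stand-in for resolve_ipv4 so the example runs offline.
def fake_resolver(host: str) -> List[str]:
    return {"archive.ubuntu.com": ["91.189.91.13", "91.189.91.14"],
            "security.ubuntu.com": ["91.189.92.201"]}[host]

def ufw_rules(sources_text: str, dns_servers: Iterable[str],
              resolver: Callable[[str], List[str]] = resolve_ipv4) -> List[str]:
    """ufw commands: deny outbound by default, allow DNS (UDP and TCP) only to
    the given resolvers, then allow each mirror address on its port(s)."""
    rules = ["ufw default deny outgoing"]
    for dns in dns_servers:
        rules.append(f"ufw allow out to {dns} port 53")  # no proto: UDP and TCP
    for host, portset in sorted(mirror_ports(sources_text).items()):
        for ip in resolver(host):
            for port in sorted(portset):
                rules.append(f"ufw allow out to {ip} port {port} proto tcp")
    return rules
```

Printing `ufw_rules(SAMPLE_SOURCES, ["22.22.22.20"], fake_resolver)` gives the command list for the sample; mirror addresses rotate, so rerun it (and `ufw status numbered`) whenever updates start failing.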

Author: OJW

Updated on September 18, 2022

Comments

  • OJW
    OJW over 1 year

    What combination of UFW rules would deny all outbound connections except for those which are required to install Ubuntu security updates?

  • Roland Pihlakas
    Roland Pihlakas over 3 years
    Note that you may need to run apt-get install dnsutils before running this.