Paul 'Baloo' Johnson wrote:

> On Tue, 30 Oct 2001, Frederico.S.Muñoz wrote:
>
> > AFAIK either the HTTP, the FTP, or both; it depends on what you define in
> > your sources.list.
> >
> > If you only define http sites you would only need the http port open, the
> > same with the ftp.
>
> 2 things:
>
> 1) If you're blocking connections anal retentively, non-passive FTP may
> break anyway.
>
> 2) Why are you blocking *outgoing* connections, anyway? If you don't
> trust people inside your network to make an outbound connection, do they
> really need to be on the network at all?
I am not an expert; anyhow, I think the *outgoing* connections are allowed.
See below:

# Output rules
#
# ipfwadm -O -l
IP firewall output rules, default policy: deny
type  prot  source          destination     ports
acc   ALL   X.X.X.0/25      0.0.0.0/0       n/a
acc   ALL   0.0.0.0/0       X.X.X.0/25      n/a

And the machine which has the issue has the below allowed:

# Input rules
#
# ipfwadm -I -l | grep 5
acc   TCP   0.0.0.0/0       X.X.X.5         * -> 80
acc   TCP   0.0.0.0/0       X.X.X.5         80,443 -> 1024:65535
acc   TCP   0.0.0.0/0       X.X.X.5         119,81,20,21 -> 1024:65535
                                                    ^  ^

The X.X.X.5 host is behind the firewall.

Why does pointing apt-get to ftp.de.debian.org raise a "Connection time out"
message after logging in and connecting successfully? Not a single byte of
the "Packages" file is downloaded (0%).

Note: I can use "lynx" and "ftp" correctly on the X.X.X.5 host. I can even
download the "Packages" file using the "ftp" command.

Uhmm, ... Is it necessary to enable the UDP protocol to use "apt-get"?

# ipfwadm -I -l | grep 5
acc   TCP   0.0.0.0/0       X.X.X.5         * -> 80
acc   TCP   0.0.0.0/0       X.X.X.5         80,443 -> 1024:65535
acc   TCP   0.0.0.0/0       X.X.X.5         119,81,20,21 -> 1024:65535
                                                    ^  ^

Do you know of any SMTP, FTP, firewall, DNS, POP3, ... server which runs
Debian and uses "apt-get update ; apt-get upgrade" in cron to fix the
security bugs automatically? Is it usual?

Davi
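Added example, not part of the mail thread: a small Python model of the three ipfwadm input rules Davi lists, evaluated the way ipfwadm does it (stateless, first match wins, no connection tracking), run against the inbound half of the flows an FTP or HTTP client on the X.X.X.5 host produces. The placeholder address X.X.X.5 is replaced by the documentation address 192.0.2.5, the server address and port numbers are constructed sample values, and the default input policy is assumed to be deny like the output chain shown in the mail; none of those values come from the original message.

```python
import ipaddress

# Added example, not from the original mail. The three input rules are the
# ones listed in the message; "X.X.X.5" is replaced by the documentation
# address 192.0.2.5 (an assumption), and the unlisted default input policy is
# assumed to be deny, like the output chain shown in the mail.
HOST = "192.0.2.5"
DEFAULT_POLICY = "deny"

# (action, proto, source network, destination network, source ports, destination ports)
INPUT_RULES = [
    ("acc", "TCP", "0.0.0.0/0", HOST + "/32", "*", "80"),
    ("acc", "TCP", "0.0.0.0/0", HOST + "/32", "80,443", "1024:65535"),
    ("acc", "TCP", "0.0.0.0/0", HOST + "/32", "119,81,20,21", "1024:65535"),
]


def port_matches(spec, port):
    """Match an ipfwadm port field: '*' (any), '80,443' (list) or '1024:65535' (range)."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def input_verdict(proto, src, dst, sport, dport):
    """First matching rule wins. ipfwadm keeps no connection state, so every
    packet, including replies to connections the host itself opened, is
    judged on its own header fields."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_sports, r_dports in INPUT_RULES:
        if r_proto not in ("ALL", proto):
            continue
        if src_ip not in ipaddress.ip_network(r_src):
            continue
        if dst_ip not in ipaddress.ip_network(r_dst):
            continue
        if port_matches(r_sports, sport) and port_matches(r_dports, dport):
            return action
    return DEFAULT_POLICY


def ftp_scenarios(server="198.51.100.10", client_port=40000, server_data_port=50000):
    """Verdicts for the inbound packets of the flows a client on HOST produces.
    Server address and ports are constructed sample values."""
    return {
        # replies on the control connection the client opened to port 21
        "control_reply": input_verdict("TCP", server, HOST, 21, client_port),
        # active mode: the server opens the data connection from port 20
        "active_data": input_verdict("TCP", server, HOST, 20, client_port),
        # passive mode: the client connects to an ephemeral server port, so the
        # replies come from a source port that none of the three rules lists
        "passive_data_reply": input_verdict("TCP", server, HOST, server_data_port, client_port),
        # replies of an HTTP download from a mirror on port 80
        "http_reply": input_verdict("TCP", server, HOST, 80, client_port),
    }


if __name__ == "__main__":
    for name, verdict in ftp_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The model shows what the two `^ ^` marks on ports 20 and 21 actually cover: the FTP control connection and an active-mode data connection (server port 20 to a client port above 1023) pass, while the reply packets of a passive-mode data transfer, whose server-side port is an ephemeral one chosen per transfer, hit no rule and fall through to the default policy. A login that succeeds followed by a 0% stall on the data transfer is exactly the symptom this produces when one client uses active mode and another uses passive mode against the same rule set, so checking which mode each client is configured for is the first thing to verify before touching the UDP question.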