Getting IP whitelist of repo servers (Ubuntu 16.04)












1















We have various Ubuntu appliances deployed throughout the US. We've run into some situations recently where we are getting requests for IP whitelists (instead of FQDN whitelists) of the repos that we need to run updates (we're trying to avoid hosting our own as that has its own challenges).



Taking a look at what the servers would reach now, I see the following:



root@VamLab-Server:/etc# dig +short $(grep -Pho '^s*[^#].*?https?://K[^/]+' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | sort -u) | sort -u
91.189.88.149
91.189.88.152
91.189.88.161
91.189.88.162
91.189.91.23 <--both security and archive
91.189.91.26 <--both security and archive

root@VamLab-Server:/etc# cat /etc/apt/sources.list | grep -v "#"
deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ xenial universe
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ xenial multiverse
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb http://security.ubuntu.com/ubuntu xenial-security universe
deb http://security.ubuntu.com/ubuntu xenial-security multiverse


Is there a way to get the formal list of statics from Ubuntu? I know the recommendation is for FQDN whitelisting, but some of our customers either lack the hardware or capability to add the required FQDN rules. Sometimes it can take weeks for our customers to add firewall rules since it requires them going through their IP departments, so we're trying to see if can get ahead of those steps with customer frustration and tech support time for each.



Thanks in advance!










share|improve this question



























    1















    We have various Ubuntu appliances deployed throughout the US. We've run into some situations recently where we are getting requests for IP whitelists (instead of FQDN whitelists) of the repos that we need to run updates (we're trying to avoid hosting our own as that has its own challenges).



    Taking a look at what the servers would reach now, I see the following:



    root@VamLab-Server:/etc# dig +short $(grep -Pho '^s*[^#].*?https?://K[^/]+' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | sort -u) | sort -u
    91.189.88.149
    91.189.88.152
    91.189.88.161
    91.189.88.162
    91.189.91.23 <--both security and archive
    91.189.91.26 <--both security and archive

    root@VamLab-Server:/etc# cat /etc/apt/sources.list | grep -v "#"
    deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
    deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
    deb http://us.archive.ubuntu.com/ubuntu/ xenial universe
    deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates universe
    deb http://us.archive.ubuntu.com/ubuntu/ xenial multiverse
    deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
    deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
    deb http://security.ubuntu.com/ubuntu xenial-security main restricted
    deb http://security.ubuntu.com/ubuntu xenial-security universe
    deb http://security.ubuntu.com/ubuntu xenial-security multiverse


    Is there a way to get the formal list of statics from Ubuntu? I know the recommendation is for FQDN whitelisting, but some of our customers either lack the hardware or capability to add the required FQDN rules. Sometimes it can take weeks for our customers to add firewall rules since it requires them going through their IP departments, so we're trying to see if can get ahead of those steps with customer frustration and tech support time for each.



    Thanks in advance!










    share|improve this question

























      1












      1








      1








      We have various Ubuntu appliances deployed throughout the US. We've run into some situations recently where we are getting requests for IP whitelists (instead of FQDN whitelists) of the repos that we need to run updates (we're trying to avoid hosting our own as that has its own challenges).



      Taking a look at what the servers would reach now, I see the following:



      root@VamLab-Server:/etc# dig +short $(grep -Pho '^s*[^#].*?https?://K[^/]+' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | sort -u) | sort -u
      91.189.88.149
      91.189.88.152
      91.189.88.161
      91.189.88.162
      91.189.91.23 <--both security and archive
      91.189.91.26 <--both security and archive

      root@VamLab-Server:/etc# cat /etc/apt/sources.list | grep -v "#"
      deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
      deb http://us.archive.ubuntu.com/ubuntu/ xenial universe
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates universe
      deb http://us.archive.ubuntu.com/ubuntu/ xenial multiverse
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
      deb http://security.ubuntu.com/ubuntu xenial-security main restricted
      deb http://security.ubuntu.com/ubuntu xenial-security universe
      deb http://security.ubuntu.com/ubuntu xenial-security multiverse


      Is there a way to get the formal list of statics from Ubuntu? I know the recommendation is for FQDN whitelisting, but some of our customers either lack the hardware or capability to add the required FQDN rules. Sometimes it can take weeks for our customers to add firewall rules since it requires them going through their IP departments, so we're trying to see if can get ahead of those steps with customer frustration and tech support time for each.



      Thanks in advance!










      share|improve this question














      We have various Ubuntu appliances deployed throughout the US. We've run into some situations recently where we are getting requests for IP whitelists (instead of FQDN whitelists) of the repos that we need to run updates (we're trying to avoid hosting our own as that has its own challenges).



      Taking a look at what the servers would reach now, I see the following:



      root@VamLab-Server:/etc# dig +short $(grep -Pho '^s*[^#].*?https?://K[^/]+' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | sort -u) | sort -u
      91.189.88.149
      91.189.88.152
      91.189.88.161
      91.189.88.162
      91.189.91.23 <--both security and archive
      91.189.91.26 <--both security and archive

      root@VamLab-Server:/etc# cat /etc/apt/sources.list | grep -v "#"
      deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
      deb http://us.archive.ubuntu.com/ubuntu/ xenial universe
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates universe
      deb http://us.archive.ubuntu.com/ubuntu/ xenial multiverse
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
      deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
      deb http://security.ubuntu.com/ubuntu xenial-security main restricted
      deb http://security.ubuntu.com/ubuntu xenial-security universe
      deb http://security.ubuntu.com/ubuntu xenial-security multiverse


      Is there a way to get the formal list of statics from Ubuntu? I know the recommendation is for FQDN whitelisting, but some of our customers either lack the hardware or capability to add the required FQDN rules. Sometimes it can take weeks for our customers to add firewall rules since it requires them going through their IP departments, so we're trying to see if can get ahead of those steps with customer frustration and tech support time for each.



      Thanks in advance!







      networking apt server repository firewall






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 25 at 15:14









      Vitaly MarkovskyVitaly Markovsky

      82




      82






















          1 Answer
          1






          active

          oldest

          votes


















          2














          The easiest way to manage this is probably to configure a private mirror, or even a private proxy server for your sites to use.



          Public mirrors may change IP at no notice, not giving you access to updates. Running your own mirror, or proxy, allows you to whitelist at the URL level on that proxy, and allow the IP of that proxy trough firewalls.



          You may want to look at apt-cache to run a caching repository, or you may run a classic proxy, such as Squid, and only allow e.g. *.ubuntu.com as destination.



          You will probably spend less time on this approach than trying to maintain a reliable list of IPs.



          While you may be able to piece together a current list of IP's, Canonical or other parties running the mirrors will probably give you zero warranty that they won't change IPs as they see fit. That's after all the reason for having DNS; Flexibility.



          That's potentially weeks without updates. In my world, that's an clearly unacceptable position to be in. Either run your own, white listed, proxy, or private mirror.






          share|improve this answer


























          • Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

            – Vitaly Markovsky
            Jan 27 at 12:19











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1112821%2fgetting-ip-whitelist-of-repo-servers-ubuntu-16-04%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          The easiest way to manage this is probably to configure a private mirror, or even a private proxy server for your sites to use.



          Public mirrors may change IP at no notice, not giving you access to updates. Running your own mirror, or proxy, allows you to whitelist at the URL level on that proxy, and allow the IP of that proxy trough firewalls.



          You may want to look at apt-cache to run a caching repository, or you may run a classic proxy, such as Squid, and only allow e.g. *.ubuntu.com as destination.



          You will probably spend less time on this approach than trying to maintain a reliable list of IPs.



          While you may be able to piece together a current list of IP's, Canonical or other parties running the mirrors will probably give you zero warranty that they won't change IPs as they see fit. That's after all the reason for having DNS; Flexibility.



          That's potentially weeks without updates. In my world, that's an clearly unacceptable position to be in. Either run your own, white listed, proxy, or private mirror.






          share|improve this answer


























          • Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

            – Vitaly Markovsky
            Jan 27 at 12:19
















          2














          The easiest way to manage this is probably to configure a private mirror, or even a private proxy server for your sites to use.



          Public mirrors may change IP at no notice, not giving you access to updates. Running your own mirror, or proxy, allows you to whitelist at the URL level on that proxy, and allow the IP of that proxy trough firewalls.



          You may want to look at apt-cache to run a caching repository, or you may run a classic proxy, such as Squid, and only allow e.g. *.ubuntu.com as destination.



          You will probably spend less time on this approach than trying to maintain a reliable list of IPs.



          While you may be able to piece together a current list of IP's, Canonical or other parties running the mirrors will probably give you zero warranty that they won't change IPs as they see fit. That's after all the reason for having DNS; Flexibility.



          That's potentially weeks without updates. In my world, that's an clearly unacceptable position to be in. Either run your own, white listed, proxy, or private mirror.






          share|improve this answer


























          • Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

            – Vitaly Markovsky
            Jan 27 at 12:19














          2












          2








          2







          The easiest way to manage this is probably to configure a private mirror, or even a private proxy server for your sites to use.



          Public mirrors may change IP at no notice, not giving you access to updates. Running your own mirror, or proxy, allows you to whitelist at the URL level on that proxy, and allow the IP of that proxy trough firewalls.



          You may want to look at apt-cache to run a caching repository, or you may run a classic proxy, such as Squid, and only allow e.g. *.ubuntu.com as destination.



          You will probably spend less time on this approach than trying to maintain a reliable list of IPs.



          While you may be able to piece together a current list of IP's, Canonical or other parties running the mirrors will probably give you zero warranty that they won't change IPs as they see fit. That's after all the reason for having DNS; Flexibility.



          That's potentially weeks without updates. In my world, that's an clearly unacceptable position to be in. Either run your own, white listed, proxy, or private mirror.






          share|improve this answer















          The easiest way to manage this is probably to configure a private mirror, or even a private proxy server for your sites to use.



          Public mirrors may change IP at no notice, not giving you access to updates. Running your own mirror, or proxy, allows you to whitelist at the URL level on that proxy, and allow the IP of that proxy trough firewalls.



          You may want to look at apt-cache to run a caching repository, or you may run a classic proxy, such as Squid, and only allow e.g. *.ubuntu.com as destination.



          You will probably spend less time on this approach than trying to maintain a reliable list of IPs.



          While you may be able to piece together a current list of IP's, Canonical or other parties running the mirrors will probably give you zero warranty that they won't change IPs as they see fit. That's after all the reason for having DNS; Flexibility.



          That's potentially weeks without updates. In my world, that's an clearly unacceptable position to be in. Either run your own, white listed, proxy, or private mirror.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 25 at 18:46

























          answered Jan 25 at 15:30









          vidarlovidarlo

          10.5k52547




          10.5k52547













          • Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

            – Vitaly Markovsky
            Jan 27 at 12:19



















          • Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

            – Vitaly Markovsky
            Jan 27 at 12:19

















          Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

          – Vitaly Markovsky
          Jan 27 at 12:19





          Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!

          – Vitaly Markovsky
          Jan 27 at 12:19


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1112821%2fgetting-ip-whitelist-of-repo-servers-ubuntu-16-04%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀