Getting IP whitelist of repo servers (Ubuntu 16.04)
We have various Ubuntu appliances deployed throughout the US. We've run into some situations recently where we are getting requests for IP whitelists (instead of FQDN whitelists) of the repos that we need to run updates (we're trying to avoid hosting our own as that has its own challenges).
Taking a look at what the servers would reach now, I see the following:
root@VamLab-Server:/etc# dig +short $(grep -Pho '^\s*[^#].*?https?://\K[^/]+' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | sort -u) | sort -u
91.189.88.149
91.189.88.152
91.189.88.161
91.189.88.162
91.189.91.23 <--both security and archive
91.189.91.26 <--both security and archive
root@VamLab-Server:/etc# cat /etc/apt/sources.list | grep -v "#"
deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ xenial universe
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ xenial multiverse
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb http://security.ubuntu.com/ubuntu xenial-security universe
deb http://security.ubuntu.com/ubuntu xenial-security multiverse
Is there a way to get the formal list of statics from Ubuntu? I know the recommendation is for FQDN whitelisting, but some of our customers either lack the hardware or the capability to add the required FQDN rules. Sometimes it can take weeks for our customers to add firewall rules since it requires them going through their IP departments, so we're trying to see if we can get ahead of those steps, and of the customer frustration and tech support time that come with each.
Thanks in advance!
networking apt server repository firewall
asked Jan 25 at 15:14
Vitaly Markovsky
1 Answer
The easiest way to manage this is probably to configure a private mirror, or even a private proxy server for your sites to use.
Public mirrors may change IP at no notice, not giving you access to updates. Running your own mirror, or proxy, allows you to whitelist at the URL level on that proxy, and allow the IP of that proxy through firewalls.
You may want to look at apt-cache to run a caching repository, or you may run a classic proxy, such as Squid, and only allow e.g. *.ubuntu.com as destination.
You will probably spend less time on this approach than trying to maintain a reliable list of IPs.
While you may be able to piece together a current list of IPs, Canonical or other parties running the mirrors will probably give you zero warranty that they won't change IPs as they see fit. That's, after all, the reason for having DNS: flexibility.
That's potentially weeks without updates. In my world, that's a clearly unacceptable position to be in. Either run your own, whitelisted, proxy, or a private mirror.
edited Jan 25 at 18:46
answered Jan 25 at 15:30
vidarlo
Thanks very much for the quick answer @vidarlo, I'll give the apt-cacher a try!
– Vitaly Markovsky
Jan 27 at 12:19
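To tie the two halves of this thread together (the question's host extraction from sources.list, and the answer's advice to allowlist only the repo domains on your own proxy), here is an added example script. It is not code from the question, the answer, or any Ubuntu/Squid project. It derives the repository hostnames from sources.list content with a POSIX sed expression (the question's grep -P one-liner needs GNU grep), then emits a Squid ACL fragment allowing only those destinations and the apt proxy snippet the appliances would ship with. The proxy address apt-proxy.example.internal:3128 and the sample sources.list text are constructed placeholders; the optional --resolve mode records the mirror IPs with dig so you can diff snapshots over time and see for yourself how often they move.

```shell
#!/bin/sh
# Added example: build a domain allowlist for an apt proxy from sources.list.
# Not from the question or answer; proxy host/port below are placeholders.
set -eu

PROXY_HOST="apt-proxy.example.internal"   # assumed name of your own proxy
PROXY_PORT="3128"                         # Squid's default listening port

# Constructed sample sources.list content, modelled on the question's file,
# plus a commented line, a deb-src line and a bracketed-option line.
SAMPLE_SOURCES='# comment line, http://ignored.example must not be picked up
deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb-src http://security.ubuntu.com/ubuntu xenial-security main
deb [arch=amd64] https://download.example.org/repo stable main'

# extract_hosts: read sources.list lines on stdin, print the unique host
# (or host:port) of every uncommented deb/deb-src line, one per line.
extract_hosts() {
    sed -E -n \
        -e 's/^[[:space:]]*#.*//' \
        -e 's|^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*][[:space:]]+)?https?://([^/[:space:]]+).*|\3|p' \
    | sort -u
}

# squid_acl: hosts on stdin -> Squid ACL that allows only those domains.
# A port suffix is dropped because dstdomain matches on the host name only.
squid_acl() {
    printf 'acl apt_repos dstdomain'
    while IFS= read -r host; do
        printf ' %s' "${host%%:*}"
    done
    printf '\n'
    printf 'http_access allow apt_repos\n'
    printf 'http_access deny all\n'
}

# apt_proxy_conf: the /etc/apt/apt.conf.d snippet that points apt on the
# appliances at the proxy, so the customer firewall only needs its IP.
apt_proxy_conf() {
    printf 'Acquire::http::Proxy "%s";\n' "$1"
    printf 'Acquire::https::Proxy "%s";\n' "$1"
}

# resolve_hosts: hosts on stdin -> "host A-record" lines via dig (needs
# network). Saving this output per run and diffing it shows mirror IP churn.
resolve_hosts() {
    while IFS= read -r host; do
        host=${host%%:*}
        dig +short "$host" A | sed "s/^/$host /"
    done
}

# Demo on the constructed sample (no network needed).
printf '%s\n' "$SAMPLE_SOURCES" | extract_hosts | squid_acl
apt_proxy_conf "http://$PROXY_HOST:$PROXY_PORT"

# Optional: ./script --resolve  prints a dated IP snapshot of the real file.
if [ "${1-}" = "--resolve" ]; then
    echo "# snapshot $(date -u +%Y-%m-%dT%H:%MZ)"
    cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null \
        | extract_hosts | resolve_hosts
fi
```

The Squid fragment is the part that does the security work: with `http_access deny all` after the single allow rule, the proxy refuses anything that is not one of the repository hosts, so the customer firewall only has to permit one stable IP (the proxy) while the mirrors stay free to change theirs. The same host list fed to apt-cacher's allowed-hosts setting gives the equivalent control for the caching approach the answer mentions.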