Koozali.org: home of the SME Server

Firewall Blocking my updates

Offline cyberwatcher

Firewall Blocking my updates
« on: October 01, 2008, 05:19:19 PM »
I have successfully added the IP addresses needed for the clam AV updates to my Firewall however what specific IP addresses do I need to add for the errors below?

The error messages that I would get for Clam AV updates looked the same until I added the IP addresses to my filter.

Thanks in advance

Cannot open/read repomd.xml file for repository: smeaddons
failure: repodata/repomd.xml from smeaddons: [Errno 256] No more mirrors to try.
Error: failure: repodata/repomd.xml from smeaddons: [Errno 256] No more mirrors to try.

/etc/cron.daily/01-rkhunter:

Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
/etc/cron.daily/0check4updates:

Cannot open/read repomd.xml file for repository: smeaddons
failure: repodata/repomd.xml from smeaddons: [Errno 256] No more mirrors to try.
Error: failure: repodata/repomd.xml from smeaddons: [Errno 256] No more mirrors to try.
/etc/cron.daily/sa_update:

'spamassassin' is not a valid service name
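Added example, not part of the original thread or of SME Server: a small parser that reads a cron.daily mail like the one quoted above and separates download failures (the kind an outbound firewall rule can cause) from local warnings. The sample text is constructed by abridging the messages in the post; treating the sa_update and SSH lines as local, non-network problems is an interpretation of their wording.

```python
import re
from collections import defaultdict

# Constructed sample: the cron mail from the first post, abridged.
SAMPLE = """\
/etc/cron.daily/01-rkhunter:

Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
/etc/cron.daily/0check4updates:

Cannot open/read repomd.xml file for repository: smeaddons
failure: repodata/repomd.xml from smeaddons: [Errno 256] No more mirrors to try.
Error: failure: repodata/repomd.xml from smeaddons: [Errno 256] No more mirrors to try.
/etc/cron.daily/sa_update:

'spamassassin' is not a valid service name
"""

# A cron mail introduces each job's output with the script path and a colon.
JOB_HEADER = re.compile(r"^(/etc/cron\.\w+/\S+):\s*$")

# Signatures of a fetch that never completed, taken from the messages above.
FETCH_FAILURES = [
    ("yum-repo", re.compile(r"^failure: repodata/\S+ from (\S+): \[Errno 256\]")),
    ("rkhunter-data", re.compile(r"^Warning: Download of '([^']+)' failed")),
]

def blocked_fetches(mail_text):
    """Return {cron job: sorted [(kind, item)]} for download failures only."""
    found = defaultdict(set)
    job = None
    for line in mail_text.splitlines():
        header = JOB_HEADER.match(line)
        if header:
            job = header.group(1)
            continue
        for kind, pattern in FETCH_FAILURES:
            hit = pattern.match(line)
            if hit and job:
                found[job].add((kind, hit.group(1)))
    return {j: sorted(items) for j, items in found.items()}

if __name__ == "__main__":
    for job, items in blocked_fetches(SAMPLE).items():
        print(job, items)
```

Jobs that appear in the mail but not in the result (here sa_update) failed for a reason other than a download, so changing firewall rules will not clear them.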

Offline CharlieBrady

Re: Firewall Blocking my updates
« Reply #1 on: October 02, 2008, 05:56:59 PM »
Quote
I have successfully added the IP addresses needed for the clam AV updates to my Firewall however what specific IP addresses do I need to add for the errors below?

This is a question for your firewall vendor or administrator.

Offline cyberwatcher

Re: Firewall Blocking my updates
« Reply #2 on: October 03, 2008, 12:18:42 AM »
Actually I am asking for the IP addresses that the SME server uses to download the updates... One would think that going to contribs would help me with my issue since this is an SME server and unless I am wrong, this forum is all about SME, correct? Going to my hardware vendor will point me to your direction REALLY fast. It is not their job to find me the sites that push updates to my mail server. Can you please tell me or can someone else tell me the sites' addresses so that I can administer my firewall to allow them through?

THANKS.

Offline CharlieBrady

Re: Firewall Blocking my updates
« Reply #3 on: October 03, 2008, 12:30:09 AM »
Quote
Actually I am asking for the IP addresses that the SME server uses to download the updates...

That depends entirely on data provided by DNS. clamav has many different mirror sites, as does sme server distribution. As has google, yahoo, etc.

Quote
Can you please tell me or can someone else tell me the sites' addresses so that I can administer my firewall to allow them through?

Do you really need to whitelist the IP address of every DNS, web and SMTP server your server accesses? That would be a very unusual firewall configuration.


Offline arne

Re: Firewall Blocking my updates
« Reply #4 on: October 03, 2008, 12:43:58 AM »
When doing this job (from here and on this location):

[root@sme73v4 ~]# /etc/cron.daily/01-rkhunter

This generated this outgoing traffic - external ip: 216.34.181.96 port:80

Some info here: http://216.34.181.96/

But it's true. "Normally" configured firewalls should let this traffic pass through.


Offline arne

Re: Firewall Blocking my updates
« Reply #5 on: October 03, 2008, 12:53:14 AM »
When thinking it over .. the right ip for configuring a firewall (that should normally not need configuration) might be some other at some other location.

I used iptraf to find the ip. Installation: yum install iptraf

Then it is just a matter of running the job and watching iptraf.

Offline cyberwatcher

Re: Firewall Blocking my updates
« Reply #6 on: October 04, 2008, 01:26:22 AM »
WOW...
I have found the IP addresses myself guys, thanks for the help. In the meantime, to answer CharlieBrady’s question
Quote: “Do you really need to whitelist the IP address of every DNS, web and SMTP server your server accesses? That would be a very unusual firewall configuration.”

My unusual firewall configuration as Charliebrady puts it is actually doing its job: securing my mail server. I have configured my firewall to allow only the necessary IP address allowed in folks… That is what a firewall does not just to allow any IP address in. That would be the easy way of course but the folks here at cyberwatchers might not appreciate me making Swiss cheese out of their firewall.

Maybe we are confused here? I am running a Juniper hardware appliance... It keeps my mail server safe... I just needed to know if you people could just give me directions to get data to my mail server. I could handle the revolving gateway as needed myself.

As for DNS, I have a Domain controller which is ALLOWED to serve that up for my mail server both internally and externally.
I just thought you guys might hand off a few IP addresses, no big deal, although I did have to put my beer down and point and click a bit. I found them myself.
Regards
« Last Edit: October 04, 2008, 01:35:23 AM by cyberwatcher »

Offline Stefano

Re: Firewall Blocking my updates
« Reply #7 on: October 04, 2008, 10:07:50 AM »
hi

I think, my friend, that you misunderstood what Charlie said.

no-one told you to let every ip come IN.. you should permit your SME to go OUT where it needs..

making firewall rules by ip on the wan side is, IMHO, a pain.. as you've been told, clamav uses many servers, and your SME will use almost all of them.. and they could change their ip..

so, make a simple rule:
sme ip -> all on 80 permit

my 2c
ciao
Stefano

Offline cyberwatcher

Re: Firewall Blocking my updates
« Reply #8 on: October 04, 2008, 12:16:45 PM »
That is the way I had my mail server and the result was many IP addresses that my server clearly did not need to be talking to. I have since found the URL addresses that my server needs to download updates from, like http://rkhunter.sourceforge.net for instance.

I like locking my server down in both directions; that way the mail server is safer from any possible threats such as relaying and so forth. I don’t trust anyone, especially behind my firewall.

I have an ANY rule on the External interface allowing SMTP in.
I have a rule that narrows down the URL addresses OUT.

As I said, I have found the URL addresses that I needed. I still do not understand why anyone would think this is out of the ordinary: blocking unnecessary traffic…

It was not that hard and if the IP address changes from any of the ftp servers that is okay because I used the URL not the IP address.

Maybe I should have just asked if anyone knew specific URL addresses instead.

Regards,

Offline arne

Re: Firewall Blocking my updates
« Reply #9 on: October 05, 2008, 01:44:26 AM »
I agree with the idea: Keep internet traffic to the required minimum that is needed for the full functionality.

After I implemented that 'idea' the system logs have been almost empty.

Actually there has been 'nothing' in the log after 8 months of internet connection, with this idea implemented.

Filtering traffic out can be a time-consuming task, to make everything work properly, but if it can be done, practically, I think this is also a good idea, as well.
« Last Edit: October 05, 2008, 01:54:07 AM by arne »