Outbound Firewall Rules/URLs required for ISPConfig

Discussion in 'Installation/Configuration' started by Graeme, Feb 25, 2021.

  1. Graeme

    Graeme New Member

    I am going to be setting up a new Ubuntu server with ISPconfig on. It will be in a local DMZ behind a strict firewall (default block).

    I can set up the inbound rules for the sites I'll be hosting easily but I don't know what outbound access ISPconfig needs. That is the URLs it will need access to to download and install itself and the URLs (possibly the same) it will need to access to get updates. e.g. download servers and any custom repos it will access?

    Looks like the install script is hosted on ispconfig.org so I will permit "*.ispconfig.org", but I don't know if this is all?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    For ISPConfig, allowing https access to *.ispconfig.org should be enough, as the version check, ISPConfig software download and also the news feed are located on ispconfig.org. In general, you should also allow access to the package servers of the Linux distribution that you use, and general things like outgoing DNS. If this server is a mail system, then you might have to allow ClamAV to update its signatures as well, and there might be e.g. blacklists that are accessed by Amavis/Rspamd.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Good for you, it's a fair bit of detective work to figure these out, but it's the right way to do it. So many things access http(s) for updates it's a chore, and I sometimes just grant temporary "access any http/https" access to do some task (and hope to remove that later <-- not foolproof), so I'm surely missing some things.

    In addition to what @till said:
    - check for other package repositories (commonly packages.sury.org for php and deb.goaccess.io for goaccess)
    - sometimes the package systems use "mirrors" which download a list of current mirrors and contact those for updates - try to undo any such setups, or you have to allow access to the mirror servers
    - either acme.sh (get.acme.sh, github.com and raw.githubusercontent.com - yikes! on the latter 2) or certbot installation sources; also acme.sh will try to update itself, and certbot may if you installed manually (not from an OS package)
    - letsencrypt certificate requests need to contact their servers; I haven't looked into specific URLs
    - https://olivier.sessink.nl/ is needed for jailkit source (or just build the package and put it in a local repository)
    - files.phpmyadmin.net for the latest phpmyadmin (if you don't install from OS package)
    - I don't know that amavis itself downloads any URLs, but clamav does - I have these sources listed, and that may well be incomplete: clamav.securiteinfo.com database.clamav.net db.local.clamav.net current.cvd.clamav.net
    - spamassassin runs a nightly sa-update that pulls updates from somewhere(s)
    - rspamd mainly requests from rspamd.com, but a quick search also finds https://www.openphish.com/feed.txt and there could be more (I don't have rspamd using a proxy yet)
    - I believe (not 100% positive) I've seen packages which periodically update a geoip database
    - I haven't setup roundcube this way (yet?), but it probably needs unrestricted http/https in order to load images for html emails and similar
    - customer websites access all manner of URLs for cms/theme/package updates and functionality (e.g. a firewall plugin may download a geoip database, rbl/ip white and black lists, etc.; premium packages will access random URLs to verify licenses and update; many load from github.com or wordpress.org or ....)

    And there's surely more. Watch proxy logs for what is denied, and firewall logs for blocked outgoing connections, then try to work backwards into what is doing that.
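One way to do the "work backwards from the firewall logs" step described in the post above, as an added example that is not from the thread or from ISPConfig itself: it parses UFW-style netfilter kernel log lines (the sample lines are constructed and abbreviated; real lines carry more fields) and tallies blocked outbound flows per destination, protocol and port, so each line of the summary can be traced to the service that produced it before a rule is added.

```python
from collections import Counter

# Constructed, abbreviated UFW/netfilter kernel log lines (not real traffic).
# An empty OUT= means the packet was inbound; those are noise for this task.
SAMPLE_LOG = """\
Feb 25 10:01:02 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.5.10 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=443 SYN
Feb 25 10:01:03 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.5.10 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=443 SYN
Feb 25 10:02:10 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.5.10 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=80 SYN
Feb 25 10:03:00 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.5.10 DST=192.0.2.53 PROTO=UDP SPT=34567 DPT=53 LEN=44
Feb 25 10:03:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.5.10 PROTO=TCP SPT=4444 DPT=22 SYN
"""

# Hints for the most common update/feed channels seen in the thread.
PORT_HINTS = {443: "https (repos, acme, clamav, rspamd feeds)",
              80: "http (older mirrors)", 53: "dns"}


def parse_kernel_fields(line):
    """Turn the KEY=VALUE tokens of a netfilter log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def outbound_blocks(lines):
    """Count blocked outbound flows keyed by (destination, protocol, dest port)."""
    counts = Counter()
    for line in lines:
        if "BLOCK" not in line:
            continue
        f = parse_kernel_fields(line)
        if not f.get("OUT"):  # inbound packet: OUT= is empty
            continue
        key = (f.get("DST", "?"), f.get("PROTO", "?"), int(f.get("DPT", 0)))
        counts[key] += 1
    return counts


def report(counts):
    """Most frequently blocked destinations first, one line each."""
    rows = []
    for (dst, proto, dpt), n in counts.most_common():
        hint = PORT_HINTS.get(dpt, "unknown service, check which process opens it")
        rows.append(f"{n:4d}  {proto:<4} {dst}:{dpt}  # {hint}")
    return rows


if __name__ == "__main__":
    for row in report(outbound_blocks(SAMPLE_LOG.splitlines())):
        print(row)
```

On a live system feed it `journalctl -k` or /var/log/ufw.log instead of SAMPLE_LOG; a reverse lookup of the destinations then tells you which of the hostnames listed above each flow belongs to.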
