Updating SAV-LINUX with limited internet access: what firewall exceptions are required?

Hello Allan Dyer,

to restrict savupdate to only attempt updates when access is available
if automatic updating is enabled it checks for updates at 60 minute intervals by default, you can't set a certain schedule with specific times. Won't recommend it but it's possible to disable automatic updates (/opt/sophos-av/bin/savconfig set EnableAutoUpdating false) and trigger updating (/opt/sophos-av/bin/savupdate) with a cron job or some other means.

For the Sophos update servers please see the CDN Migration FAQs and Sophos Central: Domains and ports required - basically the .sophosupd. URLs are required.

Christian

Thanks QC, that helped me to think through the issues.

I've decided to set up an Apache http proxy, and configure savupdate to use that.

The problem with setting firewall rules is that the .sophosupd. hosts would be resolved to IP addresses when the rules were added, but the IP address might be different when the connection is attempted, especially as there's a content delivery network. It might work for a while, but would probably fail intermittently and be difficult to troubleshoot.

I'll take your recommendation to avoid disabling automatic updates and using cron; it would work at the cost of delaying updates.

With a proxy server, I can restrict the permitted destinations using a regular expression and/or configure savupdate to authenticate itself to the proxy server for access. The rules will be evaluated when the requests are made, so no problem with IP addresses changing. I didn't want to install a proxy server just for this, but it's a superior solution.

Anyway, it's working fine so far.

Does your firewall offer the ability to create rules with objects based on a DNS-lookup?

That would solve your issue because you would be able to allow out to our IPs dynamically.

I'm using iptables, which resolves the DNS-lookup when the rule is added.

Does any firewall resolve hostnames dynamically? Logically, that would involve a DNS lookup for each packet with a new IP address (and on cache timeout), which sounds like a really good way to slow down a firewall!

The Sophos UTM offers this with the DNSHost object type. It allows for the rules to function against services offered in scaling scenarios like Azure or AWS.

So how does that affect the performance of the Sophos UTM?

Does this offer any advantages over a proxy server?

I haven't investigated the performance difference of a rule using a static host object and a DNSHost object.

The primary advantage is that the UTM (which should be on the perimeter of the network) can directly query the DNS record and make a choice on whether the rule applies - it allows for distinct web content filtering and firewall rule application.

I haven't investigated the performance difference of a rule using a static host object and a DNSHost object.

The primary advantage is that the UTM (which should be on the perimeter of the network) can directly query the DNS record and make a choice on whether the rule applies - it allows for distinct web content filtering and firewall rule application.