Updating SAV-LINUX with limited internet access: what firewall exceptions are required?

I have SAV-LINUX on a machine behind a firewall that restricts internet access at most times. Unsurprisingly, I get frequent errors when savupdate is unable to reach the update source:

Failed to replicate from sdds:SOPHOS
Failed to replicate from all update sources

I would like to solve this by adding a firewall rule to permit access to the Sophos update servers at all times.

What access does savupdate require?

Alternatively, is there a way to restrict savupdate to only attempt updates when access is available?

Or is there another solution I haven't thought of?

  • Hello Allan Dyer,

    To restrict savupdate to only attempt updates when access is available:
    if automatic updating is enabled, it checks for updates at 60-minute intervals by default; you can't set a certain schedule with specific times. I won't recommend it, but it's possible to disable automatic updates (/opt/sophos-av/bin/savconfig set EnableAutoUpdating false) and trigger updating (/opt/sophos-av/bin/savupdate) with a cron job or some other means.

    For the Sophos update servers, please see the CDN Migration FAQs and Sophos Central: Domains and ports required - basically the .sophosupd. URLs are required.

    Christian

  • In reply to QC:

    Thanks QC, that helped me to think through the issues.

    I've decided to set up an Apache http proxy, and configure savupdate to use that.

    The problem with setting firewall rules is that the .sophosupd. hosts would be resolved to IP addresses when the rules were added, but the IP address might be different when the connection is attempted, especially as there's a content delivery network. It might work for a while, but would probably fail intermittently and be difficult to troubleshoot.

    I'll take your recommendation to avoid disabling automatic updates and using cron; it would work at the cost of delaying updates.

    With a proxy server, I can restrict the permitted destinations using a regular expression and/or configure savupdate to authenticate itself to the proxy server for access. The rules will be evaluated when the requests are made, so no problem with IP addresses changing. I didn't want to install a proxy server just for this, but it's a superior solution.

    Anyway, it's working fine so far.
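
As an added illustration of the regular-expression destination restriction described in this reply (example configuration written for this thread, not Allan's actual setup), here is an Apache 2.4 forward-proxy fragment that refuses every proxied destination by default and permits only hosts whose name contains .sophosupd., evaluated on each request rather than at rule-creation time. The listen port 3128, the client subnet 192.0.2.0/24, the log file names and the assumption that the standard authz modules are loaded are all mine.

```apache
# Added example: minimal Apache forward proxy for savupdate.
# Port, client subnet and log paths are assumptions; adjust to your site.
Listen 3128

LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_http_module    modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

<VirtualHost *:3128>
    # Act as a forward proxy; do not expose this port to the internet.
    ProxyRequests On

    # Only permit CONNECT tunnels to port 443 (HTTPS update traffic).
    AllowCONNECT 443

    # Default policy: deny every proxied destination.
    <Proxy "*">
        Require all denied
    </Proxy>

    # Exception: plain-HTTP URLs and CONNECT targets (host:port) whose
    # hostname contains ".sophosupd.". The regex is matched per request,
    # so a changing CDN address does not break the rule. Only the
    # update client's subnet may use the proxy at all.
    <ProxyMatch "^(https?://)?[^/:]+\.sophosupd\.[^/:]+(:[0-9]+)?(/.*)?$">
        Require ip 192.0.2.0/24
    </ProxyMatch>

    # Separate logs make a blocked update easy to spot in troubleshooting.
    ErrorLog  logs/savupdate-proxy_error.log
    CustomLog logs/savupdate-proxy_access.log combined
</VirtualHost>
```

Any request for a non-matching destination is answered with 403 and appears in the access log, so an update failure caused by the proxy policy is distinguishable from a network outage.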

  • In reply to Allan Dyer:

    Does your firewall offer the ability to create rules with objects based on a DNS-lookup?

    That would solve your issue because you would be able to allow out to our IPs dynamically.

  • In reply to RichardP:

    I'm using iptables, which resolves the DNS-lookup when the rule is added.

    Does any firewall resolve hostnames dynamically? Logically, that would involve a DNS lookup for each packet with a new IP address (and on cache timeout), which sounds like a really good way to slow down a firewall!

  • In reply to Allan Dyer:

    The Sophos UTM offers this with the DNSHost object type. It allows for the rules to function against services offered in scaling scenarios like Azure or AWS.

  • In reply to RichardP:

    So how does that affect the performance of the Sophos UTM?

    Does this offer any advantages over a proxy server?

  • In reply to Allan Dyer:

    I haven't investigated the performance difference of a rule using a static host object and a DNSHost object.

    The primary advantage is that the UTM (which should be on the perimeter of the network) can directly query the DNS record and make a choice on whether the rule applies - it allows for distinct web content filtering and firewall rule application.