topic Re: Implementing a rule for access to ever changing Mirror/Repository FQDNs, is it possible? in Firewall and Security Management

Implementing a rule for access to ever changing Mirror/Repository FQDNs, is it possible?

Parabol — Thu, 09 Nov 2023 11:33:18 GMT

Hi all,

We had a request to permit a system access to centos and dell mirror/repositories. The FQDN objects .centos.org and .dell.com were added to the destination of the rule.

The rule matched a lot of traffic, but it was evident that when the system pulled its updates, it was contacting a whole bunch of different mirror FQDN's that do not even contain relevant words.

And so this made me think an FQDN-object based rule is not possible for this scenario. And likely the IP's and FQDNs will continually change for such mirrors over time.

And so, other than changing the destination to permit all internet access, I cannot think of a more restrictive way to manage this access. Does such a way exist?

Thanks!

Re: Implementing a rule for access to ever changing Mirror/Repository FQDNs, is it possible?

Erling_Strand — Thu, 09 Nov 2023 12:01:35 GMT

Hi,

CentOS uses YUM, there is an object for that. Have you tried allowing based on application object in AppCtrl instead?

Erling

Re: Implementing a rule for access to ever changing Mirror/Repository FQDNs, is it possible?

Parabol — Thu, 09 Nov 2023 12:50:05 GMT

Hi Erling! Would the Yum AppCtrl object essentially permit any repository/mirror downloads, regardless of FQDN/IP, as long as it's initiated in the Yum utility? This could be viable if so..