Score:0

How to allow outbound connections only for updates


I have a network with a number of VMs hosting applications mainly for internal use, but they are also exposed to the internet via Traefik. Because there is a chance one of them will be hacked eventually, it looks like a good idea to block direct outbound connections for VMs. But, I want to be able to run updates, so I need a way to allow outbound connections for updates. My current idea is to install a proxy server (Squid probably), configure VMs to use this proxy for updates, and forbid all direct outbound connections for VMs in the firewall. Because I am not an IT professional I would like to get some feedback on this idea. Thank you.

Bob
That is indeed a common infrastructure security pattern and completely viable.
djdomi
Just remove the default gateway. Moreover, if it is a Debian-based distribution, you can use apt-cacher-ng and set it as proxy. This is how I do it.
Score:1

What you need to do is:

  1. Gather a list of websites or domains that the servers need to communicate with.
  2. Install Squid, configure its ACL to only accept connections from your servers AND to the list of websites you already gathered.
  3. Configure your servers to communicate with Squid and deny direct internet access for them.
  4. Monitor Squid logs for other websites that the servers might be trying to communicate with but that you forgot to add to the list.
mangohost
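An added example of what steps 2 and 4 look like in `squid.conf` (this is illustrative configuration written for this answer, not something from the question or from the Squid project); it assumes the VMs live in 10.0.0.0/24, the proxy listens on 3128, and the allow-list of update hosts is kept in `/etc/squid/update_sites.txt` (one domain per line, a leading dot matching subdomains, e.g. `.debian.org`):

```conf
# Listen only on the internal interface so the proxy is not itself reachable
# from the internet (the address is an assumption for this example).
http_port 10.0.0.1:3128

# Step 2a: which clients may use the proxy at all (the VM subnet, assumed).
acl vm_net src 10.0.0.0/24

# Step 2b: which destinations are permitted. The file holds the domains
# gathered in step 1; editing it and running "squid -k reconfigure" applies it.
acl update_sites dstdomain "/etc/squid/update_sites.txt"

# Limit the proxy to plain HTTP and HTTPS (CONNECT) so it cannot be used
# as a generic tunnel to arbitrary ports.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow only "known VM" AND "known update host"; everything else is denied.
http_access allow vm_net update_sites
http_access deny all

# Keep caching off so a compromised VM cannot poison what others download;
# the default log line already records client IP, result code and destination.
cache deny all
access_log /var/log/squid/access.log squid
```

For step 4, lines in `/var/log/squid/access.log` containing `TCP_DENIED` show destinations a VM tried to reach that are not on the list; each one is either a host to add to `update_sites.txt` or a sign that the VM is trying to talk somewhere it should not.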
