I was considering deploying my web application on a Debian virtual machine. However, I want to lock it down as tight as possible (i.e. traffic in/out). I was wondering which, if any, port I needed to leave open to allow for updates.
11
Also important: A firewall keeps track of TCP connections. So it recognizes reply packets from a request sent with TCP packets. https://superuser.com/questions/923937/how-does-my-computers-firewall-work-like-inbound-rule-outbound-rule-reply – Charles Holbrow Sep 12 '17 at 15:28
2 Answers
14
All a default Debian install needs for updates is DNS traffic for name->address lookups (though you can remove this requirement by having the relevant names in your /etc/hosts file) and HTTP traffic to the servers listed in your sources.list file.
David Spillett
Thanks! I'll rephrase that for anyone (like me) that might not have caught all of that on the first read... Two ports are necessary for a default Debian install to get updates: the DNS lookup port (typically 53) and the HTTP port (typically 80). However, you can also disable the DNS lookup port if you put any needed domain names with their IP addresses in your /etc/hosts file. – Christopher Bottoms Mar 16 '10 at 22:09
4
Just about all apt-get sources use HTTP; check your /etc/apt/sources.list.
You can also check the ruleset of iptables or ipchains to see if there is a rule that affects apt-get's usage.
DataPimp
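Both answers point at sources.list as the list of servers APT must be able to reach. The script below is an added example, not code from either answer: it reads a one-line-style sources.list, extracts each repository's host and port (HTTPS and explicit ports included), and prints the matching egress rules without applying them. The function names and sample entries are constructed for illustration; deb822 `.sources` files and IPv6-literal hosts are not handled.

```shell
#!/bin/sh
# Print "host port" for every http/https repository in a sources.list file.
apt_egress_endpoints() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comments, blank lines
        $1 != "deb" && $1 != "deb-src" { next }   # one-line-style entries only
        {
            i = 2                                 # skip optional [ opt=val ... ]
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            if (uri ~ /^https:\/\//)     port = 443
            else if (uri ~ /^http:\/\//) port = 80
            else next                             # cdrom:, file: need no rule
            sub(/^[a-z]+:\/\//, "", uri)          # drop scheme
            sub(/\/.*$/, "", uri)                 # drop path
            sub(/^[^@]*@/, "", uri)               # drop user:pass@ if present
            if (split(uri, hp, ":") == 2) port = hp[2]   # explicit port wins
            print hp[1], port
        }
    ' "$1" | sort -u
}

# Print (do not apply) iptables rules covering DNS plus each repository port.
apt_egress_rules() {
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT"
    apt_egress_endpoints "$1" | awk '{ print $2 }' | sort -un |
    while read -r port; do
        echo "iptables -A OUTPUT -p tcp --dport $port -j ACCEPT"
    done
    # Replies come back on connections the firewall is already tracking.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample input; on a real host pass /etc/apt/sources.list instead.
sample=$(mktemp)
printf '%s\n' \
    'deb http://deb.debian.org/debian stable main' \
    'deb [arch=amd64] https://repo.example.com:8443/apt stable main' > "$sample"
apt_egress_rules "$sample"
rm -f "$sample"
```

Review the printed rules against your existing ruleset and default policy before loading any of them.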