On Wed, 21 Dec 2016 21:54:21 +0000
Joe <j...@jretrading.com> wrote:

> On Wed, 21 Dec 2016 21:49:21 +0100
> "M.A. Perry" <mape...@zeelandnet.nl> wrote:
>
> > Dear People,
> > A simple question for which I have so far found no
> > answer in the Debian documentation. My computer
> > is a domestic, Debian 8.6 AMD-64 box that uses
> > apt-get and aptitude for upgrades and/or installations.
> >
> > We are currently writing a set of ip_tables rules for
> > a default baseline -A OUTPUT DROP. Thus the rules
> > will block outgoing traffic which is not specifically
> > permitted.
> >
> > The URL specifications in /etc/apt/sources.list of
> > my Debian box contain both HTTP and FTP in the URL,
> > for example: http://ftp.nl.debian.org/debian/ and this
> > confuses me.
> >
> > QUESTION:
> > Which data transfer protocol(s) are used for downloads
> > from the Debian Repository to my desktop? Must my
> > firewall ACCEPT
> > -- plain HTTP (port 80); or
> > -- is HTTPS (port 443) later involved; or
> > -- active FTP (port 20) used; or
> > -- passive FTP (port 1024:65535) applicable?
> > Can anyone enlighten me please?
>
> The URL you quote is an http one (the protocol before the ':'
> determines it, everything after the '//' is just a hostname).
>
> This makes life easiest, just allow 80 and 443. Some mirrors will, I
> believe, use https; there is a current thread on the subject.
>
> For FTP, you need the ip_conntrack and ip_conntrack_ftp modules loaded
> (as FTP uses more than one port in a session) and something like this:
> http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
>
I'd forgotten: I occasionally use FTP for uploading. My only firewall
forwarding rule is:

iptables -A fwd-out-OK -p tcp --dport 21 -j ACCEPT

fwd-out-OK is my list of permitted outputs from the LAN. The conntrack_ftp
module organises the data port permissions as required, with conntrack
handling all the stateful replies on the same port as an outgoing request.

-- 
Joe
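The rules the thread describes, written out as an added example (this is not code from the thread or from Debian): an OUTPUT-policy-DROP baseline for an apt client that still lets apt fetch over http:// and https:// mirrors and lets outgoing FTP work through the kernel's FTP conntrack helper, so the data connection matches RELATED rather than needing 1024:65535 opened. The interface name (eth0), the iptables binary name and the logging rule are assumptions; the module names nf_conntrack and nf_conntrack_ftp are the current names of the ip_conntrack / ip_conntrack_ftp modules Joe mentions. Two caveats a practitioner will hit: on kernels 4.7 and later conntrack no longer attaches helpers automatically, so the `-t raw ... -j CT --helper ftp` rule is required, not optional; and on Debian 8 https:// sources additionally need the apt-transport-https package installed, which is an apt concern, not a firewall one.

```shell
#!/bin/sh
# Added example, not code from the thread.  Egress-deny iptables baseline
# for a Debian apt client.  With no argument it only prints the rules so
# they can be reviewed; "apply" (as root) loads the modules and runs them.
# Rules are appended to the existing OUTPUT chain; the DROP policy is set
# last so an interactive session is not cut off half way through.

WAN_IF="${WAN_IF:-eth0}"     # assumption: single upstream interface
IPT="${IPT:-iptables}"       # IPv4 only; ip6tables would need the same set

# Kernel modules the FTP helper needs.  Old kernels called these
# ip_conntrack and ip_conntrack_ftp; since 2.6.20 they are nf_conntrack*.
required_modules() {
    printf '%s\n' nf_conntrack nf_conntrack_ftp
}

# The ruleset, emitted as iptables commands (comments are passed through
# and ignored by the shell that later executes them).
egress_rules() {
    cat <<EOF
$IPT -A OUTPUT -o lo -j ACCEPT
# Conntrack does the work: replies to permitted requests are ESTABLISHED,
# and the FTP data connection predicted by the helper is RELATED.
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# apt must resolve the mirror name before it can fetch anything.
$IPT -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# http:// mirrors (80) and https:// mirrors (443).
$IPT -A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
# FTP control channel only; the data channel is covered by RELATED above.
$IPT -A OUTPUT -o $WAN_IF -p tcp --dport 21 -j ACCEPT
# Kernels >= 4.7 do not attach helpers automatically (the
# net.netfilter.nf_conntrack_helper sysctl defaults to 0 and was later
# removed), so bind the ftp helper explicitly to outgoing port-21 flows.
$IPT -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
# Log what the baseline drops, so a port apt still needs shows up in the log.
$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
# Default deny, set last.
$IPT -P OUTPUT DROP
EOF
}

apply_rules() {
    required_modules | while read -r mod; do modprobe "$mod"; done
    egress_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     egress_rules ;;
esac
```

Run it once with no argument and read the output before running it with `apply`; once the policy is DROP, anything apt still fails on appears in the kernel log with the `egress-drop:` prefix, which is how to find a port the baseline forgot (a mirror redirecting to a non-standard port, for instance).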