Outgoing firewall and CNAMES

To: debian-user@lists.debian.org
Subject: Outgoing firewall and CNAMES
From: Lists <lists@coffeehabit.net>
Date: Wed, 12 Sep 2012 17:59:18 +0100
Message-id: <[🔎] 5050BF66.2050103@coffeehabit.net>

Hi guys,

I use an outgoing policy of deny on webservers, and allow explicitelywhat I need them to connect to. This has never posed a problem, untiltoday. I need to allow a website to pull in a feed from another site,hosted on amazon's elastic cloud thingy. The problem is, the DNS nameis a CNAME to a CNAME to a CNAME, like:


;; ANSWER SECTION:

api.example.com.s3.amazonaws.com. 7519 IN CNAMEs3-directional-w.amazonaws.com.s3-directional-w.amazonaws.com. 3129 IN CNAMEs3-directional-w.geo.amazonaws.com.s3-directional-w.geo.amazonaws.com. 3722 IN CNAMEs3-1-w.amazonaws.com.s3-1-w.amazonaws.com. 16 IN A207.171.163.34

The final IP varies wildly. Now, I have compiled what I think is theentire range, and I have found some lists online that more or lessmatch. But here's the problem. If I allow apache to make outboundconnections to anything hosted on Amazon, then nothing stops an attackerfrom putting his remote includes on amazon too.


The only thing I can think of is something along the lines of:

1. Add one amazon IP to /etc/hosts for api.example.com
2. Allow that IP on the OUTGOING chain

3. Script something to run the feed request against the IP and verifythat the response is what we expect. If it isn't, I can do some futherchecks to see if the feed down or if the IP has changed, or it can justalert me.


How do you guys deal with this kind of problem?

Thanks

Reply to:

Follow-Ups:
- Re: Outgoing firewall and CNAMES
  - From: Tom Grace <lists-in@deathbycomputers.co.uk>

Prev by Date: Re: Storage server
Next by Date: Re: Install Debian on a UEFI-motherboard ?
Previous by thread: Re: Missing Files Prevent Installation/Execution of Applications
Next by thread: Re: Outgoing firewall and CNAMES
Index(es):
- Date
- Thread