Can not install packages after enabling Cloud firewall

I've enabled Cloud firewall on my linode using this guide but now I can't install packages like apt install net-tools. They fail with a timeout. ping google.com also does the same so basically my outbound connections are blocked.

I'm able to install packages once I disable the firewall so I know for sure it's the cause of this. So my question is which ports do I need to open to accomplish this task. My current rules are

Incoming
Accept 22
Accept 80
Accept 443
Default Drop

Outgoing
Accept 22
Accept 80
Accept 443
Default Drop

4 Replies

You don't say whether these ports are TCP or UDP. I'll assume they are all TCP. You should have port 53 for UDP and TCP (DNS) enabled for both directions.

-- sw

  1. I can run apt install net-tools now. However ping google.com still doesn't work. Not that I need that but just FYI.
  2. This is just for my curious mind, but why do I need to allow the DNS port in the incoming direction? Is there a back-and-forth communication on these ports?

I can run apt install net-tools now. However ping google.com still doesn't work. Not that I need that but just FYI.

Your cloud or system firewall (iptables) obviously blocks ICMP echo (aka ping).

Since the cloud firewall is (IMHO) pretty dumb about ICMP, you should leave it unrestricted in the cloud firewall and put some reasonable (according to your needs) restrictions on it in your system firewall. There is some important ICMP traffic to which your Linode needs to respond (esp if you use IPv6 -- e.g., ICMP6 router discovery and ICMP6 neighbor discovery).

This is just for my curious mind but why do I need to allow DNS port on incoming direction? Is there a back and forth communication on these ports?

The entries in the files in /etc/apt/sources.d (which is what apt-get uses to do its job) contain domain names…not IP addresses. When a domain is resolved, a request is sent by your Linode to a name server (outbound traffic). The name server responds with the IP address corresponding to the name (inbound traffic). Since UDP is connectionless, inbound traffic comes on UDP port 53.

Almost everything related to the internet in a networked system depends on DNS. You should always have port 53 open. DNS usually operates on UDP…however, there are scenarios when DNS will use TCP so both UDP and TCP port 53 need to be open. See:

https://networkinterview.com/when-does-dns-use-tcp-or-udp/

If you don't like this scenario, leave port 53 unrestricted in your cloud firewall and restrict which name servers can talk to your Linode using your system firewall. This is what I do.

-- sw
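To make the advice in this thread checkable, here is an added example (not from the thread or from Linode) that parses a rule listing in the same shape as the one in the question and reports which rules apt, DNS and ping still lack. It assumes a bare `Accept 22` means TCP, as the first reply does, and adds `Accept 53/udp` and `Accept icmp` as an assumed notation for UDP and ICMP entries.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out"
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # None for ICMP

def parse_rules(text: str) -> set:
    """Parse 'Incoming'/'Outgoing' sections of 'Accept <port>[/proto]' lines.
    Bare ports are assumed TCP; 'Accept icmp' and '/udp' are an assumed extension."""
    rules, direction = set(), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key = line.lower()
        if key in ("incoming", "outgoing"):
            direction = "in" if key == "incoming" else "out"
        elif key == "default drop":
            continue
        elif key.startswith("accept ") and direction:
            spec = key.split(None, 1)[1]
            if spec == "icmp":
                rules.add(Rule(direction, "icmp", None))
            else:
                port, _, proto = spec.partition("/")
                rules.add(Rule(direction, proto or "tcp", int(port)))
        else:
            raise ValueError(f"unrecognised rule line: {line!r}")
    return rules

# What each task needs, following the replies: DNS on UDP and TCP 53 in both
# directions, HTTP/HTTPS out to the package mirrors, ICMP both ways for ping.
REQUIRED = {
    "dns": [Rule(d, p, 53) for d in ("out", "in") for p in ("udp", "tcp")],
    "apt-mirror": [Rule("out", "tcp", 80), Rule("out", "tcp", 443)],
    "ping": [Rule("out", "icmp", None), Rule("in", "icmp", None)],
}

def missing_rules(rules: set) -> dict:
    """Per task, the required rules the set lacks (an empty list means OK)."""
    return {t: [r for r in need if r not in rules] for t, need in REQUIRED.items()}

# Constructed input: the rule set exactly as listed in the question.
ORIGINAL = """Incoming\nAccept 22\nAccept 80\nAccept 443\nDefault Drop
Outgoing\nAccept 22\nAccept 80\nAccept 443\nDefault Drop"""

if __name__ == "__main__":
    for task, gaps in missing_rules(parse_rules(ORIGINAL)).items():
        print(task, "OK" if not gaps else f"missing {gaps}")
```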

Thanks for the detailed answer.

Based on Linode support's suggestion, I added ICMP to the firewall to allow and now ping works as well :)
