“advanced firewall” rules for RHEL licensing and updates

had a Fun experience in a customer environment with strict network limitations (+ servers in rather spicy locations), so i'll just cut to the chase:

licensing

for RHEL licensing, there are two places you have to allow:

you probably noticed that i haven't given any IPs yet; there's a reason for that, which i'll explain at the end.

package updates etc.

why the separate wildcard? well,

what happens when your host is in Russia, Belarus or China?

for Russia and Belarus: first off, your Red Hat account must not be on “Export Hold”; if it is, you're out of luck from the beginning.

if your Red Hat account is not in the “Export Hold” state, requests to cdn.redhat.com from RU or BY are magically redirected to ru-by-exceptions.cdn.redhat.com; no configuration change is needed.

for China, however, the entire RHEL stack goes through one place: china.cdn.redhat.com; this includes licensing as well (so double-check your DNF/YUM and subscription-manager configuration, see https://access.redhat.com/solutions/5090421 (login required)).

hence the wildcard.

why no ip?

other than licensing, everything Red Hat hosts uses Akamai's CDN infrastructure. given that Akamai themselves don't publish IP lists of their CDN nodes, it's somewhat hard to filter purely per-IP.

for the global cdn.redhat.com endpoint, Red Hat does provide an IP list at https://access.redhat.com/articles/1525183 (no login required). a JSON-formatted version is also available at https://access.redhat.com/sites/default/files/cdn_redhat_com_cac.json.

IPs of the subdomains designated for Russia, Belarus and China are not provided, so you always have to resort to SNI-based filtering for these.
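as an added illustration of what "SNI-based filtering" and the wildcard actually mean at the packet level (this is example code written for this page, not anything from Red Hat or a firewall vendor): the block below pulls the server_name out of a TLS ClientHello and matches it against an allowlist containing cdn.redhat.com plus a one-label wildcard *.cdn.redhat.com, which is what lets china.cdn.redhat.com and ru-by-exceptions.cdn.redhat.com through without listing them. the ClientHello bytes are constructed in the script, not captured; the one-label wildcard semantics and the "drop when no SNI" decision are assumptions of this example, and real firewall products differ on both points.

```python
import struct

# allowlist from the post: the global CDN host plus the wildcard covering the
# regional subdomains. matching semantics below are this example's own.
ALLOWED_SNI = ("cdn.redhat.com", "*.cdn.redhat.com")


def sni_allowed(server_name, allowlist=ALLOWED_SNI):
    """Exact match, or '*.suffix' matching exactly one extra label.

    '*.cdn.redhat.com' matches 'china.cdn.redhat.com' but not the bare
    'cdn.redhat.com' and not 'cdn.redhat.com.evil.example'.
    """
    name = server_name.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]  # ".cdn.redhat.com"
            head = name[: -len(suffix)] if name.endswith(suffix) else None
            if head and "." not in head:
                return True
        elif name == entry:
            return True
    return False


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello record with an SNI extension.

    Only the fields the parser walks are realistic; random is zeroed.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # an unrelated extension placed first so the parser has to skip it
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + b"\x00" * 32                         # random (constructed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # version + random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        if pos >= len(body):
            return None                            # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                    # server_name extension
                list_end = 2 + struct.unpack("!H", data[0:2])[0]
                p = 2
                while p + 3 <= list_end:
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return data[p:p + nlen].decode("ascii")
                    p += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decide(record):
    """Policy for one ClientHello: allow, deny, or drop when there is no SNI to judge."""
    name = extract_sni(record)
    if name is None:
        return "drop"
    return "allow" if sni_allowed(name) else "deny"


if __name__ == "__main__":
    for host in ("cdn.redhat.com", "china.cdn.redhat.com", "cdn.redhat.com.evil.example"):
        print(host, "->", decide(build_client_hello(host)))
```

keep in mind that the SNI is asserted by the client, not verified by the firewall, and a TLS 1.3 client using Encrypted ClientHello hides it entirely; for the global endpoint you can still pair the SNI rule with Red Hat's published IP list, for the regional subdomains the SNI rule is all you have.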

i mean if you're using a palo alto firewall and you're doing IP based filtering, what's wrong with you



Copyright 2018-2024, linuxgemini (İlteriş Yağıztegin Eroğlu). Any and all opinions listed here are my own and not representative of my employers; future, past and present.