Re: cr repo and firewalling




On Fri, Jan 18, 2013 at 3:23 AM, Tilman Schmidt
<t.schmidt@xxxxxxxxxxxxxxxxxx> wrote:
> On 15.01.2013 21:58, Markus Falb wrote:
>> I would like to install the packages from
>> the continuous release repo and the yum config for this repo says
>>
>> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
>>
>> well, I definitely do not want to allow worldwide outgoing http so I
>> try to find the IPs
>>
>> # host mirror.centos.org
>> mirror.centos.org has address 93.113.36.66
>>
>> but! wait...
>>
>> # host mirror.centos.org
>> mirror.centos.org has address 88.198.211.197
>>
>> dns round robin is not very helpful for me doing firewall rules.
>> How would you solve this yum and firewall thing?
>
> You'll need an application level gateway (ALG) firewall.
> Simple packet filtering, even stateful, is not sufficient
> for this purpose.

If you have (or can have) a squid running somewhere that has the
required outbound access, you can either configure yum to use it or
just set http_proxy= and ftp_proxy= on the command line to export
them. If you can't access the squid directly, but you are able to
ssh from the squid host to the host that needs the update, you can
port-forward through ssh like:

  ssh -R3128:localhost:3128 root@host_needing_update

and from there:

  http_proxy=http://localhost:3128 ftp_proxy=http://localhost:3128 yum update

No permanent config changes should be needed, and if you repeat it on
multiple targets you might even re-use the copies that squid will
cache after you've pulled one from each mirror.

-- 
   Les Mikesell
      lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
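
The proxy approach from this thread, as an added example that is not part of the original messages: a squid.conf fragment for the host that has outbound access, filtering on the requested hostname so the round-robin addresses no longer matter. The ACL names are made up for the example, and it assumes clients arrive through the ssh -R forward shown above.

```conf
# squid.conf fragment (added example; ACL names are hypothetical)

# Listen on loopback only. The "ssh -R3128:localhost:3128" forward from the
# thread delivers the target's requests to this socket, so squid sees them
# as coming from 127.0.0.1 and nothing else on the network can use the proxy.
http_port 127.0.0.1:3128

# Who may use the proxy: only the forwarded connections.
acl yum_clients src 127.0.0.1/32

# What may be fetched: the hostname from the CR repo baseurl. squid compares
# the hostname in the request URL, so it does not matter which address
# mirror.centos.org resolves to at the moment.
acl cr_mirror dstdomain mirror.centos.org

# Plain HTTP downloads only: port 80, GET/HEAD, which also rules out CONNECT
# tunnels through the proxy.
acl plain_http port 80
acl fetch_only method GET HEAD

# All four conditions must match; everything else is refused.
http_access allow yum_clients cr_mirror plain_http fetch_only
http_access deny all

# On the target, /etc/yum.conf can carry
#   proxy=http://localhost:3128
# instead of setting http_proxy in the environment for each run.
```

With this in place the packet filter only has to permit outbound HTTP and DNS from the squid host. Repos that use a mirrorlist= line instead of a baseurl fetch from other hostnames, which would have to be added to the dstdomain ACL.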

