Hi,

I find myself in a complicated situation and would like to ask the
oracle (choke!) for help. I would like to install the packages from
the continuous release repo and the yum config for this repo says

baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/

well, I definitely do not want to allow worldwide outgoing http so I
try to find the IPs

# host mirror.centos.org
mirror.centos.org has address 93.113.36.66

but! wait...

# host mirror.centos.org
mirror.centos.org has address 88.198.211.197

dns round robin is not very helpful for me doing firewall rules.
How would you solve this yum and firewall thing?
--
Kind Regards, Markus Falb
> I would like to install the packages from
> the continuous release repo and the yum config for this repo says
>
> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
>
> well, I definitely do not want to allow worldwide outgoing http so I
> try to find the IPs
> [...]
> dns round robin is not very helpful for me doing firewall rules.
> How would you solve this yum and firewall thing?
> --
> Kind Regards, Markus Falb

I think your best bet would be either

1) take a host you're more comfortable with having http access to the
world, change it to run squid, perhaps putting limit rules in squid to
only allow http requests to download.centos.org (or whatever), then
point your more secured host to this machine as your proxy server.

2) find a likewise host that you can allow pretty much any outbound
http traffic on that also has a pretty good amount of disk space free
and usable, then use it to pull in a local mirror of the cent archives,
and override DNS results with local /etc/hosts rules.

or just live dangerously and pick one host that you're pretty sure will
be up and override the DNS rotor with your own local dns
configs/etc/hosts entries... but that's kinda riding dirty. I probably
shouldn't even suggest it.

but I'm far from being an oracle. not even a sybase.

--
Even the Magic 8 ball has an opinion on email clients: Outlook not so good.
Markus Falb wrote:
> I would like to install the packages from
> the continuous release repo and the yum config for this repo says
>
> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
> [...]
> dns round robin is not very helpful for me doing firewall rules.
> How would you solve this yum and firewall thing?

Pick a mirror that's close to you and trustworthy (ie stays up to
date), and use that as your baseurl.
On 01/15/2013 02:58 PM, Markus Falb wrote:
> I would like to install the packages from
> the continuous release repo and the yum config for this repo says
>
> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
> [...]
> dns round robin is not very helpful for me doing firewall rules.
> How would you solve this yum and firewall thing?

mirror.centos.org is very dynamic ... not just round robin. We add and
remove machines from that name all the time and it picks a location
based on GeoIP of the requester. As you can imagine, with millions of
machines using that name to get updates it needs to be more than one
server ... and normally we have somewhere between 25 and 40 servers
that can answer as mirror.centos.org worldwide.
On 15.01.2013 21:58, Markus Falb wrote:
> I would like to install the packages from
> the continuous release repo and the yum config for this repo says
>
> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
>
> well, I definitely do not want to allow worldwide outgoing http so I
> try to find the IPs
> [...]
> dns round robin is not very helpful for me doing firewall rules.
> How would you solve this yum and firewall thing?

You'll need an application level gateway (ALG) firewall.
Simple packet filtering, even stateful, is not sufficient
for this purpose.

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
On Fri, Jan 18, 2013 at 3:23 AM, Tilman Schmidt <t.schmidt at phoenixsoftware.de> wrote:
> On 15.01.2013 21:58, Markus Falb wrote:
>> I would like to install the packages from
>> the continuous release repo and the yum config for this repo says
>>
>> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
>> [...]
>> dns round robin is not very helpful for me doing firewall rules.
>> How would you solve this yum and firewall thing?
>
> You'll need an application level gateway (ALG) firewall.
> Simple packet filtering, even stateful, is not sufficient
> for this purpose.

If you have (or can have) a squid running somewhere that has the
required outbound access, you can either configure yum to use it or
just set http_proxy= and ftp_proxy= on the command line to export them.
If you can't access the squid directly, but you are able to ssh from
the squid host to the host that needs the update you can port-forward
through ssh like:

ssh -R3128:localhost:3128 root@host_needing_update

and from there:

http_proxy=http://localhost:3128 ftp_proxy=http://localhost:3128 yum update

no permanent config changes should be needed and if you repeat it on
multiple targets you might even re-use the copies that squid will cache
after you've pulled one from each mirror.

--
Les Mikesell
lesmikesell at gmail.com
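As an added example, not posted by anyone in this thread: a minimal squid ACL set that implements the restricted proxy suggested in the two replies above (the proxy will only fetch from the CentOS mirror name, over plain HTTP, for the internal hosts that need updates), followed by the yum.conf line that points the locked-down host at it. The proxy hostname squid.example.internal, the 10.0.0.0/8 client range, the cache directory and the cache sizes are assumptions; the squid directives and the yum.conf proxy= option are standard.

```conf
# /etc/squid/squid.conf (default path; squid 3.x syntax)

http_port 3128

# Only the internal hosts that need updates may use the proxy.
# 10.0.0.0/8 is an assumed client range; narrow it to the real hosts.
acl yum_clients src 10.0.0.0/8

# The only destination yum needs for the baseurl= in the question.
# Repos that use mirrorlist= instead will be sent to third-party
# mirrors that are not in this list and will therefore be denied.
acl centos_repos dstdomain mirror.centos.org

# Plain HTTP on port 80 only; no CONNECT tunnels through this proxy.
acl http_port_80 port 80
acl CONNECT method CONNECT

http_access deny CONNECT
http_access deny !http_port_80
http_access allow yum_clients centos_repos
http_access deny all

# Cache the RPMs so a second host behind the same proxy is served
# locally instead of hitting the mirror again (sizes are assumptions).
cache_dir ufs /var/spool/squid 10000 16 256
maximum_object_size 512 MB

# /etc/yum.conf on the locked-down host (proxy hostname is assumed).
# Goes in the [main] section; a per-repo proxy= in the .repo file works too.
[main]
proxy=http://squid.example.internal:3128
```

With this in place the locked-down host needs a single outbound firewall rule, TCP 3128 to the proxy, and the changing set of mirror.centos.org addresses becomes the proxy's problem rather than the packet filter's. To check it, run `yum clean all` and `yum makecache` on the client and confirm in /var/log/squid/access.log (squid's default log location) that every request went to mirror.centos.org and that nothing else was allowed. Keep gpgcheck=1 in the repo file: yum still verifies each RPM's signature, so the proxy is trusted for reachability and caching only, not for package integrity.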