Johannes Graumann
2013-Oct-01 05:20 UTC
Advice sought on strategy to allow selective web access (distribution repositories)
Hello,

I'm running shorewall 4.5.5.3 on a debian wheezy server which serves as the host to a number of lxc containers sequestering services (nginx, plone, kolab3, ...).

HTTP access to the containers is all managed by nginx, but for updates of e.g. packages the containers also may need direct web access. For debian-based containers I have solved this issue by installing apt-cacher-ng on the host, rendering the host the repository for all of them and thus forgoing web access requirements.

However, the authoritative kolab3 installation requires RH/CentOS, and package updates for centos-based containers along with things such as virus definition pulls by clamav require web access by the container.

I would like to button this down and restrict those containers to access to defined URLs only (complicated by the search for the fastest mirror yum seems to always do).

I'd appreciate advice on how to adapt the current setup in /etc/shorewall/rules

HTTP/ACCEPT    dmz    net
HTTPS/ACCEPT   dmz    net

along those lines.

Thank you for your consideration.

Sincerely,
Joh

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
Johannes Graumann
2013-Oct-01 11:13 UTC
Re: Advice sought on strategy to allow selective web access (distribution repositories)
Johannes Graumann wrote:
> Hello,
>
> I'm running shorewall 4.5.5.3 on a debian wheezy server which serves as
> the host to a number of lxc containers sequestering services (nginx,
> plone, kolab3, ...).
>
> HTTP access to the containers is all managed by nginx, but for updates of
> e.g. packages the containers also may need direct web access. For debian-
> based containers I have solved this issue by installing apt-cacher-ng on
> the host, rendering the host the repository for all of them and thus
> forgoing web access requirements.
>
> However, the authoritative kolab3 installation requires RH/CentOS, and
> package updates for centos-based containers along with things such as
> virus definition pulls by clamav require web access by the container.
>
> I would like to button this down and restrict those containers to access to
> defined URLs only (complicated by the search for the fastest mirror yum
> seems to always do).
>
> I'd appreciate advice on how to adapt the current setup in
> /etc/shorewall/rules
> HTTP/ACCEPT    dmz    net
> HTTPS/ACCEPT   dmz    net
> along those lines.

Further investigation shows that apt-cacher-ng actually also caches *.rpms, implying that the repository question vanishes, while the need for clamav-definition updates etc. persists ...

Joh
Johannes Graumann
2013-Oct-01 12:34 UTC
Re: Advice sought on strategy to allow selective web access (distribution repositories)
Johannes Graumann wrote:
> Johannes Graumann wrote:
>
>> Hello,
>>
>> I'm running shorewall 4.5.5.3 on a debian wheezy server which serves as
>> the host to a number of lxc containers sequestering services (nginx,
>> plone, kolab3, ...).
>>
>> HTTP access to the containers is all managed by nginx, but for updates of
>> e.g. packages the containers also may need direct web access. For debian-
>> based containers I have solved this issue by installing apt-cacher-ng on
>> the host, rendering the host the repository for all of them and thus
>> forgoing web access requirements.
>>
>> However, the authoritative kolab3 installation requires RH/CentOS, and
>> package updates for centos-based containers along with things such as
>> virus definition pulls by clamav require web access by the container.
>>
>> I would like to button this down and restrict those containers to access
>> to defined URLs only (complicated by the search for the fastest mirror
>> yum seems to always do).
>>
>> I'd appreciate advice on how to adapt the current setup in
>> /etc/shorewall/rules
>> HTTP/ACCEPT    dmz    net
>> HTTPS/ACCEPT   dmz    net
>> along those lines.
>
> Further investigation shows that apt-cacher-ng actually also caches *.rpms,
> implying that the repository question vanishes, while the need for clamav-
> definition updates etc. persists ...

Could this be as easy as:

HTTP(ACCEPT)   dmz:10.10.10.12   net:db.local.clamav.net

Any arguments against this solution?

Sincerely,
Joh
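As an added illustration that is not part of the thread (and not Shorewall's or the poster's own configuration): one way the relevant part of /etc/shorewall/rules could look once the clamav container is pinned to a single destination, laid out in Shorewall's rules-file column format. The container address 10.10.10.12 and the mirror name db.local.clamav.net are taken from the post above; the DNS rule and the logged catch-all at the end are assumptions about the rest of the setup.

```conf
#ACTION          SOURCE              DEST                       PROTO   DPORT
# Constructed example. Assumes the clamav container is 10.10.10.12 in the
# dmz zone and that dmz->net is otherwise governed by a restrictive policy.

# freshclam checks signature versions with a DNS lookup before fetching, so
# the container needs name resolution as well as HTTP (assumed: it uses
# resolvers on the net side; point this at $FW if the host runs a resolver).
DNS(ACCEPT)      dmz:10.10.10.12     net

# The signature pull itself: only this container, only this destination.
# Shorewall turns the DNS name into addresses when the ruleset is compiled
# (shorewall start/restart), so the permitted addresses are frozen until the
# next compile; if the mirror's DNS answer changes, updates silently fail.
HTTP(ACCEPT)     dmz:10.10.10.12     net:db.local.clamav.net

# Anything else leaving the dmz for the net is logged and dropped, so an
# unexpected outbound attempt shows up in the log instead of vanishing.
DROP:info        dmz                 net
```

Two practical checks before relying on this: run `shorewall check` after editing, which compiles the configuration without installing it and will fail if the name does not resolve at that moment; and watch the log for the DROP:info line from 10.10.10.12 after the first freshclam run, which is the quickest way to notice that the resolved addresses have drifted. The more robust alternative follows the apt-cacher-ng approach already in use on the host: have freshclam fetch through a proxy or from a private mirror on the host (freshclam.conf supports HTTPProxyServer and PrivateMirror), so the container needs no direct net access at all and the firewall rule can go away.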