I'm doing some testing in a lab which is isolated from the rest of my network (DMZ). I'm doing both inbound and outbound filtering at the firewall (CentOS + iptables).
What protocols, ports and destination IP addresses does yum use to identify updates, and then actually go get them for installation?
Looking at yum.conf and Wireshark data, yum appears to go to a central site, look up the closest mirrors, then query the mirrors for the latest updates.
Using Wireshark it appears that HTTP and TCP are used, but the addresses are all over the place (many mirrors).
Is there a way to restrict the outbound traffic to a small number of mirrors? In other words, can I force yum to only check certain sites?
If that is not so easy, I should be able to restrict the outbound traffic to a small set of addresses (yes/no?).
DaveM
On Wed, Nov 17, 2010 at 7:36 AM, David McGuffey davidmcguffey@verizon.net wrote:
You can comment out "mirrorlist" and uncomment "baseurl" and set it to your preferred mirror in the files in "/etc/yum.repos.d".
On 11/17/10 7:25 AM, Tom H wrote:
Also, if you have a squid or similar proxy that has unrestricted outbound access you can set it in /etc/conf or simply export http_proxy= and ftp_proxy= values before running yum.
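As an added example (not code from the thread or from CentOS), the following script does what Tom H describes to a .repo file and then derives the outbound allow-list the firewall needs from the result; the repo excerpt is constructed and mirror.example.lab is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: pin a yum .repo file to one mirror and
# derive the outbound iptables allow-list from it. mirror.example.lab is a placeholder.

# make_sample_repo FILE: constructed CentOS-Base.repo excerpt used for the demo.
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
EOF
}

# pin_repo FILE MIRROR: comment out every mirrorlist= line, uncomment baseurl= and
# swap its scheme://host for MIRROR, keeping the path so $releasever/$basearch still expand.
pin_repo() {
    awk -v mirror="$2" '
        /^mirrorlist=/ { print "#" $0; next }
        /^#?baseurl=/  { sub(/^#/, ""); sub("^baseurl=[a-z]+://[^/]+", "baseurl=" mirror); print; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# allowed_hosts FILE: unique hosts named by active baseurl= lines; these (plus DNS
# to resolve them) are the only destinations yum should need once pinned.
allowed_hosts() {
    grep '^baseurl=' "$1" | sed -e 's#^baseurl=[a-z]*://##' -e 's#[/:].*##' | sort -u
}

# firewall_rules FILE: print (not run) iptables OUTPUT rules allowing HTTP/HTTPS only
# to the pinned hosts; the lab's default DROP policy covers everything else.
firewall_rules() {
    allowed_hosts "$1" | while read -r h; do
        echo "iptables -A OUTPUT -p tcp -d $h -m multiport --dports 80,443 -j ACCEPT"
    done
}

repo=$(mktemp); make_sample_repo "$repo"; pin_repo "$repo" http://mirror.example.lab
firewall_rules "$repo"; rm -f "$repo"
```

Run it against a copy of /etc/yum.repos.d/CentOS-Base.repo first and check the rewritten baseurl= lines before touching the live file.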