[CentOS] yum update and iptables

Wed Nov 17 13:36:24 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 11/17/10 7:25 AM, Tom H wrote:
> On Wed, Nov 17, 2010 at 7:36 AM, David McGuffey
> <davidmcguffey at verizon.net>  wrote:
>>
>> I'm doing some testing in a lab which is isolated from the rest of my
>> network (DMZ). I'm doing both inbound and outbound filtering at the
>> firewall (CentOS +iptables).
>>
>> What protocols, ports and destination IP addresses does yum use to
>> identify updates, and then actually go get them for installation?
>>
>> Looking at yum.conf and wireshark data, yum appears to go to a central
>> site, look up the closest mirrors, then query the mirrors for the latest
>> updates.
>>
>> Using wireshark it appears that http and tcp are used, but the addresses
>> are all over the place (many mirrors).
>>
>> Is there a way to restrict the outbound traffic to a small number of
>> mirrors? In other words, can I force yum to only check certain sites?
>>
>> If that is not so easy, I should be able to restrict the outbound
>> traffic to a small set of addresses (yes/no?).
>
> You can comment out "mirrorlist" and uncomment "baseurl" and set it to
> your preferred mirror in the files in "/etc/yum.repos.d".

Also, if you have a squid or similar proxy that has unrestricted outbound access 
you can set it in /etc/conf or simply export http_proxy= and ftp_proxy= values 
before running yum.

-- 
   Les Mikesell
     lesmikesell at gmail.com
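The two pieces of advice in this thread (pin each repo to one baseurl instead of the mirrorlist, then restrict outbound traffic at the firewall to that small set of addresses) as a worked example. This is an added illustration, not code posted by anyone in the thread. The mirror hostname mirror.example.net, the 192.0.2.x addresses, the 10.10.0.0/24 lab subnet and the repo file contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Pins a CentOS .repo file to a
# single baseurl and emits iptables rules that let only the chosen mirror
# addresses out of the lab network. Hostnames, addresses and the sample repo
# file below are assumptions for the demo.
set -e

# pin_repo FILE BASEURL
# Comment out every "mirrorlist=" line and set exactly one "baseurl=" to
# BASEURL, whether the existing baseurl line was commented ("#baseurl=") or not.
# BASEURL is passed in single quotes so $releasever/$basearch stay literal for yum.
pin_repo() {
    _file=$1
    _url=$2
    sed -e 's|^[[:space:]]*mirrorlist=|#mirrorlist=|' \
        -e 's|^[[:space:]]*#*[[:space:]]*baseurl=.*|baseurl='"$_url"'|' \
        "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# egress_rules ADDR...
# Print iptables commands that allow new outbound HTTP/HTTPS connections from
# the lab subnet only to ADDR..., log and drop every other new connection.
# Assumes the firewall forwards for the lab on 10.10.0.0/24 (demo assumption).
egress_rules() {
    lab=10.10.0.0/24
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for addr in "$@"; do
        for port in 80 443; do
            echo "iptables -A FORWARD -s $lab -d $addr -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    echo "iptables -A FORWARD -s $lab -m state --state NEW -j LOG --log-prefix \"yum-egress-drop: \""
    echo "iptables -A FORWARD -s $lab -m state --state NEW -j DROP"
}

# Demo on a constructed repo file that mirrors the CentOS-Base.repo layout.
workdir=$(mktemp -d)
cat > "$workdir/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
EOF
pin_repo "$workdir/CentOS-Base.repo" 'http://mirror.example.net/centos/$releasever/os/$basearch/'
cat "$workdir/CentOS-Base.repo"
egress_rules 192.0.2.10 192.0.2.11
```

Two caveats worth checking before relying on this: yum still has to resolve the pinned hostname, so either allow DNS out from the lab or put the mirror's address in /etc/hosts, and a single pinned mirror is only trustworthy to the extent that gpgcheck=1 stays set, since the mirror serves packages but the signature check happens locally. If you go the proxy route instead, only the proxy's address needs to be in the ACCEPT rules.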