On Fri, Jan 18, 2013 at 3:23 AM, Tilman Schmidt <t.schmidt at phoenixsoftware.de> wrote:
> On 15.01.2013 21:58, Markus Falb wrote:
>> I would like to install the packages from
>> the continuous release repo and the yum config for this repo says
>>
>> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
>>
>> well, I definitely do not want to allow worldwide outgoing http so I
>> try to find the IPs
>>
>> # host mirror.centos.org
>> mirror.centos.org has address 93.113.36.66
>>
>> but! wait...
>>
>> # host mirror.centos.org
>> mirror.centos.org has address 88.198.211.197
>>
>> dns round robin is not very helpful for me doing firewall rules.
>> How would you solve this yum and firewall thing?
>
> You'll need an application level gateway (ALG) firewall.
> Simple packet filtering, even stateful, is not sufficient
> for this purpose.

If you have (or can have) a squid running somewhere that has the
required outbound access, you can either configure yum to use it or
just set http_proxy= and ftp_proxy= on the command line to export
them. If you can't access the squid directly, but you are able to ssh
from the squid host to the host that needs the update, you can
port-forward through ssh like:

    ssh -R3128:localhost:3128 root@host_needing_update

and from there:

    http_proxy=http://localhost:3128 ftp_proxy=http://localhost:3128 yum update

No permanent config changes should be needed, and if you repeat it on
multiple targets you might even re-use the copies that squid will
cache after you've pulled one from each mirror.

--
   Les Mikesell
     lesmikesell at gmail.com
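
A squid.conf fragment that restricts the proxy from the reply above to the mirror hostname, so the outbound rule is by name rather than by IP. This is an added example, not part of the original thread: the ACL names are made up, and it assumes yum uses the baseurl quoted above and reaches squid only through the ssh -R forward, so squid sees the client as 127.0.0.1.

```conf
# Added example; ACL names (updaters, centos_mirror, ...) are illustrative.

# Listen on loopback only: the ssh -R forward terminates on this host,
# so nothing else on the network needs to reach the proxy port.
http_port 127.0.0.1:3128

# Clients: only connections arriving through the ssh forward.
acl updaters src 127.0.0.1/32

# Destination: the hostname from the baseurl, matched by the name in the
# request, so DNS round robin on the mirror no longer matters.
acl centos_mirror dstdomain mirror.centos.org

# Plain HTTP downloads only; CONNECT and uploads are not matched.
acl plain_http port 80
acl fetch_only method GET HEAD

http_access allow updaters centos_mirror plain_http fetch_only
http_access deny all
```

With a mirrorlist instead of the fixed baseurl, the repositories resolve to other hostnames, which this allow-list would refuse.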