[CentOS] cr repo and firewalling

Les Mikesell lesmikesell at gmail.com
Fri Jan 18 17:48:38 UTC 2013


On Fri, Jan 18, 2013 at 3:23 AM, Tilman Schmidt
<t.schmidt at phoenixsoftware.de> wrote:
> On 15.01.2013 21:58, Markus Falb wrote:
>> I would like to install the packages from
>> the continuous release repo and the yum config for this repo says
>>
>> baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
>>
>> well, I definitely do not want to allow worldwide outgoing http so I
>> try to find the IPs
>>
>> # host mirror.centos.org
>> mirror.centos.org has address 93.113.36.66
>>
>> but! wait...
>>
>> # host mirror.centos.org
>> mirror.centos.org has address 88.198.211.197
>>
>> dns round robin is not very helpful for me doing firewall rules.
>> How would you solve this yum and firewall thing?
>
> You'll need an application level gateway (ALG) firewall.
> Simple packet filtering, even stateful, is not sufficient
> for this purpose.

If you have (or can have) a squid running somewhere that has the
required outbound access, you can either configure yum to use it or
just set http_proxy= and ftp_proxy= on the command line to export
them. If you can't access the squid directly, but you are able to
ssh from the squid host to the host that needs the update, you can
port-forward through ssh like:

    ssh -R3128:localhost:3128 root@host_needing_update

and from there:

    http_proxy=http://localhost:3128 ftp_proxy=http://localhost:3128 yum update

No permanent config changes should be needed, and if you repeat it on
multiple targets you might even re-use the copies that squid will
cache after you've pulled one from each mirror.

-- 
   Les Mikesell
      lesmikesell at gmail.com
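
The proxy route above only replaces "worldwide outgoing http" with a name-based allow list if squid itself is restricted. A possible squid.conf fragment for that (an added example, not part of the original message; the ACL names and the loopback-only listener are assumptions, and it assumes only the baseurl host from the question is needed):

```conf
# squid.conf fragment -- added example; ACL names below are hypothetical.

# Listen on loopback only. The "ssh -R3128:localhost:3128" forward is
# opened from the squid host to localhost:3128, so no LAN-facing
# listener is required for the tunnelled setup.
http_port 127.0.0.1:3128

# Requests arriving through the ssh reverse forward reach squid from
# the local ssh client, so their source address is 127.0.0.1.
acl tunnel_clients src 127.0.0.1/32

# Match the destination by host name, not by IP address, so the DNS
# round robin behind mirror.centos.org does not affect the rule.
acl centos_mirror dstdomain mirror.centos.org

# The cr baseurl is plain http, so only port 80 is needed.
acl plain_http port 80

# yum fetches repository files with ordinary GET requests; refuse
# CONNECT so the proxy cannot be used as a generic TCP tunnel.
acl connect_method method CONNECT

http_access deny connect_method
http_access allow tunnel_clients centos_mirror plain_http
http_access deny all
```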


