No proxy for apt-get

gabsik · 01-30-2007, 12:28 PM

I have an iptables redirecting all http traffic to squid port . I want to exclude from this , apt-get.I usually do this by owner match but apt-get is owned by root like many others progs.anyone a better idea ? Thanks !!!

runnerfrog · 01-31-2007, 07:59 AM

I don't know how to do that exact thing you want, in my case I just solve the thing the easiest way possible, I make apt go through the proxy modifying /etc/apt/apt.conf and defining an http_proxy environment variable in the system profile.

e.g.,
in apt.conf:

Quote:

Acquire::http::Proxy "http://user

assword@domain_or_host

ort/";

in profile:

Quote:

HTTP_PROXY=http://host

ort
HTTPS_PROXY=http://host

ort
FTP_PROXY=God knows what you want there

Cheers.

gabsik · 01-31-2007, 08:51 AM

No i don't want apt-get to use the proxy at all or to be redirected to squid's port by iptables .

nx5000 · 01-31-2007, 09:04 AM

Probably that with ipqueue from James Morris you could do this:
http://www.cs.princeton.edu/~nakao/libipq.htm

You will need to program it that's the thing

Here is one example of what can be done:
http://www.nufw.org/-English-.html

With nufw, you can restrict one application or one user to traverse the firewall. Maybe by looking at the documentation you can turn nufw into what you want to do.

It's a rough rough idea, just wanted to point out my first impression.

nx5000 · 02-01-2007, 01:14 AM

actually, it's dangerous what you are trying to do.
How would you identify the application?
By inode? By some sort of public private key mechanism?

gabsik · 02-01-2007, 02:20 AM

Well by iptables'owner match for example ... i should make apt-get being owned by an unique owner . --uid-owner , --gid-owner , --pid-owner , --sid-owner . I would point your attention on these last two , could they be a solution ? Pid changes anytime the prog restarts isn't it ? So it's useless . What about the sid ? What is sid ?

nx5000 · 02-01-2007, 02:33 AM

ah!!! I thought your iptables was not on the machine which is a bit more secure and where nufw shows its advantage. The client talks to a remote authentication module that drives a remote firewall (the client + 2 machines are needed then). But even with nufw, when the machine is compromised then an application can act like an authorized application. Its the current limitation of nufw.

You can always modify apt-get so that you first get its pid and add a rule at the same time. or rename apt-get to apt-get-orig and put the script in apt-get which modifies iptables and then calls apt-get-orig. Seems possible?
Changing uid of apt-get is not easy because apt-get needs to have full access to the machine..

gabsik · 02-01-2007, 09:08 PM

How many applications accessing the gateway are owned by root?Not so many isn't it?I'm trying to figure out ... the browser is mine and so all other clients like, gaim ,xchat,gftp,skype . I can't think of any other application apart from apt-get owned by root ... nmap , i use it on the gateway machine ... any other i can't think of ?