yum+squid+whitelist

takayama · 04-19-2011, 07:35 AM

Hello
Im trying to whitelist the url:s on the internet that my server subnet can reach. Its basicly just supposed to be possible to do a yum update.

My whitelist looks like this http://pastebin.com/e1HLx1Ga

The changes i made to squid.conf (from the defaults) is this

acl our_networks src 172.28.3.0/24
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow all whitelist

Still i get this when trying to do yum updatehttp://pastebin.com/xBDGQUU0

Any ideas?

T3RM1NVT0R · 04-19-2011, 02:36 PM

Apart from making changes in squid did you check the local firewall setting to allow http request? Because it doesn't matter whether the sites are in whitelist or not yum will check local firewall whether it is a allowed to make http request.

takayama · 04-19-2011, 03:13 PM

Yes the iptable rules are flushed on both machines.

T3RM1NVT0R · 04-19-2011, 03:16 PM

iptables -F will not work for YUM.

You have to check the system-config-security level settings, I am explaining this in context of Redhat not sure which OS you are using but as you said yum it appears that you might be using some rebuild of that category.

takayama · 04-19-2011, 03:38 PM

yeah centos (sorry my bad, should have told you that) do you care to explain why iptables -F dont work?

T3RM1NVT0R · 04-19-2011, 04:29 PM

Sure

iptables -F will be used to flush any deny request or any chain/rules that are mentioned in /etc/sysconfig/iptables.

Now if you have enabled your local system firewall and set selinux to enforcing but you have not select HTTP to be the trusted service then what iptables -F will do? Since there is no deny rule (and no allow rule for allowing http traffic) in /etc/sysconfig/iptables for denying HTTP traffic then obviously iptables -F will not going to create one!

Usually iptables -F is used to override any deny rules set in there as far as I know. But if there is no allow (not denying the traffic here but also not allowing, see the difference) rule then?

I hope you got your answer.

takayama · 04-19-2011, 05:20 PM

Cool now i learned something new, but squid still is the same problem with

T3RM1NVT0R · 04-19-2011, 05:57 PM

Please paste the output of cat /etc/yum.conf

Also can you try this in squid (not really sure but worth giving a try) put first three URLs like this:

http://url/*/*

T3RM1NVT0R · 04-19-2011, 06:13 PM

Your question related to iptables -F was a good one. I dig more deeper in that direction and yes iptables -F can be used to flush all firewall rules in case you are unaware about how to customize the firewall. Not sure how it integrates with sElinux.

The issue that you explained here I was also getting the same issue and trying iptables -F for like 2-3 times didnt work for me. Then when I was sitting clueless I thought of checking firewall settings and sElinux settings using system-config-securitylevel and as soon as I disabled both firewall and sElinux yum worked in one shot.

As far as my explanation goes I think it does make sense ;-) I mean if we are not allowing any service and that service is also not in deny list then by default it should be denied.

takayama · 04-19-2011, 06:19 PM

I figured it out (removed my default squid.conf and wrote a new basic one) dont really know what the problem was.

Now im gonna look into caching of the rpms on the squid server so i dont have to dl them every time.

T3RM1NVT0R · 04-19-2011, 06:27 PM

It always feel good when things work as they are expected to :-)

Please put the thread to solved if the issue has been resolved.