At 16:43 28.02.2012, Jan Pazdziora wrote:
>On Mon, Feb 27, 2012 at 06:50:06PM +0100, Jan Arild Lindstrøm wrote:
>>
>> 3)
>>
>> lintest3-virt(root) ~ 34# yum update
>> Loaded plugins: refresh-packagekit, rhnplugin, security
>> Loading mirror speeds from cached hostfile
>> Error: Cannot retrieve repository metadata (repomd.xml) for repository:
>> centos6-x86_64. Please verify its path and try again
>>
>> ( - "yum update" starts here - )
>> 14:20:33.362368 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.375652 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.375852 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.377344 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 627
>> 14:20:33.377522 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 1380
>> 14:20:33.378321 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> --cut--
>> 14:20:33.402821 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.402825 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 467
>> 14:20:33.402829 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.402846 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.406011 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.406976 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.460341 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> 14:20:36.460258 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> 14:20:42.460278 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> --cut--
>>
>> Proxy = 10.10.30.183
>> Spacewalk server = 10.10.0.62
>
>Is it possible that it's actually
>
>    Spacewalk client = 10.10.0.62
>    Proxy = 10.10.30.183
>    Spacewalk server 10.10.0.60
>
>?

Yes, I just make sure my two test clients can not speak directly with the Spacewalk server:

spacewalk01(root) ~ 1442# iptables -L -n -v
Chain INPUT (policy ACCEPT 11M packets, 4471M bytes)
 pkts bytes target     prot opt in     out     source               destination
  636 38304 DROP       all  --  *      *       10.123.0.62          0.0.0.0/0
29538 1182K DROP       all  --  *      *       10.123.0.61          0.0.0.0/0
--cut--

I want them to use only the proxy and not be able to shortcut it by using the Spacewalk server directly. That is because I do not want to open port 80 out from all our other VLANs.

>Can you do more tcpdumping to see what are the HTTP requests that are
>being sent directly?

The proxy is Squid 3.1.x.

Disabled iptables on the Spacewalk server while running tshark on the client.

Captured: yum repolist (run after a "yum clean all").

Without "http_proxy=http://proxy-z2.mydomain.no:8080 ; export http_proxy":

lintest3-virt(root) ~ 162# tshark -c 500 -R 'http' port 80 or port 8080
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.014810 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.045528 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.070893 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.107598 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.155940 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
0.159237 10.123.0.60 -> 10.123.0.62 HTTP/XML HTTP/1.1 200 OK
0.184609 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
4.318590 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64-addons/repodata/repomd.xml HTTP/1.1
4.321661 10.123.0.60 -> 10.123.0.62 HTTP/XML HTTP/1.1 200 OK
--cut--

It starts using the Spacewalk server directly when fetching the repo stuff.

With "http_proxy=http://proxy-z2.mydomain.no:8080 ; export http_proxy":

lintest3-virt(root) ~ 167# tshark -c 5000 -R 'http' port 80 or port 8080
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.004991 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.028022 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.051706 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.071484 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.132816 10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
0.141334 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.174648 10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
4.577575 10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64-addons/repodata/repomd.xml HTTP/1.1
4.587044 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
--cut--

It never uses the Spacewalk server directly.

--
Regards
Jan Arild

>--
>Jan Pazdziora
>Principal Software Engineer, Satellite Engineering, Red Hat
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-list@redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list
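
The comparison made by eye in the message above can be automated. This is an added example, not part of the original thread: it parses tshark summary lines in the format shown there and lists every request from the client that did not go to the proxy. The function names are hypothetical; the sample lines are copied from the first capture in the message.

```python
import re
from collections import Counter

# One tshark summary line carrying an HTTP request: time, src -> dst, protocol
# column, then the request line. Response lines ("HTTP/1.0 200 OK") do not match.
REQ = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\S+\s+"
    r"(?P<method>GET|POST|HEAD|PUT|CONNECT)\s+(?P<target>\S+)\s+HTTP/\d\.\d\s*$"
)

# Sample input: lines taken from the capture without http_proxy set.
SAMPLE = """\
0.014810 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.045528 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.155940 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
0.159237 10.123.0.60 -> 10.123.0.62 HTTP/XML HTTP/1.1 200 OK
0.184609 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
"""

def parse_requests(text, client):
    """Yield the HTTP requests sent by `client` as dicts of the REQ groups."""
    for line in text.splitlines():
        m = REQ.match(line)
        if m and m["src"] == client:
            yield m.groupdict()

def find_proxy_bypass(text, client, proxy):
    """Return (time, dst, method, target, form) for requests that skipped `proxy`."""
    findings = []
    for r in parse_requests(text, client):
        if r["dst"] != proxy:
            # A request sent to a proxy carries the full URL (absolute-form);
            # a bare path (origin-form) means the client addressed the server itself.
            form = "origin-form" if r["target"].startswith("/") else "absolute-form"
            findings.append((r["t"], r["dst"], r["method"], r["target"], form))
    return findings

def destinations(text, client):
    """Count the client's requests per destination address."""
    return Counter(r["dst"] for r in parse_requests(text, client))

if __name__ == "__main__":
    for finding in find_proxy_bypass(SAMPLE, "10.123.0.62", "10.123.30.183"):
        print("direct request:", *finding)
    print(dict(destinations(SAMPLE, "10.123.0.62")))
```

An empty result from `find_proxy_bypass` on a capture that includes the repodata fetches corresponds to the second capture in the message, where every request goes to 10.123.30.183.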