This is the comment you were replying to, attached to the article A short introduction to cron-apt:
#7 apt, cron-apt, and firewall issues
Posted by lb (130.75.xx.xx) on Fri 21 Jul 2006 at 15:47

My firewall server settings are pretty tight, and restrict outgoing traffic to the absolute minimum. In order not to pierce holes into the ruleset for apt, I created a short shell script that dynamically opens up the firewall for outgoing traffic during the update/upgrade process, and closes the firewall again when finished. The script analyses /etc/apt/sources.list and allows ftp and http connections. After cron-apt has finished, the newly created rules are deleted again.

It basically works like this:

- create a script /usr/local/sbin/my-cron-apt that calls the firewall-rules script apt-fw.sh first, then executes cron-apt, and afterwards calls apt-fw.sh again.
- in /etc/cron.d/cron-apt, replace /usr/sbin/cron-apt with /usr/local/sbin/my-cron-apt

The scripts are:

/usr/local/sbin/my-cron-apt

#!/bin/bash
# Open the firewall for the apt mirrors, run cron-apt, then close it again.
/usr/local/sbin/apt-fw.sh start
test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
/usr/local/sbin/apt-fw.sh stop

/usr/local/sbin/apt-fw.sh

#!/bin/bash
IPTABLES=/sbin/iptables
GREP=/bin/grep
AWK=/usr/bin/awk
TAIL=/usr/bin/tail
CHAIN="aptChain"

# Create the chain and send traffic for every mirror in sources.list through it:
# DNS, ftp and http are accepted, anything else to those hosts is rejected.
function d_start() {
    $IPTABLES -N $CHAIN
    $IPTABLES -A $CHAIN -p udp --dport 53 -j ACCEPT
    $IPTABLES -A $CHAIN -p tcp -m multiport --dports 21,80 -j ACCEPT
    $IPTABLES -A $CHAIN -j REJECT
    # Second field of each "deb" line; the two sub() calls strip the scheme and the path.
    for APT in `$GREP ^deb /etc/apt/sources.list | $AWK '{print $2}' | sort -u`; do
        APT=`echo $APT | $AWK '{sub (/[fht]*p:\/\//,"",$1); print}'`
        APT=`echo $APT | $AWK '{sub (/\/[a-zA-Z0-9\-_/]*\/?/,"",$1); print}'`
        $IPTABLES -A OUTPUT -d $APT -j $CHAIN
    done
}

# Delete every OUTPUT rule that jumps to the chain (last line number first, so
# the numbering of the remaining rules stays valid), then remove the chain.
function d_stop() {
    $IPTABLES -F $CHAIN
    I=`$IPTABLES -L OUTPUT -n --line-numbers | $GREP $CHAIN | $TAIL -n 1 | $AWK '{print $1}'`
    while [ "$I" != "" ]; do
        $IPTABLES -D OUTPUT $I
        I=`$IPTABLES -L OUTPUT -n --line-numbers | $GREP $CHAIN | $TAIL -n 1 | $AWK '{print $1}'`
    done
    $IPTABLES -X $CHAIN
}

case "$1" in
    start) d_start ;;
    stop)  d_stop ;;
    *)     echo "Usage: $0 {start|stop}" >&2
           exit 1 ;;
esac
exit 0

The advantage of splitting the process into two separate files is that you can call apt-fw.sh manually when executing aptitude update or the like. For comments, please drop me a mail. :-)
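The same design, as an added example that is neither the commenter's script nor code from the article: outbound access is opened only to the hosts named in sources.list and only for the duration of the run. It goes beyond the comment in two ways. The parser also handles deb-src lines, bracketed options such as [arch=amd64 signed-by=...], https URIs and explicit ports, and a DRY_RUN switch prints the iptables commands instead of executing them, so the generated rule set can be inspected or tested without root. The chain name and the /sbin/iptables path follow the comment; port 443, the "iptables -S" replay used to tear the rules down, and the sample sources.list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the commenter's apt-fw.sh: open the firewall for the apt
# mirrors while an update runs, with a more robust sources.list parser and a
# dry-run mode. The paths below are hypothetical defaults.

IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-aptChain}
DRY_RUN=${DRY_RUN:-0}      # 1 = print the iptables commands instead of running them

# Constructed sample sources.list (not taken from the page). It exercises cases
# the original awk one-liners do not cover: comments, bracketed options, https,
# an explicit port, deb-src lines, and one host listed twice non-adjacently.
SAMPLE_SOURCES='# Debian mirrors (constructed sample)
deb http://ftp.debian.org/debian stable main contrib
deb-src http://ftp.debian.org/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://deb.example.org/debian stable main
deb http://security.debian.org/ stable/updates main
deb ftp://mirror.example.net:2121/debian stable main
deb http://ftp.debian.org/debian stable-updates main'

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apt_hosts: read sources.list text on stdin, print each repository host once
# (comments, bracketed options, scheme, port and path stripped; sorted).
apt_hosts() {
    sed -e 's/#.*$//' -e 's/\[[^]]*\][[:space:]]*//' \
    | awk '$1 == "deb" || $1 == "deb-src" { print $2 }' \
    | sed -e 's|^[a-z][a-z0-9+.-]*://||' -e 's|/.*$||' -e 's|:[0-9]*$||' \
    | sort -u
}

# apt_fw_start: create the chain (flush it if a previous run left it behind)
# and send traffic for each mirror host on stdin through it.
# Note: "-d host" is resolved by iptables once, when the rule is inserted; a
# mirror behind round-robin DNS or a CDN may answer from another address later.
apt_fw_start() {
    run "$IPTABLES" -N "$CHAIN" 2>/dev/null || run "$IPTABLES" -F "$CHAIN"
    run "$IPTABLES" -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    run "$IPTABLES" -A "$CHAIN" -p tcp -m multiport --dports 21,80,443 -j ACCEPT
    run "$IPTABLES" -A "$CHAIN" -j REJECT
    apt_hosts | while IFS= read -r host; do
        if [ -n "$host" ]; then
            run "$IPTABLES" -A OUTPUT -d "$host" -j "$CHAIN"
        fi
    done
}

# apt_fw_stop: replay every OUTPUT rule that jumps to the chain as a delete, so
# exactly the addresses inserted at start time are removed whatever DNS says now,
# then drop the chain. Needs a real iptables with "-S" (runs as root, not dry-run).
apt_fw_stop() {
    "$IPTABLES" -S OUTPUT 2>/dev/null | grep -- "-j $CHAIN\$" | sed 's/^-A /-D /' \
    | while IFS= read -r rule; do
        # word splitting of the rule text into arguments is intended here
        run "$IPTABLES" $rule
    done
    run "$IPTABLES" -F "$CHAIN"
    run "$IPTABLES" -X "$CHAIN"
}

# Command-line use: "start [sources.list]", "stop", or "hosts [sources.list]".
case "${1:-}" in
    start) apt_fw_start < "${2:-/etc/apt/sources.list}" ;;
    stop)  apt_fw_stop ;;
    hosts) apt_hosts < "${2:-/etc/apt/sources.list}" ;;
esac
```

Before installing it into a wrapper like my-cron-apt, run "DRY_RUN=1 sh apt-fw.sh start /etc/apt/sources.list" and read the printed rules; "sh apt-fw.sh hosts" shows just the host list the parser extracted. The stop side deliberately does not re-parse sources.list: if a mirror name resolved to a different address between start and stop, a delete by name would fail and "-X" would then refuse to remove the still-referenced chain, whereas replaying the rules iptables actually holds always matches.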