Netgate Discussion Forum
    yum update from DMZ ?

    Firewalling
      bgroper
      last edited by bgroper

      Hi forum
      I have a CentOS webserver in the DMZ.
      pfSense has a DMZ firewall rule to allow IPv4+6 * protocol to WAN net.
      When trying to update CentOS using yum update, I get the following error:

      # yum update
      Loaded plugins: fastestmirror
      Setting up Update Process
      Loading mirror speeds from cached hostfile
      Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=6&arch=x86_64&repo=os&infra=stock error was
      14: PYCURL ERROR 7 - "Failed to connect to 2604:1380:1001:6c00::1: Network is unreachable"
      Error: Cannot find a valid baseurl for repo: base

      I can ping mirrorlist.centos.org from server in DMZ.
      I can yum update from server/s in LAN.
      Is there something else I need to do to pfSense to enable updates from server/s in DMZ ?
      Or perhaps there's a problem with centos mirrorlist that will resolve itself with time ?

      Thanks for any tips or clues.

      I'm not a complete idiot. There's still a few pieces missing.

      • Gertjan
        Gertjan
        last edited by

        Hi,

        Observe your LAN firewall rules.
        Make sure you have identical rules on your DMZ interface.
        You'll somewhat break your DMZ concept, but ... you'll have access to the Internet from the DMZ network.
        From there, start restricting your DMZ rules, step by step.

        @bgroper said in yum update from DMZ ?:

        pfSense has DMZ firewall rule to allow IPv4+6 * protocol to WAN net

        That's not clear at all.
        One simple check somewhere that you didn't mention could "make it or break it".

        This :

        to WAN net
        

        That's what you have as a destination?
        I advise you strongly to look up what WAN net actually is (nope, it's not what you think it is ;) )

        These are my final 4 rules for something that could be a DMZ zone :

        (screenshot: b75a6830-90e5-41cd-b715-ef26324dfc2b-image.png)

        1. I don't want Portal visitors to 'do things' with my WAN network (as you figured out by now, that's my WAN network, which isn't equivalent to 'The Internet').
        2. Neither have access to my LAN network.
        3. Nor the OPENVPN network.
        4. Still here? Then ok, go ...

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • bgroper @Gertjan
          last edited by bgroper

          "WAN net" is the local subnet of the WAN interface, not the entire Internet.

          Thank you all for your replies but this is the one that really answered my question. I had wrongly assumed that packets passed to the WAN interface would be routed out to the internet.
          See
          https://forum.netgate.com/topic/70611/permit-traffic-from-opt1-net-to-wan-net-wan-net-in-rule-not-working

          I'm not a complete idiot. There's still a few pieces missing.
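The whole thread turns on one thing: in pfSense, "WAN net" is an alias for the WAN interface's own subnet, so a pass rule with that destination only covers traffic to the upstream link, and everything else falls through to the default deny. The script below is an added example (not code from either poster, and not pfSense's own rule engine) that models first-match rule evaluation against constructed subnets (the 203.0.113.0/24, 192.168.1.0/24, 10.8.0.0/24 and 2001:db8::/32 values are assumptions) and compares the original "pass to WAN net" rule with the four-rule set Gertjan describes. The IPv6 mirror address is the one from the yum error in the first post.

```python
import ipaddress

# Constructed interface subnets standing in for the pfSense aliases.
# "WAN net" is the WAN interface's subnet, not the whole Internet.
ALIASES = {
    "WAN net": [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8:ffff::/64")],
    "LAN net": [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("2001:db8:1::/64")],
    "OpenVPN net": [ipaddress.ip_network("10.8.0.0/24")],
}

# The original poster's single DMZ rule: pass, destination "WAN net".
RULES_ORIGINAL = [("pass", "WAN net")]

# Gertjan's four rules in order: block the local networks, then pass the rest.
RULES_FINAL = [
    ("block", "WAN net"),
    ("block", "LAN net"),
    ("block", "OpenVPN net"),
    ("pass", "any"),
]


def matches(dst, alias):
    """True if dst falls inside the alias (same address family only)."""
    if alias == "any":
        return True
    return any(dst.version == net.version and dst in net
               for net in ALIASES[alias])


def evaluate(rules, dst_str):
    """First-match evaluation with pfSense's implicit default deny."""
    dst = ipaddress.ip_address(dst_str)
    for action, alias in rules:
        if matches(dst, alias):
            return action
    return "block"  # no rule matched: default deny


def compare(dst_str):
    """Return (original_result, final_result) for one destination."""
    return evaluate(RULES_ORIGINAL, dst_str), evaluate(RULES_FINAL, dst_str)


if __name__ == "__main__":
    for dst in ["2604:1380:1001:6c00::1",  # CentOS mirror from the yum error
                "198.51.100.10",           # constructed Internet host
                "203.0.113.1",             # constructed WAN gateway
                "192.168.1.10"]:           # constructed LAN host
        print(dst, "original:", compare(dst)[0], "final:", compare(dst)[1])
```

With the original rule, the mirror's IPv6 address and any IPv4 Internet host are silently blocked while the WAN gateway itself is passed; with the final rule set the Internet is reachable and the WAN, LAN and OpenVPN subnets stay closed, which is exactly the "why does ping to the gateway work but yum fails" confusion in the thread.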
