Jason Haar <Jason.Haar@xxxxxxxxxxxxx> writes:

> Hi there
>
> We're getting false alarms triggering on our NIDS due to PASV-mode YUM
> FTP sessions. This is on no account the fault of YUM, but I was
> wondering if we could reconfigure YUM to use non-PASV (ie PORT) mode FTP
> instead (better yet, disable FTP so that YUM only used HTTP servers). We
> can do some NIDS whitelisting tricks for PORT-mode - as port 20 is
> always used - which we can't do with PASV-mode.
>
> So YUM uses urlgrabber which in turn uses ftplib, which in turn has a
> "set_pasv" option. But I don't seem to be able to alter that by adding
> it to /etc/yum.conf? Can I do that, or would I actually have to fiddle
> with ftplib to achieve what I want (I won't do that - too many
> downstream consequences)

AFAIK no, there's no way to pass that down. However you can do:

 . Install yum-fastestmirror, by default this prefers http over ftp (will
   only try ftp if all the http mirrors fail).

 . Write a plugin that just removes the ftp mirrors (looking at the
   fastestmirror code should help here).

 . Sync a local mirror (or use IntelligentMirror) and register it with
   MirrorManager as http only.

-- 
James Antill -- james@xxxxxxx
_______________________________________________
Yum mailing list
Yum@xxxxxxxxxxxxxxxxx
http://lists.baseurl.org/mailman/listinfo/yum
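
The "plugin that just removes the ftp mirrors" option from the reply above, as an added example that is not part of the original thread or of yum itself. The plugin name "noftp" and its file locations are assumptions; the hook and repo calls follow the yum 3.x plugin API in the way fastestmirror uses them, and the plugin stops yum rather than fall back to FTP when a repo has no other URL.

```python
# Added example: yum 3.x plugin sketch that drops ftp:// mirrors from every
# enabled repo. Assumed install: /usr/lib/yum-plugins/noftp.py plus
# /etc/yum/pluginconf.d/noftp.conf containing "[main]" and "enabled=1".
try:
    from urlparse import urlparse          # Python 2, as used by yum 3.x
except ImportError:
    from urllib.parse import urlparse      # lets the filter run on Python 3

try:
    from yum.plugins import TYPE_CORE, PluginYumExit
except ImportError:                        # yum not installed: filter only
    TYPE_CORE, PluginYumExit = 0, RuntimeError

requires_api_version = '2.5'
plugin_type = (TYPE_CORE,)


def drop_ftp(urls):
    """Return urls without any ftp:// entries, preserving order."""
    return [u for u in urls
            if urlparse(u.strip()).scheme.lower() != 'ftp']


def postreposetup_hook(conduit):
    # Runs once the repos are set up, the same hook fastestmirror uses.
    for repo in conduit.getRepos().listEnabled():
        original = list(repo.urls)
        kept = drop_ftp(original)
        if not kept:
            # Fail closed: no silent fallback to FTP for this repo.
            raise PluginYumExit('noftp: repo %s has only FTP URLs' % repo.id)
        if len(kept) != len(original):
            conduit.info(2, 'noftp: %s: removed %d FTP mirror(s)'
                         % (repo.id, len(original) - len(kept)))
            repo.urls = kept
            repo.check()       # re-validate the trimmed URL list
            repo.setupGrab()   # rebuild the grabber with the new list
```

With this in place the NIDS rule for FTP data channels no longer has to account for yum at all, since only HTTP(S) mirrors are ever contacted.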