On Sun, 2009-01-11 at 21:51 -0500, James Antill wrote:
> Jason Haar <Jason.Haar@xxxxxxxxxxxxx> writes:
>
> > Hi there
> >
> > We're getting false alarms triggering on our NIDS due to PASV-mode YUM
> > FTP sessions. This is on no account the fault of YUM, but I was
> > wondering if we could reconfigure YUM to use non-PASV (ie PORT) mode FTP
> > instead (better yet, disable FTP so that YUM only used HTTP servers). We
> > can do some NIDS whitelisting tricks for PORT-mode - as port 20 is
> > always used - which we can't do with PASV-mode.
> >
> > So YUM uses urlgrabber which in turn uses ftplib, which in turn has a
> > "set_pasv" option. But I don't seem to be able to alter that by adding
> > it to /etc/yum.conf? Can I do that, or would I actually have to fiddle
> > with ftplib to achieve what I want (I won't do that - too many
> > downstream consequences)
>
> AFAIK no, there's no way to pass that down. However you can do:
>
> . Install yum-fastestmirror, by default this prefers http over ftp
> (will only try ftp if all the http mirrors fail).
>
> . Write a plugin that just removes the ftp mirrors (looking at the
> fastestmirror code should help here).
>

This plugin prunes mirrors by a regex:

http://skvidal.fedorapeople.org/misc/prune-by-regex.py

So you can prune by ftp://.*, for example.

-sv
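
The pruning step suggested in the reply above, as an added example that is not part of the original message and is not the linked prune-by-regex.py plugin. The function names, the repo-to-URL mapping and the example.org mirrors are constructed for illustration; wiring the result into yum's plugin hooks is not shown.

```python
import re


def prune_mirrors(urls, pattern=r"ftp://.*"):
    """Split urls into (kept, pruned) using a regex matched at the start of each URL."""
    # re.match anchors at the beginning, so an http URL that merely contains
    # "ftp://" in its query string is kept. IGNORECASE covers "FTP://",
    # because URL schemes are case-insensitive.
    rx = re.compile(pattern, re.IGNORECASE)
    kept, pruned = [], []
    for url in urls:
        if rx.match(url.strip()):
            pruned.append(url)
        else:
            kept.append(url)
    return kept, pruned


def prune_repos(repos, pattern=r"ftp://.*"):
    """Apply prune_mirrors to a {repo_id: [mirror_url, ...]} mapping.

    Returns (new_mapping, report). A repo that loses every mirror keeps an
    empty list and is named in report["emptied"], so the caller can disable
    it or fail loudly instead of quietly falling back to FTP.
    """
    result = {}
    report = {"pruned": {}, "emptied": []}
    for repo_id, urls in repos.items():
        kept, pruned = prune_mirrors(urls, pattern)
        result[repo_id] = kept
        if pruned:
            report["pruned"][repo_id] = pruned
        if not kept:
            report["emptied"].append(repo_id)
    return result, report


# Constructed sample input: two hypothetical repos with mixed mirror schemes.
SAMPLE_REPOS = {
    "base": [
        "http://mirror1.example.org/os/",
        "ftp://mirror2.example.org/os/",
        "FTP://mirror3.example.org/os/",
    ],
    "extras": ["ftp://mirror2.example.org/extras/"],
}

if __name__ == "__main__":
    mirrors, summary = prune_repos(SAMPLE_REPOS)
    print(mirrors)
    print(summary)
```
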