[Yum] can I disable FTP PASV mode for yum?

seth vidal skvidal at fedoraproject.org
Mon Jan 12 14:43:03 UTC 2009


On Sun, 2009-01-11 at 21:51 -0500, James Antill wrote:
> Jason Haar <Jason.Haar at trimble.co.nz> writes:
> 
> > Hi there
> >
> > We're getting false alarms triggering on our NIDS due to PASV-mode YUM
> > FTP sessions. This is on no account the fault of YUM, but I was
> > wondering if we could reconfigure YUM to use non-PASV (ie PORT) mode FTP
> > instead (better yet, disable FTP so that YUM only used HTTP servers). We
> > can do some NIDS whitelisting tricks for PORT-mode - as port 20 is
> > always used - which we can't do with PASV-mode.
> >
> > So YUM uses urlgrabber which in turn uses ftplib, which in turn has a
> > "set_pasv" option. But I don't seem to be able to alter that by adding
> > it to /etc/yum.conf? Can I do that, or would I actually have to fiddle
> > with ftplib to achieve what I want (I won't do that - too many
> > downstream consequences)
> 
>  AFAIK no, there's no way to pass that down. However you can do:
> 
> . Install yum-fastestmirror, by default this prefers http over ftp
> (will only try ftp if all the http mirrors fail).
> 
> . Write a plugin that just removes the ftp mirrors (looking at the
> fastestmirror code should help here).
> 

This plugin prunes mirrors by a regex:

http://skvidal.fedorapeople.org/misc/prune-by-regex.py


So you can prune by ftp://.*, for example.

-sv
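
The pruning idea described above, as an added stand-alone Python example; it is not the code of the linked plugin and not part of the original message. The function names and the sample mirror URLs are constructed for illustration, and the sketch assumes patterns are anchored at the start of each URL and matched case-insensitively.

```python
import re

# Constructed sample mirrorlist (one URL per line); these are not real mirrors.
SAMPLE_MIRRORLIST = """\
# constructed sample
http://mirror-a.example.org/fedora/releases/10/Everything/i386/os/
ftp://mirror-b.example.org/pub/fedora/releases/10/Everything/i386/os/
FTP://mirror-c.example.net/fedora/10/i386/os/
https://mirror-d.example.com/fedora/10/i386/os/

http://ftp.mirror-e.example.org/fedora/10/i386/os/
"""

def parse_mirrorlist(text):
    """Return the mirror URLs in text, skipping blank lines and # comments."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            urls.append(line)
    return urls

def prune_mirrors(urls, patterns):
    """Split urls into (kept, pruned) according to the given regexes.

    re.match anchors each pattern at the start of the URL, so "ftp://.*"
    removes FTP mirrors but keeps an HTTP mirror whose hostname merely
    starts with "ftp.". Matching ignores case because URL schemes do.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    kept, pruned = [], []
    for url in urls:
        if any(rx.match(url) for rx in compiled):
            pruned.append(url)
        else:
            kept.append(url)
    if not kept:
        # Refuse to return an empty mirror list; the caller should notice.
        raise ValueError("every mirror matched a prune pattern")
    return kept, pruned

if __name__ == "__main__":
    kept, pruned = prune_mirrors(parse_mirrorlist(SAMPLE_MIRRORLIST), [r"ftp://.*"])
    for url in kept:
        print("keep  ", url)
    for url in pruned:
        print("prune ", url)
```
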



