From: Chuck Swiger
Date: Sat, 11 Mar 2006 08:52:09 -0500
To: David Robillard
Cc: FreeBSD Questions Mailing List
Message-ID: <4412D609.1090806@mac.com>
Subject: Re: Local portaudit server.

David Robillard wrote:
> We use the port security/portaudit on all of our FreeBSD servers.
> Currently, every machine has to go out on the internet to download the
> portaudit vulnerability database from the FreeBSD server.

If your internal machines need to talk to the web, and you wish to control or
restrict that behavior, the canonical solution is to set up a proxy server and
firewall which blocks Internet access for everything except the proxy.

> Since all of the machines are downloading the exact same file, we
> would like to set up a local portaudit server. This server would fetch
> the vulnerability file and all the rest of our servers would fetch it
> from the local portaudit server.
>
> Has anyone done this setup? Any help/pointers would be great.

You could also use rsync to copy /var/db/portaudit from the external server to
your internal machines on a daily basis via a cron job.

-- 
-Chuck
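
The rsync-plus-cron approach from the reply above, as an added example that is not part of the original message: each internal machine pulls the database from one local host into a staging directory and installs it only if the transfer produced a non-empty, changed file. The host name `portaudit.internal.example`, the script path in the cron comment, and the database file name `auditfile.tbz` are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example. SRC host and DBFILE name are assumptions, not from the thread.
SRC="${SRC:-portaudit.internal.example:/var/db/portaudit/}"  # hypothetical host
DBDIR="${DBDIR:-/var/db/portaudit}"
DBFILE="${DBFILE:-auditfile.tbz}"

# Fetch into a staging directory so a failed transfer never touches the live copy.
pull_db() {
    rsync -a --timeout=60 "$SRC" "$1/"
}

# Install the staged file only if it is non-empty and differs from the live one.
# Returns 0 = installed, 1 = rejected (missing or empty), 2 = unchanged, 3 = copy error.
install_db() {
    new="$1/$DBFILE"
    dest="$2"
    [ -s "$new" ] || return 1
    if [ -f "$dest/$DBFILE" ] && cmp -s "$new" "$dest/$DBFILE"; then
        return 2
    fi
    # Copy next to the target, then rename: a rename inside one directory is
    # atomic, so portaudit never reads a half-written database.
    cp -p "$new" "$dest/.$DBFILE.tmp" || return 3
    mv -f "$dest/.$DBFILE.tmp" "$dest/$DBFILE" || return 3
}

sync_portaudit() {
    stage=$(mktemp -d "${TMPDIR:-/tmp}/portaudit.XXXXXX") || return 3
    rc=0
    pull_db "$stage" && install_db "$stage" "$DBDIR" || rc=$?
    rm -rf "$stage"
    return "$rc"
}

# Daily cron entry (root's crontab); the script path is hypothetical:
#   17 3 * * * /usr/local/sbin/sync-portaudit.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    sync_portaudit || rc=$?
    # "unchanged" is a normal outcome; anything else leaves the old copy in place.
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || { echo "portaudit sync failed ($rc)" >&2; exit 1; }
fi
```

Running rsync over ssh from cron needs a non-interactive key on each client; restricting that key to read-only access on the local server keeps the clients from modifying the shared copy.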