From: dweimer <dweimer@dweimer.net>
Date: Thu, 12 Jul 2012 16:17:40 -0500
To: freebsd-questions@freebsd.org
Subject: Re: Is there a way to run FreeBSD ports through port 80?
In-Reply-To: <4FFF32EE.2030700@gmail.com>
References: <44k3y83nib.fsf@be-well.ilk.org> <20120712174139.GA10822@external.screwed.box> <20120712185400.GB10822@external.screwed.box> <4FFF32EE.2030700@gmail.com>
Message-ID: <0c416ad2fc639e984ad7a0f95f3ade10@dweimer.net>
User-Agent: Roundcube Webmail/0.8-rc

On 2012-07-12 15:26, Kaya Saman wrote:
> On 07/12/2012 07:54 PM, Peter Vereshagin wrote:
>> Hello.
>>
>> Why don't you use a portsnap? it's over http...
>>
>> 2012/07/12 19:01:15 +0100 Kaya Saman => To Peter Vereshagin :
>> KS> I will check it out however and see if that method is best, however
>> KS> CVSup would be the best way for us and I'm already looking at this:
>> KS>
>> KS> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
>>
>> 1. cvsup is not about comparison to ftp. cvsup is a way to obtain fresh port
>> for the program distribution, ie set of patches, list of package's files,
>> sample configuration files for the particular program(s) those are not the part
>> of the base system but supplied with taking the OS specs in mind.
>>
>> ftp is a way to obtain a distfile, ie what the 3rd party software developer use
>> to distribute. For FreeBSD ports cvsup and ftp are not competent in the daily
>> use as they have different purposes.
>>
>> Some 3rd party software is released and published authoritatively on ftp only.
>> And that is the only problem possible for you on ftp usage by freebsd ports.
>> But I believe there is only a few of them you need if any at all.
>>
>> I guess you may want to download the initial ports tree tarball, the ports.tgz,
>> via the ftp. But it's certainly a) available over there via the http and b) is
>> outdated and is needed to be updated via the portsnap and/or cvsup.
>>
>> 2. Use csup from the base system, don't use cvsup from ports if you use its
>> protocol. And, portsnap seems to be even more recommended since some days.
>>
>> KS> which should be enough to get a demo up and running.
>>
>> A Demo? Am I invited for the show? ;-)
>>
>> --
>> Peter Vereshagin (http://vereshagin.org) pgp: A0E26627
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> Hi Peter,
>
> portsnap works fine :-)
>
> My issues start coming into play when building the actual port itself, i.e.
> fetching the distfile, as you suggested above.
>
> As soon as I start running portmaster -a or a 'make install clean' on certain
> ports, the progress just bombs out totally.
>
> It would be really cool if I could find a way to centrally manage all of this.
> So perhaps in conjunction with CVSup.....
>
> Something like a Linux repo server if you will - though I mention the term very
> loosely.
>
> Regards,
>
> Kaya

If the volume of machines you have isn't very high, I would consider asking the
Director if you could have a machine in the DMZ that would be able to use FTP
and cvsup to get outbound. Install Squid on that, allow Squid to use FTP, then
allow only SSH from the inside systems to that machine. From there you can use
SSH on the inside systems to tunnel the cvsup data outbound for source updates,
and to tunnel the Squid connection outbound to be able to use FTP for the port
updates via the SSH tunnel, using Squid's FTP connect over HTTP.

This method would eliminate the need to set up your own local cvsup mirror. It
does still allow FTP, but it doesn't leave any internal connections possible
except when intended. It doesn't open it up to any users without SSH access into
the DMZ machine, so it can be controlled who has access to it.

As the go-to guy at my company for internet security I understand the need to
lock things down, and sadly wish my boss would allow me to lock down ours more
than it is, though I don't see blocking outbound FTP as a requirement (though we
only allow passive). It's interesting to see this from the side of the other guy
whose stuff doesn't work due to the restrictions in place.

I deal all the time with employees trying to do online conferences or file
downloads with other companies using obscure tools that won't work through an
HTTP proxy, use some random high port like 10000, and want me to open up the
port through the firewall right then so they can do the conference or get the
file, without any time to make sure the application is actually safe. Of course
the main response to "no, I can't do that" is "why does it work for everyone
else on the conference?" I can't seem to make them understand that the other
people might not have to explain to the bank why they weren't following the PCI
(payment card industry) guidelines they signed a document stating we would
adhere to. And it's my job on the line and not theirs if my allowing the port
through the firewall for them allows the security breach.

--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
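The DMZ-jump-host arrangement Dean describes above (SSH only from the inside, csup and Squid carried over that one session), written out as a set of helper functions. This is an added example for this archive page, not something from the thread or from the FreeBSD project; the host names, the `portsupd` account, the key material and the supfile path are constructed placeholders, and the Squid port, the csup port (TCP 5999), the `permitopen` key option and fetch(1)'s `FTP_PROXY`/`HTTP_PROXY` handling are the real defaults and interfaces being relied on.

```shell
#!/bin/sh
# Added example (not from the original thread): helper functions for an inside
# host that reaches the outside only through an SSH session to a DMZ box.
# One session carries two local forwards: csup (TCP 5999) to a cvsup mirror the
# DMZ host may reach, and Squid's http_port on the DMZ host itself. fetch(1),
# which the ports tree uses for distfiles, is then pointed at the tunnelled
# proxy; an http:// URL in FTP_PROXY makes it request ftp:// distfiles via HTTP.
# All host names, the account name, key material and paths are placeholders.

# ssh command for the inside host: -N opens no remote shell, and both -L binds
# are on loopback so nothing else on the LAN can ride the tunnel.
#   $1 = tunnel account on the DMZ host   $2 = DMZ host
#   $3 = cvsup/csup mirror                $4 = Squid's http_port
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:5999:%s:5999 -L 127.0.0.1:3128:127.0.0.1:%s %s@%s\n' \
        "$3" "$4" "$1" "$2"
}

# authorized_keys entry for the dedicated tunnel account on the DMZ host: no
# pty, agent or X11 forwarding, and permitopen pins -L targets to exactly the
# two destinations above, so the key is useless for reaching anything else.
#   $1 = cvsup mirror   $2 = Squid port   $3 = public key material
authorized_keys_line() {
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="%s:5999",permitopen="127.0.0.1:%s" %s\n' \
        "$1" "$2" "$3"
}

# /etc/make.conf line: the ports framework exports FETCH_ENV to fetch(1), so
# every distfile download, ftp:// or http://, goes through the tunnelled Squid.
make_conf_line() {
    printf 'FETCH_ENV=FTP_PROXY=http://127.0.0.1:3128 HTTP_PROXY=http://127.0.0.1:3128\n'
}

# csup invocation for source updates, with host and port overridden to the
# local end of the tunnel.   $1 = supfile path
csup_cmd() {
    printf 'csup -h 127.0.0.1 -p 5999 %s\n' "$1"
}

# Cheap liveness check before starting portmaster: is the local forward up?
#   $1 = local port to probe (5999 or 3128)
tunnel_up() {
    nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# `sh thisfile show` prints the pieces to put in place (placeholder values).
case "${1:-}" in
    show)
        echo '# inside host, run in the background or under a supervisor:'
        tunnel_cmd portsupd dmz.example.internal cvsup.example.org 3128
        echo '# DMZ host, ~portsupd/.ssh/authorized_keys:'
        authorized_keys_line cvsup.example.org 3128 'ssh-ed25519 AAAA...placeholder'
        echo '# inside host, /etc/make.conf:'
        make_conf_line
        echo '# inside host, source update:'
        csup_cmd /path/to/supfile
        ;;
esac
```

The `permitopen` entries are the piece worth not skipping: without them, anyone holding the tunnel key could forward to arbitrary hosts and ports from the DMZ box, which is exactly the "internal connections possible except when intended" situation the arrangement is meant to rule out. Check `tunnel_up 3128` and `tunnel_up 5999` before kicking off `portmaster -a`, and run the ssh command under a supervisor or `autossh`-style wrapper so a dropped session does not leave builds failing half way through a fetch.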