I want to lock down my CentOS box using iptables so that it can only make HTTP connections to a valid CentOS mirror. My concern is that the IPs for the mirror sites are likely to change.
My ISP provides an FTP mirror which contains GNU/Linux distributions as well as local update caches. Bandwidth from this server is not part of my monthly allowance.
Check if your ISP has a public mirror and if they have a local copy of the CentOS yum cache.
NOTE: This assumes the server is running in your SOHO and not hosted.
iptables won't let you do hostname lookups, so as the other commenter suggested, I would set up a proxy which syncs with the master servers and then create a custom repo file to access only your proxy.
Not really more secure, though, as you're still copying over whatever was on the master servers the proxy was syncing with.
If someone gains enough access to change your repo, then you're already hosed, because they probably have root or are able to redirect your traffic (ARP spoofing). I'd make sure everything else is secure and keep the repos the way they are.
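As an added example (not code posted by anyone in this thread), the following POSIX shell script emits the iptables rules that restrict new outbound HTTP connections to a single mirror/proxy address, plus a matching yum .repo file pointing only at that address. The address 192.0.2.10 (a documentation-range IP), the repository path layout and the GPG key filename are assumptions for illustration. Rules are printed rather than applied so they can be reviewed first. Because iptables matches on addresses, not hostnames, this approach only works once the mirror address is fixed, which is exactly why a local proxy or ISP mirror is suggested above; keeping gpgcheck=1 in the repo file means yum still refuses unsigned or tampered packages even if the mirror itself is compromised.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumes the CentOS host fetches updates only from a local mirror/proxy
# with a fixed address. 192.0.2.10 is an assumed, documentation-range IP.

MIRROR_IP="${MIRROR_IP:-192.0.2.10}"

# Print (do not apply) OUTPUT-chain rules: allow new TCP/80 connections to
# the mirror, drop every other new outbound TCP/80 connection.
# Existing, established flows are unaffected by these two rules.
gen_rules() {
  ip="$1"
  printf 'iptables -A OUTPUT -p tcp -d %s --dport 80 -m conntrack --ctstate NEW -j ACCEPT\n' "$ip"
  printf 'iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP\n'
}

# Print a yum repo definition that points only at the mirror/proxy.
# Path layout and GPG key filename are assumptions; adjust to your mirror.
# gpgcheck=1 keeps package signature verification on, so a tampered
# mirror cannot push unsigned packages even though the firewall trusts its IP.
gen_repo() {
  ip="$1"
  cat <<EOF
[local-base]
name=CentOS base via local mirror (assumed layout)
baseurl=http://$ip/centos/\$releasever/os/\$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
}

# Usage: sh lockdown.sh [mirror-ip]
# Review the output, then save the repo block to /etc/yum.repos.d/local-base.repo
# and run the iptables lines (or feed them to iptables-restore) as root.
if [ "$#" -gt 0 ]; then
  MIRROR_IP="$1"
fi
gen_rules "$MIRROR_IP"
echo
gen_repo "$MIRROR_IP"
```

The script deliberately does not resolve hostnames: a rule generated from a one-off DNS lookup would silently break the moment the mirror pool rotated, which is the concern raised in the question. Pin the address by controlling the mirror (your own proxy or the ISP's), and regenerate the rules and repo file if that address ever changes.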