RE: Firewall and FreeBSD ports
On Behalf Of RW

> I don't normally do this as Watson is usually less impressed when
> Holmes reveals his working, but the clues were there. He wrote:
>
> > "install software with ports (i.e, the /usr/ports collection.)"
>
> and
>
> > "FTP to grab source files from mirrors"
>
> If you combine that with crediting the poster with enough common sense
> to mention he was using a version before 6.2, then it seemed unlikely
> to be a problem with active FTP.
>
> BTW neither of us actually answered the question. I know I forgot as I
> was in a hurry. I'm pretty sure you didn't either, but I don't have the
> time to read all of your reply in detail.
>
> The answer is: enable outgoing tcp connections to port 21 and to all
> ports above 1023.

Is there a way to set up any firewall so that while there is an active outgoing connection on port 21, allow any incoming connections from the same IP address?

Bob McConnell

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Firewall and FreeBSD ports
> > > sh/bash: export FTP_PASSIVE_MODE=true
> > > csh: setenv FTP_PASSIVE_MODE true
> >
> > First off, this did solve the problem. Thank you, Jeremy.
> >
> > Now, as to the why...
>
> That's odd, because if you are running 7.x with default settings,
> FTP_PASSIVE_MODE should be irrelevant to fetching distfiles - even if
> it's set to "no".
>
> Do you have any FETCH_* variables defined?

No

> What happens if you cd to a port directory and type:
>
> make -V FETCH_CMD
>
> ?

[EMAIL PROTECTED]:~]> cd /usr/ports/shells/zsh
[EMAIL PROTECTED]:zsh]> make -V FETCH_CMD
/usr/bin/fetch -ApRr
[EMAIL PROTECTED]:zsh]>

> > I then wanted to install NTP:
> >
> > cd /usr/ports/net/ntp
> > make config; make install clean
> >
> > This failed because the mirrors were not accessible.
>
> I just tried this port myself and it failed on all four servers
> configured in the Makefile, only succeeding on the fallback Freebsd
> server, (Freebsd's own cache for package building).
>
> Unless you turn up something odd for FETCH_CMD, I think there's a good
> chance that you never had an FTP firewall problem in the first place,
> and that the file has simply been added to ftp.freebsd.org since you
> got the original failure.

I just removed the FTP_PASSIVE_MODE variable from .bash_profile, logged out, and logged back in. I then tried to install another port and it installed without problem.

-- John
Re: Fwd: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 16:16:29 -0400
John Almberg <[EMAIL PROTECTED]> wrote:

> On Oct 10, 2008, at 2:41 PM, Jeremy Chadwick wrote:
>
> >>> See the fetch(1) man page. Try this first:
> >>>
> >>> sh/bash: export FTP_PASSIVE_MODE=true
> >>> csh: setenv FTP_PASSIVE_MODE true
>
> First off, this did solve the problem. Thank you, Jeremy.
>
> Now, as to the why...

That's odd, because if you are running 7.x with default settings, FTP_PASSIVE_MODE should be irrelevant to fetching distfiles - even if it's set to "no".

Do you have any FETCH_* variables defined?

What happens if you cd to a port directory and type:

make -V FETCH_CMD

?

> I believe I am using ports. In this case, I had just installed and
> configured PF (the first thing I do, now, when building a new
> machine.)
>
> I then wanted to install NTP:
>
> cd /usr/ports/net/ntp
> make config; make install clean
>
> This failed because the mirrors were not accessible.

I just tried this port myself and it failed on all four servers configured in the Makefile, only succeeding on the fallback Freebsd server, (Freebsd's own cache for package building).

Unless you turn up something odd for FETCH_CMD, I think there's a good chance that you never had an FTP firewall problem in the first place, and that the file has simply been added to ftp.freebsd.org since you got the original failure.
Re: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 11:41:40 -0700
Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

> On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> > On Fri, 10 Oct 2008 09:51:16 -0700
> > Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
>
> > passive ftp has been the default for long time, fetch is called
> > with the -p option.
>
> Let's give the users some actual detail, not terse one-liners which
> will induce more questions/confusion.

< Snip some facts used as a blunt instrument >

> The OP did not disclose how he was installing ports. A lot of users
> think that packages == ports,

I don't normally do this as Watson is usually less impressed when Holmes reveals his working, but the clues were there. He wrote:

"install software with ports (i.e, the /usr/ports collection.)"

and

"FTP to grab source files from mirrors"

If you combine that with crediting the poster with enough common sense to mention he was using a version before 6.2, then it seemed unlikely to be a problem with active FTP.

BTW neither of us actually answered the question. I know I forgot as I was in a hurry. I'm pretty sure you didn't either, but I don't have the time to read all of your reply in detail.

The answer is: enable outgoing tcp connections to port 21 and to all ports above 1023.
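RW's answer here (allow outbound TCP to port 21 and to ports above 1023) and Bob's follow-up question about letting the remote server connect back in both come down to which side opens the FTP data connection. The Python model below is an added example, not code from this thread: it parses a constructed PASV reply and a constructed PORT command, derives the data connection each implies, and checks it against that stateful, egress-only policy.

```python
"""Why passive FTP passes an egress-only PF policy and active FTP does not.
Added example, not code from this thread. The policy is the one RW gives
(outbound TCP to port 21 and to ports above 1023, replies ride on state);
the PASV reply and PORT command below are constructed samples."""
import re
from dataclasses import dataclass

CONTROL_PORT = 21
FIRST_DYNAMIC_PORT = 1024  # "all ports above 1023"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Flow:
    """A new TCP connection: 'out' = our host opens it, 'in' = the peer does."""
    direction: str
    dst_port: int


def policy_permits(flow: Flow) -> bool:
    """Stateful egress-only policy: a new outbound flow must target port 21 or
    a port above 1023; replies match existing state; a new inbound flow is
    dropped no matter which host it comes from (Bob's question)."""
    if flow.direction == "out":
        return flow.dst_port == CONTROL_PORT or flow.dst_port >= FIRST_DYNAMIC_PORT
    return False


def data_flow_from_pasv(reply: str) -> Flow:
    """Passive mode: the server's 227 reply announces h1-h4,p1,p2 and the
    client opens the data connection outbound to port p1*256+p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return Flow("out", int(m.group(5)) * 256 + int(m.group(6)))


def data_flow_from_port(command: str) -> Flow:
    """Active mode: the client's PORT command announces its own listening
    port, so the server opens a new inbound connection to it."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("not a PORT command: %r" % command)
    return Flow("in", int(m.group(5)) * 256 + int(m.group(6)))


# Constructed sample exchange; addresses and ports are made up.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"
SAMPLE_PORT_COMMAND = "PORT 192,0,2,5,200,10\r\n"


def classify(pasv_reply: str = SAMPLE_PASV_REPLY,
             port_command: str = SAMPLE_PORT_COMMAND) -> dict:
    """Verdict for the control connection and for each style of data connection."""
    return {
        "control": policy_permits(Flow("out", CONTROL_PORT)),
        "passive_data": policy_permits(data_flow_from_pasv(pasv_reply)),
        "active_data": policy_permits(data_flow_from_port(port_command)),
    }
```

A PASV reply that names a port at or below 1023 is refused by the same rule, which is the one way passive mode can still fail under this policy.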
Fwd: Firewall and FreeBSD ports
> sh/bash: export FTP_PASSIVE_MODE=true

Ah... because in passive mode, the client (my server) sets the data port, and my PF rules allow return data on the port used for the request.

Okay... that makes sense, I think... (little by little, it sinks in...)

-- John
Fwd: Firewall and FreeBSD ports
On Oct 10, 2008, at 2:41 PM, Jeremy Chadwick wrote:

> On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> > On Fri, 10 Oct 2008 09:51:16 -0700
> > Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> >
> > > On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > > > I just set up a new server with a very restricted PF configuration.
> > > > One problem: I can no longer install software with ports (i.e, the
> > > > /usr/ports collection.) I have to disable PF to do so. Obviously not
> > > > a great solution.
> > > >
> > > > Am I correct in guessing that ports uses FTP to grab source files
> > > > from mirrors? I'm trying to figure out the smallest number of ports
> > > > (the TCP/IP kind) that I need to open in my firewall. I don't want
> > > > to enable incoming FTP requests, but do want to allow outgoing ftp
> > > > requests, I believe.
> > > >
> > > > Am I on the right track, here?
> > >
> > > See the fetch(1) man page. Try this first:
> > >
> > > sh/bash: export FTP_PASSIVE_MODE=true
> > > csh: setenv FTP_PASSIVE_MODE true

First off, this did solve the problem. Thank you, Jeremy.

Now, as to the why...

> > passive ftp has been the default for long time, fetch is called
> > with the -p option.
>
> Let's give the users some actual detail, not terse one-liners which
> will induce more questions/confusion.
>
> First off, libfetch (which is what fetch(1) uses) itself DOES NOT default to using FTP passive mode. You have to either pass the -p option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE environment variable (which affects anything using libfetch).
>
> Secondly, the ports framework (not pkg_* tools!), specifically ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force passive mode. This will be used for things like "make fetch". It *will not* be used for things like "pkg_add -r" or "pkg_add ftp://...";
>
> The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk was applied to HEAD on 2006/09/20. HEAD at that time is what became FreeBSD 6.2. Of course, anyone updating their ports tree after that date would also get the change; I'm just pointing it out so people know what the actual date was when -p was added to the default argument list.
>
> Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure someone will try to argue "that's also been turned on by default for a long time"; I know how people are... :-)
>
> FTP_PASSIVE_MODE being set by default on login shells was induced by an addition to login.conf(5) back in late 2001 (around the time of RELENG_6). See revision 1.45 (not 1.44!) of src/etc/login.conf in cvsweb.
>
> But I'll remind people that login.conf only applies to login shells; logging in on the console, or logging in to an account via "ssh [EMAIL PROTECTED]". Most people I know of *do not* SSH into their servers as root; they SSH in as themselves and use sudo. Some use su2, and some use su.

Root ssh access is disabled on this machine. I login as a normal user, and then use sudo. The only time I use su is when sudo does not work (another question for another day!)

> Let's examine the behaviours:
>
> $ env | grep FTP
> FTP_PASSIVE_MODE=YES
>
> As you can see here, the machine I've SSH'd into as myself does apply login.conf's defaults. But...
>
> $ sudo -s
> # env | grep FTP
> # exit
> $ sudo -i
> # env | grep FTP
> #

H'mmm... yes. This is true on my machine, too.

> The above scenario (as root) fails, since the FTP_PASSIVE_MODE environment variable isn't being handed down from the login shell (my user account) to the root shell spawned by sudo[1].
>
> su, on the other hand, does it a little differently:
>
> $ su
> Password:
> # env | grep FTP
> FTP_PASSIVE_MODE=YES
>
> And likewise, "su -l" behaves the same way.

Yes... although I must say I'm confused by this behavior... In fact, it's the exact opposite of what I'd expect... from the su man pages:

-l   Simulate a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified as above. USER is set to the target login. PATH is set to ``/bin:/usr/bin''.

So why isn't the FTP environment variable discarded?

> The OP did not disclose how he was installing ports. A lot of users think that packages == ports, so for all we know, he could be pkg_add'ing things while using sudo and running into this.

I believe I am using ports. In this case, I had just installed and configured PF (the first thing I do, now, when building a new machine.)

I then wanted to install NTP:

cd /usr/ports/net/ntp
make config; make install clean

This failed because the mirrors were not accessible.

> If "make fetch" in an actual port is timing out, then he's either doing it on a machine with a ports tree prior to 2006/09/20 (see above), or his outbound pf rules are so strict that the machine is absurdly limited.

The machine has Production Release 7.0

My outbound PF rules are fairly loose. Inbound are very tight. This is going to be a database server with 1 user. It's going to be running one Ruby application that will accept new dat
Re: Firewall and FreeBSD ports
> problem: I can no longer install software with ports (i.e, the
> /usr/ports collection.) I have to disable PF to do so. Obviously not a
> great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from

FTP or HTTP.

If you have an HTTP proxy like squid in your network, do:

export http_proxy=http://yourproxy:port
export ftp_proxy=http://yourproxy:port
Re: Firewall and FreeBSD ports
On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> On Fri, 10 Oct 2008 09:51:16 -0700
> Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
>
> > On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > > I just set up a new server with a very restricted PF configuration.
> > > One problem: I can no longer install software with ports (i.e,
> > > the /usr/ports collection.) I have to disable PF to do so.
> > > Obviously not a great solution.
> > >
> > > Am I correct in guessing that ports uses FTP to grab source files
> > > from mirrors? I'm trying to figure out the smallest number of ports
> > > (the TCP/IP kind) that I need to open in my firewall. I don't want
> > > to enable incoming FTP requests, but do want to allow outgoing ftp
> > > requests, I believe.
> > >
> > > Am I on the right track, here?
> >
> > See the fetch(1) man page. Try this first:
> >
> > sh/bash: export FTP_PASSIVE_MODE=true
> > csh: setenv FTP_PASSIVE_MODE true
>
> passive ftp has been the default for long time, fetch is called
> with the -p option.

Let's give the users some actual detail, not terse one-liners which will induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT default to using FTP passive mode. You have to either pass the -p option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force passive mode. This will be used for things like "make fetch". It *will not* be used for things like "pkg_add -r" or "pkg_add ftp://...";

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk was applied to HEAD on 2006/09/20. HEAD at that time is what became FreeBSD 6.2. Of course, anyone updating their ports tree after that date would also get the change; I'm just pointing it out so people know what the actual date was when -p was added to the default argument list.

Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure someone will try to argue "that's also been turned on by default for a long time"; I know how people are... :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an addition to login.conf(5) back in late 2001 (around the time of RELENG_6). See revision 1.45 (not 1.44!) of src/etc/login.conf in cvsweb.

But I'll remind people that login.conf only applies to login shells; logging in on the console, or logging in to an account via "ssh [EMAIL PROTECTED]". Most people I know of *do not* SSH into their servers as root; they SSH in as themselves and use sudo. Some use su2, and some use su.

Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply login.conf's defaults. But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#

The above scenario (as root) fails, since the FTP_PASSIVE_MODE environment variable isn't being handed down from the login shell (my user account) to the root shell spawned by sudo[1].

su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, "su -l" behaves the same way.

The OP did not disclose how he was installing ports. A lot of users think that packages == ports, so for all we know, he could be pkg_add'ing things while using sudo and running into this.

If "make fetch" in an actual port is timing out, then he's either doing it on a machine with a ports tree prior to 2006/09/20 (see above), or his outbound pf rules are so strict that the machine is absurdly limited.

I've advocated in another thread my displeasure for filtering outbound traffic *solely* because of this exact scenario. Network admins seem to think that "oh, HTTP is always going to use port 80", and likewise, "oh, FTP is always going to use ports 20-21". Bzzzt. Nothing stops a MASTER_SITE from being http://lelele.com:9382/.

[1]: The problem with sudo can be addressed; FTP_PASSIVE_MODE needs to be added to the env_keep list in the default sudoers file. I know the port maintainer, so I'll take this up with him so that users (including myself) don't keep getting bit by forgetting to set FTP_PASSIVE_MODE after doing a sudo.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 09:51:16 -0700
Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

> On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > I just set up a new server with a very restricted PF configuration.
> > One problem: I can no longer install software with ports (i.e,
> > the /usr/ports collection.) I have to disable PF to do so.
> > Obviously not a great solution.
> >
> > Am I correct in guessing that ports uses FTP to grab source files
> > from mirrors? I'm trying to figure out the smallest number of ports
> > (the TCP/IP kind) that I need to open in my firewall. I don't want
> > to enable incoming FTP requests, but do want to allow outgoing ftp
> > requests, I believe.
> >
> > Am I on the right track, here?
>
> See the fetch(1) man page. Try this first:
>
> sh/bash: export FTP_PASSIVE_MODE=true
> csh: setenv FTP_PASSIVE_MODE true

passive ftp has been the default for long time, fetch is called with the -p option.

If you have access to an http-proxy that supports ftp requests over http, fetch can use that. Alternately you can probably avoid ftp altogether by setting:

MASTER_SORT_REGEX?= ^http:

in make.conf
Re: Firewall and FreeBSD ports
On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> I just set up a new server with a very restricted PF configuration. One
> problem: I can no longer install software with ports (i.e, the
> /usr/ports collection.) I have to disable PF to do so. Obviously not a
> great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from
> mirrors? I'm trying to figure out the smallest number of ports (the
> TCP/IP kind) that I need to open in my firewall. I don't want to enable
> incoming FTP requests, but do want to allow outgoing ftp requests, I
> believe.
>
> Am I on the right track, here?

See the fetch(1) man page. Try this first:

sh/bash: export FTP_PASSIVE_MODE=true
csh: setenv FTP_PASSIVE_MODE true

Chances are this will address the problem for you.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Firewall and FreeBSD ports
I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e, the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.

Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.

Am I on the right track, here?

Thanks: John