Re: Fwd: IPF (ftp - pkg_add) help requested
On Fri, Mar 02, 2007 at 09:12:31AM -0500, Don Munyak wrote:
>
> How do I set|view env for root?..., specifically FTP_PASSIVE_MODE=YES

See su(1), specifically the -l option. See the man page for whatever
shell you run as root.

> OT... Kelley, btw...Baxter is cool :) I had a Pekingese once. For
> Halloween, I shaved off all her hair except for a 2" mohawk
> head-2-tail. I'll have to find the picture to send you some day.

Yeah, he's a good pup, my daughter dressed him up for the Super Bowl.
I bet your peek wasn't real happy with you.

--
Kelly D. Grills
[EMAIL PROTECTED]
Re: Fwd: IPF (ftp - pkg_add) help requested
On 3/1/07, Kelly D. Grills <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 01, 2007 at 04:10:11PM -0500, Don Munyak wrote:
>
> As I hinted at in my original response, if you'd rather keep your
> firewall rules tighter, pkg_add(1) says:
>
>   Note: If you wish to use passive mode ftp in such transfers, set the
>   variable FTP_PASSIVE_MODE to some value in your environment.

ahh... now I see what you're saying.

I have my server set up to disallow root login from console. I login as
user, then su to root. When I run

  # printenv | sort

this displays the env variables for me, not root.

How do I set|view env for root?..., specifically FTP_PASSIVE_MODE=YES

--
OT... Kelley, btw...Baxter is cool :) I had a Pekingese once. For
Halloween, I shaved off all her hair except for a 2" mohawk
head-2-tail. I'll have to find the picture to send you some day.

Thanks.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Fwd: IPF (ftp - pkg_add) help requested
On Thu, Mar 01, 2007 at 04:10:11PM -0500, Don Munyak wrote:
>
> My server was opening an additional session using ports > 1024, which
> I was not initially allowing. ipf was blocking outbound due to this
> rule. This is a known issue with ftp client sessions using active mode
> when behind a firewall.
>

As I hinted at in my original response, if you'd rather keep your
firewall rules tighter, pkg_add(1) says:

  Note: If you wish to use passive mode ftp in such transfers, set the
  variable FTP_PASSIVE_MODE to some value in your environment.
  Otherwise, the more standard ACTIVE mode may be used. If pkg_add
  consistently fails to fetch a package from a site known to work, it
  may be because you have a firewall that demands the usage of passive
  mode ftp.

--
Kelly D. Grills
[EMAIL PROTECTED]
Re: Fwd: IPF (ftp - pkg_add) help requested
Ahh, totally makes sense. Sorry for the misguided reply, it was late and
I thought there had been kernel changes with ipf in 6.2 but in fact that
was ipfw. Glad to hear you figured this out!

- Chris

Don Munyak wrote:
> Apart from updating to a newer version, I don't see how upgrading to
> 6.2 will make a difference. Anyway, thanks for taking the time to
> reply. However, the solution is as follows. Incidentally, this had
> nothing to do with pkg_add and everything to do with FTP and IPFILTER.
>
> ===
> Diagnosis... {IPMON results}
>
> # ipmon
> 01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
>
> My server was opening an additional session using ports > 1024, which
> I was not initially allowing. ipf was blocking outbound due to this
> rule. This is a known issue with ftp client sessions using active mode
> when behind a firewall.
>
> # Block and Log the first occurrence of everything else
> block out log first quick on em0 all
>
> Solution
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
> section 26.5.21.1 IPNAT Rules {or}
> section 26.5.21.2 IPNAT FTP Filter Rules
>
> I chose 26.5.21.2 for simplicity. This probably isn't a major issue for
> me, since the server will be located behind a border (LAN) firewall.
>
> Basically changed:
>
> # Allow ftp out
> pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
> pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
>
> { to...}
>
> # Allow ftp out
> pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
> pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state
>
> { and added }
>
> #Allow Active mode data channel from ftp server
> pass in quick on em0 proto tcp from any to any port = 20 flags S keep state
>
> For good reading {Official IPF home page}
> http://coombs.anu.edu.au/~avalon/ip-filter.html
>
> Don
Fwd: IPF (ftp - pkg_add) help requested
Apart from updating to a newer version, I don't see how upgrading to
6.2 will make a difference. Anyway, thanks for taking the time to
reply. However, the solution is as follows. Incidentally, this had
nothing to do with pkg_add and everything to do with FTP and IPFILTER.

===
Diagnosis... {IPMON results}

# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which
I was not initially allowing. ipf was blocking outbound due to this
rule. This is a known issue with ftp client sessions using active mode
when behind a firewall.

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

Solution
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
section 26.5.21.1 IPNAT Rules {or}
section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This probably isn't a major issue for
me, since the server will be located behind a border (LAN) firewall.

Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state

For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don
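The diagnosis in the message above, replayed as an added example (this is not code from the thread or from the IPFilter project): a short Python script parses the four ipmon(8) lines Don posted, plus one constructed blocked HTTP line for contrast, evaluates each against a simplified model of his "before" and "after" outbound rule sets, and flags the pattern he identified, a blocked outbound TCP SYN to a port above 1024. The rule matcher is an assumption-laden simplification of ipf(5): all the rules shown carry `quick`, so first match wins; only direction, protocol and destination port are compared; `keep state`, `flags S` and `log first` are not modelled; and the `pass` fallback when no rule matches reflects ipf's default for uncovered packets. The sample HTTP line and its 192.0.2.10 address are constructed.

```python
"""Replay the ipmon(8) lines from this thread against the before/after ipf rule sets.

Added example for this thread, not code from the original messages. The rule matcher
is a deliberately minimal model of ipf(5): every rule here carries 'quick', so the
first match wins; only direction, protocol and destination port are compared, and
'keep state', 'flags S' and 'log first' are not modelled.
"""
import re
from typing import Optional

# One ipmon(8) log line, e.g.
# 01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<flags>\S+) (?P<dir>IN|OUT)$"
)

# Constructed sample input: the four blocked lines quoted in the thread, plus one
# made-up blocked HTTP request (192.0.2.10 is documentation address space) to show
# that the heuristic below does not fire on every blocked packet.
SAMPLE_LOG = """\
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
01/03/2007 15:05:01.000000 em0 @0:17 b 192.168.222.69,50001 -> 192.0.2.10,80 PR tcp len 20 48 -S OUT
"""

# Rule model: (action, direction, protocol or None for 'all', (operator, port) or None).
# "from any to any port = 20" in ipf.rules tests the destination port.
BEFORE_RULES = [
    ("pass", "OUT", "tcp", ("=", 20)),     # pass out quick on em0 proto tcp ... port = 20
    ("pass", "OUT", "tcp", ("=", 21)),     # pass out quick on em0 proto tcp ... port = 21
    ("block", "OUT", None, None),          # block out log first quick on em0 all
]
AFTER_RULES = [
    ("pass", "OUT", "tcp", ("=", 21)),     # control channel to the FTP server
    ("pass", "OUT", "tcp", (">", 1024)),   # client-initiated data channel to a high port
    ("pass", "IN", "tcp", ("=", 20)),      # active-mode data channel from server port 20
    ("block", "OUT", None, None),          # unchanged catch-all
]
PORT_OPS = {"=": lambda got, want: got == want, ">": lambda got, want: got > want}


def parse_ipmon(line: str) -> Optional[dict]:
    """Parse one ipmon line into a dict; return None for lines in another format."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "hlen", "plen"):
        pkt[key] = int(pkt[key])
    return pkt


def first_match(rules, pkt: dict) -> str:
    """Return the action of the first matching quick rule ('pass' if none matches,
    which is ipf's behaviour for a packet no rule covers)."""
    for action, direction, proto, port_test in rules:
        if direction != pkt["dir"]:
            continue
        if proto is not None and proto != pkt["proto"]:
            continue
        if port_test is not None and not PORT_OPS[port_test[0]](pkt["dport"], port_test[1]):
            continue
        return action
    return "pass"


def looks_like_ftp_data_block(pkt: dict) -> bool:
    """The pattern from the thread: a blocked outbound TCP SYN to an ephemeral (>1024)
    port, i.e. an FTP data channel rejected by the catch-all rule."""
    return (pkt["action"] == "b" and pkt["dir"] == "OUT" and pkt["proto"] == "tcp"
            and pkt["dport"] > 1024 and "S" in pkt["flags"])


def replay(log: str, rules) -> list:
    """Evaluate each parseable log line against a rule set."""
    results = []
    for line in log.splitlines():
        pkt = parse_ipmon(line)
        if pkt is None:
            continue
        results.append({
            "flow": f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}',
            "logged": pkt["action"],
            "verdict": first_match(rules, pkt),
            "ftp_data_suspect": looks_like_ftp_data_block(pkt),
        })
    return results


if __name__ == "__main__":
    for label, rules in (("before", BEFORE_RULES), ("after", AFTER_RULES)):
        print(f"--- {label} ---")
        for r in replay(SAMPLE_LOG, rules):
            flag = " (likely FTP data channel)" if r["ftp_data_suspect"] else ""
            print(f'{r["flow"]:45} {r["verdict"]}{flag}')
```

Run against the sample, all four logged flows are blocked under the old rules and passed by the `port > 1024` rule under the new ones, while the constructed port-80 line stays blocked in both, which is what the log-first catch-all should still be doing for anything the loosened FTP rules do not cover.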