Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-04 Thread Kelly D. Grills
On Fri, Mar 02, 2007 at 09:12:31AM -0500, Don Munyak wrote:
 
 How do I set|view env for root?..., specifically FTP_PASSIVE_MODE=YES

See su(1), specifically the -l option. See the man page for whatever
shell you run as root.

 OT... Kelley, btw...Baxter is cool :) I had a Pekingese once. For
 Halloween, I shaved off all her hair except for a 2 mohawk
 head-2-tail. I'll have to find the picture to send you some day.

Yeah, he's a good pup, my daughter dressed him up for the superbowl.
I bet your Peke wasn't real happy with you. <g>

-- 
Kelly D. Grills





Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-02 Thread Don Munyak

On 3/1/07, Kelly D. Grills wrote:

On Thu, Mar 01, 2007 at 04:10:11PM -0500, Don Munyak wrote:

As I hinted at in my original response, if you'd rather keep your
firewall rules tighter, pkg_add(1) says:

Note: If you wish to use passive mode ftp in such transfers, set
the variable FTP_PASSIVE_MODE to some value in your environment.



Ahh... now I see what you're saying.

I have my server set up to disallow root login from the console. I log in
as a user, then su to root. When I run # printenv | sort, this displays
the env variables for me, not root.

How do I set|view env for root?..., specifically FTP_PASSIVE_MODE=YES

--
OT... Kelley, btw...Baxter is cool :) I had a Pekingese once. For
Halloween, I shaved off all her hair except for a 2 mohawk
head-2-tail. I'll have to find the picture to send you some day.
Thanks.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-01 Thread Chris Slothouber

Ahh, totally makes sense.

Sorry for the misguided reply; it was late and I thought there had been
kernel changes with ipf in 6.2, but in fact that was ipfw.


Glad to hear you figured this out!

- Chris

Don Munyak wrote:

Apart from updating to a newer version, I don't see how upgrading to
6.2 will make a difference. Anyway, thanks for taking the time to
reply.

However, the solution is as follows.
Incidentally, this had nothing to do with pkg_add
and everything to do with FTP and IPFILTER.

===
Diagnosis...

{IPMON results}
# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which
I was not initially allowing.  ipf was blocking outbound due to this
rule. This is a known issue with ftp client sessions using active mode
when behind a firewall.

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

Solution:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

section 26.5.21.1 IPNAT Rules {or}
section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This probably isn't a major issue
for me, since the server will be located behind a border (LAN)
firewall.  Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state


{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state


{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state



For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don


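Added example (not part of the thread, and not FreeBSD's or IPFilter's own code): a small Python model of IPFilter first-match evaluation for the "before" and "after" rulesets Don posted, run over his four ipmon lines (copied in with the "->" the archive stripped). It shows that the logged outbound SYNs to high remote ports fall through to the "block out ... all" rule in the original set and match "port > 1024" in the revised one. The model makes two limits explicit: only quick rules are supported (so first match wins), and no state table is kept, so it judges the first SYN of a connection only. One caveat worth seeing in code: in ipf "to any port = 20" constrains the destination port, while a data connection that the remote FTP server opens itself (active mode, RFC 959) comes from the server's port 20 to a high port on the client. The constructed inbound packet at the end exercises that case; its addresses and ports are assumptions, and with no "block in" rule in the excerpt it falls through to IPFilter's compiled-in default of pass.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four ipmon(8) lines from the thread (constructed copy, "->" restored).
IPMON_LINES = """\
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
"""

# The "before" and "after" rulesets from the thread.  Only "quick" rules are
# modelled, so evaluation is first-match; "keep state" is parsed but no state
# table is kept, so only the first SYN of a connection is judged here.
ORIGINAL_RULES = """\
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
block out log first quick on em0 all
"""
REVISED_RULES = """\
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state
block out log first quick on em0 all
"""

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters as ipmon prints them, e.g. "S" or "AP"

# Assumed (constructed) packet: an active-mode data connection that the remote
# FTP server opens from its port 20 to a high port on the client.
ACTIVE_MODE_DATA_SYN = Packet("em0", "in", "tcp", "204.152.184.73", 20,
                              "192.168.222.69", 50000, "S")

IPMON_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @\S+ [bp] "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)$")

def parse_ipmon(line: str) -> Packet:
    """Parse one ipmon line; the logged verdict is ignored and recomputed."""
    m = IPMON_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ipmon line: %r" % line)
    return Packet(m["iface"], m["dir"].lower(), m["proto"], m["src"],
                  int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?: log(?: first)?)? quick on "
    r"(?P<iface>\S+) (?:(?P<all>all)|proto (?P<proto>\w+) from any to any"
    r"(?: port (?P<op>[=<>]) (?P<port>\d+))?(?: flags (?P<flags>[A-Z]+))?"
    r"(?: keep state)?)$")

def rule_matches(rule, pkt: Packet) -> bool:
    """IPFilter matching semantics for the modelled subset of rule syntax."""
    if rule["dir"] != pkt.direction or rule["iface"] != pkt.iface:
        return False
    if rule["all"]:
        return True
    if rule["proto"] != pkt.proto:
        return False
    if rule["op"]:  # "to any port OP N" constrains the destination port only
        n = int(rule["port"])
        if not {"=": pkt.dport == n, ">": pkt.dport > n, "<": pkt.dport < n}[rule["op"]]:
            return False
    if rule["flags"] == "S":  # shorthand for S/SA: SYN set and ACK clear
        if "S" not in pkt.flags or "A" in pkt.flags:
            return False
    return True

def evaluate(ruleset: str, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule text).  First quick match wins; with no match
    IPFilter's compiled-in default is pass, reported here as rule None."""
    for text in ruleset.splitlines():
        text = text.strip()
        if not text or text.startswith("#"):
            continue
        m = RULE_RE.match(text)
        if m is None:
            raise ValueError("rule outside the modelled subset: %r" % text)
        if rule_matches(m, pkt):
            return m["action"], text
    return "pass", None

def verdicts(ruleset: str, log: str = IPMON_LINES) -> List[str]:
    """Verdict for every logged SYN under the given ruleset."""
    return [evaluate(ruleset, parse_ipmon(l))[0] for l in log.splitlines() if l.strip()]

if __name__ == "__main__":
    for line in IPMON_LINES.splitlines():
        p = parse_ipmon(line)
        print("%s:%d -> %s:%d  before=%s  after=%s" % (
            p.src, p.sport, p.dst, p.dport,
            evaluate(ORIGINAL_RULES, p), evaluate(REVISED_RULES, p)))
    print("server-initiated data SYN under revised rules:",
          evaluate(REVISED_RULES, ACTIVE_MODE_DATA_SYN))
```

Run it directly to print both verdicts for each logged packet. The rule regex deliberately rejects anything outside the syntax used in the thread rather than guessing at IPFilter semantics it does not model.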


Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-01 Thread Kelly D. Grills
On Thu, Mar 01, 2007 at 04:10:11PM -0500, Don Munyak wrote:
 
 My server was opening an additional session using ports > 1024, which
 I was not initially allowing.  ipf was blocking outbound due to this
 rule. This is a known issue with ftp client sessions using active mode
 when behind a firewall.
 

As I hinted at in my original response, if you'd rather keep your
firewall rules tighter, pkg_add(1) says:

Note: If you wish to use passive mode ftp in such transfers, set
the variable FTP_PASSIVE_MODE to some value in your environment.

Otherwise, the more standard ACTIVE mode may be used.  If pkg_add
consistently fails to fetch a package from a site known to work,
it may be because you have a firewall that demands the usage of
passive mode ftp.

-- 
Kelly D. Grills


