Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-04 Thread Kelly D. Grills
On Fri, Mar 02, 2007 at 09:12:31AM -0500, Don Munyak wrote:
 
> How do I set|view env for root?..., specifically FTP_PASSIVE_MODE=YES

See su(1), specifically the -l option. See the man page for whatever
shell you run as root.

> OT... Kelley, btw...Baxter is cool :) I had a Pekingese once. For
> Halloween, I shaved off all her hair except for a 2 mohawk
> head-2-tail. I'll have to find the picture to send you some day.

Yeah, he's a good pup, my daughter dressed him up for the superbowl.
I bet your peek wasn't real happy with you. g

-- 
Kelly D. Grills
[EMAIL PROTECTED]





Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-02 Thread Don Munyak

On 3/1/07, Kelly D. Grills [EMAIL PROTECTED] wrote:

> On Thu, Mar 01, 2007 at 04:10:11PM -0500, Don Munyak wrote:
>
> As I hinted at in my original response, If you'd rather keep your
> firewall rules tighter, pkg_add(1) says:
>
> Note: If you wish to use passive mode ftp in such transfers, set
> the variable FTP_PASSIVE_MODE to some value in your environment.



ahh... now I see what you're saying.

I have my server set up to disallow root login from console. I log in as
user, then su to root. When I run # printenv |sort, this displays the
env variable for me, not root.

How do I set|view env for root?..., specifically FTP_PASSIVE_MODE=YES

--
OT... Kelley, btw...Baxter is cool :) I had a Pekingese once. For
Halloween, I shaved off all her hair except for a 2 mohawk
head-2-tail. I'll have to find the picture to send you some day.
Thanks.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


IPF (ftp - pkg_add) help requested

2007-03-01 Thread Don Munyak

I am building a FreeBSD box to function as a FAMP server (LAMP) and
hopefully replace our existing mail server. I am having an issue with
IPF that I can't seem to figure out.

*** When IPF is enabled, I can't run # pkg_add -r <package name>.

{...snip from local console..}
p0069# pkg_add -rv bash
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
setting passive mode
opening data connection
Error: FTP Unable to get
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/bash.tbz:
Network is unreachable
pkg_add: unable to fetch
'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/bash.tbz'
by URL
pkg_add: 1 package addition(s) failed
{...end-snip..}

*** When I disable ipf -D, all works fine.

IPF was compiled in the kernel when I did a buildworld.

p0069# uname -a
FreeBSD p0069.bm.local 6.1-RELEASE-p12 FreeBSD 6.1-RELEASE-p12 #0: Thu
Feb  8 13:55:26 EST 2007
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/WEBSERVER  i386
p0069#

When I issue ipfstat -ho, after pkg_add -r, the following lines increment
- pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
- pass out quick on em0 proto udp from any to any port = 53 keep state
- block out log first quick on em0 all

# --
# /etc/ipf.rules
# logged to /var/log/firewall.log
# 02/28/2007
# --

# --
# EGRESS filtering
# --

# No restriction on Loopback Adapter
pass in quick on lo0 all
pass out quick on lo0 all

# DHCP Bootp
# pass out quick on em0 proto udp from any to any port = 67 keep state
# pass out quick on em0 proto udp from any to any port = 68 keep state

# ICMP
pass out quick on em0 proto icmp from any to any keep state

# Allow out http
pass out quick on em0 proto tcp from any to any port = 80 flags S keep state
pass out quick on em0 proto tcp from any to any port = 443 flags S keep state

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

# Allow mail out
pass out quick on em0 proto tcp from any to any port = 110 flags S keep state
pass out quick on em0 proto tcp from any to any port = 143 flags S keep state
pass out quick on em0 proto tcp from any to any port = 25 flags S keep state

# Allow SSH Out
pass out quick on em0 proto tcp from any to any port = 22 flags S keep state

# Allow DNS
pass out quick on em0 proto udp from any to any port = 53 keep state
pass out quick on em0 proto tcp from any to any port = 53 flags S keep state

# Allow CVSUP
pass out quick on em0 proto tcp from any to any port = 5999 flags S keep state

# Keeping time
pass out quick on em0 proto tcp from any to any port = 37 flags S keep state
pass out quick on em0 proto tcp from any to any port = 123 flags S keep state

# Allow whois
pass out quick on em0 proto tcp from any to any port = 43 flags S keep state

# Razor & SpamAssassin
# more later

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

# -
# INGRESS Filtering
# 

# Block all inbound traffic from non-routable or reserved networks
# block in quick on em0 from 192.168.0.0/16 to any
block in quick on em0 from 172.16.0.0/12 to any
block in quick on em0 from 10.0.0.0/8 to any
block in quick on em0 from 127.0.0.0/8 to any
block in quick on em0 from 0.0.0.0/8 to any
block in quick on em0 from 169.254.0.0/16 to any
# block in quick on em0 from 192.0.2.0/24 to any
block in quick on em0 from 204.153.64.0/23 to any
block in quick on em0 from 224.0.0.0/3 to any

# Block in Nasties
# stuff I don't want logged
block in quick on em0 proto icmp all icmp-type 8
block in quick on em0 all with frags
block in quick on em0 all with ipopts
block in quick on em0 all with short
# block return-rst in quick on em0 proto tcp all flags FUP
# block return-rst in quick on em0 proto tcp from any to any
# block return-icmp-as-dest(port-unr) in quick on em0 proto udp from any to any

# Block all Netbios server. 137=name, 138=datagram, 139=session
block in log first quick on em0 proto tcp/udp from any to any port = 137
block in log first quick on em0 proto tcp/udp from any to any port = 138
block in log first quick on em0 proto tcp/udp from any to any port = 139
block in log first quick on em0 proto tcp/udp from any to any port = 81

# Allow in http/https
pass in quick on em0 proto tcp from any to any port = 80 flags S keep state
pass in quick on em0 proto tcp from any to any port = 443 flags S keep state

# allow incoming SSH
pass in quick on em0 proto tcp from any to any port = 22 flags S keep state

# SMTP/POP/IMAP
pass in quick on em0 proto tcp from any to any port = 25 flags S keep state
pass in quick on em0 proto tcp from any to any port = 110 flags S keep state
pass in quick on em0 proto tcp from any to any port = 143 flags S keep state

# Anti-Virus
# more later

# All the rest
block in log first quick on em0 all

# - EOF 

Re: IPF (ftp - pkg_add) help requested

2007-03-01 Thread Chris Slothouber

I'd start by upgrading to 6.2



Fwd: IPF (ftp - pkg_add) help requested

2007-03-01 Thread Don Munyak

Apart from updating to a newer version, I don't see how upgrading to
6.2 will make a difference. Anyway, thanks for taking the time to
reply.

However, the solution is as follows.
Incidentally, this had nothing to do with pkg_add
And everything to do with FTP and IPFILTER.

===
Diagnosis...

{IPMON results}
# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which
I was not initially allowing.  ipf was blocking outbound due to this
rule. This is a known issue with ftp client sessions using active mode
when behind a firewall.

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

Solution 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
section 26.5.21.1 IPNAT Rules {or}
section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This probably isn't a major issue
for me, since the server will be located behind a border (LAN)
firewall.  Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state



For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don
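
Added example, not part of Don's post: a small Python parser for the ipmon records quoted above (each re-joined onto one line), which reads the `@group:rule` field and labels every blocked bare SYN by the FTP data-channel pattern its direction and ports fit. The regular expression covers only the record layout shown in the post, the labels are a port/direction heuristic, and all function and constant names are illustrative.

```python
import re
from collections import Counter

# The four ipmon records from the post above, each re-joined onto one line.
IPMON_LOG = """\
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
"""

# Layout of the records shown in the post; other ipmon formats are not covered.
RECORD = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<flags>-\S+) (?P<dir>IN|OUT)$"
)
PASSIVE = "client-initiated data connection (passive-mode pattern)"
ACTIVE = "server-initiated data connection (active-mode pattern)"
OTHER = "other"

def parse(line):
    """Return one ipmon record as a dict, or None if the line does not match."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Label a blocked, bare TCP SYN by the FTP data-channel pattern it fits."""
    flags = rec["flags"].lstrip("-")
    if rec["proto"] != "tcp" or rec["action"] != "b" or flags != "S":
        return OTHER
    if rec["dir"] == "OUT" and rec["sport"] > 1023 and rec["dport"] > 1023:
        return PASSIVE  # client dials the server's ephemeral data port
    if rec["dir"] == "IN" and rec["sport"] == 20 and rec["dport"] > 1023:
        return ACTIVE   # server dials back from ftp-data (port 20)
    return OTHER

def summarize(log_text):
    """Count records per (rule, remote host, label); also count unparsed lines."""
    hits, skipped = Counter(), 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        if rec is None:
            skipped += 1  # e.g. a record still wrapped across two lines
            continue
        remote = rec["dst"] if rec["dir"] == "OUT" else rec["src"]
        hits[(f"@{rec['group']}:{rec['rule']}", remote, classify(rec))] += 1
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = summarize(IPMON_LOG)
    for (rule, remote, label), n in sorted(hits.items()):
        print(f"{n}x rule {rule} -> {remote}: {label}")
    print(f"unparsed lines: {skipped}")
```

Grouping by rule number and remote host shows at a glance which rule is dropping the data channel and toward which servers.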


Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-01 Thread Chris Slothouber

Ahh, totally makes sense.

Sorry for the misguided reply, it was late and I thought there had been 
kernel changes with ipf in 6.2 but in fact that was ipfw.


Glad to hear you figured this out!

- Chris



Re: Fwd: IPF (ftp - pkg_add) help requested

2007-03-01 Thread Kelly D. Grills
On Thu, Mar 01, 2007 at 04:10:11PM -0500, Don Munyak wrote:
 
> My server was opening an additional session using ports > 1024, which
> I was not initially allowing.  ipf was blocking outbound due to this
> rule. This is a known issue with ftp client sessions using active mode
> when behind a firewall.
 

As I hinted at in my original response, If you'd rather keep your
firewall rules tighter, pkg_add(1) says:

Note: If you wish to use passive mode ftp in such transfers, set
the variable FTP_PASSIVE_MODE to some value in your environment.

Otherwise, the more standard ACTIVE mode may be used.  If pkg_add
consistently fails to fetch a package from a site known to work,
it may be because you have a firewall that demands the usage of
passive mode ftp.

-- 
Kelly D. Grills
[EMAIL PROTECTED]





Re: [FreeBSD] pkg_add help

2004-06-18 Thread Jerry McAllister
 
> Can someone point me in the right direction.
> I have a package I downloaded from FreeBSD.org thru Konqueror.
> It ends with .tbz
> I could not find this package in the ports collection
> thru stand/sysinstall
> My two questions are
> I need to extract this file Where
> And then how do I install, make install didn't work.

Presuming you downloaded the right version for the version of FreeBSD you
are on - .tbz files start in 5.,
try just putting it in /usr/local/whatever_the_name_is
and doing
  pkg_add whatever_the_name_is.tbz

jerry

 


[FreeBSD] pkg_add help

2004-06-17 Thread LW Ellis
Can someone point me in the right direction.
I have a package I downloaded from FreeBSD.org thru Konqueror.
It ends with .tbz
I could not find this package in the ports collection
thru stand/sysinstall
My two questions are
I need to extract this file Where
And then how do I install, make install didn't work.

Thanx in advance.
Later, 
Leon
A fanatic is one who can't change his mind and won't change the subject.
Sir Winston Churchill


Re: [FreeBSD] pkg_add help

2004-06-17 Thread Renato Marques
Hi,
Packages and ports are different.

A package is an already compiled application and you will use
pkg_add - To install
pkg_delete - To deinstall
pkg_info - To view packages that are installed.

so, you will install it using

pkg_add packagename.tbz




Re: [FreeBSD] pkg_add help

2004-06-17 Thread Philip Higgins
FreeBSD Handbook, Chapter 4. Read a little.



Working now [FreeBSD] pkg_add help

2004-06-17 Thread LW Ellis
I tried that, it kept telling me that it wasn't a package.
Went back and tried again, now it works...
Thanx Renato
Leon


pkg_add help

2003-07-27 Thread marlon corleone
should it be in the ports directory when running
pkg_add? like usr/ports/security/package

say the package is in the security category

or it's ok to run it in my home directory or should it
be in ports directory?

thanks



RE: pkg_add help

2003-07-27 Thread Derrick Ryalls
 
> should it be in the ports directory when running
> pkg_add? like usr/ports/security/package
>
> say the package is in the security category
>
> or it's ok to run it in my home directory or should it
> be in ports directory?
 

pkg_add can be run from anywhere, and the file.tgz can reside anywhere.
I usually just fetch the package to my home dir then su and pkg_add it.




Re: pkg_add help

2003-07-27 Thread Augusto Jun Devegili
If it's a port, say, /usr/ports/security/nmap, you should:

# cd /usr/ports/security/nmap
# make install clean

This will compile nmap and install it.

Regards,

Augusto Jun Devegili



pkg_add help

2003-01-06 Thread Douglas Denault
I am trying to install kde-3 via package add. I cannot because /var is filling
up. After a few attempts I tried:

pkg_add -p /usr/tmp -t /usr/tmp/instmp.XX -r kde

I can still watch /var/tmp fill up. I finally seemed to make things work by
setting PKG_TMPDIR. I guess I do not understand the purpose of the -p and -t
operands. Any pointers appreciated, I am quite lost on this.

_
Douglas Denault
[EMAIL PROTECTED]
Voice: 301-469-8766
  Fax: 301-469-0601


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message