Date: Mon, 27 Mar 2017 14:48:12 -0400
Subject: Reconfigure ezjail to use https
From: "James B. Byrne"
To: freebsd-questions@freebsd.org
Reply-To: byrnejb@harte-lyne.ca

I am having a problem with ezjail's choice of ftp as its default mechanism for obtaining FreeBSD install and update data. Specifically with our pf firewall blocking it.

I have attempted to get the ftp-proxy solution working but, as usual, the documentation ceases to be helpful before a working solution is arrived at.

    pass out proto tcp from $proxy to any port ftp

where $proxy expands to the address the proxy daemon is bound to.

The difficulty being that the example previously has shown this:

    nat-anchor "ftp-proxy/*"
    rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

with nary a mention of $proxy. It would have been a LOT clearer had the example done something like this instead (if indeed this is what is meant):

    proxy = 127.0.0.1
    nat-anchor "ftp-proxy/*"
    rdr pass on $int_if proto tcp from any to any port ftp -> $proxy port 8021

Which would at least have been consistent. However, I cannot get this to work either.

In any case ftp is not what I would prefer to use. However, the documentation respecting changing /usr/local/etc/ezjail.conf so that the protocol used is likewise either misleading or wrong.

If I do this:

    ezjail-admin install -h https://download.freebsd.org/ftp/releases/amd64/11.0-RELEASE

Then I see this:

    Could not fetch base from https://download.freebsd.org/ftp/releases/amd64/11.0-RELEASE.
    Maybe your release (11.0-RELEASE) is specified incorrectly or the host download.freebsd.org/ftp/releases/amd64/11.0-RELEASE does not provide that release build.
    Use the -r option to specify an existing release or the -h option to specify an alternative ftp server.

However, if I do this:

    wget https://download.freebsd.org/ftp/releases/amd64/11.0-RELEASE/base.txz

Then I see this:

    --2017-03-27 14:46:01-- https://download.freebsd.org/ftp/releases/amd64/11.0-RELEASE/base.txz
    Resolving download.freebsd.org (download.freebsd.org)... 96.47.72.72, 2610:1c1:1:606c::15:0
    Connecting to download.freebsd.org (download.freebsd.org)|96.47.72.72|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 96364744 (92M) [application/octet-stream]
    Saving to: 'base.txz'

Clearly https://download.freebsd.org/ftp/releases/amd64/11.0-RELEASE is a valid protocol, host and path. Why then does ezjail not use it?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3