Date: Fri, 7 Mar 2014 22:55:37 +0100
From: "O. Hartmann"
To: Allan Jude
Cc: freebsd-current@freebsd.org
Subject: Re: ipfw: fetch doesn't reach ftp://fttp.sites.foo
Message-ID: <20140307225537.3c672d34.ohartman@zedat.fu-berlin.de>
In-Reply-To: <531A2D23.30907@allanjude.com>
List-Id: Discussions about the use of FreeBSD-current

On Fri, 07 Mar 2014 15:33:39 -0500
Allan Jude wrote:

> On 2014-03-07 13:57, O. Hartmann wrote:
> >
> > Recently I switched from pf to ipfw on some CURRENT boxes and for convenience I used
> > the "workstation" predefinition of FreeBSD. But with that change, all access of ports
> > via fetch located at ftp-sites stopped passing the filter.
> >
> > Even switching to "open" doesn't help and this is confusing me.
> >
> > The CURRENT box in question is passing its traffic within a LAN through a gateway
> > running also FreeBSD CURRENT, but with pf. The gateway is performing NAT. As long as
> > the failing client behind the gateway system is using pf as the filter, the traffic
> > for ftp seems to pass through. On the gateway with pf as the default filter, the
> > ports fetching via ftp-site their sources perform without problems.
> >
> > What is up with IPFW?
> >
> > Is there a solution? I tried to search google for "freebsd ipfw ftp" but I didn't find
> > anything suitable targeting my problem or any problem of that kind.
> >
> >
> > Thanks in advance,
> >
> > Oliver
> >
>
> What error does fetch give? Is it having problems with DNS, connection
> to the FTP site, or just making the FTP DATA connection? Have you tried
> with 'passive' mode on/off?
>

The box doesn't have problems contacting any DNS.
Fetch gives the shown "errors" or simple timeouts. Either manually or via portmaster to
update ports like the one shown below. The very same port has no problems on the system
having pf instead of ipfw.

I will switch back to pf on the box in question to check whether the choice of firewall
really makes the difference.

This is what I get when setting passive mode (it doesn't change anything from "active"
mode):

root@thor: [pciids] setenv FTP_PASSIVE_MODE YES
root@thor: [pciids] make fetch
===> License BSD3CLAUSE GPLv2 GPLv3 accepted by the user
===> pciids-20140301 depends on file: /usr/local/sbin/pkg - found
=> pciids-20140301.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
fetch: http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz: Not Found
=> Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz: No route to host
=> Attempting to fetch ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
fetch: ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz: No route to host
=> Attempting to fetch ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
fetch: ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz: No route to host
=> Attempting to fetch ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
fetch: transfer timed out