Date: Fri, 07 Mar 2014 17:51:11 -0500
From: Allan Jude <freebsd@allanjude.com>
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc: freebsd-current@freebsd.org
Subject: Re: ipfw: fetch doesn't reach ftp://fttp.sites.foo
Message-ID: <531A4D5F.9080401@allanjude.com>
In-Reply-To: <20140307225537.3c672d34.ohartman@zedat.fu-berlin.de>
References: <20140307195719.654653c9.ohartman@zedat.fu-berlin.de> <531A2D23.30907@allanjude.com> <20140307225537.3c672d34.ohartman@zedat.fu-berlin.de>

On 2014-03-07 16:55, O. Hartmann wrote:
> On Fri, 07 Mar 2014 15:33:39 -0500
> Allan Jude <freebsd@allanjude.com> wrote:
>
>> On 2014-03-07 13:57, O. Hartmann wrote:
>>>
>>> Recently I switched from pf to ipfw on some CURRENT boxes and for convenience I used
>>> the "workstation" predefinition of FreeBSD. But with that change, all access of ports
>>> via fetch located at ftp-sites stopped passing the filter.
>>>
>>> Even switching to "open" doesn't help and this is confusing me.
>>>
>>> The CURRENT box in question is passing its traffic within a LAN through a gateway
>>> running also FreeBSD CURRENT, but with pf. The gateway is performing NAT. As long as
>>> the failing client behind the gateway system is using pf as the filter, the traffic
>>> for ftp seems to pass through. On the gateway with pf as the default filter, the
>>> ports fetching via ftp-site their sources perform without problems.
>>>
>>> What is up with IPFW?
>>>
>>> Is there a solution? I tried to search google for "freebsd ipfw ftp" but I didn't find
>>> anything suitable targeting my problem or any problem of that kind.
>>>
>>>
>>> Thanks in advance,
>>>
>>> Oliver
>>>
>>
>> What error does fetch give? Is it having problems with DNS, connection
>> to the FTP site, or just making the FTP DATA connection? Have you tried
>> with 'passive' mode on/off?
>>
> The box doesn't have problems contacting any DNS.
>
> Fetch gives the shown "errors" or simple timeouts. Either manually or via portmaster to
> update ports like the one shown below.
>
> The very same port has no problems on the system having pf instead of ipfw.
>
> I will switch back to pf on the box in question to check whether the choice of firewall
> really makes the difference.
>
> This is what I get when setting passive mode (it doesn't change anything from "active"
> mode):
>
> root@thor: [pciids] setenv FTP_PASSIVE_MODE YES
>
> root@thor: [pciids] make fetch
> ===> License BSD3CLAUSE GPLv2 GPLv3 accepted by the user
> ===> pciids-20140301 depends on file: /usr/local/sbin/pkg - found
> => pciids-20140301.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch
> http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> Not Found => Attempting to fetch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch: transfer timed out
>

'no route to host' suggests it might be trying to do ipv6

--
Allan Jude
