From: Allan Jude
Date: Fri, 07 Mar 2014 17:51:11 -0500
To: "O. Hartmann"
Cc: freebsd-current@freebsd.org
Subject: Re: ipfw: fetch doesn't reach ftp://fttp.sites.foo

On 2014-03-07 16:55, O. Hartmann wrote:
> On Fri, 07 Mar 2014 15:33:39 -0500
> Allan Jude wrote:
>
>> On 2014-03-07 13:57, O. Hartmann wrote:
>>>
>>> Recently I switched from pf to ipfw on some CURRENT boxes and for convenience I used
>>> the "workstation" predefinition of FreeBSD. But with that change, all access of ports
>>> via fetch located at ftp-sites stopped passing the filter.
>>>
>>> Even switching to "open" doesn't help and this is confusing me.
>>>
>>> The CURRENT box in question is passing its traffic within a LAN through a gateway
>>> running also FreeBSD CURRENT, but with pf. The gateway is performing NAT. As long as
>>> the failing client behind the gateway system is using pf as the filter, the traffic
>>> for ftp seems to pass through. On the gateway with pf as the default filter, the
>>> ports fetching via ftp-site their sources perform without problems.
>>>
>>> What is up with IPFW?
>>>
>>> Is there a solution? I tried to search google for "freebsd ipfw ftp" but I didn't find
>>> anything suitable targeting my problem or any problem of that kind.
>>>
>>>
>>> Thanks in advance,
>>>
>>> Oliver
>>>
>>
>> What error does fetch give? Is it having problems with DNS, connection
>> to the FTP site, or just making the FTP DATA connection? Have you tried
>> with 'passive' mode on/off?
>>
> The box doesn't have problems contacting any DNS.
>
> Fetch gives the shown "errors" or simple timeouts. Either manually or via portmaster to
> update ports like the one shown below.
>
> The very same port has no problems on the system having pf instead of ipfw.
>
> I will switch back to pf on the box in question to check whether the choice of firewall
> really makes the difference.
>
> This is what I get when setting passive mode (it doesn't change anything from "active"
> mode):
>
> root@thor: [pciids] setenv FTP_PASSIVE_MODE YES
>
> root@thor: [pciids] make fetch
> ===> License BSD3CLAUSE GPLv2 GPLv3 accepted by the user
> ===> pciids-20140301 depends on file: /usr/local/sbin/pkg - found
> => pciids-20140301.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch
> http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> Not Found => Attempting to fetch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch: transfer timed out
>

'no route to host' suggests it might be trying to do ipv6

-- 
Allan Jude