From owner-freebsd-questions@FreeBSD.ORG Fri Oct 10 16:51:20 2008
From: Jeremy Chadwick
To: John Almberg
Cc: freebsd-questions@freebsd.org
Date: Fri, 10 Oct 2008 09:51:16 -0700
Subject: Re: Firewall and FreeBSD ports
Message-ID: <20081010165116.GA37287@icarus.home.lan>
In-Reply-To: <110C2D5E-5772-4304-9F90-FDAC5EACAE2E@identry.com>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> I just set up a new server with a very restricted PF configuration. One
> problem: I can no longer install software with ports (i.e., the
> /usr/ports collection.) I have to disable PF to do so. Obviously not a
> great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from
> mirrors? I'm trying to figure out the smallest number of ports (the
> TCP/IP kind) that I need to open in my firewall. I don't want to enable
> incoming FTP requests, but do want to allow outgoing ftp requests, I
> believe.
>
> Am I on the right track, here?

See the fetch(1) man page. Try this first:

  sh/bash:  export FTP_PASSIVE_MODE=true
  csh:      setenv FTP_PASSIVE_MODE true

Chances are this will address the problem for you.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
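As an added illustration of why the passive-mode suggestion above works with a locked-down PF rule set (this fragment is not from the thread and is not either poster's configuration): in active FTP the server opens the data connection back to the client from port 20, which a default-deny firewall with no inbound pass rule drops, whereas in passive mode the client opens both the control and the data connection outbound, so stateful outbound rules are enough. The interface name em0 is an assumption.

```pf
# /etc/pf.conf fragment, added example (assumed interface em0)
ext_if = "em0"

# Default deny in both directions; nothing below passes inbound traffic,
# so an active-mode FTP data connection from a server's port 20 is dropped.
block all

# Name resolution for the distfile mirrors.
pass out on $ext_if proto udp from ($ext_if) to any port 53 keep state

# fetch(1) over HTTP/HTTPS mirrors.
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state

# Passive FTP: control channel to port 21, then a second outbound
# connection to the high port the server announces in its PASV reply.
# keep state lets the replies on both connections back in.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port 1024:65535 keep state
```

With FTP_PASSIVE_MODE set as in the reply, fetch(1) never needs an inbound rule; without it, the server-initiated data connection is exactly what `block all` discards, which is why the port tree appeared to work only with PF disabled.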