Date: Fri, 17 Mar 2006 14:05:05 +0200
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Subject: Re: configuring fetch to passive mode
Message-ID: <200603171405.06103.nvass@teledomenet.gr>
In-Reply-To: <441A9D18.7060102@locolomo.org>
References: <441A9250.10103@locolomo.org> <200603171310.42917.nvass@teledomenet.gr> <441A9D18.7060102@locolomo.org>
On Friday 17 March 2006 13:27, Erik Norgaard wrote:
> Nikos Vassiliadis wrote:
> > On Friday 17 March 2006 12:41, Erik Norgaard wrote:
> >> Hi:
> >>
> >> This ought to be a configuration tunable, but I can't find any
> >> documentation on it: How do I force fetch to use passive mode?
> >>
> >> When I try "make fetch" of some port I get:
> >>
> >> => Attempting to fetch from \
> >> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
> >> fetch: \ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/file: \
> >> Operation not permitted
> >>
> >> It fails quickly, no sign of things timing out.
> >>
> >> In my firewall (pf), I have
> >>
> >> block in quick on $ext_if all
> >
> > You block everything that comes in from your external interface.
> > The "quick" keyword means that the search ends there. So no
> > incoming traffic passes...
>
> Incoming connections yes, but I have keep state on outgoing, that's why
> passive ftp should work while active fails. Otherwise I would have
> problems with all kinds of traffic but I don't.

You are right, traffic originated from your box would be matched by the
keep-state rules. I would put them above the "block in quick all" rule
though, just for clarity's sake. That's what puzzled me. And you might
have reasons to do it this way (more optimized ruleset?). Anyway, your
ruleset works fine.

Two things I can think of:
1) another active packet filter, forgotten maybe?
2) your internet provider does funky things for you. Perhaps traceroute
   using tcp might help (-P tcp -p 21 ftp.freebsd.org)

When you use passive ftp, all the connections are initiated by you, so
it's no different than HTTP, telnet, ssh, ...

Hope this helps (this time),
Nikos

> Thanks, Erik
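The behaviour Erik and Nikos are reasoning about above, as an added toy model that is not part of the thread and not pf's own code: pf checks its state table before the ruleset, so replies to outbound keep-state connections survive a "block in quick" rule, while the server-initiated data connection of active FTP hits that rule and is dropped. Hosts, ports and the two-rule list are constructed for the illustration.

```python
# Toy model of the pf behaviour under discussion: the state table is consulted
# before the ruleset, and a matching "quick" rule ends rule evaluation.
# Constructed illustration, not pf source; addresses are documentation ranges.
from collections import namedtuple

Packet = namedtuple("Packet", "direction src dst")  # src/dst are (host, port)
Rule = namedtuple("Rule", "action direction quick keep_state", defaults=(False, False))

class PfModel:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (initiator endpoint, responder endpoint)

    def filter(self, pkt):
        # 1. State lookup first: packets of a tracked connection never reach the rules.
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return "pass (state)"
        # 2. Ruleset: last matching rule wins unless a match is marked quick.
        verdict, matched = "pass", None
        for rule in self.rules:
            if rule.direction == pkt.direction:
                verdict, matched = rule.action, rule
                if rule.quick:
                    break
        if verdict == "pass" and matched is not None and matched.keep_state:
            self.states.add((pkt.src, pkt.dst))
        return verdict

CLIENT, SERVER = "192.0.2.10", "198.51.100.21"

def erik_ruleset():
    # "block in quick on $ext_if all" with the stateful pass-out rule below it
    return PfModel([Rule("block", "in", quick=True),
                    Rule("pass", "out", keep_state=True)])

def passive_ftp(pf):
    # Control connection, then a client-initiated data connection to the port
    # the server announced in its PASV reply: both create state on the way out.
    return [pf.filter(Packet("out", (CLIENT, 40000), (SERVER, 21))),
            pf.filter(Packet("in", (SERVER, 21), (CLIENT, 40000))),
            pf.filter(Packet("out", (CLIENT, 40001), (SERVER, 50000))),
            pf.filter(Packet("in", (SERVER, 50000), (CLIENT, 40001)))]

def active_ftp(pf):
    # Same control connection, but the server opens the data connection from
    # port 20 towards the client: no state exists, so "block in quick" fires.
    return [pf.filter(Packet("out", (CLIENT, 40000), (SERVER, 21))),
            pf.filter(Packet("in", (SERVER, 21), (CLIENT, 40000))),
            pf.filter(Packet("in", (SERVER, 20), (CLIENT, 40002)))]
```

The immediate "block" verdict on the active data connection matches the fast "Operation not permitted" failure Erik reports, with no timeout involved.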