From owner-freebsd-questions@FreeBSD.ORG Fri Mar 17 12:10:16 2006
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Date: Fri, 17 Mar 2006 14:05:05 +0200
Subject: Re: configuring fetch to passive mode
User-Agent: KMail/1.8.3
References: <441A9250.10103@locolomo.org> <200603171310.42917.nvass@teledomenet.gr> <441A9D18.7060102@locolomo.org>
In-Reply-To: <441A9D18.7060102@locolomo.org>
Message-Id: <200603171405.06103.nvass@teledomenet.gr>

On Friday 17 March 2006 13:27, Erik Norgaard wrote:
> Nikos Vassiliadis wrote:
> > On Friday 17 March 2006 12:41, Erik Norgaard wrote:
> >> Hi:
> >>
> >> This ought to be a configuration tunable, but I can't find any
> >> documentation on it: How do I force fetch to use passive mode?
> >>
> >> When I try "make fetch" of some port I get:
> >>
> >> => Attempting to fetch from \
> >> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
> >> fetch: \ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/file: \
> >> Operation not permitted
> >>
> >> It fails quickly, no sign of things timing out.
> >>
> >> In my firewall (pf), I have
> >>
> >> block in quick on $ext_if all
> >
> > You block everything that comes in from your external interface.
> > The "quick" keyword means that the search ends there. So
> > no incoming traffic passes...
>
> Incoming connections yes, but I have keep state on outgoing, that's why
> passive ftp should work while active fails. Otherwise I would have
> problems with all kinds of traffic, but I don't.

You are right, traffic originating from your box would be matched by
the keep-state rules. I would put them above the "block in quick all"
rule though, just for clarity's sake. That's what puzzled me. And you
might have reasons to do it this way (more optimized ruleset?).
Anyway, your ruleset works fine.

Two things I can think of:
1) another active packet filter, forgotten maybe?
2) your internet provider does funky things for you.
   Perhaps traceroute using tcp might help (-P tcp -p 21 ftp.freebsd.org)

When you use passive ftp, all the connections are initiated by you, so
it's no different than HTTP, telnet, ssh, ...

Hope this helps (this time),

Nikos

> > Thanks, Erik
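The ruleset the two of them are discussing, written out as an added pf.conf example (it is not from the original thread, and only the `block in quick on $ext_if all` line appears in the mail). The interface name, the `ext_if` macro and the exact form of the stateful outbound rule are assumptions; the comments explain why the ordering does not change behaviour and why passive FTP passes while active FTP cannot.

```pf
# Added example, not from the original thread. Assumed: the external
# interface is em0 and the outbound rule is a stateful "pass out";
# only the "block in quick on $ext_if all" line is quoted in the mail.
ext_if = "em0"

# Ordering as the original poster has it: the block rule first.
# pf consults the state table before it walks the ruleset, so reply
# packets for a connection created by the stateful "pass out" rule
# below are accepted before this rule is ever evaluated. "quick" only
# ends the ruleset walk for packets that reach it, i.e. inbound packets
# with no matching state entry.
block in quick on $ext_if all

# Every connection this box opens creates a state entry; the server's
# replies are matched by that state, not by the rules. This covers the
# FTP control connection (you -> server:21) and, in passive mode, the
# data connection as well (you -> the server port announced in its PASV
# reply), which is why passive FTP behaves exactly like HTTP or ssh.
pass out on $ext_if proto { tcp udp } all keep state

# The same ruleset with the stateful rule listed first, as the reply
# suggests. Behaviour is identical; it simply reads top-down as
# "allow what I start, drop everything else":
#
#   pass out on $ext_if proto { tcp udp } all keep state
#   block in quick on $ext_if all
#
# Active FTP cannot work with either ordering: after the client's PORT
# command the server opens the data connection back to the client
# (server:20 -> client port). That inbound SYN has no state entry, so
# "block in quick" drops it.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -ss` shows the state entries an outbound connection creates, which is the quickest way to confirm that the control and data connections of a passive transfer both appear as outbound states.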