From: Matthew Seaman
Date: Tue, 13 Dec 2005 06:41:55 +0000
To: Jose Borquez
Cc: FreeBSD Questions group
Subject: Re: pkg_add blocked by IPFirewall
Message-ID: <439E6D33.5040102@infracaninophile.co.uk>
In-Reply-To: <439E5ED8.40401@sbcglobal.net>

Jose Borquez wrote:
> I am attempting to install cvsup using pkg_add -r but I keep getting
> the following error:
>
> Error: FTP Unable to get
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/Latest/cvsup-without-gui.tbz:
> No route to host
> pkg_add: unable to fetch
> 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/Latest/cvsup-without-gui.tbz'
> by URL
>
> I know that it is being blocked by my firewall. What are the tcp and
> udp ports that I need to open up for pkg_add to get the package?

You will need to:

    a) set FTP_PASSIVE_MODE=yes in your environment. It should be set
       by default.

    b) Configure your firewall to allow stateful outgoing tcp connections
       to any IP port 21 and also to any port in the 'high ports' range.
       On FreeBSD by default that's 49152-65535. Other OSes differ. The
       'high ports' range is configurable by modifying the
       net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast
       sysctls.

That should let you use PASV or EPSV-style passive mode FTP through your
firewall. It's not possible to effectively firewall active mode FTP
clients (let alone FTP servers) satisfactorily without using an FTP proxy
on your firewall, such as ftp-proxy(8). For a personal machine just
allowing passive mode FTP will be sufficient.

    Cheers,

    Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
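
The two steps in the reply above, written out as an ipfw(8) rule generator. This is an added example, not part of the original message; the rule numbers, the `me` source keyword and the function name `passive_ftp_rules` are assumptions. It only prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example: print ipfw(8) rules that permit passive-mode FTP from this
# host, following the reply: stateful outgoing TCP to port 21 and to the
# 'high ports' range. Rule numbers 1000-1200 are assumed, pick free ones.

# passive_ftp_rules LO HI -> prints three ipfw commands, or fails on a bad range.
passive_ftp_rules() {
    lo=$1 hi=$2
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
        esac
    done
    # An inverted or out-of-bounds range would open far more (or nothing).
    if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad high-port range $lo-$hi" >&2
        return 1
    fi
    cat <<EOF
ipfw add 1000 check-state
ipfw add 1100 allow tcp from me to any 21 out setup keep-state
ipfw add 1200 allow tcp from me to any $lo-$hi out setup keep-state
EOF
}

# Read the range from the sysctls named in the reply; fall back to the
# FreeBSD defaults it quotes when the sysctls are unavailable.
range_lo=$(sysctl -n net.inet.ip.portrange.hifirst 2>/dev/null || echo 49152)
range_hi=$(sysctl -n net.inet.ip.portrange.hilast 2>/dev/null || echo 65535)

# Step a) from the reply, for the shell that will run pkg_add -r:
#   export FTP_PASSIVE_MODE=yes
# Step b): review this output, then load the rules as root.
passive_ftp_rules "$range_lo" "$range_hi"
```

`setup keep-state` creates a dynamic rule only for connections the host itself opens, so replies are matched by `check-state` and no inbound ports need to be opened.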