ports/96088: Ports .mk files do not run fetch in passive FTP mode by default.

Darren Pilgrim darren.pilgrim at bitfreak.org
Thu Apr 20 07:40:15 UTC 2006


>Number:         96088
>Category:       ports
>Synopsis:       Ports .mk files do not run fetch in passive FTP mode by default.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 20 07:40:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Darren Pilgrim
>Release:        RELENG_6_0
>Organization:
>Environment:
FreeBSD 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #0: Mon Apr 3 00:47:01 PDT 2006 i386
>Description:
When a port needs to download a file, the ports .mk files use FETCH_CMD, which is "/usr/bin/fetch -ARr" by default. Fetch uses passive FTP if the -p parameter is specified, but -p is missing from FETCH_CMD. With fetch running in "active" FTP, downloads will fail with "Can't open data connection" errors if the server doesn't force passive mode and the machine running fetch is behind a firewall that doesn't punch holes back through for active FTP data connections.

Since inbound hole-punching is generally considered a Bad Idea(tm) for overall security, common firewall configurations routinely block active FTP data connections while simultaneously having no problem passing passive FTP data connections.

The issue is pervasive enough that passive FTP is the default for most FTP clients and web browsers.
>How-To-Repeat:
With a pf (or other) ruleset that blocks all incoming TCP connection start-ups, compare the success rates of `fetch` and `fetch -p` on a list of FTP sites.
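The comparison described above, written out as a small POSIX sh script. This is an added example, not part of the PR or of the ports tree: it assumes the blocking pf ruleset is already in place on the test host, that FETCH can be pointed at fetch(1) (or at a stand-in for offline use), and it relies on fetch(1)'s -T (timeout) and -o (output file) options in addition to the -ARr/-ApRr flag sets quoted from bsd.port.mk. The URL list is one URL per line; blank lines and lines starting with # are skipped.

```sh
#!/bin/sh
# compare_fetch.sh: for each FTP URL in a file, run fetch(1) once without -p
# (active FTP, the current FETCH_CMD default) and once with -p (passive FTP,
# as the proposed patch sets it) and tally how many downloads succeed in
# each mode.  Added example; FETCH and TIMEOUT are assumed knobs, not ports
# infrastructure variables.

FETCH="${FETCH:-/usr/bin/fetch}"
TIMEOUT="${TIMEOUT:-30}"

# try_fetch MODE URL
#   Fetch URL to /dev/null in the given mode and print 1 on success, 0 on
#   failure.  fetch's own output is discarded; only the exit status matters.
try_fetch() {
    mode=$1
    url=$2
    case $mode in
        active)  flags="-ARr" ;;    # flags currently in bsd.port.mk's FETCH_CMD
        passive) flags="-ApRr" ;;   # the same flags with -p added, as in the patch
        *) echo "try_fetch: unknown mode '$mode'" >&2; return 2 ;;
    esac
    if "$FETCH" $flags -T "$TIMEOUT" -o /dev/null "$url" >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# compare_fetch URLFILE
#   Print "active=A/N passive=P/N" for the N URLs in URLFILE.  Returns 0 when
#   passive mode succeeded at least as often as active mode (the behaviour the
#   PR expects behind a firewall that drops inbound TCP setup), 1 otherwise.
compare_fetch() {
    urlfile=$1
    n=0; a=0; p=0
    while IFS= read -r url; do
        case $url in ''|'#'*) continue ;; esac   # skip blank and comment lines
        n=$((n + 1))
        a=$((a + $(try_fetch active "$url")))
        p=$((p + $(try_fetch passive "$url")))
    done < "$urlfile"
    echo "active=$a/$n passive=$p/$n"
    [ "$p" -ge "$a" ]
}

# Invoked as a script: compare_fetch.sh urls.txt
if [ "$#" -gt 0 ]; then
    compare_fetch "$1"
fi
```

Run it once with the firewall rules active and once with them disabled; with inbound connection start-ups blocked, the active column is the one expected to drop, while the passive column should be unchanged for servers that honour PASV.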
>Fix:
Apply the following patch (diff against ports/Mk/bsd.port.mk v1.529):

--- ports/Mk/bsd.port.mk-orig	Wed Apr 19 23:53:13 2006
+++ ports/Mk/bsd.port.mk	Wed Apr 19 23:54:10 2006
@@ -1924,7 +1924,7 @@
 .endif
 
 .if exists(/usr/bin/fetch)
-FETCH_CMD?=		/usr/bin/fetch -ARr
+FETCH_CMD?=		/usr/bin/fetch -ApRr
 FETCH_REGET?=	1
 .if ${OSVERSION} >= 480000 && !defined(DISABLE_SIZE)
 # Avoid -S for 4.7 and earlier since it causes fetch errors
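Review bot: the new -p in the FETCH_CMD?= line deserves a one-line comment above it, in the style of the neighbouring "# Avoid -S for 4.7 and earlier since it causes fetch errors", stating that passive FTP is forced because active FTP data connections are commonly blocked by firewalls; without it the flag looks arbitrary to the next reader. Since the assignment uses ?=, a user who really needs active FTP for a server without passive support can still set FETCH_CMD themselves, and the comment could say so (e.g. "# -p: passive FTP; override FETCH_CMD if a server requires active mode").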

>Release-Note:
>Audit-Trail:
>Unformatted:


