configuring fetch to passive mode

Nikos Vassiliadis nvass at teledomenet.gr
Fri Mar 17 12:10:16 UTC 2006


On Friday 17 March 2006 13:27, Erik Norgaard wrote:
> Nikos Vassiliadis wrote:
> > On Friday 17 March 2006 12:41, Erik Norgaard wrote:
> >> Hi:
> >>
> >> This ought to be a configuration tunable, but I can't find any
> >> documentation on it: How do I force fetch to use passive mode?
> >>
> >> When I try "make fetch" of some port I get:
> >>
> >>    => Attempting to fetch from \
> >>        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
> >>    fetch: \ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/file: \
> >>        Operation not permitted
> >>
> >> It fails quickly, no sign of things timing out.
> >>
> >> In my firewall (pf), I have
> >>
> >> block in  quick on $ext_if all
> >
> > You block everything that comes in from your external interface.
> > The "quick" keyword means that the search ends there. So
> > no incoming traffic passes...
>
> Incoming connections yes, but I have keep state on outgoing, that's why
> passive ftp should work while active fail. Otherwise I would have
> problems with all kinds of traffic but I don't.

You are right, traffic originated from your box would be matched by the
keep-state rules. I would put them above the "block in quick all" rule
though, just for clarity's sake. That's what puzzled me. And you might
have reasons to do it this way (more optimized ruleset?).

Anyway, your ruleset works fine. Two things I can think of:
1) another active packet filter, forgotten maybe?
2) your internet provider does funky things for you. Perhaps
    traceroute using tcp might help (-P tcp -p 21 ftp.freebsd.org)

When you use passive ftp, all the connections are initiated by you, so
it's no different than HTTP, telnet, ssh, ...

Hope this helps (this time), Nikos

>
> Thanks, Erik
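As an added illustration that is not part of the thread, the following toy Python model replays the reasoning above: outgoing connections create state, inbound packets matching an existing state pass, and everything else inbound hits "block in quick on $ext_if all". Addresses and ports are constructed, and the model is a simplification of pf, not pf itself.

```python
"""Toy stateful packet filter modelling the ruleset discussed in the thread:
'block in quick on $ext_if all' plus 'pass out keep state' for outgoing traffic.
Constructed example; it does not reproduce pf's real state table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to $ext_if
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    syn: bool = False


class StatefulFilter:
    def __init__(self):
        # state entries are (local_endpoint, remote_endpoint) pairs
        self.states = set()

    def evaluate(self, pkt):
        # pf consults the state table before the ruleset, so a reply to a
        # connection we opened passes even though a later rule blocks all input.
        if pkt.direction == "in" and (pkt.dst, pkt.src) in self.states:
            return "pass"
        if pkt.direction == "out" and (pkt.src, pkt.dst) in self.states:
            return "pass"
        if pkt.direction == "in":
            return "block"  # block in quick on $ext_if all
        self.states.add((pkt.src, pkt.dst))  # pass out keep state
        return "pass"


CLIENT = "192.0.2.10"     # constructed client address (TEST-NET-1)
SERVER = "198.51.100.21"  # constructed FTP server address (TEST-NET-2)


def ftp_session(passive):
    """Return the filter verdict for each packet of a simplified FTP session."""
    fw = StatefulFilter()
    verdicts = []
    # control connection: client -> server port 21, reply comes back in
    verdicts.append(fw.evaluate(Packet("out", (CLIENT, 40000), (SERVER, 21), syn=True)))
    verdicts.append(fw.evaluate(Packet("in", (SERVER, 21), (CLIENT, 40000))))
    if passive:
        # PASV: server names a port, client opens the data connection itself
        verdicts.append(fw.evaluate(Packet("out", (CLIENT, 40001), (SERVER, 50123), syn=True)))
        verdicts.append(fw.evaluate(Packet("in", (SERVER, 50123), (CLIENT, 40001))))
    else:
        # PORT: client names a port, server connects back from port 20 (no state)
        verdicts.append(fw.evaluate(Packet("in", (SERVER, 20), (CLIENT, 40002), syn=True)))
    return verdicts
```

Running `ftp_session(True)` passes every packet, while `ftp_session(False)` blocks the server's inbound data connection, which is why passive FTP behaves like any other outgoing protocol under this ruleset.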


More information about the freebsd-questions mailing list