Is there a way to run FreeBSD ports through port 80?

dweimer dweimer at
Thu Jul 12 21:17:47 UTC 2012

On 2012-07-12 15:26, Kaya Saman wrote:
> On 07/12/2012 07:54 PM, Peter Vereshagin wrote:
>> Hello.
>> Why don't you use a portsnap? it's over http...
>> 2012/07/12 19:01:15 +0100 Kaya Saman <kayasaman at> => To 
>> Peter Vereshagin :
>> KS> I will check it out however and see if that method is best, 
>> however
>> KS> CVSup would be the best way for us and I'm already looking at 
>> this:
>> KS>
>> KS> 
>> 1. cvsup is not about comparison to ftp. cvsup is a way to obtain 
>> fresh port
>> for the program distribution, ie set of patches, list of package's 
>> files,
>> sample configuration files for the particular program(s) those are 
>> not the part
>> of the base system but supplied with taking the OS specs in mind.
>> ftp is a way to obtain a distfile, ie what the 3rd party software 
>> developer use
>> to distribute. For FreeBSD ports cvsup and ftp are not competent in 
>> the daiy
>> use as they have different purposes.
>> Some 3rd party software is released and published authoritatively on 
>> ftp only.
>> And that is the only problem possible for you on ftp usage by 
>> freebsd ports.
>> But I believe there is only a few of them you need if any at all.
>> I guess you may want to download the initial ports tree tarball, the 
>> ports.tgz,
>> via the ftp. But it's certainly a) available over there via the http 
>> and b) is
>> outdated and is needed to be updated via the portsnap and/or cvsup.
>> 2. Use csup from the base system, don't use cvsup from ports if you 
>> use its
>> protocol. And, portsnap seems to be even more recommended since some 
>> days.
>> KS> which should be enough to get a demo up and running.
>> A Demo? Am I invited for the show? ;-)
>> --
>> Peter Vereshagin <peter at> ( pgp: 
>> A0E26627
>> _______________________________________________
>> freebsd-questions at mailing list
>> To unsubscribe, send any mail to 
>> "freebsd-questions-unsubscribe at"
> Hi Peter,
> portsnap works fine :-)
> My issues start coming into play when building the actual port
> itself. Ie. fetching the distfile, as you suggested above.
> As soon as I start running portmaster -a or a 'make install clean' on
> certain ports, the progress just bombs out totally.
> It would be really cool if I could find a way to centrally manage all
> of this. So perhaps in conjunction with CVSup.....
> Something like a Linux repo server if you will - though I mention the
> term very loosely.
> Regards,
> Kaya
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at"

If the volume of machines you have isn't very high I would consider 
asking the Director if you could have a machine in the DMZ that would be 
able to use FTP, and cvsup to get outbound.  Install Squid on that, and 
allow Squid to use FTP then allow only SSH from the inside systems to 
that machine.  From there you can use SSH on the inside systems to 
tunnel the cvsup data outbound for source updates, and to tunnel the 
Squid connection outbound to be able to use FTP for the port updates via 
the SSH tunnel using Squids FTP connect over HTTP.

This method would eliminate the need to setup your own local cvsup 
mirror, but does still allow FTP, but it doesn't leave any internal 
connections possible except when intended.  It doesn't open it up to any 
users without SSH access into the DMZ machine so it can be controlled 
who has access to it.

As the goto guy at my company for internet security I understand the 
need to lock things down and sadly wish my boss would allow me to lock 
down ours more than it is, though I don't see blocking outbound FTP as a 
requirement (though we only allow passive).  Its interesting to see this 
from the side of the other guy who's stuff doesn't work due to the 
restrictions in place.  I deal all the time with employees trying to do 
online conferences or file downloads with other companies using obscure 
tools that won't work through an HTTP proxy, use some random high port 
like 10000 and want me to open up the port through the firewall right 
then so they can do the conference or get the file without any time to 
make sure the application is actually safe.  Of course the main response 
to no I can't do that, is why does it work for everyone else on the 
conference.  Can't seem to make them understand that the other people 
might not have to explain to the bank why they weren't following the PCI 
(payment card industry) guidelines they signed a document stating we 
would adhere to.  And its my job on the line and not theirs if my 
allowing the port through the firewall for them allows the security 

    Dean E. Weimer

More information about the freebsd-questions mailing list