Is there a way to run FreeBSD ports through port 80?
dweimer at dweimer.net
Thu Jul 12 21:17:47 UTC 2012
On 2012-07-12 15:26, Kaya Saman wrote:
> On 07/12/2012 07:54 PM, Peter Vereshagin wrote:
>> Why don't you use a portsnap? it's over http...
>> 2012/07/12 19:01:15 +0100 Kaya Saman <kayasaman at gmail.com> => To
>> Peter Vereshagin :
>> KS> I will check it out however and see if that method is best,
>> KS> CVSup would be the best way for us and I'm already looking at
>> 1. cvsup is not about comparison to ftp. cvsup is a way to obtain
>> fresh port
>> for the program distribution, i.e. set of patches, list of package's
>> sample configuration files for the particular program(s) those are
>> not the part
>> of the base system but supplied with taking the OS specs in mind.
>> ftp is a way to obtain a distfile, i.e. what the 3rd party software
>> developers use
>> to distribute. For FreeBSD ports cvsup and ftp are not competent in
>> the daily
>> use as they have different purposes.
>> Some 3rd party software is released and published authoritatively on
>> ftp only.
>> And that is the only problem possible for you on ftp usage by
>> freebsd ports.
>> But I believe there is only a few of them you need if any at all.
>> I guess you may want to download the initial ports tree tarball, the
>> via the ftp. But it's certainly a) available over there via the http
>> and b) is
>> outdated and is needed to be updated via the portsnap and/or cvsup.
>> 2. Use csup from the base system, don't use cvsup from ports if you
>> use its
>> protocol. And, portsnap seems to be even more recommended since some
>> KS> which should be enough to get a demo up and running.
>> A Demo? Am I invited for the show? ;-)
>> Peter Vereshagin <peter at vereshagin.org> (http://vereshagin.org) pgp:
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
> Hi Peter,
> portsnap works fine :-)
> My issues start coming into play when building the actual port
> itself. Ie. fetching the distfile, as you suggested above.
> As soon as I start running portmaster -a or a 'make install clean' on
> certain ports, the progress just bombs out totally.
> It would be really cool if I could find a way to centrally manage all
> of this. So perhaps in conjunction with CVSup.....
> Something like a Linux repo server if you will - though I mention the
> term very loosely.
If the volume of machines you have isn't very high I would consider
asking the Director if you could have a machine in the DMZ that would be
able to use FTP and cvsup to get outbound. Install Squid on that, and
allow Squid to use FTP, then allow only SSH from the inside systems to
that machine. From there you can use SSH on the inside systems to
tunnel the cvsup data outbound for source updates, and to tunnel the
Squid connection outbound to be able to use FTP for the port updates via
the SSH tunnel using Squid's FTP connect over HTTP.
This method would eliminate the need to set up your own local cvsup
mirror, but does still allow FTP, and it doesn't leave any internal
connections possible except when intended. It doesn't open it up to any
users without SSH access into the DMZ machine, so it can be controlled
who has access to it.
As the go-to guy at my company for internet security I understand the
need to lock things down and sadly wish my boss would allow me to lock
down ours more than it is, though I don't see blocking outbound FTP as a
requirement (though we only allow passive). It's interesting to see this
from the side of the other guy whose stuff doesn't work due to the
restrictions in place. I deal all the time with employees trying to do
online conferences or file downloads with other companies using obscure
tools that won't work through an HTTP proxy, use some random high port
like 10000 and want me to open up the port through the firewall right
then so they can do the conference or get the file without any time to
make sure the application is actually safe. Of course the main response
to "no, I can't do that" is "why does it work for everyone else on the
conference?" Can't seem to make them understand that the other people
might not have to explain to the bank why they weren't following the PCI
(payment card industry) guidelines they signed a document stating we
would adhere to. And it's my job on the line and not theirs if my
allowing the port through the firewall for them allows the security
Dean E. Weimer
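The DMZ-host-plus-SSH-tunnel layout Dean describes, written out as an added example (this is not code from the thread or from the FreeBSD project). It assumes placeholder names: the DMZ box is reachable over SSH as $DMZ_HOST, Squid there listens on loopback port 3128 with FTP URLs allowed, and csup traffic to a CVSup mirror named in $CVSUP_MIRROR is forwarded the same way; the loopback binding on the DMZ side is what keeps Squid unreachable from anything but the SSH tunnel.

```shell
#!/bin/sh
# Added example: route FreeBSD ports distfile fetches and csup through an SSH
# tunnel to a Squid proxy on a DMZ host. Host names here are assumptions.
set -eu

SQUID_PORT=3128          # Squid on the DMZ host, bound to 127.0.0.1 (assumed)
LOCAL_PROXY_PORT=3128    # local end of the Squid tunnel on the inside box
CVSUP_PORT=5999          # standard cvsup/csup port
LOCAL_CVSUP_PORT=5999    # local end of the csup tunnel

# squid.conf lines for the DMZ host: listen on loopback only, so only the
# SSH tunnel (which exits on the DMZ host's own loopback) can reach it.
squid_conf_fragment() {
    printf 'http_port 127.0.0.1:%s\n' "$SQUID_PORT"
    printf 'acl ssh_tunnel src 127.0.0.1/32\n'
    printf 'http_access allow ssh_tunnel\n'
    printf 'http_access deny all\n'
}

# ssh command that opens both forwards. -N: no remote shell, -f: background
# once the forwards are up. Only users with SSH access to the DMZ host can
# open it, which is the access control Dean relies on.
ssh_tunnel_cmd() {
    dmz_host=$1
    cvsup_mirror=$2
    printf 'ssh -f -N -L %s:127.0.0.1:%s -L %s:%s:%s %s\n' \
        "$LOCAL_PROXY_PORT" "$SQUID_PORT" \
        "$LOCAL_CVSUP_PORT" "$cvsup_mirror" "$CVSUP_PORT" \
        "$dmz_host"
}

# /etc/make.conf line: the ports framework passes FETCH_ENV to fetch(1),
# which honours FTP_PROXY/HTTP_PROXY, so ftp:// distfile URLs are sent to
# the tunnelled Squid as HTTP proxy requests instead of direct FTP.
make_conf_fragment() {
    proxy="http://127.0.0.1:${LOCAL_PROXY_PORT}"
    printf 'FETCH_ENV=FTP_PROXY=%s HTTP_PROXY=%s\n' "$proxy" "$proxy"
}

# csup invocation pointed at the local tunnel end instead of the mirror.
csup_cmd() {
    printf 'csup -h 127.0.0.1 -p %s /usr/share/examples/cvsup/ports-supfile\n' \
        "$LOCAL_CVSUP_PORT"
}

# Health check: the loopback port must accept a connection before fetching,
# otherwise fetch(1) would attempt a direct connection the firewall blocks.
tunnel_is_up() {
    nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# Only acts when DMZ_HOST is set, so loading this file has no side effects.
if [ -n "${DMZ_HOST:-}" ]; then
    eval "$(ssh_tunnel_cmd "$DMZ_HOST" "${CVSUP_MIRROR:-cvsup.example.org}")"
    tunnel_is_up "$LOCAL_PROXY_PORT" || { echo "Squid tunnel not up" >&2; exit 1; }
    tunnel_is_up "$LOCAL_CVSUP_PORT" || { echo "csup tunnel not up" >&2; exit 1; }
    grep -q '^FETCH_ENV=' /etc/make.conf 2>/dev/null || make_conf_fragment >> /etc/make.conf
    eval "$(csup_cmd)"
    # After this, portmaster -a or make install clean fetch via the proxy.
fi
```

The squid fragment goes on the DMZ host; the rest runs on the inside box. Binding Squid to 127.0.0.1 and forwarding from 127.0.0.1 on the inside host means neither end exposes a proxy port on the network, which is the "no internal connections except when intended" property Dean mentions.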