Re: Firewall and FreeBSD ports

On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> On Fri, 10 Oct 2008 09:51:16 -0700
> Jeremy Chadwick <koitsu@xxxxxxxxxxx> wrote:
> 
> > On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > > I just set up a new server with a very restricted PF configuration.
> > > One problem: I can no longer install software with ports (i.e.,
> > > the /usr/ports collection.) I have to disable PF to do so.
> > > Obviously not a great solution.
> > > 
> > > Am I correct in guessing that ports uses FTP to grab source files
> > > from mirrors? I'm trying to figure out the smallest number of ports
> > > (the TCP/IP kind) that I need to open in my firewall. I don't want
> > > to enable incoming FTP requests, but do want to allow outgoing ftp
> > > requests, I believe.
> > > 
> > > Am I on the right track, here?
> > 
> > See the fetch(1) man page. Try this first:
> > 
> > sh/bash: export FTP_PASSIVE_MODE=true
> > csh: setenv FTP_PASSIVE_MODE true
> 
> passive ftp has been the default for a long time, fetch is called
> with the -p option.

Let's give the users some actual detail, not terse one-liners which will
induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT
default to using FTP passive mode. You have to either pass the -p
option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE
environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically
ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force
passive mode. This will be used for things like "make fetch". It *will
not* be used for things like "pkg_add -r" or "pkg_add ftp://...".

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk
was applied to HEAD on 2006/09/20. HEAD at that time is what became
FreeBSD 6.2. Of course, anyone updating their ports tree after that
date would also get the change; I'm just pointing it out so people know
what the actual date was when -p was added to the default argument list.

Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure
someone will try to argue "that's also been turned on by default for a
long time"; I know how people are... :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an
addition to login.conf(5) back in late 2001 (around the time of
RELENG_6). See revision 1.45 (not 1.44!) of src/etc/login.conf in
cvsweb.

But I'll remind people that login.conf only applies to login shells;
logging in on the console, or logging in to an account via "ssh
user@host". Most people I know of *do not* SSH into their servers as
root; they SSH in as themselves and use sudo. Some use su2, and some
use su.

Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply
login.conf's defaults. But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#

The above scenario (as root) fails, since the FTP_PASSIVE_MODE
environment variable isn't being handed down from the login shell (my
user account) to the root shell spawned by sudo[1].

su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, "su -l" behaves the same way.

The OP did not disclose how he was installing ports. A lot of users
think that packages == ports, so for all we know, he could be
pkg_add'ing things while using sudo and running into this.

If "make fetch" in an actual port is timing out, then he's either doing
it on a machine with a ports tree prior to 2006/09/20 (see above), or
his outbound pf rules are so strict that the machine is absurdly
limited.

I've advocated in another thread my displeasure for filtering outbound
traffic *solely* because of this exact scenario. Network admins seem
to think that "oh, HTTP is always going to use port 80", and likewise,
"oh, FTP is always going to use ports 20-21". Bzzzt. Nothing stops
a MASTER_SITE from being http://lelele.com:9382/.

[1]: The problem with sudo can be addressed; FTP_PASSIVE_MODE needs to
be added to the env_keep list in the default sudoers file. I know the
port maintainer, so I'll take this up with him so that users (including
myself) don't keep getting bit by forgetting to set FTP_PASSIVE_MODE
after doing a sudo.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
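As an added example (not part of this thread, and not Jeremy's or the FreeBSD project's code), the following POSIX sh script makes the post's last point concrete: it takes a list of MASTER_SITES URLs and prints the outbound pf "pass out" rules each one actually needs, including the extra rule passive FTP requires for the data connection. The URLs at the bottom are constructed sample input, not real mirrors; in real use you would feed it the output of "make -V MASTER_SITES" from a port directory.

```shell
#!/bin/sh
# Added example, not from the original thread: work out which outbound
# pf rules a ports MASTER_SITES list actually needs, rather than assuming
# HTTP == port 80 and FTP == port 21.
# Real use would feed it:  make -C /usr/ports/net/ntp -V MASTER_SITES
# The URLs at the bottom are constructed sample input, not real mirrors.

# url_endpoint URL  ->  prints "scheme host port" (default port from scheme)
# Returns 1 for URLs whose scheme libfetch does not speak (ftp/http/https).
# IPv6 literal hosts such as [::1] are not handled.
url_endpoint() {
    url=$1
    case $url in
        *://*) ;;
        *) return 1 ;;
    esac
    scheme=${url%%://*}
    case $scheme in
        ftp|http|https) ;;
        *) return 1 ;;
    esac
    rest=${url#*://}
    rest=${rest%%/*}            # strip path
    rest=${rest##*@}            # strip user:pass@ if present
    case $rest in
        *:*) host=${rest%%:*}; port=${rest##*:} ;;
        *)   host=$rest
             case $scheme in
                 ftp)   port=21 ;;
                 http)  port=80 ;;
                 https) port=443 ;;
             esac ;;
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# pf_rules_for URL...  ->  prints pf.conf "pass out" rules, one per line.
# "self" is pf's keyword for all of this host's own addresses.
pf_rules_for() {
    for u in "$@"; do
        ep=$(url_endpoint "$u") || continue
        scheme=${ep%% *}
        port=${ep##* }
        host=${ep#* }; host=${host%% *}
        printf 'pass out proto tcp from self to %s port %s flags S/SA keep state\n' \
            "$host" "$port"
        # Passive FTP: after the control connection, the client opens a
        # second outbound TCP connection to whatever unprivileged port the
        # server announced in its PASV reply, so port 21 alone is not enough.
        if [ "$scheme" = ftp ]; then
            printf 'pass out proto tcp from self to %s port > 1023 flags S/SA keep state\n' \
                "$host"
        fi
    done
}

# Constructed sample MASTER_SITES list (the shape "make -V MASTER_SITES"
# prints); the non-standard port on the last mirror is deliberate.
SAMPLE_MASTER_SITES='http://distcache.example.org/ports-distfiles/
ftp://ftp.example.org/pub/FreeBSD/ports/distfiles/
http://mirror.example.net:9382/distfiles/'

# Word splitting on whitespace is intended here: one URL per word.
pf_rules_for $SAMPLE_MASTER_SITES
```

The generated rules only cover passive FTP. If FTP_PASSIVE_MODE is lost on the way to the root shell (the sudo case described in the post) and fetch is run without -p, libfetch falls back to active mode, where the server connects back to the client; nothing these rules pass allows that, which is exactly the "it works until I sudo" symptom. The footnote's fix is a single sudoers line, Defaults env_keep += "FTP_PASSIVE_MODE", and the post's broader argument is that keeping state on all outbound TCP avoids this class of surprise entirely.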


