ipfw: fetch doesn't reach ftp://fttp.sites.foo
Allan Jude
freebsd at allanjude.com
Fri Mar 7 22:51:17 UTC 2014
On 2014-03-07 16:55, O. Hartmann wrote:
> On Fri, 07 Mar 2014 15:33:39 -0500
> Allan Jude <freebsd at allanjude.com> wrote:
>
>> On 2014-03-07 13:57, O. Hartmann wrote:
>>>
>>> Recently I swaitched from pf to ipfw on some CURRENT boxes and for convenience I used
>>> the "workstation" predefinition of FreeBSD. But with that change, all access of ports
>>> via fetch located at ftp-sites stopped passing the filter.
>>>
>>> Even switching to "open" doesn't help and this is confusing me.
>>>
>>> The CURRENT box in question is passing its traffic within a LAN through a gateway
>>> running also FreeBSD CURRENT, but with pf. The gateway is performing NAT. As long as
>>> the failing client behind the gateway system is using pf as the filter, the traffic
>>> for ftp seems to pass through. On the gateway with pf as the default filter, the
>>> ports fetching via ftp-site their sources perform without problems.
>>>
>>> What is up with IPFW?
>>>
>>> Is their a solution? I tried to search google for "freebsd ipfw ftp" but I didn't find
>>> anything suitable targeting my problem or any problem of that kind.
>>>
>>>
>>> Thanks in adavance,
>>>
>>> Oliver
>>>
>>
>> What error does fetch give? Is it having problems with DNS, connection
>> to the FTP site, or just making the FTP DATA connection? Have you tried
>> with 'passive' mode on/off?
>>
> The box doesn't have problems contacting any DNS.
>
> Fetch gives the shown "errors" or simple timeouts. Either manually or via portmaster to
> update ports like the one shown below.
>
> The very same port has no problems on the system having pf instead of ipfw.
>
> I will switch back to pf on the box in question to check whether the choice of firewall
> really makes the difference.
>
> This is what I get when seeting passive mode (it doesn't change anything from "active"
> mode):
>
> root at thor: [pciids] setenv FTP_PASSIVE_MODE YES
>
> root at thor: [pciids] make fetch
> ===> License BSD3CLAUSE GPLv2 GPLv3 accepted by the user
> ===> pciids-20140301 depends on file: /usr/local/sbin/pkg - found
> => pciids-20140301.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch
> http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> http://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> Not Found => Attempting to fetch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch:
> ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz:
> No route to host => Attempting to fetch
> ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/sunpoet/pciids-20140301.tar.xz
> fetch: transfer timed out
>
'no route to host' suggests it might be trying to do ipv6
--
Allan Jude
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20140307/f698f69c/attachment.sig>
More information about the freebsd-current
mailing list