Newbie - cannot upgrade packages from FTP sites
kbsd
kimlor at shaw.ca
Wed Sep 26 21:53:48 PDT 2007
I am new to FreeBSD 6.2 and am having problems upgrading packages from FTP
sites. Ports build fine from http but I prefer to use packages if possible.
I have not found any clear information on setting up PF rules for FTP with
only one interface.
Please check my rules and tell me if I am missing something.
Thanks
Example of upgrade failure:
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 491 packages found (-0 +1) . done]
---> Checking for the latest package of 'audio/libmtp'
---> Fetching the package(s) for 'libmtp-0.2.1' (audio/libmtp)
---> Fetching libmtp-0.2.1
fetch: ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tbz: Operation not permitted
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tbz
fetch: ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tgz: Operation not permitted
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://packageftp.desktopbsd.net/pub/FreeBSD/ports/i386/packages-6-stable/All/libmtp-0.2.1.tgz
** Failed to fetch libmtp-0.2.1
** Listing the failed packages (*:skipped / !:failed)
! libmtp-0.2.1 (fetch error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
** Could not find the latest version (0.2.1)
---> Using the port instead of a package
These are my filter rules:
ext_if = "sis0"
# Macros
tcp_pass = "{ 53, 80, 25, 110, 123, 443, 631, 20, 21, 8080 }"
udp_pass = "{ 53, 110, 443, 631, 20, 21, 8080 }"
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# antispoof
antispoof for $ext_if
# firewall default block all
block all
pass quick on lo0 all
# tcp
pass in on $ext_if inet proto tcp from any to $ext_if port 20 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port 21 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
pass out on $ext_if inet proto tcp to any port $tcp_pass flags S/SA keep state
# udp
pass in on $ext_if inet proto udp from any to $ext_if port 20 keep state
pass in on $ext_if inet proto udp from any to $ext_if port 21 keep state
pass out on $ext_if inet proto udp to any port $udp_pass keep state
# end rules
--
View this message in context: http://www.nabble.com/Newbie---cannot-upgrade-packages-from-FTP-sites-tf4526399.html#a12914823
Sent from the freebsd-pf mailing list archive at Nabble.com.
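
An added example, not part of the original post: a simplified Python model of pf's last-match evaluation applied to the filter rules above, showing which connection-opening packets of an FTP session they pass or block. The sample port numbers are constructed, and scrub, antispoof, the lo0 rule and state tracking are not modelled.

```python
# Added illustration: a simplified model of the posted pf filter rules.
# pf checks every rule and the LAST match decides; with no match the packet passes.
# Only connection-opening packets on sis0 are modelled ("keep state" covers replies);
# scrub, antispoof and the lo0 "quick" rule are left out.
TCP_PASS = {53, 80, 25, 110, 123, 443, 631, 20, 21, 8080}
UDP_PASS = {53, 110, 443, 631, 20, 21, 8080}

# (action, direction, protocol, destination-port test); None matches anything.
RULES = [
    ("block", None, None, lambda port: True),              # block all
    ("pass", "in", "tcp", lambda port: port == 20),
    ("pass", "in", "tcp", lambda port: port == 21),
    ("pass", "in", "tcp", lambda port: port > 49151),
    ("pass", "out", "tcp", lambda port: port in TCP_PASS),
    ("pass", "in", "udp", lambda port: port == 20),
    ("pass", "in", "udp", lambda port: port == 21),
    ("pass", "out", "udp", lambda port: port in UDP_PASS),
]

def verdict(direction, proto, dport):
    """Return 'pass' or 'block' for one packet, using last-match-wins."""
    result = "pass"  # pf's implicit default when nothing matches
    for action, rule_dir, rule_proto, port_ok in RULES:
        if rule_dir in (None, direction) and rule_proto in (None, proto) and port_ok(dport):
            result = action
    return result

# Constructed sample flows for an FTP client on this host (port numbers are made up).
FLOWS = {
    "control: client -> server:21": ("out", "tcp", 21),
    "passive data: client -> server:50123": ("out", "tcp", 50123),
    "active data: server:20 -> client:40000": ("in", "tcp", 40000),
    "active data: server:20 -> client:50000": ("in", "tcp", 50000),
    "http: client -> server:80": ("out", "tcp", 80),
}

def check_flows():
    """Evaluate every sample flow and return {description: verdict}."""
    return {name: verdict(*flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, result in check_flows().items():
        print(f"{result:5}  {name}")
```

In this model the control connection and HTTP pass, while a passive-mode data connection to a server-chosen high port and an active-mode data connection to a client port at or below 49151 match only "block all".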