Cannot fetch some distfiles with PF enabled - Operation not permitted

I recently set up Poudriere on my small web server and all is going relatively fine, except that certain distfiles fail to download when PF is enabled.

One of the many packages that failed this time round is lang/ruby19; if I try to fetch manually I get the following:

Code:
$ sudo make fetch
=> ruby-1.9.3-p448.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/ruby.
=> Attempting to fetch ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p448.tar.bz2
looking up ftp.ruby-lang.org
connecting to ftp.ruby-lang.org:21
setting passive mode
opening data connection
fetch: ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p448.tar.bz2: Operation not permitted
=> Attempting to fetch ftp://ftp.SpringDaemons.com/pub/ruby/ruby/1.9/ruby-1.9.3-p448.tar.bz2
looking up ftp.SpringDaemons.com
connecting to ftp.SpringDaemons.com:21
setting passive mode
opening data connection
fetch: ftp://ftp.SpringDaemons.com/pub/ruby/ruby/1.9/ruby-1.9.3-p448.tar.bz2: Operation not permitted

+ and so on.

I get the same 'Operation not permitted' error if I try to fetch with curl as well.

As soon as I disable PF I can fetch no problem, so there is clearly an issue with my PF configuration. My configuration can be seen in this gist.

I already have
Code:
FETCH_BEFORE_ARGS=-pv
in my /etc/make.conf.

I know I'm making a simple noob mistake here but I cannot pin this down or find any similar issues searching around.
 
You're only allowing out ftp. In passive mode, you need to allow the negotiated outbound port to do the actual transfer (that is the port used when 'opening data connection'). It's usually advisable to allow outbound ports over 42195 (off the top of my head). You should always turn on pflog on such a restrictive firewall, switch logging on for block rules, and run tcpdump on pflog0. That would have brought this to light immediately.
 
Thanks for this, seems this issue is more common than I'd thought. After some more reading on FTP passive mode I've added the following rules to my pf.conf and things seem to be working now on my initial testing:

Code:
# Incoming active ftp-data (tcp port 20)
pass out quick on $ext_if inet proto tcp from any to any port >= 1024

# Allow passive FTP traffic in
pass in on $ext_if proto tcp from any to any port { ftp, 49152:65535 }

It seems a shame that I've had to open this up so much but at least it is working.

Thanks again for the pointers, much appreciated.

PS ftp-proxy looked promising but I could not use it on this VPS.
 
Just in case anyone comes across this and wonders, the comment on the first rule is wrong; it was from a previous rule I'd been trying.
 
The second rule is not correct. Passive FTP means that you make all the outbound connections yourself. The reason it is now working is that the first rule allows everything over port 1024 out. Which is a bit much.

All you need for passive FTP to work is to allow FTP out, and port 42195 and up out. No incoming ports need be open.
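To make the two pieces of advice in this thread concrete (log your block rules and watch pflog0; allow only the FTP control port and the high outbound data ports), here is a pf.conf fragment written as an added example. It is not code from any poster's gist. The interface name, the `block log all` default and the 49152:65535 range are assumptions: the range is the IANA dynamic range that the original poster's own second rule used, and most FTP servers hand out a port from it in their PASV reply; if a mirror uses a lower range, the blocked SYN will show up on pflog0 and the range can be widened accordingly.

```pf
# Added example, not from the thread. Assumes $ext_if is the external
# interface of the VPS (name below is a placeholder).
ext_if = "vtnet0"

# Log every block so a dropped data-channel SYN is visible on pflog0.
# On a restrictive ruleset this turns "Operation not permitted" from a
# mystery into one tcpdump line.
block log all

# FTP control channel: the client connects out to port 21. pf keeps state
# by default, so the server's replies on this connection come back in
# without any explicit "pass in" rule.
pass out quick on $ext_if inet proto tcp to any port ftp

# Passive FTP data channel: the client connects OUT to the port the server
# announced in its PASV reply. Nothing needs to be opened inbound, because
# this host initiates the connection; state handles the return traffic.
pass out quick on $ext_if inet proto tcp to any port 49152:65535

# Other outbound protocols fetch(1) needs for distfiles and mirrors.
pass out quick on $ext_if inet proto tcp to any port { http, https }
pass out quick on $ext_if inet proto udp to any port domain
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then run `tcpdump -n -e -ttt -i pflog0` in a second terminal while repeating `make fetch`: a passive transfer that hangs at "opening data connection" will appear there as a blocked outbound SYN to the high port the server chose, which tells you exactly which range the rule above still needs to cover.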
 