Is there an alternative to ftp fetching of ports?

R

razixx

Hi guys, this is my situation. I've got a vm setup out on the web and I am using PF as my firewall.

Currently I have a ruleset to allow outgoing ftp connections from tcp port >1023.

FTP-Proxy doesn't seem to be an option here and I don't really like the idea of opening all of those ports just for one silly outdated protocol in order to keep my system up to date.

1. Is there an alternative way I can set up ports to fetch through say, sftp?

2. On a production server with a public IP, would you be wary of opening all of those out ports just for ftp?

(Just in case I'm being too paranoid, if the answer is yes, I'll drop it and continue using ftp with all of those open ports.)
 
Remote pkg_add(1)() and ports system both use fetch(1)(), which is compatible with HTTP and FTP protocols. Ports have fixed URL's defined by combination of MASTER_SITES variable inside Makefile (defining directory URL), and entries inside distinfo containing filenames. So ports have fixed URLs, if you want to switch protocols you need to provide a new URL.

With packages, one can simply define a new PACKAGESITE environment variable with a new URL. Here is an example of using HTTP protocol;

# PACKAGESITE=http://ftp.ru.freebsd.org/FreeBSD/ports/amd64/packages-9-stable/Latest/ pkg_add -rv snes9x

If you'd like to limit passive FTP and HTTP outgoing port ranges, check net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctl's. ip(4)().
 
Thanks Zare, this definitely gives me a place to start looking. I didn't know that about MASTER_SITES variable or the portrange sysctl's. I should be able to figure it out from here.
 
You must log in or register to reply here.
Back
Top