pkg_add -r fails

Hello,

My current pf.conf is

Code:
set skip on lo0
interface="vr0"
scrub in all
block in on $interface
pass in on $interface proto tcp from any to $interface port 2222
pass in on $interface proto tcp from any to $interface port 80
pass in on $interface proto tcp from any to $interface port 8080
pass out on $interface proto { tcp, udp, icmp } all

My question is, why can't I use pkg_add -r? (I must use pfctl -d before trying it) From my understanding the above rules would allow all outgoing connections/established connections to receive traffic. Am I wrong?
 
Heh, how foolish of me.... Thanks for the reminder

P.S I <3 your name
 
On second thought, can you explain to me why the last line (pass out on all...) doesn't allow ftp incoming traffic since it would be considered an established connection at that point? Am I overlooking something here? Thanks
 
Ok, I will have to wait a couple hours until I can get home. From my droid (ssh'd in) pkg_add -r -v iostat > output.txt shows everything on my console (I believe it's in passive mode since it says "entering passive mode") but when I open up output.txt it does not contain the verbose messages for some reason. Of course this means I can't paste you anything, I was hoping to just open up output.txt in my browser and paste it that way....
 
It must be printing verbose message to stderr. Use:
# pkg_add -vr iostat > output.txt 2 > &1 if using (ba)sh
# pkg_add -vr iostat >& output.txt if using (t)csh
 
Thanks for the tip on redirecting output, although I had to use 2>&1 without the spaces. Anyhow, my output is:

Code:
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS 
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/i386/packages-8.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
binding data socket
>>> PORT 192,168,0,101,242,88
<<< 200 PORT command successful. Consider using PASV.
initiating transfer
>>> RETR lynx.tbz
<<< 425 Failed to establish connection.
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz' by URL
pkg_add: 1 package addition(s) failed
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz: Can't open data connection


This is why I am confused: if it can go out and do dns lookups of servers and connect to anything I tell it to, why does it fail to open up connections to the ftp server without the fw being disabled?
 
Looks like you aren't using passive mode, after all. Try running # export FTP_PASSIVE_MODE=yes and run pkg_add again.
 
Ok I will have to read about passive mode then to get an understanding of what's going on there. Thank you. Also, I can add the export line to my rc.conf or .bashrc right?
 
The output you posted indicates that ftp in active mode is used, because your machine sends a PORT command to the server. This tells the server that it should initiate the data connection back to your server on port 62040. This second connection will then be blocked, at least by your pf ruleset. FTP in passive mode means that both connections (command channel and data channel) will be initiated from the client.

Verify that the following environment variable is set.
Code:
FTP_PASSIVE_MODE=YES

cheers,
honk
 
I see, that makes sense. Thanks for the info. I exported that variable and verified that it's loaded via 'env'. However I am still unable to dl packages: "Can't open data connection". Not sure why, passive mode makes sense and appears to fix the problem per the man pages.
 
Does anyone have any information on why FTP_PASSIVE_MODE would not fix my issue? Perhaps my fw rules are wrong?
 
Can you post another pkg_add -vr <package> with the FTP_PASSIVE_MODE variable set?
 
Sure, here you go.

Code:
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS brad@mercury
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/i386/packages-8.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
binding data socket
>>> PORT 192,168,0,101,222,107
<<< 200 PORT command successful. Consider using PASV.
initiating transfer
>>> RETR lynx.tbz
<<< 425 Failed to establish connection.
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz' by URL
pkg_add: 1 package addition(s) failed
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz: Can't open data connection

I see that it appears to not be using PASV (Passive mode) however I do not know why. I added the variable to be exported per the .bashrc file and also verified that it was exported by using 'env'.
 
Can you retry the 'pkg_add' after doing this in your (well, root's) bash shell (and staying in the shell)?

export FTP_PASSIVE_MODE=YES

If that works, put the above command in /etc/profile which will apply this setting system-wide for sh and bash shells (type # echo $SHELL in your root shell to see what you're actually using).

If the root shell is not bash but csh, put this in root's .cshrc:

Code:
setenv  FTP_PASSIVE_MODE  yes
 
Yeah no problem, I have disabled root shell on my server so I will have to wait until I can get home and try that out. I will post tonight without fail. If that works, would you be able to explain to me why .bashrc is the wrong place for it? I thought perhaps it wasn't suited for environment variables but I then remembered that I have CLICOLORS exported through .bashrc. ...Just trying to learn more about what is going on here. Thanks!
 
From a bash standpoint, .bashrc and .profile are functionally equivalent (though .profile applies to all Bourne-type shells, not just bash), but /etc/profile can be used to apply the same settings to every user's sh/bash shell in one go.

But, like I said: if the root shell is not ba(sh) but csh (the default), root's .cshrc or (system-wide) /etc/csh.cshrc is the place to make these settings using setenv.
 
Ok, thanks for the explanation. With that being said, should I expect it to work since it is 'functionally equivalent'? If it does work.... well then I guess I should ask why .bashrc didn't work?

I don't remember what shell root uses, but I'll make sure I take care of it appropriately. Thanks thus far
 
I'm assuming you did the pkg_add commands as root, i.e. in the root shell? If so, and if it is bash, it will read root's .bashrc, root's .profile, and /etc/profile (in other words: not your own .bashrc). The setting should be in one of those files. If it is not bash at all, none of these files will be used.
 
OHHHH that makes absolute sense! I am POSITIVE that will fix this issue then tonight. (Positive in caps because this has happened to me before, not the same issue but a similar one regarding sudo.) I guess my problem boils down to a lack of knowledge on sudo. I have just read the man page but I still do not entirely understand when this type of thing will happen, i.e. sudo is used to elevate privileges yet it seems that sometimes it also assumes ownership of the command and not so in other cases. If you have any additional info, please share. And a big thanks for pointing out what I should have already known.
 
Perhaps my question could have been answered by taking a closer look at the man page:
Code:
sudo utilizes the following environment variables: EDITOR, HOME, PATH, SHELL, SUDO_PROMPT, SUDO_COMMAND, SUDO_USER, SUDO_UID, SUDO_GID, SUDO_PS1, USER, VISUAL.
I guess any command that deals with / relies on one of the following. If this is not true, please correct/edit my post.
 
Well, unfortunately I am still unable to use pkg_add -r. I enabled root shell, then opened up root's .bashrc to find that FTP_PASSIVE_MODE was already set to yes. The env. variable was also set. I double checked that mine and roots env. variables are both set to enable ftp passive mode as well as being set in the .bashrc files. I am not sure what is going on.... I will provide any output that may be needed.
 
Well, I don't know. Compare this output to yours, I guess.

Code:
# env
SHELL=/usr/local/bin/bash
TERM=xterm
USER=toor
PAGER=less
FTP_PASSIVE_MODE=YES
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
MAIL=/var/mail/root
BLOCKSIZE=K
PWD=/root
EDITOR=vi
SHLVL=1
HOME=/root
_=/usr/bin/env

Code:
# pkg_add -v -r lynx
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/amd64/packages-8.0-release/Latest/lynx.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS #
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/amd64/packages-8.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
setting passive mode
>>> PASV
<<< 227 Entering Passive Mode (204,152,184,73,49,254).
opening data connection
initiating transfer
>>> RETR lynx.tbz
<<< 150 Opening BINARY mode data connection for lynx.tbz (1722835 bytes).
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.0-release/Latest/lynx.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +DISPLAY
(etcetera)
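As an added illustration (not code from any post in this thread), the following Python decodes the data-channel endpoint from the PORT and PASV lines of pkg_add -v transcripts like the ones above and applies the original poster's pf rules to that second connection; the two log excerpts are constructed from the thread's output, and the rule model is an assumption that only the listed inbound TCP ports pass.

```python
import re

# Constructed excerpts modelled on the verbose pkg_add transcripts in this thread.
ACTIVE_LOG = """\
>>> TYPE I
<<< 200 Switching to Binary mode.
binding data socket
>>> PORT 192,168,0,101,242,88
<<< 200 PORT command successful. Consider using PASV.
>>> RETR lynx.tbz
<<< 425 Failed to establish connection.
"""

PASSIVE_LOG = """\
>>> TYPE I
<<< 200 Switching to Binary mode.
>>> PASV
<<< 227 Entering Passive Mode (204,152,184,73,49,254).
>>> RETR lynx.tbz
<<< 150 Opening BINARY mode data connection for lynx.tbz (1722835 bytes).
"""

# Inbound TCP ports the poster's pf.conf passes on $interface (assumed model of
# the ruleset): everything else inbound hits "block in", everything outbound passes.
PF_PASS_IN_TCP = {2222, 80, 8080}

TUPLE = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"

def decode_hostport(h1, h2, h3, h4, p1, p2):
    """FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def data_connection(log):
    """Return (mode, host, port) for the data channel the client negotiated."""
    for line in log.splitlines():
        m = re.match(r">>> PORT " + TUPLE, line)
        if m:  # active: the *server* opens a new inbound connection to host:port
            return ("active",) + decode_hostport(*m.groups())
        m = re.match(r"<<< 227 .*\(" + TUPLE + r"\)", line)
        if m:  # passive: the *client* opens an outbound connection to host:port
            return ("passive",) + decode_hostport(*m.groups())
    raise ValueError("no PORT or PASV exchange found")

def pf_verdict(mode, port, pass_in_tcp=PF_PASS_IN_TCP):
    """Active data connections arrive inbound with no existing state, so only a
    listed port passes; passive ones match 'pass out' and keep state."""
    if mode == "active":
        return "pass" if port in pass_in_tcp else "block"
    return "pass"
```

Running both transcripts through it shows the PORT line above asking the server to connect back to 192.168.0.101:62040, which the ruleset blocks, while the PASV exchange yields an outbound connection to 204.152.184.73:12798, which passes.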
 