Portmaster and port filtering

[jdn06]

I would like to enhance my server's security by cleaning up PF's rules which don't seem precise enough. But I have a problem with a rule I added to make Portmaster work:

pass out on $interface proto tcp from $localnet to any port > 1023

If I erase it, I have an error with fetch when using portmaster:

fetch: ftp://ftp.FreeeBSD.org/pub/FreeBSD/Ports/distfiles/...: Operation not permitted
=> Couldn't fetch it - please try to retrieve this

On my side, I am not using any FTP on my server. So, is there a way:

• not to use FTP when fetching a distfile for portmaster?
• or to force FTP fetch to use a precise port, to close most of this big hole in my firewall? (But something else than the pain of an FTP proxy with anchors configuration.) I saw for example a fetch -U option in the man page, but I don't know how to set it in a configuration file or in an environment variable.

I use FreeBSD 9.1 with old style packages, but everything is built locally with Portmaster.

As the solution I would prefer is on the Portmaster side, I put this in the Ports & Packages topics.

 

[kpa]

Passive mode FTP uses a secondary connection to a random unprivileged > 1023 TCP port for transferring the data. I'm not aware of any fetch(1) replacement that would both allow you to force active mode FTP and specify the listening port(s) for the active mode data connection. The fetch(1) command that comes with the system can do the first but not the second so just forcing active mode FTP not suitable solution for a system with a strict firewall.