Portmaster permission denied after running pkg autoremove

After I ran pkg autoremove to temporarily free up some space, updating with portmaster -a gives me permission denied (I also emptied /usr/ports/distfiles).

If I download the ports manually into /usr/ports/distfiles, everything works.
I have no idea what's wrong.

Example:

Code:
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/help2man-1.49.3.tar.xz
fetch: http://distcache.FreeBSD.org/ports-distfiles/help2man-1.49.3.tar.xz: Permission denied
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles// and try again.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/misc/help2man
*** Error code 1

Stop.
make: stopped in /usr/ports/misc/help2man

===>>> make build failed for misc/help2man
===>>> Aborting update

===>>> Update for misc/help2man failed
===>>> Aborting update

===>>> Update for print/texinfo failed
===>>> Aborting update

===>>> Update for security/gnutls failed
===>>> Aborting update

===>>> The following actions were performed:
        Installation of devel/p5-Locale-gettext (p5-Locale-gettext-1.07)

===>>> You can restart from the point of failure with this command line:
       portmaster <flags> ...

This command has been saved to ~/portmasterfail.txt
 
Then I don't know what's causing this, maybe there's something wrong with the fetch command?
Now I see that I can't even run "gitup ports" (no route to host) nor "fetch" manually (permission denied), even to other directories :-/

Everything else seems to be working, like Apache etc...
 
What are the permissions? And are you running portmaster(8) as root?

ls -adl /usr/ports/distfiles /usr/ports/distfiles/help2man-1.49.3.tar.xz
 
The problem seems to be related to security/fail2ban, I'm not sure why, as far as I know, outbound traffic should be allowed in pf.
If I issue a service fail2ban stop, everything is working from inside to the outside world :-/
 
Ran fail2ban-client reload and everything is back to normal. This was the first time; I never had any issues like this before, in a year, at least.
 
Here is the current pf config:

Code:
ext_if="vmx0"
me="123.123.123.123"
good_tcp_ports="{44234,443,80,8080,8443}"

### REASSEMBLE FRAGMENTED PACKETS
scrub in on $ext_if all fragment reassemble

set skip on lo0

### RESET ALL RULES
block in all
block out all

### BLOCK SPOOKS
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### SSH GUARD
table <sshguard> persist
block in quick from <sshguard>

### BLOCK ALL IPV6
block in quick inet6 all
block out quick inet6 all

### BLOCK IN AND OUT ON PORT 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### BANNED IP ADDRESSES - USING SSH GUARD INSTEAD
table <blockedips> persist file "/usr/local/etc/pf.blacklist"
block drop in log (all) quick on $ext_if from <blockedips> to any

### OPEN TCP SERVER SERVICES
pass in quick on $ext_if inet proto tcp from any to $me port $good_tcp_ports

### Fail2ban
anchor "f2b/*"

### RUN ALL RULES
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $me to any modulate state
 
Can you look up the IP address of the distcache.FreeBSD.org mirror with host distcache.FreeBSD.org and then check if the IP address or subnet is not blocked in the f2b table using pfctl -t fail2ban -T show?

Also check the log file /var/log/fail2ban.log

Then try manually to fetch the file to see if you are able to connect and download it, let's say in your home directory.
fetch http://distcache.FreeBSD.org/ports-distfiles/help2man-1.49.3.tar.xz

The error of "Permission denied" could be because you don't have write access to the destination download folder. This may happen if you are not running portmaster as root.
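
The table check suggested above, as an added example that is not part of the thread: pf tables are scoped to the anchor that defines them, so this script tests an address against every table in the main ruleset and in each loaded anchor (such as the ones under `f2b/*`). The function names and the `PFCTL` override variable are this example's own; it needs root and the real pfctl(8) and host(1).

```shell
#!/bin/sh
# Added example: report every pf table, in the main ruleset or in any
# anchor, that contains a given IPv4 address.
# PFCTL is an assumption of this example: it lets the command be swapped
# out (for instance by a stub); by default the real pfctl(8) is used.
PFCTL="${PFCTL:-pfctl}"

# Print "<anchor> <table>" for each table that matches address $1.
# The main ruleset is reported as anchor "-".
pf_tables_matching() {
    ip="$1"
    # -v makes "-sA" list nested anchors recursively; strip the indent.
    anchors=$( $PFCTL -v -sA 2>/dev/null | sed 's/^[[:space:]]*//' )
    for anchor in "" $anchors; do
        if [ -n "$anchor" ]; then
            tables=$( $PFCTL -a "$anchor" -sT 2>/dev/null )
        else
            tables=$( $PFCTL -sT 2>/dev/null )
        fi
        for table in $tables; do
            # "-T test" exits non-zero when the address is not in the table.
            if [ -n "$anchor" ]; then
                $PFCTL -a "$anchor" -t "$table" -T test "$ip" \
                    >/dev/null 2>&1 || continue
            else
                $PFCTL -t "$table" -T test "$ip" >/dev/null 2>&1 || continue
            fi
            echo "${anchor:--} $table"
        done
    done
}

# Resolve a hostname to its A records with host(1) and check each address.
# Output lines are "<address> <anchor> <table>".
pf_check_host() {
    for addr in $(host -t A "$1" | awk '/has address/ { print $NF }'); do
        pf_tables_matching "$addr" | sed "s|^|$addr |"
    done
}

# Usage: sh pf-check.sh distcache.FreeBSD.org
if [ $# -gt 0 ]; then
    pf_check_host "$1"
fi
```

No output means none of the resolved addresses is in any loaded table, which points the search at the rules themselves rather than at a ban entry.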
 
No I can't find that IP address, nor mine, in PF or fail2ban.
This is super strange, I need to disable fail2ban completely for now, as I have no idea at all what's causing this.

This is what I have on top of fail2ban's jail.local:

Code:
# Default for all filters
[DEFAULT]
banaction = pf[actiontype=<allports>]
maxretry  = 2
bantime   = 24h
findtime  = 30m
ignoreip  = 79.132.0.0/16 127.0.0.1

I always su before running gitup or portmaster etc.

Note that I have not made any changes, I had some minor problem moving to latest Perl (using info in UPDATING).
That's all, I think.

It also blocks the eu mirror (all of them)
 
If you comment out the anchor "f2b/*" line in your pf.conf and reload pf, does it work? This basically will disable the fail2ban table.
 
Tested, yes, everything works when commenting out f2b/* from pf.conf.

For some reason, these two lines in pf.conf were not commented out, and this caused the problem.
The file pf.blacklist is even empty, to add more to the mystery :oops:

Anyway, thank you all, everything works now and fail2ban is banning again :beer:

Code:
### BANNED IP ADDRESSES - REM - USING SSH GUARD INSTEAD ###
### Rem 2024-07-03 as these lines stop fail2ban from working from the inside. ###
#table <blockedips> persist file "/usr/local/etc/pf.blacklist"
#block drop in log (all) quick on $ext_if from <blockedips> to any
 
You can check what's inside the /usr/local/etc/pf.blacklist and remove the subnet or IP address of the host distcache.FreeBSD.org.
 