# Is there an alternative to ftp fetching of ports?



## razixx (Apr 4, 2012)

Hi guys, this is my situation.  I've got a vm setup out on the web and I am using PF as my firewall.  

Currently I have a ruleset to allow outgoing ftp connections from tcp port >1023.

FTP-Proxy doesn't seem to be an option here and I don't really like the idea of opening all of those ports just for one silly outdated protocol in order to keep my system up to date.

1.  Is there an alternative way I can set up ports to fetch through say, sftp?

2.  On a production server with a public IP, would you be wary of opening all of those out ports just for ftp?

(Just in case I'm being too paranoid, if the answer is yes, I'll drop it and continue using ftp with all of those open ports.)


----------



## Zare (Apr 4, 2012)

Remote pkg_add(1)() and ports system both use fetch(1)(), which is compatible with HTTP and FTP protocols. Ports have fixed URL's defined by combination of MASTER_SITES variable inside Makefile (defining directory URL), and entries inside distinfo containing filenames. So ports have fixed URLs, if you want to switch protocols you need to provide a new URL.

With packages, one can simply define a new PACKAGESITE environment variable with a new URL. Here is an example of using HTTP protocol;

`# PACKAGESITE=http://ftp.ru.freebsd.org/FreeBSD/ports/amd64/packages-9-stable/Latest/ pkg_add -rv snes9x`

If you'd like to limit passive FTP and HTTP outgoing port ranges, check _net.inet.ip.portrange.hifirst_ and _net.inet.ip.portrange.hilast_ sysctl's. ip(4)().


----------



## razixx (Apr 4, 2012)

Thanks Zare, this defin*i*tely gives me a place to start looking.  I didn't know that about MASTER_SITES variable or the portrange sysctl's.  I should be able to figure it out from here.


----------

