# pkg_add -r fails



## z662 (Jan 8, 2010)

Hello,

My current pf.conf is 


```
set skip on lo0
interface="vr0"
scrub in all
block in on $interface
pass in on $interface proto tcp from any to $interface port 2222
pass in on $interface proto tcp from any to $interface port 80
pass in on $interface proto tcp from any to $interface port 8080
pass out on $interface proto { tcp, udp, icmp } all
```

My question is, why can't I use pkg_add -r? (I must use pfctl -d before trying it)  From my understanding the above rules would allow all outgoing connections/established connections to receive traffic.  Am I wrong?


----------



## Beastie (Jan 8, 2010)

`# pkg_add -r` connects through FTP.


----------



## z662 (Jan 8, 2010)

Heh, how foolish of me.... Thanks for the reminder

P.S   I <3 your name


----------



## z662 (Jan 8, 2010)

On second thought, can you explain to me why the last line (pass out on all...) doesn't allow FTP incoming traffic since it would be considered an established connection at that point?  Am I overlooking something here? Thanks


----------



## crsd (Jan 8, 2010)

Paste output of `# pkg_add -v -r ...`. Are you using passive mode?


----------



## z662 (Jan 8, 2010)

Ok, I will have to wait a couple hours until I can get home. From my droid (ssh'd in) `pkg_add -r -v iostat > output.txt` shows everything on my console (I believe it's in passive mode since it says "entering passive mode"), but when I open up output.txt it does not contain the verbose messages for some reason. Of course this means I can't paste you anything; I was hoping to just open up output.txt in my browser and paste it that way....


----------



## crsd (Jan 8, 2010)

It must be printing verbose messages to stderr. Use:
`# pkg_add -vr iostat > output.txt 2 > &1` if using (ba)sh
`# pkg_add -vr iostat >& output.txt` if using (t)csh


----------



## z662 (Jan 8, 2010)

Thanks for the tip on redirecting output, although I had to use 2>&1 without the spaces.  Anyhow, my output is: 


```
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS 
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/i386/packages-8.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
binding data socket
>>> PORT 192,168,0,101,242,88
<<< 200 PORT command successful. Consider using PASV.
initiating transfer
>>> RETR lynx.tbz
<<< 425 Failed to establish connection.
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz' by URL
pkg_add: 1 package addition(s) failed
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz: Can't open data connection
```


This is why I am confused: if it can go out and do DNS lookups of servers and connect to anything I tell it to, why does it fail to open up connections to the FTP server without the firewall being disabled?


----------



## crsd (Jan 8, 2010)

Looks like you aren't using passive mode, after all. Try running `# export FTP_PASSIVE_MODE=yes` and run `pkg_add` again.


----------



## z662 (Jan 8, 2010)

Ok I will have to read about passive mode then to get an understanding of what's going on there.  Thank you.  Also, I can add the export line to my rc.conf or .bashrc right?


----------



## crsd (Jan 8, 2010)

Did it help?
I'm not sure about bash as I don't use it, but ~/.bashrc sounds correct.


----------



## honk (Jan 8, 2010)

The output you posted indicates that FTP in active mode is used, because your machine sends a PORT command to the server. This tells the server that it should initiate the data connection back to your server on port 62040. This second connection will then be blocked, at least by your pf ruleset. FTP in passive mode means that both connections (command channel and data channel) will be initiated from the client.

Verify that the following environment variable is set.

```
FTP_PASSIVE_MODE=YES
```

cheers,
honk

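To make the active/passive distinction above concrete, here is an added example (not from this thread or from pkg_add itself) that reads a `pkg_add -v` transcript, decodes the PORT or 227 line, and checks the data connection against a ruleset shaped like the original pf.conf (block in by default, pass in only on a few TCP ports, pass out everything). The sample transcripts are excerpts of the output posted in this thread; the `pass in` port list is the OP's.

```python
import re

# Active mode: the client announces its own address/port and the server
# connects back in. Passive mode: the server announces, the client connects out.
PORT_RE = re.compile(r">>> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"<<< 227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Transcript excerpts as posted in the thread (active attempt and a working passive run).
ACTIVE_LOG = """>>> TYPE I
<<< 200 Switching to Binary mode.
binding data socket
>>> PORT 192,168,0,101,242,88
<<< 200 PORT command successful. Consider using PASV.
>>> RETR lynx.tbz
<<< 425 Failed to establish connection."""

PASSIVE_LOG = """>>> TYPE I
<<< 200 Switching to Binary mode.
setting passive mode
>>> PASV
<<< 227 Entering Passive Mode (204,152,184,73,49,254).
>>> RETR lynx.tbz
<<< 150 Opening BINARY mode data connection for lynx.tbz (1722835 bytes)."""


def decode_hostport(fields):
    """FTP encodes h1,h2,h3,h4,p1,p2: dotted-quad host and port p1*256+p2."""
    host = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return host, port


def classify_data_connection(transcript):
    """Return the data-channel mode, endpoint and direction seen from the client."""
    for line in transcript.splitlines():
        m = PORT_RE.search(line)
        if m:
            host, port = decode_hostport(m.groups())
            return {"mode": "active", "host": host, "port": port, "direction": "inbound"}
        m = PASV_RE.search(line)
        if m:
            host, port = decode_hostport(m.groups())
            return {"mode": "passive", "host": host, "port": port, "direction": "outbound"}
    return None


def allowed_by_ruleset(info, pass_in_ports=(2222, 80, 8080)):
    """Model the OP's pf.conf: everything out is passed, inbound only on listed TCP ports."""
    if info["direction"] == "outbound":
        return True
    return info["port"] in pass_in_ports
```

Running `classify_data_connection` on the active excerpt yields the inbound 192.168.0.101:62040 that honk computed, which `allowed_by_ruleset` rejects, while the passive excerpt decodes to an outbound connection that the ruleset passes.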

----------



## z662 (Jan 8, 2010)

I see, that makes sense.  Thanks for the info.  I exported that variable and verified that it's loaded via 'env'. However I am still unable to dl packages ("Can't open data connection").  Not sure why; passive mode makes sense and appears to fix the problem per the man pages.


----------



## z662 (Jan 11, 2010)

Does anyone have any information on why FTP_PASSIVE_MODE would not fix my issue?  Perhaps my fw rules are wrong?


----------



## DutchDaemon (Jan 11, 2010)

Can you post another `pkg_add -vr <package>` with the FTP_PASSIVE_MODE variable set?


----------



## z662 (Jan 11, 2010)

Sure, here you go.


```
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS brad@mercury
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/i386/packages-8.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
binding data socket
>>> PORT 192,168,0,101,222,107
<<< 200 PORT command successful. Consider using PASV.
initiating transfer
>>> RETR lynx.tbz
<<< 425 Failed to establish connection.
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz' by URL
pkg_add: 1 package addition(s) failed
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/lynx.tbz: Can't open data connection
```

I see that it appears to not be using PASV (Passive mode) however I do not know why.  I added the variable to be exported per the .bashrc file and also verified that it was exported by using 'env'.


----------



## DutchDaemon (Jan 11, 2010)

Can you retry the 'pkg_add' after doing this in your (well, root's) bash shell (and staying in the shell)?

```
export FTP_PASSIVE_MODE=YES
```

If that works, put the above command in /etc/profile which will apply this setting system-wide for *sh* and *bash* shells (type `# echo $SHELL` in your root shell to see what you're actually using).

If the root shell is not *bash* but *csh*, put this in root's .cshrc:


```
setenv  FTP_PASSIVE_MODE  yes
```


----------



## z662 (Jan 11, 2010)

Yeah no problem, I have disabled root shell on my server so I will have to wait until I can get home and try that out.  I will post tonight without fail.  If that works, would you be able to explain to me why .bashrc is the wrong place for it?  I thought perhaps it wasn't suited for environment variables but I then remembered that I have CLICOLORS exported through .bashrc.   ...Just trying to learn more about what is going on here.  Thanks!


----------



## DutchDaemon (Jan 11, 2010)

From a bash standpoint, .bashrc and .profile are functionally equivalent (though .profile applies to _all_ Bourne-type shells, not just bash), but /etc/profile can be used to apply the same settings to every user's sh/bash shell in one go.

But, like I said: if the root shell is not ba(sh) but csh (the default), root's .cshrc or (system-wide) /etc/csh.cshrc is the place to make these settings using setenv.


----------



## z662 (Jan 11, 2010)

Ok, thanks for the explanation.  With that being said, should I expect it to work since it is 'functionally equivalent'?  If it does work.... well then I guess I should ask why .bashrc didn't work?

I don't remember what shell root uses, but I'll make sure I take care of it appropriately.  Thanks thus far


----------



## DutchDaemon (Jan 11, 2010)

I'm assuming you did the pkg_add commands as root, i.e. in the root shell? If so, and if it is bash, it will read root's .bashrc, root's .profile, and /etc/profile (in other words: not _your own_ .bashrc). The setting should be in one of those files. If it is _not_ bash at all, none of these files will be used.


----------



## z662 (Jan 11, 2010)

OHHHH that makes absolute sense!  I am POSITIVE that will fix this issue then tonight.  (Positive in caps because this has happened to me before, not the same issue but a similar one regarding sudo.)  I guess my problem boils down to a lack of knowledge on sudo.  I have just read the man page but I still do not entirely understand when this type of thing will happen, i.e. sudo is used to elevate privileges yet it seems that sometimes it also assumes ownership of the command and not so in other cases.  If you have any additional info, please share.  And a big thanks for pointing out what I should have already known.


----------



## z662 (Jan 11, 2010)

Perhaps my question could have been answered by taking a closer look at the man page:

```
sudo utilizes the following environment variables: EDITOR, HOME, PATH, SHELL, SUDO_PROMPT, SUDO_COMMAND, SUDO_USER, SUDO_UID, SUDO_GID, SUDO_PS1, USER, VISUAL.
```

I guess any command that deals with / relies on one of the following.  If this is not true, please correct/edit my post.


----------



## z662 (Jan 11, 2010)

Well, unfortunately I am still unable to use pkg_add -r.  I enabled root shell, then opened up root's .bashrc to find that FTP_PASSIVE_MODE was already set to yes.  The env. variable was also set.  I double checked that mine and root's env. variables are both set to enable FTP passive mode as well as being set in the .bashrc files.  I am not sure what is going on....  I will provide any output that may be needed.


----------



## DutchDaemon (Jan 12, 2010)

Well, I don't know. Compare this output to yours, I guess.


```
# env
SHELL=/usr/local/bin/bash
TERM=xterm
USER=toor
PAGER=less
FTP_PASSIVE_MODE=YES
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
MAIL=/var/mail/root
BLOCKSIZE=K
PWD=/root
EDITOR=vi
SHLVL=1
HOME=/root
_=/usr/bin/env
```


```
# pkg_add -v -r lynx
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/amd64/packages-8.0-release/Latest/lynx.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS #
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/amd64/packages-8.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
setting passive mode
>>> PASV
<<< 227 Entering Passive Mode (204,152,184,73,49,254).
opening data connection
initiating transfer
>>> RETR lynx.tbz
<<< 150 Opening BINARY mode data connection for lynx.tbz (1722835 bytes).
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.0-release/Latest/lynx.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +DISPLAY
(etcetera)
```


----------



## SIFE (Jan 12, 2010)

FTP uses two ports: one for communication, 21, and the other for data transfer, which it chooses randomly, and all ports under 1023 require root access, so you must make it above 1023 as written in the second rule.

```
# pass in ftp traffic
pass in on $interface proto tcp from any to $interface port 21
# pass out ftp traffic
pass out on $interface inet proto tcp from any to any port > 1023
```


----------



## z662 (Jan 13, 2010)

```
pass out on $interface proto { tcp, udp, icmp } all
```

is my rule; that should take care of the FTP traffic. The issue seems to be pkg_add not switching to passive mode properly.

I checked and double checked my env and pkg_add -r output.... everything is the same other than the part about PASV mode, of course.  My output is the same as it was the first time I posted it (hence why I didn't repost it) and my env shows passive mode enabled for both myself and root..... I have absolutely no idea why it refuses to work.  Thanks for everyone's help though; I think I am just gonna let this one go, however if anyone has any other suggestions I would be happy to try.


----------



## SIFE (Jan 14, 2010)

```
pass out on $interface inet proto tcp from any to any port > 1023
```

This rule applies to IPv4 only; don't forget that FTP chooses a random port to do the transfer.


----------

