# freebsd-update and portsnap, which ports do I have to open?



## bryn1u (Apr 26, 2014)

Hi,

I have FreeBSD 10 with PF and two jails. I blocked the possibility to download updates with freebsd-update. Which ports should I open to get the possibility to download updates?

Greetings,


----------



## SirDice (Apr 26, 2014)

*Re: freebsd-update and portsnap, which ports do I have to op*

Updates are fetched over HTTP. So you need to allow outgoing connections to port 80.


----------



## bryn1u (Apr 30, 2014)

*Re: freebsd-update and portsnap, which ports do I have to op*

I don't know what I'm doing wrong. I can't use freebsd-update and portsnap until I turn off the firewall:

My rules:

```
###############################################
##### Packet Filter Firewall & NAT & JAIL #####
##### FreeBSD 10 - RELEASE		  #####
###############################################

###### Interfaces ######

ExtIf ="em0"
lo0 ="lo0"
IntIf ="lo1"

###### IP - Settings ######
### IP public ###
 public="37.187.x.x"

### Jail nr 1 - called Oksymoron ###
 oksymoron_jail="192.168.0.1"

### Jail nr 2 - called Mysql ###
 mysql_jail="192.168.0.2"

### Net inside jails environment ###
 net_jail="192.168.0.0/24"

### Martians for antispoof RC ###
 martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### Oksymoron jails ports
 oksymoron_tcp="{ 80,443,31337,10000 }"

### Queues, States and Types ###
 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Stateful Tracking Options (STO) ###
 OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
 SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
 SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
 WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
 table <BLOCKTEMP> counters
 table <BLOCKPERM> counters file "/etc/block_permanent"
 table <spamd-white>

################ Options ######################################################
### Misc Options ###
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options ###
 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QOS) since it is not supported by the myricom 10gig
# mxge0 interface drivers and we would lose as much as 10% bandwidth anyways.
# for more information: https://calomel.org/pf_hfsc.html

################ Normalization ##################################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput ###
 
 scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
 scrub in  log on $ExtIf all min-ttl 15 fragment reassemble

 nat pass on em0 from $oksymoron_jail to any -> $public
 nat pass on em0 from $mysql_jail to any -> $public 

 rdr pass on em0 proto tcp from any to $public port $oksymoron_tcp -> $oksymoron_jail
 rdr pass on em0 proto tcp from any to $public port 3306 -> $mysql_jail

### $ExtIf block abusive hosts in temp and perm tables ###
 
 block drop in  log quick on $ExtIf           from <BLOCKPERM> to any
 block drop in  log quick on $ExtIf proto udp from <BLOCKTEMP> to any
 block drop in  log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh

### $ExtIf default block with drop ###
 
 block drop in log on $ExtIf
 
### $IntIf default block with return (TCP reset) ###

 block return in log on $IntIf inet

 pass in on em0 proto tcp from any to any port 22 $TcpState $SshSTO
 pass out on em0 proto tcp from any to any port 80  # (should work but it doesn't)
```

`# ifconfig`

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:22:4d:a9:c3:ae
        inet 37.187.97.151 netmask 0xffffff00 broadcast 37.187.97.255
        inet6 fe80::222:4dff:fea9:c3ae%em0 prefixlen 64 scopeid 0x1
        inet6 2001:41d0:a:2197::1 prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.0.1 netmask 0xffffffff
        inet 192.168.0.2 netmask 0xffffffff
        inet 192.168.0.3 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
```


----------



## junovitch@ (May 9, 2014)

*Re: freebsd-update and portsnap, which ports do I have to op*

What does `host update.FreeBSD.org` say?  With a ruleset that tight you aren't even allowing DNS requests out.  If you don't get anything from the host command then you need a rule for outbound DNS.


----------
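Putting SirDice's answer (HTTP out to port 80) and junovitch's (DNS out first) together, here is an added pf.conf fragment that is not from any poster in this thread. It assumes the macros from the posted ruleset (`$ExtIf`, `$TcpState`) and is meant to replace the last `pass out` line above; the pf(4) in FreeBSD 10 keeps state on `pass` rules by default, but an implicit pass (no matching rule, which is what outbound UDP 53 gets in the posted ruleset) creates no state, so the DNS reply is dropped by `block drop in log on $ExtIf` and every fetch fails at the name lookup.

```pf
### Outbound traffic needed by freebsd-update(8) and portsnap(8) ###
# Added example, not part of the original thread. Both tools fetch over
# HTTP, but the fetch starts with a DNS lookup, so DNS must be stateful too.
# "from ($ExtIf)" matches the host's own address and, because nat runs
# before filtering, the NATed jail traffic as well.

# DNS: UDP for normal queries, TCP for truncated/large answers.
# Hardening option: replace "any" with the resolvers from /etc/resolv.conf.
 pass out quick on $ExtIf inet proto udp from ($ExtIf) to any port domain keep state
 pass out quick on $ExtIf inet proto tcp from ($ExtIf) to any port domain $TcpState

# HTTP to update.FreeBSD.org and the portsnap mirrors. Explicit state
# keeping (via $TcpState) so the replies are matched by the state table
# instead of hitting "block drop in log on $ExtIf".
 pass out quick on $ExtIf inet proto tcp from ($ExtIf) to any port http $TcpState
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm with `host update.FreeBSD.org` and `pfctl -ss` that a state entry for port 53 now appears when the lookup runs.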

