I can't get portupgrade to work properly on my FreeBSD server because of the ipfilter table running on it.
The solution sounds simple enough, to just change the table, but it doesn't seem that simple.
Portupgrade downloads various source code tarballs off the internet when various ports get upgraded. Portupgrade does this by using either FTP or HTTP. Now here's the problem: I opened port 80 on the out -> in port, and packages that are fetched by HTTP are getting in.
Here's the rule (xxx is just there to hide my global IP address):
pass out quick proto tcp from xxx.xxx.xxx.xxx/32 to any port = 80 keep state group 250
Now, when I make a similar rule to allow FTP:
pass out quick proto tcp from xxx.xxx.xxx.xxx/32 to any port = 21 keep state group 250
FTP still fails.
A look at tcpdump shows that the server is actually connecting to the FreeBSD FTP servers using weird destination ports in the 1024+ range, but they are all random. No sign of port 21 to be seen. What's going on there?
I still managed to get portupgrade to work by simply disabling the packet filtering, but this isn't an optimal solution.
Can anyone tell me how I can adjust my ipfilter settings to make portupgrade go seamlessly without dropping packet filtering entirely?
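As an added illustration (not from the original post): a small Python matcher for the two ipfilter rule shapes quoted above, run over constructed outbound connections that mirror what the tcpdump observation describes, namely an FTP control connection on port 21 followed by passive-mode data connections on server-chosen ephemeral ports. The source address and the broader `port > 1023` rule are assumptions, not from the post.

```python
import re
from dataclasses import dataclass

# Matches the rule shape used in the post:
#   pass out quick proto tcp from SRC/32 to any port <op> N keep state group G
RULE_RE = re.compile(
    r"pass out quick proto tcp from (?P<src>\S+)/32 to any "
    r"port (?P<op>=|>) (?P<port>\d+) keep state(?: group \d+)?$"
)

@dataclass
class Rule:
    src: str
    op: str
    port: int

    def matches(self, src: str, dport: int) -> bool:
        if src != self.src:
            return False
        return dport == self.port if self.op == "=" else dport > self.port

def parse_rules(text: str) -> list[Rule]:
    """Parse 'pass out quick' rules; unrelated lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["src"], m["op"], int(m["port"])))
    return rules

def passed(rules: list[Rule], src: str, dport: int) -> bool:
    """True if some 'pass out quick' rule admits this outbound SYN."""
    return any(r.matches(src, dport) for r in rules)

SRC = "192.0.2.10"  # constructed stand-in for the hidden xxx.xxx.xxx.xxx
# Constructed flows: the FTP control channel on 21, then passive-mode data
# channels on ephemeral ports picked by the server (the "random 1024+" ports).
FLOWS = [("http", 80), ("ftp-control", 21), ("ftp-data", 51234), ("ftp-data", 40017)]

POST_RULES = f"""
pass out quick proto tcp from {SRC}/32 to any port = 80 keep state group 250
pass out quick proto tcp from {SRC}/32 to any port = 21 keep state group 250
"""
# Assumed extra rule (not from the post): admits the passive data channel.
# It is far wider than the port-80 rule; narrow its destination where possible.
WITH_DATA_RULE = POST_RULES + (
    f"pass out quick proto tcp from {SRC}/32 to any port > 1023 keep state group 250\n"
)

def blocked_flows(rules_text: str) -> list[str]:
    """Names of the constructed flows that no rule passes."""
    rules = parse_rules(rules_text)
    return [name for name, dport in FLOWS if not passed(rules, SRC, dport)]
```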