
Re: Check Update, Update and Port Blocking



On Wed, 05 Mar 2014 10:49:27 -0600
Bill Wood <william.wood3@comcast.net> wrote:

> On Thu, 2014-02-20 at 07:09 -0500, PaulNM wrote:
>    . . .
> > On second thought, I just re-read the OP's message.  He's talking
> > about the firewall on the Comcast modem/router.  It's really rare
> > for those types of devices to have outgoing filtering.
> > 
> > However, according to:
> > http://media2.comcast.net/anon.comcastonline2/support/userguides/Wireless_Gateway_User_Guide_030811.pdf
> > 
> > It does filter outgoing, but high *does* allow 80, 443, and a bunch
> > of common ports.  I really suspect dns/mirror issues, but it would
> > probably be worth the OP's time to try dropping the firewall level
> > and test again.
> 
> I've done a couple of such tests and I *think* check update works at
> the lowest firewall level.  I do have a much more focused question:
> Does either Check Update or Download Updates require FTP?  I have a
> suspicion that Port 21 may be blocked at the higher firewall levels.
> 

From your last post:

Failed to fetch
ftp://ftp.us.debian.org/debian/dists/squeeze/contrib/i18n/Translation-en.bz2
Could not connect passive socket. [IP: 64.50.233.100 21]
Failed to fetch
ftp://ftp.us.debian.org/debian/dists/squeeze/contrib/i18n/Translation-en_US.bz2
Could not connect passive socket. [IP: 64.50.233.100 21]
Failed to fetch
ftp://ftp.us.debian.org/debian/dists/squeeze/main/i18n/Translation-en.bz2
Could not connect passive socket. [IP: 64.50.233.100 21]
Some index files failed to download, they have been ignored, or old ones
used instead.

The 'ftp:' at the beginning of the URL shows that it is indeed
attempting to connect by FTP, as does the reference to 'passive
socket' and the '21' after the IP address.

FTP uses separate control and data channels, in one of two different
ways, and either way, any firewall in between the ends must know enough
to associate the two channels. Hence the ftp_conntrack module (or
whatever it is called these days) in iptables to do this very job.

Change the ftp://ftp.us.... in all of your /etc/apt/sources.list
entries to http://ftp.us.... and all will probably be well. Note that
the site hostname still begins 'ftp', but it's the part before the colon
that matters.

-- 
Joe
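
Added example (not part of the message above, and not code from the
thread): a small shell filter for the sources.list change it describes.
It rewrites only the scheme of active deb/deb-src lines from ftp:// to
http:// and leaves comments, hostnames and other schemes alone. The
function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Start of an active APT source line: "deb" or "deb-src", then an optional
# [options] field, up to (not including) the URI.
PREFIX='[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?'

# Filter: sources.list on stdin, rewritten copy on stdout. Only the scheme
# of active entries changes; comments and hostnames are left untouched.
ftp_to_http() {
    sed -E "s#^(${PREFIX})ftp://#\\1http://#"
}

# Count active entries on stdin that still use ftp:// (prints 0 if none).
count_ftp_entries() {
    grep -Ec "^${PREFIX}ftp://" || true
}

# Constructed sample input (not the OP's real file).
sample_sources() {
    cat <<'EOF'
# ftp://ftp.us.debian.org/debian/ is the old entry
deb ftp://ftp.us.debian.org/debian/ squeeze main contrib
deb-src ftp://ftp.us.debian.org/debian/ squeeze main contrib
deb [arch=amd64] ftp://ftp.us.debian.org/debian/ squeeze non-free
deb http://security.debian.org/ squeeze/updates main
EOF
}

# Demo: show the rewritten sample and how many ftp:// entries remain.
# On a real system: ftp_to_http < /etc/apt/sources.list > sources.list.new,
# review the result, install it as root, then run apt-get update.
sample_sources | ftp_to_http
echo "ftp entries left: $(sample_sources | ftp_to_http | count_ftp_entries)"
```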

