Re: Which type of FTP transfer for apt and aptitude?
On Wed, 21 Dec 2016 21:54:21 +0000
Joe <joe@jretrading.com> wrote:
> On Wed, 21 Dec 2016 21:49:21 +0100
> "M.A. Perry" <maperry@zeelandnet.nl> wrote:
>
> > Dear People,
> > A simple question for which I have so far found no
> > answer in the Debian documentation. My computer
> > is a domestic, Debian 8.6 AMD-64 box that uses
> > apt-get and aptitude for upgrades and/or installations.
> >
> > We are currently writing a set of ip_tables rules for
> > a default baseline -A OUTPUT DROP. Thus the rules
> > will block outgoing traffic which is not specifically
> > permitted.
> >
> > The URL specifications in /etc/apt/sources.list of
> > my Debian box contain both HTTP and FTP in the URL
> > for example: http://ftp.nl.debian.org/debian/ and this
> > confuses me.
> >
> > QUESTION:
> > Which data transfer protocol(s) are used for downloads
> > from the Debian Repository to my desktop? Must my
> > firewall ACCEPT
> > -- plain HTTP (port 80) ; or
> > -- is HTTPS (port 443) later involved; or
> > -- active FTP (port 20) used or
> > -- passive FTP (port 1024:65535) applicable ?
> > Can anyone enlighten me please??
>
> The URL you quote is an http one (the protocol before the ':'
> determines it, everything after the '//' is just a hostname).
>
> This makes life easiest, just allow 80 and 443. Some mirrors will I
> believe use https, there is a current thread on the subject.
>
> For FTP, you need the ip_conntrack and ip_conntrack_ftp modules loaded
> (as FTP uses more than one port in a session) and something like this:
> http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
>
I'd forgotten, I occasionally use FTP for uploading, my only firewall
forwarding rule is:
iptables -A fwd-out-OK -p tcp --dport 21 -j ACCEPT
fwd-out-OK is my list of permitted outputs from the LAN. The
conntrack_ftp module organises the data port permissions as required,
with conntrack handling all the stateful replies on the same port as
an outgoing request.
--
Joe
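
Added example, not part of the original thread: a shell script for the point made above that the URL scheme in sources.list, not the hostname, decides which outgoing ports a default-DROP OUTPUT chain must permit. The sample sources list, the example.org mirrors and the function names are constructed for illustration; the rules are printed rather than applied, and DNS and loopback rules are left out.

```shell
#!/bin/sh
# Constructed sample input, not taken from a real system.
SAMPLE_SOURCES='deb http://ftp.nl.debian.org/debian/ jessie main
deb-src http://ftp.nl.debian.org/debian/ jessie main
# deb ftp://ftp.example.org/debian/ jessie main
deb [arch=amd64] https://mirror.example.org/debian/ jessie main
deb ftp://ftp.example.org/debian/ jessie contrib'

# Print the distinct URL schemes of the active deb/deb-src lines on stdin.
# Only the text before "://" counts; a hostname such as ftp.nl.debian.org
# does not make the transfer FTP.
apt_schemes() {
    awk '$1 == "deb" || $1 == "deb-src" {
             for (i = 2; i <= NF; i++)          # skip [options], find the URL
                 if ($i ~ /^[a-z][a-z0-9+.-]*:\/\//) {
                     sub(/:.*/, "", $i); print $i; break
                 }
         }' | sort -u
}

# Print (do not apply) the OUTPUT rules those schemes need.
egress_rules() {
    # Replies, and FTP data connections the conntrack helper marks RELATED.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    apt_schemes | while read -r scheme; do
        case "$scheme" in
            http)  port=80 ;;
            https) port=443 ;;
            ftp)   port=21
                   # nf_conntrack_ftp is the current name of the
                   # ip_conntrack_ftp module mentioned in the thread.
                   echo "modprobe nf_conntrack_ftp" ;;
            *)     echo "# unhandled scheme: $scheme"; continue ;;
        esac
        echo "iptables -A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

printf '%s\n' "$SAMPLE_SOURCES" | egress_rules
```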