On 30 May, 2010, at 1:55 AM, Denny White wrote:
If you're comfortable with it, you could try disabling pf just long enough to see if your ftp works without it. If so you could supply your pf.conf since there have been syntax changes and possibly you have something outdated in it. If you've got good backups you could try doing a fresh install on just one box and see what happens. If the problem goes away you'll know something got screwed up during the upgrades.
No pf here - the NAT device is actually an old WatchGuard Firefox outside of my control and choice, but it hasn't been touched in years...
I also upgraded my home machine (on a public IP) from 4.6 to 4.7 and did not run into the same problems. I can also try a fresh install of 4.7 on the work network - it won't take long. I'll also do a fresh install of 4.6, to verify that it is something that changed in the release, rather than a network- or machine-specific issue.
I've been poking around a little bit since my last E-mail, and have found that using `ftp -A` on OpenBSD 4.7 works, whereas usual `ftp` does not. This seems backwards to me as it seems like if one is going to work, it ought to be passive...
I also noticed that the working `ftp` on Debian (from netkit) is a fair bit different from the one on OpenBSD - its man page implies that it uses active FTP by default, and needs a -p argument for passive. But whether I just do `ftp ftp.openbsd.org` or `ftp -p ftp.openbsd.org` - from Debian, they both work. I can also manually toggle passive on and off from within netkit-ftp, and either way, I can get a directory listing without problem.
I installed tnftp on Debian, and it failed to work in either active or passive mode, so I quickly gave up on that.
I also installed wget on one of the OpenBSD machines, and it is able to happily download from FTP sites whether --passive-ftp or --no-passive-ftp is given, and it's nicely verbose about when PASV or PORT are actually used so it's not just a matter of hoping the man page is current.
HOWEVER, I did notice one difference watching tcpdump...the clients that work correctly use PASV, the ones that don't use EPSV. Indeed, tnftp on Debian had been clearly telling me that it was trying "Extended passive" and EPRT, but I didn't know that was anything different from PASV/PORT.
So apparently the E___ commands exist for IPv6 compatibility. The tnftp that Debian packages uses EPSV/EPRT per default. It supposedly falls back to PASV/PORT if the server fails to recognize the command, but I don't really know any ancient FTP servers to test with. `ftp` in OpenBSD 4.6 happily used PASV/PORT. In OpenBSD 4.7, `ftp` now uses EPSV/PORT. Strange that it's only a half-migration (an oversight or intentional?), but at least it doesn't break entirely. In theory, an old server should be gracefully handled with nice fallback to PASV/PORT. However, since the FTP server is not saying "500 OMG WTF IS THAT", the client never falls back, and instead just times out eventually. Apparently our firewall device is too old and doesn't support NAT properly with the new E___ commands, and we're stuck with it until it dies (and then we just get a new version of the same junk). Ugh. Now let's all go read http://cr.yp.to/djbdns/ipv6mess.html.
Unless modern web browsers still haven't implemented EPSV/EPRT, they actually work as they should, because FTP browsing and downloads are never a problem from them on this same network, so I should think this isn't too hard to fix. I wouldn't have the slightest clue how though. In the meanwhile, this should probably be added to http://www.openbsd.org/faq/upgrade47.html - because this is a surprise that's not very fun to dig around at.
Also, it's not really a bug per se, but if FTP times out after 60 seconds for any reason in general, shouldn't pkg_add say something nicer about it than "No packages in PKG_PATH"?
Cheers, -- Casey Allen Shobe ca...@shobe.info
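The failure described in the message above, as an added example that is not part of the original e-mail and is not OpenBSD's or tnftp's code: it parses the 227 (PASV) and 229 (EPSV) replies and shows why a client that falls back only on an error reply hangs behind a middlebox that tracks 227 but not 229. The middlebox model, the function names, the 192.0.2.10 address, the ports and the `fallback_on_timeout` option are all assumptions made for illustration.

```python
import re

# RFC 959 reply:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the address travels in the payload."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range: %r" % reply)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def parse_epsv(reply, control_peer):
    """Return (ip, port) from a 229 reply; only a port is sent, the IP is the control peer."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m or not 0 < int(m.group(2)) < 65536:
        raise ValueError("not an EPSV reply: %r" % reply)
    return control_peer, int(m.group(2))

def open_data_channel(send, connect, peer, fallback_on_timeout=False):
    """Try EPSV first; fall back to PASV on a 5xx reply, optionally also on a timeout."""
    reply = send("EPSV")
    if reply.startswith("229"):
        addr = parse_epsv(reply, peer)
        try:
            connect(addr)
            return "EPSV", addr
        except TimeoutError:
            if not fallback_on_timeout:
                raise  # no 5xx was ever received, so a strict client never retries
    elif not reply.startswith("5"):
        raise ValueError("unexpected reply to EPSV: %r" % reply)
    addr = parse_pasv(send("PASV"))
    connect(addr)
    return "PASV", addr

def constructed_session():
    """Constructed server plus an assumed middlebox that only tracks 227 replies."""
    allowed = set()
    def send(cmd):
        if cmd == "EPSV":
            return "229 Entering Extended Passive Mode (|||50001|)"
        allowed.add(50002)  # middlebox parsed the 227 and opened this port
        return "227 Entering Passive Mode (192,0,2,10,195,82)"
    def connect(addr):
        if addr[1] not in allowed:
            raise TimeoutError("data connection to port %d dropped" % addr[1])
    return send, connect
```

When reviewing a firewall's FTP helper, the same two reply formats are what its inspection has to recognise: a helper that matches only the 227 form leaves the 229 port unopened without producing any error the client can act on.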