Solved bsdinstall FTP Permission Denied Error

[fatihmelihozgun]

When I run bsdinstall jail <jailpath> and select a mirror I get:

Could not download
ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/MANIFEST


I click <restart> and and get:

Error while fetching
ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/base.txt
Permission denied

I tried connecting directly to ftp.freebsd.org with telnet ftp.freebsd.org 21 I get:

Trying 139.178.72.202...
Connected to ftp.geo.freebsd.org.
Escape character is '^]'.
220 This is ftp0.pkg.freebsd.org - hosted at https://www.packet.net/

So no connection issue.

I tried manually fetching that file via fetch command and still got Permission denied error

I also tried different mirrors.

I am running this command as root.

What could be the issue?

 

[T-Daemon]

Is on the system a firewall enabled, filtering incoming traffic?

Have you tried fetch(1) over https://... ?

 

[fatihmelihozgun]

Is on the system a firewall enabled, filtering incoming traffic?

Yes there was and after I disabled it, it worked, I already allowed outgoing traffic to 21 hence I am able to telnet to port 21 but I still don't know why it requires allowing incoming traffic too. My system is already behind a hardware firewall.
Anyway thanks for your help, I can now fetch the files.

 

[Emrion]

It's because the ftp protocol isn't as simple as you think. You have two TCP connections: the command one (on TCP 21) and the data one: https://www.jscape.com/blog/bid/80512/active-v-s-passive-ftp-simplified

If you already are behind a "hardware firewall", why do you enable another one on your workstation?

 

[fatihmelihozgun]

It's because the ftp protocol isn't as simple as you think. You have two TCP connections: the command one (on TCP 21) and the data one: https://www.jscape.com/blog/bid/80512/active-v-s-passive-ftp-simplified

Well, TIL that.

If you already are behind a "hardware firewall", why do you enable another one on your workstation?

My hardware firewall is just an ISP router. So I can't do much configuration nor trust its software security (It's not a widely known company)

Because of this, I harden my network's security with "What if x device gets compromised?" mindset which helps minimize damage when a device actually gets compromised. It's a low possibility but It helps me sleep peacefully at night. Until I get a pfSense firewall and don't bother with any software firewall.

 

[Emrion]

Well, I lived for years with the one included in my ISP box. Never had any problem. If I actually took a pfSense software as a substitute (and not added), it's rather because some included services (like DNS) weren't working as expected or were too limited.

If you don't have any server open to the internet, I think that there is no point to stack firewalls or use paranoid security rules. But, it's just my opinion.