hesco has asked for the wisdom of the Perl Monks concerning the following question:

Hello all:

I'm working at installing a simple script on a server where I have sufficient sudo root privileges to invoke cpan and such, only to find it had not previously been configured.

The initial cpan configuration gets stuck at fetching:
ftp://ftp.perl.org/pub/CPAN/MIRRORED.BY

iptables -L includes:
DROP all -- 127.0.0.0/8 anywhere

which I'd guess would maybe drop all the lynx, wget, ftp requests perhaps. My local sandbox succeeds with a wget ftp://ftp.perl.org/pub/CPAN/MIRRORED.BY, but this client's server chokes on it, whether from inside cpan or on its own on a cli.

This is a development machine on its way to being deployed. The clients are pretty happy to have a sewn up installation. Can anyone advise me what the minimum hole in the firewall is required to run cpan and what the risks associated with opening that hole are?

If such risks are found by the client to not be warranted in a production environment, what are my alternatives to copying, building and upgrading everything from source by hand?

-- Hugh

UPDATE

Thanks Hue-Bond and Corion. That iptables command doesn't seem to move me down the road. I'm stumped by this and guess I just track dependencies for a while. Sneakernet is not really an option. There's a continent between me and this server. If I were to build a local MiniCPAN here, and then scp it onto the server, how much room would that take?

if( $lal && $lol ) { $life++; }

Re: cpan and iptables
by Corion (Patriarch) on Jun 25, 2006 at 20:02 UTC

    The safest and sanest approach for all is to keep the network settings and burn a small copy of CPAN to a CD via CPAN::Mini, and transfer that CD by sneakernet to the machine.

    Otherwise, the cpan shell tries to use http and ftp, which use port 80 and ports 20 and 21 respectively, outgoing. But I wouldn't risk reconfiguring (and thus misconfiguring) the firewall just for CPAN.

Re: cpan and iptables
by Hue-Bond (Priest) on Jun 25, 2006 at 20:01 UTC

    This isn't much related to Perl but anyway. You probably need to open incoming ftp-data connections. I'd recommend that you use iptables' state module, which will take care of those details for you:

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    --
    David Serrano

Re: OT(?): cpan and iptables
by shmem (Chancellor) on Jun 26, 2006 at 06:25 UTC
    Opening port 21 for outgoing ftp in passive mode should do. If you have a proxy such as squid installed somewhere, you could use that setting the environment variable ftp_proxy. My mini-CPAN has 658 MB occupied.

    But DROP all for localhost? Don't do that. Especially, don't use it on lo, or your loopback isn't. This might be the source of your problem.

    --shmem

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                  /\_¯/(q    /
    ----------------------------  \__(m.====·.(_("always off the crowd"))."·
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
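The thread gives the pieces of the answer in three posts: Hue-Bond's stateful-match rule, shmem's points about passive FTP and about never dropping loopback, and Corion's CPAN::Mini route for a host that should stay closed. The script below is an added example, written for this page and not posted by any of the monks, that puts them together. `cpan_fw_rules` prints a complete, minimal iptables-restore ruleset (review it, then pipe it into `iptables-restore`, or merge the rules into the existing chains): loopback accepted outright, `ESTABLISHED,RELATED` in both directions, DNS, and new outbound TCP to ports 80 and 21 only. No inbound port is opened; passive-mode FTP data channels are admitted as RELATED by the conntrack FTP helper, which `load_ftp_helper` loads, so without that helper the passive data connection is an ordinary new outbound connection to a high port and is dropped. `minicpan_offline` is the alternative that leaves the firewall alone: build a CPAN::Mini mirror on a networked box, copy it across, and make `file://` the only entry in cpan's `urllist`. It assumes iptables with the state match, `nf_conntrack_ftp` (or `ip_conntrack_ftp` on kernels of the thread's vintage), CPAN::Mini installed on the build box, and placeholder paths `/var/cpan-mini` and `user@server`.

```shell
#!/bin/sh
# Added example, not from the thread. Two parts:
#   cpan_fw_rules    prints a minimal iptables-restore ruleset that lets an
#                    otherwise closed host reach CPAN mirrors over HTTP and
#                    passive FTP, relying on connection tracking so that only
#                    replies and helper-recognised FTP data channels come back.
#   minicpan_offline the no-firewall-change route: build a CPAN::Mini mirror on
#                    a networked box, copy it over, point cpan at file://.
# Assumptions: iptables with the state match and the FTP conntrack helper
# (nf_conntrack_ftp, or ip_conntrack_ftp on 2006-era kernels); CPAN::Mini
# installed on the build box; /var/cpan-mini and user@server are placeholders.

cpan_fw_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is accepted wholesale. A DROP on 127.0.0.0/8 is an anti-spoofing
# rule that belongs on the external interface only (-i eth0 -s 127.0.0.0/8),
# never on lo, or local services break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened, plus FTP data channels the conntrack
# helper ties to the control connection (passive and active mode alike).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS, so the mirror names in urllist resolve.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# The hole itself: new outbound HTTP and FTP control connections. To narrow it
# further, add "-d <mirror address>" to these two lines.
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

load_ftp_helper() {
    # Without the helper, passive-mode data connections are plain NEW outbound
    # TCP to an arbitrary high port and are dropped by the OUTPUT policy.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

minicpan_offline() {
    mirror="$1"   # local directory, e.g. /var/cpan-mini
    target="$2"   # ssh destination, e.g. user@server
    # On the networked box: CPAN::Mini keeps only the latest release of each
    # distribution (shmem reports 658 MB for his copy).
    minicpan -r http://www.cpan.org/ -l "$mirror"
    # Ship it. rsync makes later refreshes incremental; scp -r also works.
    rsync -a "$mirror"/ "$target:$mirror"/
    # On the server: make the local copy the only URL cpan will try, so it
    # never waits on a blocked network fetch, and persist the setting.
    ssh "$target" "perl -MCPAN -e 'CPAN::Shell->o(conf => urllist => q{file://$mirror}); CPAN::Shell->o(conf => q{commit})'"
}

# usage: sh cpan-firewall.sh rules                      print ruleset for review
#        sh cpan-firewall.sh apply                      load helper, then iptables-restore
#        sh cpan-firewall.sh minicpan /var/cpan-mini user@server
case "${1:-}" in
    rules)    cpan_fw_rules ;;
    apply)    load_ftp_helper && cpan_fw_rules | iptables-restore ;;
    minicpan) minicpan_offline "$2" "$3" ;;
esac
```

On the risk question: the hole is two outbound TCP ports with stateful return traffic and nothing listening inbound, so the exposure is egress, not ingress. Anything running on the box, under any user, gains a channel to every HTTP and FTP server on the Internet, and cpan trusts whatever the mirror serves (its CHECKSUMS files travel the same unauthenticated path). If the client is uneasy about that, pin the two rules to one mirror's address with `-d`, or take the offline route, which needs no rule at all and only the scp or rsync access you already have.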
Re: OT(?): cpan and iptables
by kabeldag (Hermit) on Jun 26, 2006 at 01:57 UTC