From owner-freebsd-ipfw Sun Apr 15 19:58:18 2001
From: Kirk Strauser
To: freebsd-ipfw@freebsd.org
Subject: keep-state issues
Date: 15 Apr 2001 21:57:51 -0500
Message-ID: <87ae5hpn4g.fsf@pooh.honeypot>

My FreeBSD 4.3-RC#1 server acts as a gateway for a few LANs (which need to
be firewalled from each other) to the Internet, and has a few actual
services running on it (like Sendmail, Squid, etc).

I have defined my firewall ruleset as a group of m4 macros. For example,
these rules control TCP behavior:

    define(`tcp_incoming', `add $1 allow tcp from $2 to $3 $4 setup in recv $5 keep-state')
    define(`tcp_outgoing', `add $1 allow tcp from $2 to $3 $4 setup out xmit $5 keep-state')
    define(`tcp_passthrough', `add $1 allow tcp from $2 to $3 $4 setup out recv $5 xmit $6 keep-state')

I'll use the following definitions for my examples:

    ADDR_SERVER : The IP of this server
    ADDR_LAN    : The netblock of the main LAN
    INT_WAN     : The interface directly connected to the Internet
    INT_LAN     : The interface connected to the main LAN

These rules are used like:

    tcp_incoming(1000, ADDR_LAN, ADDR_SERVER, 3128, INT_LAN)
    tcp_outgoing(1010, ADDR_SERVER, any, http, INT_WAN)
    tcp_passthrough(1020, ADDR_LAN, any, ssh, INT_LAN, INT_WAN)

which expand to:

    add 500 check-state
    ...
    add 1000 allow tcp from ADDR_LAN to ADDR_SERVER 3128 setup \
        in recv INT_LAN keep-state
    add 1010 allow tcp from ADDR_SERVER to any http setup \
        out xmit INT_WAN keep-state
    add 1020 allow tcp from ADDR_LAN to any ssh setup out recv INT_LAN \
        xmit INT_WAN keep-state

The tcp_incoming and tcp_outgoing rules work exactly as expected. However,
the tcp_passthrough rule has me flummoxed. It seems as though I have a
choice of either specifying both recv and xmit interfaces *or* using
keep-state. Is this correct? Am I just being nearsighted and missing
something obvious?
If I am correct, can anyone recommend a replacement set of rules that would
emulate what I'm trying to achieve with tcp_passthrough?

Thanks,
-- 
Kirk Strauser

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Apr 16 12:16:13 2001
From: Darcy Buskermolen
To: freebsd-ipfw@freebsd.org
Subject: log setup
Date: Mon, 16 Apr 2001 12:16:09 -0700
Message-Id: <3.0.32.20010416121609.0427dcc8@mail.ok-connect.com>

Is there any specific reason why the following ipfw rule cannot be used?

    ipfw add 65533 allow log logamount 10000 ip from any to any setup

From owner-freebsd-ipfw Mon Apr 16 12:34:04 2001
Message-ID: <028301c0c6ab$f3431160$6501a8c0@fury>
From: Pierre-François LAURAND
To: freebsd-ipfw@freebsd.org, Darcy Buskermolen
References: <3.0.32.20010416121609.0427dcc8@mail.ok-connect.com>
Subject: Re: log setup
Date: Mon, 16 Apr 2001 21:32:17 +0200

> Is there any specific reason why the following ipfw rule cannot be used?
>
> ipfw add 65533 allow log logamount 10000 ip from any to any setup

setup works with tcp, not with ip!

-- 
Pierre-François LAURAND

From owner-freebsd-ipfw Wed Apr 18 08:03:19 2001
From: "Patrick O'Reilly"
To: freebsd-ipfw@freebsd.org, Darcy Buskermolen
Subject: RE: log setup
Date: Wed, 18 Apr 2001 17:03:03 +0200
In-Reply-To: <028301c0c6ab$f3431160$6501a8c0@fury>

Yes. By way of clarification: 'ip' includes tcp, udp, and potentially
whatever else might come down the line. SETUP applies to tcp only, so the
rule should read:

    ipfw add 65533 allow log logamount 10000 tcp from any to any setup

Patrick

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Pierre-François LAURAND
Sent: 16 April 2001 21:32
To: freebsd-ipfw@FreeBSD.ORG; Darcy Buskermolen
Subject: Re: log setup

> Is there any specific reason why the following ipfw rule cannot be used?
>
> ipfw add 65533 allow log logamount 10000 ip from any to any setup

setup works with tcp, not with ip!

-- 
Pierre-François LAURAND

From owner-freebsd-ipfw Wed Apr 18 09:30:59 2001
Date: Wed, 18 Apr 2001 11:30:54 -0500
From: Rich Neswold
To: freebsd-ipfw@freebsd.org
Subject: Protecting IPFW kernel variables...
Message-ID: <20010418113053.A34196@spiv.fnal.gov>
Reply-To: neswold@fnal.gov
Organization: Fermi National Accelerator Laboratory
X-Operating-System: FreeBSD 3.4-STABLE

Hello,

I have a couple of machines that connect to the Internet via a FreeBSD box
running ipfw. My firewall rules haven't been changed in quite a while, so I
decided to run the box using secure level 3 (firewall rules can't get
changed.) I noticed, however, that even at this secure level, I can still
open my firewall by using sysctl!

The following patch corrects this:

RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.23
diff -r1.131.2.23 ip_fw.c
100c100
< SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
---
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,

The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
securelevel >= 0, so it is more strict than it needs to be.

Should I submit this?

(Please CC: me in any response. I'm subscribed to -questions, -hackers, and
-stable, but not -ipfw.)
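Review bot: the one-line SYSCTL_INT change does what the message asks for, but the sentence under the hunk misstates the flag: the sysctl.h line quoted later in this thread reads "Permit set only if securelevel<=0", and the kern_sysctl.c test it goes with is `(oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0`, so a CTLFLAG_SECURE variable is still writable at securelevel 0 and is refused from securelevel 1 upward, which is exactly the behaviour wanted for a box running at securelevel 3. If this is submitted, send it as a unified diff (`diff -u`) rather than the plain `diff -r` output shown, and state the revision it applies to (1.131.2.23 here) in the report.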
-- 
Rich

------------------------------------------------------------------------
Richard Neswold, Beams Division / Controls Dept  | neswold@fnal.gov
Fermilab, PO Box 500, MS 360, Batavia, IL 60510  | voice 1.630.840.3454
                                                 | fax   1.630.840.3093

From owner-freebsd-ipfw Wed Apr 18 11:33:26 2001
From: Luigi Rizzo
Message-Id: <200104181831.UAA49728@info.iet.unipi.it>
Subject: Re: Protecting IPFW kernel variables...
In-Reply-To: <20010418113053.A34196@spiv.fnal.gov> from Rich Neswold at "Apr 18, 2001 11:30:54 am"
To: neswold@fnal.gov
Date: Wed, 18 Apr 2001 20:31:45 +0200 (CEST)
Cc: freebsd-ipfw@FreeBSD.ORG

> Hello,
>
> I have a couple of machines that connect to the Internet via a FreeBSD box
> running ipfw. My firewall rules haven't been changed in quite a while, so I
> decided to run the box using secure level 3 (firewall rules can't get
> changed.) I noticed, however, that even at this secure level, I can still
> open my firewall by using sysctl!
>
> The following patch corrects this:
>
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.23
> diff -r1.131.2.23 ip_fw.c
> 100c100
> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> ---
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>
> The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
> securelevel >= 0, so it is more strict than it needs to be.
>
> Should I submit this?

i think it is a bit late for 4.3 also given that CTLFLAG_SECURE
is not used anywhere. This reminds me that i had some
patches (which i did not commit) to extend the CTLFLAG_SECURE
thing so that it would let you specify a level L, so
the variable could be modified if securelevel<=L and not
otherwise.

I think i even posted them to the -security mailing list some
time between dec.2000 and feb.2001

cheers
luigi

> (Please CC: me in any response. I'm subscribed to -questions, -hackers, and
> -stable, but not -ipfw.)
>
> --
> Rich
>
> ------------------------------------------------------------------------
> Richard Neswold, Beams Division / Controls Dept  | neswold@fnal.gov
> Fermilab, PO Box 500, MS 360, Batavia, IL 60510  | voice 1.630.840.3454
>                                                  | fax   1.630.840.3093

From owner-freebsd-ipfw Wed Apr 18 11:36:53 2001
From: Luigi Rizzo
Message-Id: <200104181835.UAA49757@info.iet.unipi.it>
Subject: Re: Protecting IPFW kernel variables...
In-Reply-To: <200104181831.UAA49728@info.iet.unipi.it> from Luigi Rizzo at "Apr 18, 2001 08:31:45 pm"
To: Luigi Rizzo
Date: Wed, 18 Apr 2001 20:35:17 +0200 (CEST)
Cc: neswold@fnal.gov, freebsd-ipfw@FreeBSD.ORG

> i think it is a bit late for 4.3 also given that CTLFLAG_SECURE
> is not used anywhere. This reminds me that i had some
> patches (which i did not commit) to extend the CTLFLAG_SECURE
> thing so that it would let you specify a level L, so
> the variable could be modified if securelevel<=L and not
> otherwise.
>
> I think i even posted them to the -security mailing list some
> time between dec.2000 and feb.2001

here they are...

cheers
luigi

Index: sys/sysctl.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/sysctl.h,v
retrieving revision 1.81.2.3
diff -u -r1.81.2.3 sysctl.h
--- sys/sysctl.h	2000/09/25 12:09:20	1.81.2.3
+++ sys/sysctl.h	2001/02/09 18:02:40
@@ -79,9 +79,19 @@
 #define CTLFLAG_RW (CTLFLAG_RD|CTLFLAG_WR)
 #define CTLFLAG_NOLOCK 0x20000000 /* XXX Don't Lock */
 #define CTLFLAG_ANYBODY 0x10000000 /* All users can set this var */
-#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<=0 */
+#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<0 */
 #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */
 #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */
+
+#define CTLFLAG_NORAISE 0x01000000 /* cannot be raised */
+#define CTLFLAG_NOLOWER 0x00800000 /* cannot be lowered */
+#define CTLFLAG_S_MASK 0x000f0000 /* max securelevel to change */
+#define CTLFLAG_S_MASK_OFS 16 /* rightmost 1 in above */
+/*
+ * cannot modify variable if (securelevel >= i)
+ */
+#define CTLFLAG_SECURELEVEL(i) \
+ ( (((i)<newptr && (!(oid->oid_kind & CTLFLAG_WR) ||
- ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0)))
- return (EPERM);
+ if (req->newptr) {
+ if (!(oid->oid_kind & CTLFLAG_WR))
+ return EPERM ;
+ if (oid->oid_kind & CTLFLAG_SECURE) {
+ int i = (oid->oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS;
+ if (securelevel >= i)
+ return (EPERM);
+ }
+ }
 /* Most likely only root can write */
 if (!(oid->oid_kind & CTLFLAG_ANYBODY) &&

From owner-freebsd-ipfw Wed Apr 18 12:24:30 2001
Date: Wed, 18 Apr 2001 14:24:20 -0500
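Review bot: the kern_sysctl.c hunk in the patch above changes the meaning of every existing bare CTLFLAG_SECURE, not only of variables tagged with the new CTLFLAG_SECURELEVEL(i): with no level packed into CTLFLAG_S_MASK, `i` decodes to 0 and `if (securelevel >= i)` refuses the write at securelevel 0, where the removed `securelevel > 0` test allowed it. That agrees with the sysctl.h comment change from `securelevel<=0` to `securelevel<0`, but it makes a variable marked CTLFLAG_SECURE alone (the ip_fw.c change proposed earlier in this thread, for instance) read-only on a normally booted securelevel-0 machine; either say so explicitly or have the decode treat a zero field as level 1 so plain CTLFLAG_SECURE keeps its old meaning. Two smaller points: CTLFLAG_NORAISE and CTLFLAG_NOLOWER are defined but nothing in the visible hunks tests them, and `return EPERM ;` sits next to `return (EPERM);` in the same block. The archived copy is also truncated between the body of CTLFLAG_SECURELEVEL(i) and the kern_sysctl.c hunk header, so the macro itself cannot be reviewed here.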
From: Rich Neswold
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Protecting IPFW kernel variables...
Message-ID: <20010418142420.A36221@spiv.fnal.gov>
Reply-To: neswold@fnal.gov
References: <200104181831.UAA49728@info.iet.unipi.it> <200104181835.UAA49757@info.iet.unipi.it>
In-Reply-To: <200104181835.UAA49757@info.iet.unipi.it>; from luigi@info.iet.unipi.it on Wed, Apr 18, 2001 at 08:35:17PM +0200
Organization: Fermi National Accelerator Laboratory
X-Operating-System: FreeBSD 3.4-STABLE

If memory serves, didn't Luigi Rizzo say:
> > i think it is a bit late for 4.3 also given that CTLFLAG_SECURE
> > is not used anywhere.

I wasn't interested in getting the patch applied to 4.3. I just wondered if
anyone else thought this was a loophole in security. If the consensus is
that this needs to be fixed, I'll submit a patch. I'm in no rush to push
this in the current release (this -- along with your sysctl patches -- are
already in my local source tree!)

> > I think i even posted them to the -security mailing list some
> > time between dec.2000 and feb.2001
>
> here they are...

Thanks! I've added them to my source tree...

-- 
Rich

------------------------------------------------------------------------
Richard Neswold, Beams Division / Controls Dept  | neswold@fnal.gov
Fermilab, PO Box 500, MS 360, Batavia, IL 60510  | voice 1.630.840.3454
                                                 | fax   1.630.840.3093
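Added example, not code from this thread or from FreeBSD: a userland model of the two sysctl write checks discussed above (the stock one Rich's CTLFLAG_SECURE change relies on, and the leveled one in Luigi's patch), so the effect on a knob like net.inet.ip.fw.enable can be tried at each securelevel. The flag values are the ones in the sysctl.h hunk (CTLFLAG_RD/WR are FreeBSD's real values); the body of CTLFLAG_SECURELEVEL() is an assumption, since the macro is truncated in the archived copy.

```c
/* Added example, not code from this thread or from FreeBSD: a userland model
 * of the sysctl write check, to try CTLFLAG_SECURE at each securelevel. Flag
 * values are from the sysctl.h hunk in Luigi's patch (CTLFLAG_RD/WR are
 * FreeBSD's); the CTLFLAG_SECURELEVEL() body is assumed (truncated above). */
#include <errno.h>
#include <stdio.h>

#define CTLFLAG_RD         0x80000000u
#define CTLFLAG_WR         0x40000000u
#define CTLFLAG_RW         (CTLFLAG_RD|CTLFLAG_WR)
#define CTLFLAG_SECURE     0x08000000u  /* write gated by securelevel */
#define CTLFLAG_S_MASK     0x000f0000u  /* max securelevel to change */
#define CTLFLAG_S_MASK_OFS 16
/* Assumed encoding: pack level i into CTLFLAG_S_MASK and set SECURE. */
#define CTLFLAG_SECURELEVEL(i) \
    ((((unsigned)(i) << CTLFLAG_S_MASK_OFS) & CTLFLAG_S_MASK) | CTLFLAG_SECURE)

/* Stock check (the removed lines of the kern_sysctl.c hunk): a SECURE
 * variable is refused only when securelevel > 0. Returns 0 if the write
 * is allowed, EPERM if refused. */
int sysctl_write_stock(unsigned oid_kind, int securelevel)
{
    if (!(oid_kind & CTLFLAG_WR))
        return EPERM;
    if ((oid_kind & CTLFLAG_SECURE) && securelevel > 0)
        return EPERM;
    return 0;
}

/* Luigi's proposed check: the level packed into the flags is the lowest
 * securelevel at which the write is refused. Bare CTLFLAG_SECURE carries
 * level 0, so it is then writable only at securelevel -1. */
int sysctl_write_leveled(unsigned oid_kind, int securelevel)
{
    if (!(oid_kind & CTLFLAG_WR))
        return EPERM;
    if (oid_kind & CTLFLAG_SECURE) {
        int i = (int)((oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS);
        if (securelevel >= i)
            return EPERM;
    }
    return 0;
}

int main(void)
{
    /* Columns: shipped RW; RW|SECURE stock; RW|SECURE leveled; SECURELEVEL(3). */
    unsigned rich = CTLFLAG_RW | CTLFLAG_SECURE;
    unsigned lvl3 = CTLFLAG_RW | CTLFLAG_SECURELEVEL(3);
    int sl;
    for (sl = -1; sl <= 3; sl++)
        printf("securelevel %2d: %d %d %d %d\n", sl,
               sysctl_write_stock(CTLFLAG_RW, sl), sysctl_write_stock(rich, sl),
               sysctl_write_leveled(rich, sl), sysctl_write_leveled(lvl3, sl));
    return 0;
}
```

A non-zero column is EPERM; the first column shows why securelevel 3 alone did not protect the shipped CTLFLAG_RW knob, and the third shows bare CTLFLAG_SECURE becoming read-only at securelevel 0 under the leveled check.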