From owner-freebsd-security Sun Dec 23 17:42:39 2001
From: yfaag@freejpn.com
To: FreeBSD-security@FreeBSD.org
Message-ID: <20011224.1044050535.babaq@yfaag-freejpn.com>
Date: Mon, 24 Dec 2001 10:44:05 +0900
Subject: Sorry to trouble you while you are busy (translated from Japanese; the original was ISO-2022-JP)

(Body translated from Japanese.)

I came across your home page and am writing to you. I wondered whether we might help you with PR and with increasing traffic to your site. I hope you will take a look at our site.

Thank you for taking the time to read this.

http://www.netpp.ee.mu/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 26 11:45:17 2001
Message-ID: <20011226194513.76507.qmail@web11801.mail.yahoo.com>
Date: Wed, 26 Dec 2001 11:45:13 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Help with ipfw rules to allow DNS queries through
To: security@freebsd.org

Security Folks,

I have a stand-alone server co-located on my employer's T1 line. As I am behind NAT, but not behind a firewall, I have set up ipfw so I can have *some* control over what gets in and out of my machine. One more layer in the security onion!

My box is set up as a web server, Shoutcast server, and Darwin QuickTime Streaming Video server. I would like to add DNS to the mix so I can cheaply host domains for my friends and family, but my ipfw rules are hanging me up. All the rules below seem to work as I would expect, except for my attempt to allow DNS queries in and out. The current rule set does not even appear to allow me to access an outside DNS server (i.e. the server listed in my resolv.conf), much less allow my machine to be accessed by others as a DNS server. I started out with the example 'client' rule set, and added holes for SSH, Darwin and the Shoutcast servers.

I do not think this is a factor (it didn't work before my upgrade either), but I originally set up this rule set under 4.1-RELEASE, and I am now running 4.4-RELEASE. I believe there were some changes to ipfw in the transition, but the example rc.firewall looked about the same to me, so I assume the changes were under the hood.

As you can infer from my attempt to add the DNS rules below, I know there is a UDP and a TCP component to DNS queries, but apparently I do not have the full picture ;-)

Can you suggest a set of rules to allow DNS queries in and out of my server? As I said, the rest of the rules *seem* to work fine as is, but if you see anything else I am not doing right I'd appreciate any tips.

Thanks in advance!
Jason

# set these to your network and netmask and ip
net="10.1.3.0"
mask="255.255.255.0"
ip="10.1.3.2"

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup

# Allow incoming SSH requests
${fwcmd} add pass tcp from any to ${ip} 22

# Allow incoming HTTP requests
${fwcmd} add pass tcp from any to ${ip} 80

# Allow incoming FTP requests
${fwcmd} add pass tcp from any to ${ip} 21

# Allow incoming POP requests
${fwcmd} add pass tcp from any to ${ip} 110

# Allow incoming Darwin requests (also uses port 80)
${fwcmd} add pass tcp from any to ${ip} 554
${fwcmd} add pass tcp from any to ${ip} 7070

# Allow outgoing UDP connections of Darwin media
${fwcmd} add pass udp from ${ip} to any 6970-6975

# Allow incoming Shoutcast requests
${fwcmd} add pass tcp from any to ${ip} 8008
${fwcmd} add pass tcp from any to ${ip} 8009
${fwcmd} add pass tcp from any to ${ip} 7007
${fwcmd} add pass tcp from any to ${ip} 7008

# Allow DNS queries out and in
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any

# Allow set up of outgoing UDP connections
${fwcmd} add pass udp from ${ip} to any setup

# Allow setup of outgoing TCP connections
${fwcmd} add pass tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
From owner-freebsd-security Wed Dec 26 12:24:43 2001
Message-ID: <00ea01c18e4b$19edf0c0$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
References: <20011226194513.76507.qmail@web11801.mail.yahoo.com>
Subject: Re: Help with ipfw rules to allow DNS queries through
Date: Wed, 26 Dec 2001 14:22:54 -0600

Try replacing your DNS rules with this:

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any

Straight out of /etc/rc.firewall. I don't think the first line is really necessary, and in fact, it probably allows zone transfers, so if you don't want these, don't include it.

Tom Veldhouse
veldy71@yahoo.com

----- Original Message -----
From: "X Philius"
Sent: Wednesday, December 26, 2001 1:45 PM
Subject: Help with ipfw rules to allow DNS queries through

> [original message quoted in full; see above]

From owner-freebsd-security Wed Dec 26 12:36:00 2001
Message-ID: <00cb01c18e4c$7f60e600$3800a8c0@DAVE>
From: "Dave Raven"
References: <20011226194513.76507.qmail@web11801.mail.yahoo.com> <00ea01c18e4b$19edf0c0$3028680a@tgt.com>
Subject: Re: Help with ipfw rules to allow DNS queries through
Date: Wed, 26 Dec 2001 22:32:51 +0200

The first line should be left in, in my opinion. Later versions of BIND (e.g.) have been using TCP more and more.

I assume you're running BIND (named). So add Thomas' firewall rules and look into this for BIND (check /etc/namedb/named.conf) instead:

acl lan { 192.168/16 ; 127.0.0.1 ; } ;

options {
    directory "/etc/namedb";
    query-source port 53;
    allow-query { any ; } ;
    allow-recursion { lan ; } ;
    allow-transfer { lan ; } ;
};

query-source dictates the port to use when originating queries etc.; this will help your firewall (more in the named.conf file). allow-query to any will allow all people to query your server (if you intend to host DNS you need this). Recursion and transfers will only be allowed to 192.168.*.* and localhost.

Dave.
OpteqSec.
From owner-freebsd-security Wed Dec 26 12:38:02 2001
From: "Robert D. Hughes"
Subject: RE: Help with ipfw rules to allow DNS queries through
Date: Wed, 26 Dec 2001 14:37:42 -0600
Thread-Topic: Help with ipfw rules to allow DNS queries through

If a DNS reply exceeds the maximum size of a UDP datagram, it will be sent using TCP, so the rule is needed.

-----Original Message-----
From: Thomas T. Veldhouse [mailto:veldy@veldy.net]
Sent: Wednesday, December 26, 2001 2:23 PM
To: security@freebsd.org
Subject: Re: Help with ipfw rules to allow DNS queries through

Try replacing your DNS rules with this:

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any

Straight out of /etc/rc.firewall. I don't think the first line is really necessary, and in fact, it probably allows zone transfers, so if you don't want these, don't include it.

Tom Veldhouse
veldy71@yahoo.com

----- Original Message -----
From: "X Philius"
Sent: Wednesday, December 26, 2001 1:45 PM
Subject: Help with ipfw rules to allow DNS queries through

> [original message quoted in full; see above]

From owner-freebsd-security Wed Dec 26 12:56:54 2001
Message-ID: <20011226205648.87285.qmail@web11801.mail.yahoo.com>
Date: Wed, 26 Dec 2001 12:56:48 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: "Thomas T. Veldhouse", security@freebsd.org
In-Reply-To: <00ea01c18e4b$19edf0c0$3028680a@tgt.com>

Thomas (and other helpful security folks),

This is exactly what I am using, and it does not seem to work. Perhaps it is NAT messing me up. I am behind a Cisco router that is doing the NAT for me, but as far as I know it is wide open between me and the net, other than a straight translation from my internal address to my external address. Hmmm. However, I can access another DNS server as a client with the default open rule set, but not with this set in place. This makes me think that NAT is *not* the problem. I would also like to get set up as a primary and/or secondary DNS server (going to set up a swap with a friend, the usual low-rent DNS setup ;-), so just accessing an external name server as a client is not the ultimate goal. I would also like to allow others to access my machine as a DNS server, and to be authoritative on some domains. Any suggestions?

Jason

--- "Thomas T. Veldhouse" wrote:
> Try replacing your DNS rules with this:
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any
>
> Straight out of /etc/rc.firewall. I don't think the first line is
> really necessary, and in fact, it probably allows zone transfers,
> so if you don't want these, don't include it.

From owner-freebsd-security Wed Dec 26 13:22:12 2001
Message-ID: <20011226212207.32187.qmail@web11802.mail.yahoo.com>
Date: Wed, 26 Dec 2001 13:22:07 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: security@freebsd.org, "Timothy S. Bowers"
In-Reply-To: <5.0.2.1.2.20011226230046.01470180@nol.co.za>

Timothy and others,

Nope, I have my own internal and external IP. As far as I understand it, the NAT rules are set up with a minimum of complexity, and should just translate everything in both directions between my internal and external addresses. I have a good working relationship with our IS guy who manages the router, so if I need to make a change on the router I probably can, but as far as I understand the NAT should not be interfering with anything.

Jason

--- "Timothy S. Bowers" wrote:
> I don't think you can use DNS behind NAT. Remember all of the
> internal machines behind the NAT Cisco router will be using the same
> one external IP ... unless it was specifically set up so that your
> certain IP will get its own external IP.
>
> So in short, it won't work with any ipfw settings; you will have to
> play with the Cisco router! :)
>
> hope this helps you.
>
> Timothy

From owner-freebsd-security Wed Dec 26 13:44:08 2001
Message-Id: <5.1.0.14.0.20011226223958.01f4dd30@thedarkside.nl>
Date: Wed, 26 Dec 2001 22:43:50 +0100
To: security@freebsd.org
From: "G.P. de Boer"
Subject: Re: Help with ipfw rules to allow DNS queries through
In-Reply-To: <20011226205648.87285.qmail@web11801.mail.yahoo.com>
References: <00ea01c18e4b$19edf0c0$3028680a@tgt.com>

At 21:56 26-12-2001, you wrote something

I was reading your mail and the pasted rules below, and saw two things which might form the problem->solution.

You were saying you're using /etc/resolv.conf for your own lookups. This means that your lookups are NOT from source port 53. This only applies when you use your own nameserver as resolver. So the rule pass udp from ${ip} 53 to any doesn't apply, since you're using source port >1024. I would use pass udp from ${ip} to any 53.

Hope this helps,
P. de Boer

> Hmmm. However, I can access another DNS server as a
> client with the default open rule set, but not with this set in place.
> This makes me think that NAT is *not* the problem. I would also like to
> get set up as a primary and/or secondary DNS server (going to set up a
> swap with a friend, the usual low-rent DNS setup ;-), so just
> accessing an external name server as a client is not the ultimate goal.
> I would also like to allow others to access my machine as a DNS server,
> and to be authoritative on some domains. Any suggestions?

> > # Allow access to our DNS
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any

From owner-freebsd-security Wed Dec 26 17:22:59 2001
Message-ID: <20011227012255.80858.qmail@web11805.mail.yahoo.com>
Date: Wed, 26 Dec 2001 17:22:55 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: David Wolfskill, security@freebsd.org
In-Reply-To: <200112261952.fBQJqe207151@bunrab.catwhisker.org>

David,

I think I need to clarify the NAT setup. I have dedicated, fixed external and internal IP addresses. As far as I know our Cisco router just translates everything, without analysis, between my internal and external addresses, in both directions. I assume you were talking about the common office setup where everyone shares an internal, or an external, address. Considering this, should the ruleset I posted earlier work?

I am currently using an external name server for resolution, but I will be setting up named and using my own named for resolution.

Jason

--- David Wolfskill wrote:
> You mention that you're behind NAT.
>
> If you're also wanting to handle master (primary) or slave (secondary)
> nameservice, natd will need to be told what should happen to an
> in-bound DNS query. (You may want to think about this for a little
> bit.)
>
> Depending on what the intended destination for incoming DNS queries
> is now, this may be challenging or nearly impossible....
>
> Cheers,
> david

From owner-freebsd-security Wed Dec 26 17:47:12 2001
Message-ID: <20011227014709.9820.qmail@web11806.mail.yahoo.com>
Date: Wed, 26 Dec 2001 17:47:09 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: "G.P. de Boer", security@freebsd.org
In-Reply-To: <5.1.0.14.0.20011226223958.01f4dd30@thedarkside.nl>

G.P.,

I am currently using an external DNS server via resolv.conf, you are correct. I would think that the generic rule to allow all internally established connections (both UDP and TCP) to pass through would allow this, even without any port-specific rules. Is this not correct?

# Allow set up of outgoing UDP connections
${fwcmd} add pass udp from ${ip} to any setup

# Allow setup of outgoing TCP connections
${fwcmd} add pass tcp from ${ip} to any setup

I used to have named set up on my machine, before I upgraded to 4.4R, and I plan to set it up again. However, before I upgraded I was using this rule set, and it did not seem to allow me to access my machine as a name server from another machine. I am not 100% sure that I tested it properly though, so the general question is: should I be able to use this ruleset if I want to use my machine as a name server, i.e. to be accessed by an external client, and authoritative on a domain or twelve? As someone else mentioned, this is pretty much verbatim from the default rc.firewall.

# Allow DNS queries out and in
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any

Thanks much for your reply! I can't wait to get this working.

Jason

--- "G.P. de Boer" wrote:
> At 21:56 26-12-2001, you wrote something
>
> I was reading your mail and the pasted rules below, and
> saw two things which might form the problem->solution.
>
> You were saying you're using /etc/resolv.conf for your own
> lookups. This means that your lookups are NOT from source
> port 53. This only applies when you use your own nameserver
> as resolver. So the rule pass udp from ${ip} 53 to any doesn't
> apply, since you're using source port >1024.
> I would use pass udp from ${ip} to any 53.
>
> Hope this helps,
> P. de Boer

From owner-freebsd-security Thu Dec 27 00:39:10 2001
Date: Thu, 27 Dec 2001 19:38:44 +1100 (EST)
From: Ian Smith
Reply-To: Ian Smith
To: X Philius
Cc: "G.P. de Boer" , security@FreeBSD.ORG, Dave Raven
Subject: Re: Help with ipfw rules to allow DNS queries through
In-Reply-To: <20011227014709.9820.qmail@web11806.mail.yahoo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 26 Dec 2001, X Philius wrote:

> I am currently using an external DNS server via resolv.conf, you are correct. I would think that the generic rule to allow all internally established connections (both udp and tcp) to pass through would allow this, even without any port specific rules. Is this not correct?
>
> # Allow set up of outgoing UDP connections
> ${fwcmd} add pass udp from ${ip} to any setup

There's no concept of 'setup' with UDP connections. You should find that ipfw (perhaps silently?) failed to add this rule, blowing away most UDP from your box, including DNS, if I've read your ruleset rightly?

Does the output of 'ipfw list' or 'ipfw show' include that UDP rule? 'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..

[..]

> I used to have named set up on my machine, before I upgraded to 4.4R, and I plan to set it up again. However, before I upgraded I was using this rule set, and it did not seem to allow me to access my machine as a name server from another machine. I am not 100% sure that I tested it

!ipfw add 702 count udp from any to any setup
ipfw: error: unknown argument ``setup''
usage: ipfw [options] ...

> properly though, so the general question is; should I be able to use this ruleset if I want to use my machine as a name server, ie to be accessed by an external client, and authoritative on a domain or twelve?

Sure.
Assuming your NAT etc is configured right, and the Cisco upstream is playing fair, you'd be well advised to follow up Dave Raven's message re bind setup to allow internal / deny external recursion and transfers.

Of course you'll want to allow xfers as well with outside primaries and secondaries, and may need to add ipfw rules for them. We also share hosting a few domains with/for friends on lil systems, and log heaps of DNS subnet scanning and such, and the occasional poisoning attempt.

man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts then increases by 1 the level of named logging, to /var/tmp/named.run - using Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging of all DNS activity for as much bind self-education as you've time for ..

> As someone else mentioned, this is pretty much verbatim from the default rc.firewall.
>
> # Allow DNS queries out and in
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any

Only the comment differs from the alternatives posted :)

It seems that more than DNS would be affected by a loss of outgoing UDP, if that is the case, but then you may have allowed everything else you want like quicktime and other streaming protocols (which caught my eye!)

> Thanks much for your reply! I can't wait to get this working.

tcpdump is your good mate. Here 'tcpdump -pen -i tun0 port 53' in a window inspires confidence when named's doing its thang.
Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 3: 1:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from holmes.infopro.spb.su (holmes.infopro.spb.su [195.242.2.2]) by hub.freebsd.org (Postfix) with ESMTP id 7D44F37B416 for ; Thu, 27 Dec 2001 03:01:08 -0800 (PST)
Received: from barrymore.peterlink.ru (barrymore.peterlink.ru [195.242.2.8]) by holmes.infopro.spb.su (8.9.1/8.9.1) with ESMTP id OAA16528 for ; Thu, 27 Dec 2001 14:01:03 +0300 (MSK)
Received: from kostasoft.spb.ru (spb-4-65.dialup.peterlink.ru [195.242.19.65]) by barrymore.peterlink.ru (8.9.1/8.9.1) with ESMTP id OAA24972 for ; Thu, 27 Dec 2001 14:00:56 +0300 (MSK)
Received: from adv2 [192.168.0.4] by kostasoft [127.0.0.1] with SMTP (MDaemon.v2.84.R) for ; Thu, 27 Dec 2001 12:50:44 +0300
Reply-To:
From: "Yuri Muhitov"
To:
Subject: RE: Help with ipfw rules to allow DNS queries through
Date: Thu, 27 Dec 2001 12:50:42 +0300
Message-ID: <2E8E747BA4D4994CB49D56AF57F1728208B2F7@adv.KOSTASOFT.kostasoft.spb.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <2E8E747BA4D4994CB49D56AF57F172820F78EC@adv.KOSTASOFT.kostasoft.spb.ru>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
X-MDaemon-Deliver-To: security@FreeBSD.ORG
X-Return-Path: muhitov@kostasoft.spb.ru
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of X Philius
> Sent: Thursday, December 27, 2001 4:47 AM
> To: G.P. de Boer; security@FreeBSD.ORG
> Subject: Re: Help with ipfw rules to allow DNS queries through
>

Hi, Jason!

UDP is a connectionless transport protocol, isn't it? Just add two lines which allow you access to EXT DNS, the rest must work fine.

${fwcmd} add pass udp from ${ip} to any 53
${fwcmd} add pass udp from any 53 to ${ip}

Furthermore, you can restrict the list of DNS'es. Replace ANY by explicit addresses...

Good Luck, Yuri.

> I am currently using an external DNS server via resolv.conf, you are correct. I would think that the generic rule to allow all internally established connections (both udp and tcp) to pass through would allow this, even without any port specific rules. Is this not correct?
>
> # Allow set up of outgoing UDP connections
> ${fwcmd} add pass udp from ${ip} to any setup

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 3:34:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dot.ru (www.dot.ru [195.14.48.5]) by hub.freebsd.org (Postfix) with ESMTP id 22ED637B416 for ; Thu, 27 Dec 2001 03:34:19 -0800 (PST)
Received: from there (ugol.dot.ru [213.128.193.142]) by dot.ru (8.10.1/8.10.1) with SMTP id fBRCeii15967 for ; Thu, 27 Dec 2001 15:40:47 +0300
Content-Type: text/plain; charset="koi8-r"
From: Yury XTC
Reply-To: xtc@norilsk.net
Organization: WDA Norilsk.NET
Message-Id: <200112271424.2161@XTC.NORILSK.NET>
To: security@FreeBSD.ORG
Subject: Re: Help with ipfw rules to allow DNS queries through
Date: Thu, 27 Dec 2001 14:33:54 +0300
X-Mailer: KMail [version 1.3.2]
References: <2E8E747BA4D4994CB49D56AF57F1728208B2F7@adv.KOSTASOFT.kostasoft.spb.ru>
In-Reply-To: <2E8E747BA4D4994CB49D56AF57F1728208B2F7@adv.KOSTASOFT.kostasoft.spb.ru>
XTC-Mail: 3246163399
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> UDP is connectionless transport protocol, isn't it?
> Just add two lines which allow you access to EXT DNS, the rest must work fine.
>
> ${fwcmd} add pass udp from ${ip} to any 53
> ${fwcmd} add pass udp from any 53 to ${ip}
>
> Furthermore, You can restrict the list of DNS'es. Replace ANY by explicit addresses...
>

Hey!
You forget that DNS works over TCP and UDP. Try this:

add allow udp from any to ${ip} 53 in recv xl0
add allow tcp from any to ${ip} 53 setup keep-state
add allow udp from any to any out

As help go to http://www.onlamp.com/pub/ct/15
Read the articles:
Monitoring IPFW Logs
IPFW Logging
BSD Firewalls: Fine-Tuning Rulesets
BSD Firewalls: IPFW Rulesets
BSD Firewalls: IPFW

--
Best regards
Yury XTC Voloshin
xtc@norilsk.net
Info-portal of Norilsk town http://norilsk.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 6:21: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web11804.mail.yahoo.com (web11804.mail.yahoo.com [216.136.172.158]) by hub.freebsd.org (Postfix) with SMTP id 5D0A537B41C for ; Thu, 27 Dec 2001 06:20:28 -0800 (PST)
Message-ID: <20011227142028.13343.qmail@web11804.mail.yahoo.com>
Received: from [64.73.64.94] by web11804.mail.yahoo.com via HTTP; Thu, 27 Dec 2001 06:20:28 PST
Date: Thu, 27 Dec 2001 06:20:28 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: Ian Smith
Cc: "G.P. de Boer" , security@FreeBSD.ORG, Dave Raven
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Ian and Security Wizards,

Thanks a whole heap! It looks to me that I have enough material here to get this working. I am guessing that this broken UDP rule may have been messing me up. I will put all these suggestions in place and post a note next week when I have everything humming along.

Jason

--- Ian Smith wrote:
> On Wed, 26 Dec 2001, X Philius wrote:
>
> > I am currently using an external DNS server via resolv.conf, you are correct. I would think that the generic rule to allow all internally established connections (both udp and tcp) to pass through would allow this, even without any port specific rules. Is this not correct?
> >
> > # Allow set up of outgoing UDP connections
> > ${fwcmd} add pass udp from ${ip} to any setup
>
> There's no concept of 'setup' with UDP connections. You should find that ipfw (perhaps silently?) failed to add this rule, blowing away most UDP from your box, including DNS, if I've read your ruleset rightly?
>
> Does the output of 'ipfw list' or 'ipfw show' include that UDP rule? 'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..
>
> [..]
>
> > I used to have named set up on my machine, before I upgraded to 4.4R, and I plan to set it up again. However, before I upgraded I was using this rule set, and it did not seem to allow me to access my machine as a name server from another machine. I am not 100% sure that I tested it
>
> !ipfw add 702 count udp from any to any setup
> ipfw: error: unknown argument ``setup''
> usage: ipfw [options] ...
>
> > properly though, so the general question is; should I be able to use this ruleset if I want to use my machine as a name server, ie to be accessed by an external client, and authoritative on a domain or twelve?
>
> Sure. Assuming your NAT etc is configured right, and the Cisco upstream is playing fair, you'd be well advised to follow up Dave Raven's message re bind setup to allow internal / deny external recursion and transfers.
>
> Of course you'll want to allow xfers as well with outside primaries and secondaries, and may need to add ipfw rules for them. We also share hosting a few domains with/for friends on lil systems, and log heaps of DNS subnet scanning and such, and the occasional poisoning attempt.
>
> man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts then increases by 1 the level of named logging, to /var/tmp/named.run - using Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging of all DNS activity for as much bind self-education as you've time for ..
>
> > As someone else mentioned, this is pretty much verbatim from the default rc.firewall.
> >
> > # Allow DNS queries out and in
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any
>
> Only the comment differs from the alternatives posted :)
>
> It seems that more than DNS would be affected by a loss of outgoing UDP, if that is the case, but then you may have allowed everything else you want like quicktime and other streaming protocols (which caught my eye!)
>
> > Thanks much for your reply! I can't wait to get this working.
>
> tcpdump is your good mate. Here 'tcpdump -pen -i tun0 port 53' in a window inspires confidence when named's doing its thang.
>
> Cheers, Ian
>

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 14:38: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id 50A1A37B405 for ; Thu, 27 Dec 2001 14:37:59 -0800 (PST)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fBRMbxG01648 for ; Thu, 27 Dec 2001 17:38:00 -0500 (EST) (envelope-from behanna@zbzoom.net)
Date: Thu, 27 Dec 2001 17:37:54 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
To:
Subject: Re: kdm grants ordinary users root access on 4.4-R
In-Reply-To: <20011215132828.P59641-100000@cithaeron.argolis.org>
Message-ID: <20011227173437.T93274-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, 15 Dec 2001, Matt Piechota wrote:

> On Sat, 15 Dec 2001, Raf Schietekat wrote:
>
> > [...kdm gave him a session as root instead of as himself...]
>
> [...snip...]
>
> While kcontrol *does* claim that the user is root, I don't seem to have any rootly power to change things, such as the kdm properties. I think kde2 is having problems with the freebsd passwd, although I don't know why. I also haven't figured out why kde won't accept my password to unlock the screen saver, or the root password so I *can* modify the kdm settings as myself. I've been meaning to peek at the code to see why those two bits don't work.

kpasswd needs to be setuid root. There was a window during which it wasn't, and you installed KDE during that window.

> As for the lack of response, I suppose that if I were very security conscious, I wouldn't be running kde (or probably X) in the first place. There probably aren't too many people on the list that are running kde. :)

I imagine almost everyone on the list is running X on their desktops, and that a sizable percentage are running KDE. They also likely (like me) have their firewalls configured to prevent packets on ports 6000-6063 from getting out on the external interface (otherwise every single XEvent--including every single keystroke--can be sniffed).

Regards,
--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 14:48:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id C8E7A37B416 for ; Thu, 27 Dec 2001 14:48:48 -0800 (PST)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fBRMmnG01712 for ; Thu, 27 Dec 2001 17:48:50 -0500 (EST) (envelope-from behanna@zbzoom.net)
Date: Thu, 27 Dec 2001 17:48:44 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
To:
Subject: Re: Invalid self-signature (was: Re: FreeBSD Ports Security Advisory FreeBSD-SA-01:67.htdig)
In-Reply-To: <20011217230335.GB658@shall.anarcat.dyndns.org>
Message-ID: <20011227174727.L93274-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 17 Dec 2001, The Anarcat wrote:

> Is it me or is there something wrong with the signer keys on the keyservers?
>
> Mutt tells me this:
>
> [-- PGP output follows (current time: Mon Dec 17 18:01:10 2001) --]
> gpg: Warning: using insecure memory!
       ^^^^^^^^^^^^^^^^^^^^^

This is itself a problem. gpg needs to be setuid root in order to lock pages in memory, so that your passphrase never makes it into the swap file.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 19: 2: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 7396A37B41A for ; Thu, 27 Dec 2001 19:02:03 -0800 (PST)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id TAA15674 for ; Thu, 27 Dec 2001 19:02:03 -0800
Date: Thu, 27 Dec 2001 19:02:02 -0800 (PST)
From: John F Cuzzola
To: security@freebsd.org
Subject: ipfw by MAC
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi there,

Does the latest version of FreeBSD allow you to create ipfw rules based on MAC address instead of IP? Linux's iptables has added this feature, and I was wondering if FreeBSD has done the same.

Thanks

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 27 23:12: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from harrier.prod.itd.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12]) by hub.freebsd.org (Postfix) with ESMTP id A182537B419 for ; Thu, 27 Dec 2001 23:12:02 -0800 (PST)
Received: from dialup-209.247.139.181.dial1.sanjose1.level3.net ([209.247.139.181] helo=blossom.cjclark.org) by harrier.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16JrBR-0005G2-00; Thu, 27 Dec 2001 23:12:01 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBS7BtF08727; Thu, 27 Dec 2001 23:11:55 -0800 (PST) (envelope-from cjc)
Date: Thu, 27 Dec 2001 23:11:54 -0800
From: "Crist J . Clark"
To: John F Cuzzola
Cc: security@FreeBSD.ORG
Subject: Re: ipfw by MAC
Message-ID: <20011227231154.M2090@blossom.cjclark.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from vdrifter@ocis.ocis.net on Thu, Dec 27, 2001 at 07:02:02PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Dec 27, 2001 at 07:02:02PM -0800, John F Cuzzola wrote:
>
> Hi there,
>
> Does the latest version of FreeBSD allow you to create ipfw rules based on MAC address instead of IP?

No.

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 28 8:43:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 7872737B42B for ; Fri, 28 Dec 2001 08:43:49 -0800 (PST)
Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id fBSGcGu68878 for ; Fri, 28 Dec 2001 10:38:17 -0600 (CST) (envelope-from admin@crimelords.org)
Date: Fri, 28 Dec 2001 10:38:16 -0600 (CST)
From: admin
To:
Subject: AIDE
Message-ID: <20011228103513.V68876-100000@crimelords.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Has anyone had success with installing AIDE on FreeBSD 4.4 stable? I've tried it on 2 machines and received Seg faults just trying to create the initial database ( aide --init ). Maybe I should stick with tripwire? Can anyone suggest any other Intrusion Detection type programs I may try out? (opensource of course).

--emac

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 28 8:58:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id C5A8237B420 for ; Fri, 28 Dec 2001 08:58:10 -0800 (PST)
Received: from polom.hsc.fr (polom.hsc.fr [192.70.106.68]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "ecureuil.hsc.fr", Issuer "HSC CA" (verified OK)) by itesec.hsc.fr (Postfix) with ESMTP id AC38921778; Fri, 28 Dec 2001 17:58:09 +0100 (CET)
Received: by polom.hsc.fr (Postfix, from userid 1000) id 96EFF103AA4; Fri, 28 Dec 2001 17:57:55 +0100 (CET)
Date: Fri, 28 Dec 2001 17:57:55 +0100
From: Nicolas Jombart
To: admin
Cc: security@freebsd.org
Subject: Re: AIDE
Message-ID: <20011228165754.GA8937@polom.hsc.fr>
References: <20011228103513.V68876-100000@crimelords.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20011228103513.V68876-100000@crimelords.org>
User-Agent: Mutt/1.3.23.1i
X-Operating-System: FreeBSD 5.0-CURRENT
X-Organisation: Hervé Schauer Consultants - http://www.hsc.fr/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

on Fri, Dec 28, 2001 at 10:38:16AM -0600, admin wrote :

> Has anyone had success with installing AIDE on FreeBSD 4.4 stable? I've

It works fine for me with 4.4 boxes.

> tried it on 2 machines and received Seg faults just trying to create the initial database ( aide --init ). Maybe I should stick with tripwire?

Maybe you will have to check the configuration file aide.conf ?

--
Nicolas Jombart - Hervé Schauer Consultants - http://www.hsc.fr/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 28 9:11:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from switchblade.cyberpunkz.org (switchblade.cyberpunkz.org [198.174.169.125]) by hub.freebsd.org (Postfix) with ESMTP id 60A8E37B420 for ; Fri, 28 Dec 2001 09:11:23 -0800 (PST)
Received: from there (nic-118-c60-194.mn.mediaone.net [24.118.60.194]) by switchblade.cyberpunkz.org (8.12.1/CpA-TLS-1.2.12-1) with SMTP id fBSHArtg014230; Fri, 28 Dec 2001 11:10:59 -0600 (CST) (envelope-from rob@cyberpunkz.org)
Posted-Date: Fri, 28 Dec 2001 11:10:53 -0600 (CST)
Abuse-Contact: abuse@cyberpunkz.org
Content-Type: text/plain; charset="iso-8859-1"
From: Rob Andrews
Reply-To: rob@cyberpunkz.org
Organization: Cyberpunk Alliance
Message-Id: <200112281103.55734@cyberpunkz.org>
To: admin ,
Subject: Re: AIDE
Date: Fri, 28 Dec 2001 11:10:52 -0600
X-Mailer: KMail [version 1.3.2]
References: <20011228103513.V68876-100000@crimelords.org>
In-Reply-To: <20011228103513.V68876-100000@crimelords.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Friday 28 December 2001 10:38, admin wrote:
> Has anyone had success with installing AIDE on FreeBSD 4.4 stable? I've tried it on 2 machines and received Seg faults just trying to create the initial database ( aide --init ). Maybe I should stick with tripwire? Can anyone suggest any other Intrusion Detection type programs I may try out? (opensource of course).

Just to test it out and see I did install it and ran the db init. I had no troubles with it on my dual processor 4.4-s box. Not sure what sort of trouble you're running into but it does seem to be working and built just fine from ports just minutes before I sent this email out..
Rob Andrews
Cyberpunk Alliance
http://cyberpunkz.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 28 10: 6:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0535D37B416 for ; Fri, 28 Dec 2001 10:06:41 -0800 (PST)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA31078; Fri, 28 Dec 2001 10:06:24 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda31073; Fri Dec 28 10:06:20 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id fBSI67572991; Fri, 28 Dec 2001 10:06:07 -0800 (PST)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdd72989; Fri Dec 28 10:06:06 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id fBSI66l08175; Fri, 28 Dec 2001 10:06:06 -0800 (PST)
Message-Id: <200112281806.fBSI66l08175@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdcm8165; Fri Dec 28 10:05:14 2001
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: admin
Cc: security@FreeBSD.ORG
Subject: Re: AIDE
In-reply-to: Your message of "Fri, 28 Dec 2001 10:38:16 CST." <20011228103513.V68876-100000@crimelords.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 28 Dec 2001 10:05:14 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <20011228103513.V68876-100000@crimelords.org>, admin writes:
> Has anyone had success with installing AIDE on FreeBSD 4.4 stable? I've tried it on 2 machines and received Seg faults just trying to create the initial database ( aide --init ). Maybe I should stick with tripwire? Can anyone suggest any other Intrusion Detection type programs I may try out? (opensource of course).

I'm not seeing any problems here under 4.5-PRE. Would you please post your aide.conf file.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
FreeBSD UNIX:  cy@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 28 11:32:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 8AE2637B41A for ; Fri, 28 Dec 2001 11:32:06 -0800 (PST)
Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id fBSJQBu69484; Fri, 28 Dec 2001 13:26:11 -0600 (CST) (envelope-from admin@crimelords.org)
Date: Fri, 28 Dec 2001 13:26:11 -0600 (CST)
From: admin
To: Cy Schubert - ITSD Open Systems Group
Cc:
Subject: Re: AIDE
In-Reply-To: <200112281806.fBSI66l08175@cwsys.cwsent.com>
Message-ID: <20011228131939.H69449-100000@crimelords.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Well, I did get it working on one of the 2 boxes (both are almost identical). I used the standard default aide.conf.sample file and it works on one, but not on the other. I ran aide --verbose=255 a few times to see if it was giving the Segmentation Fault at the same spot each time, and it appears that it is. When it gets to

Opening /usr/local/lib/libltdl.so.1 for md check
Segmentation fault (core dumped)

Every time it hits this (or maybe the next file) it seg faults. I'm guessing it's just something odd on this one box that I'll have to track down further, since I got it working on other systems. I'll probably change the ruleset around that dir or file and see what it changes from there.

Thanks for the input, now that I know it works, I will drive myself nutz fixing the one that doesn't.

--emac

On Fri, 28 Dec 2001, Cy Schubert - ITSD Open Systems Group wrote:

> In message <20011228103513.V68876-100000@crimelords.org>, admin writes:
> > Has anyone had success with installing AIDE on FreeBSD 4.4 stable? I've tried it on 2 machines and received Seg faults just trying to create the initial database ( aide --init ). Maybe I should stick with tripwire? Can anyone suggest any other Intrusion Detection type programs I may try out? (opensource of course).
>
> I'm not seeing any problems here under 4.5-PRE. Would you please post your aide.conf file.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD
> Ministry of Management Services
> Province of BC
> FreeBSD UNIX:  cy@FreeBSD.org
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 28 11:49:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ke7hc.net (12-225-238-179.client.attbi.com [12.225.238.179]) by hub.freebsd.org (Postfix) with ESMTP id 17C7737B41A for ; Fri, 28 Dec 2001 11:49:31 -0800 (PST)
Received: (from phils@localhost) by ke7hc.net (8.11.6/8.11.6) id fBSJnSh43803 for security@FreeBSD.ORG; Fri, 28 Dec 2001 11:49:28 -0800 (PST) (envelope-from phils)
Date: Fri, 28 Dec 2001 11:49:28 -0800
From: Phil Staub
To: security@FreeBSD.ORG
Subject: Re: ipfw by MAC
Message-ID: <20011228114927.A43549@ke7hc.net>
Reply-To: phils@ke7hc.net
References: <20011227231154.M2090@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011227231154.M2090@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Thu, Dec 27, 2001 at 11:11:54PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Dec 27, 2001 at 11:11:54PM -0800, Crist J . Clark wrote:
> On Thu, Dec 27, 2001 at 07:02:02PM -0800, John F Cuzzola wrote:
> >
> > Hi there,
> >
> > Does the latest version of FreeBSD allow you to create ipfw rules based on MAC address instead of IP?
>
> No.

This sort of prompts a question I've been wondering about since the @Home->attbi.com transition: Has anyone addressed the issue of configuring a firewall with a DHCP-assigned outside IP address?

I had been using hard-coded IP addresses in my firewall, because even though @Home was theoretically using DHCP for IP address assignment, it never changed, and the lease timeout was set really long, (I think it was a month or more) so "pretending" to have a static IP worked ok.

When I was switched to attbi.com, the DHCP lease period has been reduced to 2 days, increasing the probability that someday my link will be down when it comes time for a lease renewal, and I'm assuming that I very likely would get a different IP address when the link returns. If that happens, it means reworking the firewall rules with the new IP address. Not an incredible burden, given the generally good uptime I've experienced with the cable modem, but if it could be eliminated or automated, I'd like to do so.
I suppose that tying the firewall rules to the MAC address would be one way of doing that, but since that isn't supported, I'm curious if anyone has come up with a different way of doing it. Thanks, Phil -- Phil Staub, KE7HC phils@ke7hc.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 12:27:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 2028C37B423 for ; Fri, 28 Dec 2001 12:27:48 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 584981DA7; Fri, 28 Dec 2001 21:27:45 +0100 (CET) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fBSKRXt01885; Fri, 28 Dec 2001 21:27:33 +0100 Date: Fri, 28 Dec 2001 21:27:33 +0100 
From: Krzysztof Zaraska To: phils@ke7hc.net Cc: freebsd-security@freebsd.org Subject: ipfw with DHCP [was: Re: ipfw by MAC] Message-Id: <20011228212733.4dc0d79d.kzaraska@student.uci.agh.edu.pl> In-Reply-To: <20011228114927.A43549@ke7hc.net> References: <20011227231154.M2090@blossom.cjclark.org> <20011228114927.A43549@ke7hc.net> Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 28 Dec 2001 11:49:28 -0800 Phil Staub wrote:
> > On Thu, Dec 27, 2001 at 11:11:54PM -0800, Crist J . Clark wrote:
> > On Thu, Dec 27, 2001 at 07:02:02PM -0800, John F Cuzzola wrote:
> > >
> > > Hi there,
> > >
> > > Does the latest version of FreeBSD allow you to create ipfw rules based
> > > on MAC address instead of IP?
> >
> > No.
>
> This sort of prompts a question I've been wondering about since the
> @Home->attbi.com transition: Has anyone addressed the issue of
> configuring a firewall with a DHCP-assigned outside IP address?
/.../

Take a look at this: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html

This setup could be a good starting point -- the author seems to be filtering mostly on an interface basis, so changing IP should not be a problem.
Hope it helps Krzysztof To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 12:34:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from ke7hc.net (12-225-238-179.client.attbi.com [12.225.238.179]) by hub.freebsd.org (Postfix) with ESMTP id 9953937B428 for ; Fri, 28 Dec 2001 12:34:06 -0800 (PST) Received: (from phils@localhost) by ke7hc.net (8.11.6/8.11.6) id fBSKXUe43912; Fri, 28 Dec 2001 12:33:30 -0800 (PST) (envelope-from phils) Date: Fri, 28 Dec 2001 12:33:30 -0800 
From: Phil Staub To: Krzysztof Zaraska Cc: freebsd-security@freebsd.org Subject: Re: ipfw with DHCP [was: Re: ipfw by MAC] Message-ID: <20011228123330.B43549@ke7hc.net> Reply-To: phils@ke7hc.net References: <20011227231154.M2090@blossom.cjclark.org> <20011228114927.A43549@ke7hc.net> <20011228212733.4dc0d79d.kzaraska@student.uci.agh.edu.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011228212733.4dc0d79d.kzaraska@student.uci.agh.edu.pl>; from kzaraska@student.uci.agh.edu.pl on Fri, Dec 28, 2001 at 09:27:33PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thanks, Krzysztof. I had assumed it would probably just be a matter of knowing how to get around specifying the IP addresses in the rules. This provides the examples I needed. Phil

On Fri, Dec 28, 2001 at 09:27:33PM +0100, Krzysztof Zaraska wrote: > On Fri, 28 Dec 2001 11:49:28 -0800 Phil Staub wrote: > > > > > On Thu, Dec 27, 2001 at 11:11:54PM -0800, Crist J . Clark wrote: > > > On Thu, Dec 27, 2001 at 07:02:02PM -0800, John F Cuzzola wrote: > > > > > > > > Hi there, > > > > > > > > Does the latest version of FreeBSD allow you to create ipfw rules > based > > > > on MAC address instead of IP? > > > > > > No. > > > > This sort of prompts a question I've been wondering about since the > > @Home->attbi.com transition: Has anyone addressed the issue of > > configuring a firewall with a DHCP-assigned outside IP address? > /.../ > > Take a look at this: > > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html > > This setup could be a good starting point -- the author seems to be > filtering mostly on an interface basis, so changing IP should not be a > problem.
> > Hope it helps > > Krzysztof -- Phil Staub, KE7HC phils@ke7hc.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 12:56:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from tenchi.dreamlabs.com (tenchi.dreamlabs.com [216.220.37.61]) by hub.freebsd.org (Postfix) with ESMTP id DC17437B422 for ; Fri, 28 Dec 2001 12:56:40 -0800 (PST) Received: (from root@localhost) by tenchi.dreamlabs.com (8.11.6/8.11.6) id fBSKuYC93051 for security@freebsd.org; Fri, 28 Dec 2001 15:56:34 -0500 (EST) (envelope-from mitayai@dreamlabs.com) Received: from cr411661a (CPE0010a4b02b1b.cpe.net.cable.rogers.com [24.43.34.41]) (authenticated) by tenchi.dreamlabs.com (8.11.6/8.11.6) with ESMTP id fBSKuTV93033 for ; Fri, 28 Dec 2001 15:56:30 -0500 (EST) (envelope-from mitayai@dreamlabs.com) Reply-To: 
From: "Mit Rowe" To: "security@FreeBSD. ORG" Subject: denial of service attack Date: Fri, 28 Dec 2001 15:55:55 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

If I read this correctly, I'm under a denial of service attack. A few questions...

1) am I correct
2) if so, how can I trace where it is coming from?
3) how can I compensate?

Dec 28 15:39:50 tenchi /kernel: Limiting icmp unreach response from 323 to 200 packets per second
Dec 28 15:39:51 tenchi /kernel: Limiting icmp unreach response from 305 to 200 packets per second
Dec 28 15:39:54 tenchi /kernel: Limiting icmp unreach response from 274 to 200 packets per second
Dec 28 15:39:55 tenchi /kernel: Limiting icmp unreach response from 266 to 200 packets per second
Dec 28 15:39:56 tenchi /kernel: Limiting icmp unreach response from 322 to 200 packets per second
Dec 28 15:39:58 tenchi /kernel: Limiting icmp unreach response from 355 to 200 packets per second
Dec 28 15:39:59 tenchi /kernel: Limiting icmp unreach response from 316 to 200 packets per second

___________________________________________________________ Mit Rowe (Will Mitayai Keeso Rowe) Director, Internet Services DreamLabs (a partner of Branch Media, Inc.) 260 Richmond St. East Suite 200 Toronto, Ontario M5A 1P4 Canada ph: 416.323.0840 ext.
262 / fax: 416.323.0894 email: mit@dreamlabs.com / icq: 7161728 ___________________________________________________________ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 12:58:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 3A19E37B41C for ; Fri, 28 Dec 2001 12:58:50 -0800 (PST) Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id fBSKwkA13897; Fri, 28 Dec 2001 12:58:46 -0800 (PST) (envelope-from fasty) Date: Fri, 28 Dec 2001 12:58:46 -0800 
From: faSty To: Mit Rowe Cc: security@freebsd.org Subject: Re: denial of service attack Message-ID: <20011228125846.A13876@i-sphere.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mitayai@dreamlabs.com on Fri, Dec 28, 2001 at 03:55:55PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Yes.. it's related to a "nuke", like ping with unreach, to make your connection reset. I have had that happen in the past on IRC. -trev

On Fri, Dec 28, 2001 at 03:55:55PM -0500, Mit Rowe wrote:
> If I read this correctly, I'm under a denial of service attack.
>
> A few questions...
>
> 1) am I correct
> 2) if so, how can I trace where it is coming from?
> 3) how can I compensate?
>
> Dec 28 15:39:50 tenchi /kernel: Limiting icmp unreach response from 323 to 200 packets per second
> Dec 28 15:39:51 tenchi /kernel: Limiting icmp unreach response from 305 to 200 packets per second
> Dec 28 15:39:54 tenchi /kernel: Limiting icmp unreach response from 274 to 200 packets per second
> Dec 28 15:39:55 tenchi /kernel: Limiting icmp unreach response from 266 to 200 packets per second
> Dec 28 15:39:56 tenchi /kernel: Limiting icmp unreach response from 322 to 200 packets per second
> Dec 28 15:39:58 tenchi /kernel: Limiting icmp unreach response from 355 to 200 packets per second
> Dec 28 15:39:59 tenchi /kernel: Limiting icmp unreach response from 316 to 200 packets per second
>
> ___________________________________________________________
> Mit Rowe
> (Will Mitayai Keeso Rowe)
>
> Director, Internet Services
> DreamLabs
> (a partner of Branch Media, Inc.)
> 260 Richmond St. East Suite 200
> Toronto, Ontario M5A 1P4
> Canada
> ph: 416.323.0840 ext.
262 / fax: 416.323.0894 > email: mit@dreamlabs.com / icq: 7161728 > ___________________________________________________________ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Anthony's Law of Force: Don't force it; get a larger hammer. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 13: 8:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from niwun.pair.com (niwun.pair.com [209.68.2.70]) by hub.freebsd.org (Postfix) with SMTP id A70C037B41A for ; Fri, 28 Dec 2001 13:08:05 -0800 (PST) Received: (qmail 94912 invoked by uid 3193); 28 Dec 2001 21:08:04 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Dec 2001 21:08:04 -0000 Date: Fri, 28 Dec 2001 16:08:03 -0500 (EST) 
From: Mike Silbersack X-Sender: To: Mit Rowe Cc: "security@FreeBSD. ORG" Subject: Re: denial of service attack In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 28 Dec 2001, Mit Rowe wrote:
> If I read this correctly, I'm under a denial of service attack.
>
> A few questions...
>
> 1) am I correct
> 2) if so, how can I trace where it is coming from?
> 3) how can I compensate?
>
> Dec 28 15:39:50 tenchi /kernel: Limiting icmp unreach response
> from 323 to 200 packets per second

You're just being nmap'd, nothing serious. If you want to track the scan, install an IDS like nessus or something.

Before you do that, though, I suggest that you upgrade to 4.4-stable; the vulnerabilities in whatever ancient version of freebsd you're running should worry you more than the portscan.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 13:10:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from tenchi.dreamlabs.com (tenchi.dreamlabs.com [216.220.37.61]) by hub.freebsd.org (Postfix) with ESMTP id 3012937B420 for ; Fri, 28 Dec 2001 13:10:18 -0800 (PST) Received: (from root@localhost) by tenchi.dreamlabs.com (8.11.6/8.11.6) id fBSLAHk94709; Fri, 28 Dec 2001 16:10:17 -0500 (EST) (envelope-from mitayai@dreamlabs.com) Received: from cr411661a (CPE0010a4b02b1b.cpe.net.cable.rogers.com [24.43.34.41]) (authenticated) by tenchi.dreamlabs.com (8.11.6/8.11.6) with ESMTP id fBSLAFV94699; Fri, 28 Dec 2001 16:10:15 -0500 (EST) (envelope-from mitayai@dreamlabs.com) Reply-To:
From: "Mit Rowe" To: "Mike Silbersack" Cc: "security@FreeBSD. ORG" Subject: RE: denial of service attack Date: Fri, 28 Dec 2001 16:09:40 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Ancient? ;-) I'm running the latest stable.

> -----Original Message-----
> From: Mike Silbersack [mailto:silby@silby.com]
> Sent: December 28, 2001 16:08
> To: Mit Rowe
> Cc: security@FreeBSD. ORG
> Subject: Re: denial of service attack
>
> On Fri, 28 Dec 2001, Mit Rowe wrote:
> > If I read this correctly, I'm under a denial of service attack.
> >
> > A few questions...
> >
> > 1) am I correct
> > 2) if so, how can I trace where it is coming from?
> > 3) how can I compensate?
> >
> > Dec 28 15:39:50 tenchi /kernel: Limiting icmp unreach response
> > from 323 to 200 packets per second
>
> You're just being nmap'd, nothing serious. If you want to track the scan,
> install an IDS like nessus or something.
>
> Before you do that, though, I suggest that you upgrade to 4.4-stable;
> the vulnerabilities in whatever ancient version of freebsd you're running
> should worry you more than the portscan.
>
> Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 13:12:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from niwun.pair.com (niwun.pair.com [209.68.2.70]) by hub.freebsd.org (Postfix) with SMTP id 3582D37B417 for ; Fri, 28 Dec 2001 13:12:16 -0800 (PST) Received: (qmail 96073 invoked by uid 3193); 28 Dec 2001 21:12:15 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Dec 2001 21:12:15 -0000 Date: Fri, 28 Dec 2001 16:12:15 -0500 (EST)
From: Mike Silbersack X-Sender: To: Mit Rowe Cc: "security@FreeBSD. ORG" Subject: RE: denial of service attack In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 28 Dec 2001, Mit Rowe wrote: > ancient? ;-) > > i'm running the latest stable. Urk, I read the "limiting" message wrong. Nevermind. :) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 14:52:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from nms2.ggamaur.net (nms2.ggamaur.net [213.160.40.14]) by hub.freebsd.org (Postfix) with ESMTP id 9C09637B426 for ; Fri, 28 Dec 2001 14:52:42 -0800 (PST) Received: from merlin (c-213-160-32-54.customer.ggaweb.ch [213.160.32.54]) by nms2.ggamaur.net (8.11.3/8.11.3) with SMTP id fBSMqZ329961 for ; Fri, 28 Dec 2001 23:52:35 +0100 (CET) (envelope-from mail@maxlor.com) 
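As an added example (not code from the thread), a small triage script for the kind of log lines Mit posted. The FreeBSD kernel logs "Limiting icmp unreach response from N to M packets per second" when this host itself would have sent N ICMP unreachables in one second and capped them at M, the value of the net.inet.icmp.icmplim sysctl (200 by default); the usual trigger is a burst of packets to closed UDP ports, i.e. someone scanning the box, rather than ICMP aimed at it. The script parses those messages and reports how hard the box was trying to answer. The three-second threshold in looks_like_scan is an arbitrary assumption; SAMPLE is the set of lines quoted above, embedded here as test input.

```shell
#!/bin/sh
# Added example, not from the thread: triage for the kernel's
# "Limiting icmp unreach response from N to M packets per second" message.
# N is how many unreachables this host wanted to SEND in that second, M is
# the cap (sysctl net.inet.icmp.icmplim). A sustained burst means many
# packets are arriving for closed ports: a UDP port scan, most likely.
# SAMPLE is the set of lines quoted in the thread, embedded as test input.

SAMPLE='Dec 28 15:39:50 tenchi /kernel: Limiting icmp unreach response from 323 to 200 packets per second
Dec 28 15:39:51 tenchi /kernel: Limiting icmp unreach response from 305 to 200 packets per second
Dec 28 15:39:54 tenchi /kernel: Limiting icmp unreach response from 274 to 200 packets per second
Dec 28 15:39:55 tenchi /kernel: Limiting icmp unreach response from 266 to 200 packets per second
Dec 28 15:39:56 tenchi /kernel: Limiting icmp unreach response from 322 to 200 packets per second
Dec 28 15:39:58 tenchi /kernel: Limiting icmp unreach response from 355 to 200 packets per second
Dec 28 15:39:59 tenchi /kernel: Limiting icmp unreach response from 316 to 200 packets per second'

# Read syslog lines on stdin; print one summary line:
#   seconds=<matching lines> peak=<highest N> limit=<M> suppressed=<sum of N-M>
# "suppressed" is how many unreachables the kernel refused to send, a lower
# bound on how far above the cap the incoming packet rate was.
summarize_icmplim() {
    awk '/Limiting icmp unreach response/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { want = $(i + 1) + 0; lim = $(i + 3) + 0 }
            n++
            if (want > peak) peak = want
            suppressed += want - lim
            limit = lim
         }
         END { printf "seconds=%d peak=%d limit=%d suppressed=%d\n",
                      n, peak, limit, suppressed }'
}

# Exit 0 if the burst looks like a scan rather than a one-off: at least
# MIN_SECONDS (argument, default 3) distinct seconds hit the rate limit.
looks_like_scan() {
    min="${1:-3}"
    n=$(summarize_icmplim | sed 's/^seconds=\([0-9]*\).*/\1/')
    [ "$n" -ge "$min" ]
}

printf '%s\n' "$SAMPLE" | summarize_icmplim
```

To find the source, capture the unreachables the host is emitting; their destination is the scanner: `tcpdump -ni dc0 'icmp[icmptype] = icmp-unreach'` (dc0 is a hypothetical interface name), and `netstat -s -p icmp` gives the running counters. The cap itself is read and set with `sysctl net.inet.icmp.icmplim`; raising it only makes the box answer a scan faster, so the better response is a filter rule for the scanner's address and a look at which UDP ports are actually listening.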
From: "Maxlor" To: Subject: RE: ipfw by MAC Date: Fri, 28 Dec 2001 23:52:31 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: <20011228114927.A43549@ke7hc.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> eliminated or automated, I'd like to do so. I suppose that tying the
> firewall rules to the MAC address would be one way of doing that, but
> since that isn't supported, I'm curious if anyone has come up with a
> different way of doing it.

Couldn't such a behaviour be achieved by using the NIC name in your rules, and the magical "me" keyword? E.g.: I have my firewall configured such that it allows port 80 connections to it from the inside, but disallows them from the outside (dc0 is my outside NIC, ed0 is my inside NIC):

...
ipfw add 10000 allow tcp from any to me 80 via ed0
...
ipfw add 60000 deny ip from any to any

Also, the "in" and "out" keywords can help shape the traffic the way you want. Have a lot of fun, Maxlor

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 21:57:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id F23BF37B426; Fri, 28 Dec 2001 21:57:16 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1192) id 7DD3481E08; Fri, 28 Dec 2001 23:57:11 -0600 (CST) Date: Fri, 28 Dec 2001 23:57:11 -0600
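Putting Maxlor's suggestion (interface names plus the "me" keyword) together for Phil's DHCP case, as an added example; this is not a rule set from the thread or from the FreeBSD dialup-firewall article. The interface names dc0/ed0, the 192.168.1.0/24 inside network and the single inbound service on port 22 are assumptions; IPFW defaults to a dry-run "echo ipfw" so the set can be read and checked before it touches a live firewall:

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw(8) rule set (FreeBSD 4.x
# syntax) for a host whose outside interface gets its address from DHCP.
# Hypothetical assumptions: dc0 is the outside NIC, ed0 the inside NIC,
# 192.168.1.0/24 the inside network, sshd the only inbound service.
# IPFW defaults to "echo ipfw" so running this is a dry run; set
# IPFW=/sbin/ipfw to load the rules for real.

OIF="${OIF:-dc0}"               # outside interface, DHCP-assigned address
IIF="${IIF:-ed0}"               # inside interface
INET="${INET:-192.168.1.0/24}"  # inside network
IPFW="${IPFW:-echo ipfw}"

rule() { $IPFW add "$@"; }

load_rules() {
    $IPFW -f flush
    # Loopback stays local; 127/8 never belongs on a wire.
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: packets arriving from outside may not claim inside addresses.
    rule 400 deny ip from "$INET" to any in via "$OIF"
    # DHCP client traffic is written with "any", not "me": while no lease is
    # held the client sends from 0.0.0.0 and the offer may come back to
    # 255.255.255.255, so "me" would block the very renewal we depend on.
    rule 500 allow udp from any 68 to any 67 out via "$OIF"
    rule 510 allow udp from any 67 to any 68 in via "$OIF"
    # Everything below uses "me" (whatever addresses this host holds right
    # now) and interface names, so a lease change needs no rule edits.
    rule 1000 allow tcp from any to any established
    rule 1100 allow tcp from me to any out via "$OIF" setup
    rule 1200 allow tcp from any to me 22 in via "$OIF" setup
    rule 1300 allow udp from me to any 53 out via "$OIF"
    rule 1310 allow udp from any 53 to me in via "$OIF"
    rule 1400 allow icmp from any to any icmptypes 0,3,8,11
    # The inside network talks freely through the inside interface.
    rule 2000 allow ip from "$INET" to any via "$IIF"
    rule 2010 allow ip from any to "$INET" via "$IIF"
    rule 65000 deny log ip from any to any
}

# Number of "add" commands the set issues (15); handy for checking a dry run.
count_rules() { load_rules | grep -c ' add '; }

load_rules
```

The one place `me` cannot be used is the DHCP exchange itself: before a lease is held the host has no address, so rules 500 and 510 match on `any` and on the bootpc/bootps ports instead. `me` is evaluated against the host's current addresses when each packet is matched, so the rest of the set survives a lease change untouched; reloading it from dhclient's exit hooks is optional, not required.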
From: Alfred Perlstein To: Tor.Egge@cvsup.no.freebsd.org Cc: security@freebsd.org, alc@freebsd.org, dillon@freebsd.org Subject: Re: (forw) Re: AIO vulnerability (from bugtraq) Message-ID: <20011228235711.A16101@elvis.mu.org> References: <20011210132621.E92148@elvis.mu.org> <20011211180713J.tegge@cvsup.no.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011211180713J.tegge@cvsup.no.freebsd.org>; from Tor.Egge@cvsup.no.freebsd.org on Tue, Dec 11, 2001 at 06:07:13PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Tor.Egge@cvsup.no.freebsd.org [011211 12:07] wrote:
> > Can you look at this?
>
> All pending aio requests must be drained before mapping the new
> vmspace. An untested suggested patch is enclosed.
>
> - Tor Egge

This looks a bit early and could result in aio_proc_rundown() being called but returning ENOEXEC to the caller. I think it's safe to move it down a bit as it seems the interpreter is responsible for only setting up the imgp such that kern_exec.c can finish the job. Wouldn't you say it's probably safe to try this instead? I'm aiming for a generic at_exec(9) functionality so I could really use a couple of extra eyes here to make sure this is safe and proper so that other subsystems can use it.

Index: kern_exec.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v retrieving revision 1.146 diff -1 -0 -u -r1.146 kern_exec.c --- kern_exec.c 10 Dec 2001 05:40:12 -0000 1.146 +++ kern_exec.c 29 Dec 2001 06:00:14 -0000
@@ -253,20 +253,22 @@ /* * If custom stack fixup routine present for this process * let it do the stack setup. * Else stuff argument count as first item on stack */ if (p->p_sysent->sv_fixup) (*p->p_sysent->sv_fixup)(&stack_base, imgp); else suword(--stack_base, imgp->argc); + aio_proc_rundown(p); + /* * For security and other reasons, the file descriptor table cannot * be shared after an exec. */ if (p->p_fd->fd_refcnt > 1) { struct filedesc *tmp; tmp = fdcopy(td); fdfree(td); p->p_fd = tmp; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 28 21:59:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id A5C0837B41C; Fri, 28 Dec 2001 21:59:04 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1192) id 5A15581E0B; Fri, 28 Dec 2001 23:59:04 -0600 (CST) Date: Fri, 28 Dec 2001 23:59:04 -0600 
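Review bot: the drain in this hunk is placed too late. The two statements immediately above the added aio_proc_rundown(p), the sv_fixup callback and suword(--stack_base, imgp->argc), already write into the new image's stack, so by the time the rundown runs the process's new vmspace is in place, and an aio request completing in between can still land in the freshly mapped address range; Tor's requirement, quoted in the reply, was to drain before the new vmspace is mapped. Move the call up, ahead of the stack fixup and of the point where the address space is replaced, but after the image activator has reported success so that the ENOEXEC ordering concern raised in the reply is still met. Two smaller points: the call is unconditional, so a one-line guard on whether the process ever set up aio state would keep the common exec path untouched; and a comment stating why the drain has to precede the new vmspace would stop the next person from moving it back down, since the surrounding comment ("the file descriptor table cannot be shared after an exec") explains the neighbouring block but not this one.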
From: Alfred Perlstein To: Tor.Egge@cvsup.no.freebsd.org Cc: security@freebsd.org, alc@freebsd.org, dillon@freebsd.org Subject: Re: (forw) Re: AIO vulnerability (from bugtraq) Message-ID: <20011228235904.B16101@elvis.mu.org> References: <20011210132621.E92148@elvis.mu.org> <20011211180713J.tegge@cvsup.no.freebsd.org> <20011228235711.A16101@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011228235711.A16101@elvis.mu.org>; from alfred@freebsd.org on Fri, Dec 28, 2001 at 11:57:11PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Alfred Perlstein [011228 23:57] wrote:
> * Tor.Egge@cvsup.no.freebsd.org [011211 12:07] wrote:
> > > Can you look at this?
> >
> > All pending aio requests must be drained before mapping the new
> > vmspace. An untested suggested patch is enclosed.
> >
> > - Tor Egge
>
> This looks a bit early and could result in aio_proc_rundown()
> being called but returning ENOEXEC to the caller.
>
> I think it's safe to move it down a bit as it seems the interpreter
> is responsible for only setting up the imgp such that kern_exec.c
> can finish the job. Wouldn't you say it's probably safe to try
> this instead?

On second thought it probably has to be right before where I put it, before the p->p_sysent->sv_fixup callback. *sigh*

-- -Alfred Perlstein [alfred@freebsd.org] 'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 29 0:45:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from mel-rto1.wanadoo.fr (smtp-out-1.wanadoo.fr [193.252.19.188]) by hub.freebsd.org (Postfix) with ESMTP id 574B937B419; Sat, 29 Dec 2001 00:45:35 -0800 (PST) Received: from amyris.wanadoo.fr (193.252.19.150) by mel-rto1.wanadoo.fr; 29 Dec 2001 09:45:34 +0100 Received: from merry-xmastoall (193.252.40.2) by amyris.wanadoo.fr; 29 Dec 2001 09:45:22 +0100 Message-ID: <3c2d82ae3cb53f4e@amyris.wanadoo.fr> (added by amyris.wanadoo.fr) From: loseweight20012000@yahoo.com To: Subject: ULTIMATE WEIGHT LOSS PRODUCT !!! Date: Sat, 29 Dec 2001 00:44:48 -0600 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_22C5_000053D7.00000DEF" X-Priority: 3 X-MSMail-Priority: Normal Reply-To: loseweight20012000@yahoo.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

No Way? Yes Whey!

Introducing Our Whey of Life to A 
$50,000 - $100,000 A Year Income!
Maximize Your Lean To Fat Ratio With the Real Food Lean Maximizer Weight Loss System
  • Cut Your Grocery Bill In Half 
  • Experience Weight Loss That Stays Off. 
  • Increase Fat Loss, Increase Lean Muscle, Increase Metabolism, Increase Endurance and Strength Gain (Documented Up To 430%). 
  • Reduces Food Craving, Promotes Normal Blood Sugar Levels and Helps Support Immune System and Increases Cell Hydration. 
  • Our Products Are Safe, Effective and 100% GUARANTEED! 

Learn How our products are effective 
  • Earn Up To 42% Fast Start Commissions 
  • Earn Residual Income From 5x5 Expandable Matrix With 100% Matching Bonuses On Your Personally Sponsored. 

If you'd like to learn more about our products Call 1-800-891-4074 
Are you interested in building extra residual income? Contact us NOW!

Email us your Name, Phone Number,& Best Time to Call. Someone will call you in 24hrs. Thanks

mailto:lose30lbs2002@yahoo.com-Subject=moreinfo

 


Please discontinue advertising to me..mailto:kdsfdfss@yahoo.com?subject=Remove
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 29 2:33:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id C2D6637B41E for ; Sat, 29 Dec 2001 02:33:28 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 72A3D1DA7; Sat, 29 Dec 2001 11:33:12 +0100 (CET) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fBTAX2j01207; Sat, 29 Dec 2001 11:33:02 +0100 Date: Sat, 29 Dec 2001 11:33:02 +0100 From: Krzysztof Zaraska To: "Mike Silbersack" , "Mit Rowe" Cc: freebsd-security@freebsd.org Subject: Re: denial of service attack Message-Id: <20011229113302.53a862c6.kzaraska@student.uci.agh.edu.pl> In-Reply-To: References: Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 28 Dec 2001 16:08:03 -0500 (EST) Mike Silbersack wrote:
> You're just being nmap'd, nothing serious. If you want to track the scan,
> install an IDS like nessus or something.

Like snort or something. :) Last time I checked, nessus is an assessment tool, snort is an IDS system.
Regards, Krzysztof To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 29 9:43:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from niwun.pair.com (niwun.pair.com [209.68.2.70]) by hub.freebsd.org (Postfix) with SMTP id ED6B837B41A for ; Sat, 29 Dec 2001 09:43:22 -0800 (PST) Received: (qmail 1253 invoked by uid 3193); 29 Dec 2001 17:43:22 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Dec 2001 17:43:22 -0000 Date: Sat, 29 Dec 2001 12:43:22 -0500 (EST) From: Mike Silbersack X-Sender: To: Krzysztof Zaraska Cc: Mit Rowe , Subject: Re: denial of service attack In-Reply-To: <20011229113302.53a862c6.kzaraska@student.uci.agh.edu.pl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, 29 Dec 2001, Krzysztof Zaraska wrote:
> On Fri, 28 Dec 2001 16:08:03 -0500 (EST) Mike Silbersack wrote:
>
> > You're just being nmap'd, nothing serious. If you want to track the
> scan,
> > install an IDS like nessus or something.
> Like snort or something. :) Last time I checked, nessus is an assessment
> tool, snort is an IDS system.
>
> Regards,
> Krzysztof

Urk, thanks. /me goes off to chew on his shoe.
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 29 10:24:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from koza.acecape.com (koza2.acecape.com [66.9.36.222]) by hub.freebsd.org (Postfix) with ESMTP id 00D9137B41A for ; Sat, 29 Dec 2001 10:24:05 -0800 (PST) Received: from p65-147.acedsl.com (p65-147.acedsl.com [66.114.65.147]) by koza.acecape.com (8.10.1/8.9.3) with ESMTP id fBTINvF04724; Sat, 29 Dec 2001 13:23:58 -0500 (EST) Date: Sat, 29 Dec 2001 13:25:39 -0500 (EST) From: Francisco Reyes X-X-Sender: fran@zoraida.natserv.net To: Randy Bush Cc: freebsd-security@FreeBSD.ORG Subject: Re: crypted remote backup In-Reply-To: Message-ID: <20011229132149.M32484-100000@zoraida.natserv.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, 26 Nov 2001, Randy Bush wrote:
> i want to back up some large files over the net, like 40gb. i want to do
> something like rsync. but i want the data crypted not only as it passes
> over the net (rsync over ssh), but also as it resides on the remote disk.
> any recommended practice on this?
> randy

Although I have not worked on it yet, I have been thinking on the topic for a few months. I don't think that the rsync algorithm is going to work. I don't know of any program which can sync/encrypt at the same time. This implies you would have to encrypt and then sync. My, very little, understanding of encryption is that any change in the file would cause large changes on the encrypted files. If that were the case, the overhead of trying to sync files which have changed a lot may be larger than just copying them over. Do you have lots of files or few large files?
If you had numerous files you could try keeping a second copy of the files in encrypted mode. Daily encrypt files which have changed and then sync encrypted files from source machine to target machine.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 29 10:41:36 2001
From: Randy Bush
To: Francisco Reyes
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: crypted remote backup
Date: Sat, 29 Dec 2001 10:41:02 -0800

>> i want to back up some large files over the net, like 40gb. i want to do
>> something like rsync. but i want the data crypted not only as it passes
>> over the net (rsync over ssh), but also as it resides on the remote disk.
>> any recommended practice on this?
> Do you have lots of files or few large files?

a few large files

From owner-freebsd-security Sat Dec 29 11:49:51 2001
From: Ryan Thompson
Subject: MD5 password salt calculation
Message-ID: <20011229133456.J99302-100000@catalyst.sasknow.net>
Date: Sat, 29 Dec 2001 13:49:46 -0600 (CST)

Hey everybody,

Is there an accepted/standard method of calculating the crypt() salt for *new* passwords with MD5? I'm looking at usr.bin/passwd/local_passwd.c, and usr.sbin/pw/pw_user.c, and see two apparently different approaches. Further, I see that the algorithm in -STABLE has changed since 3.x, and maybe it's even changed again in -CURRENT.

What I'm looking for is a _portable_ MD5 algorithm that I can build in to a new application. It is likely that sysadmins will want to import their old MD5 and possibly DES passwords, and it is entirely possible they will want to EXPORT passwords from my application back to their own passwd database, so I need to retain compatibility.

I suppose the initial salt can be calculated differently, and still work, but I'd still like to get it right.

So, before I go hacking, hopefully someone can give me a clue to where I can look to calculate a new MD5 salt.

Thanks!

- Ryan

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Sat Dec 29 12:25:31 2001
From: Francisco Reyes
To: Randy Bush
Cc: FreeBSD Security List
Subject: Re: crypted remote backup
Message-ID: <20011229152628.J32824-100000@zoraida.natserv.net>
Date: Sat, 29 Dec 2001 15:27:04 -0500 (EST)

On Sat, 29 Dec 2001, Randy Bush wrote:

> >> i want to back up some large files over the net, like 40gb. i want to do
> >> something like rsync. but i want the data crypted not only as it passes
> >> over the net (rsync over ssh), but also as it resides on the remote disk.
> >> any recommended practice on this?
> > Do you have lots of files or few large files?
>
> a few large files

If they are highly compressible (are they?) then how about bzipping them and then just sending the whole files over every day?
From owner-freebsd-security Sat Dec 29 15:00:16 2001
From: Randy Bush
To: TripleDES
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: crypted remote backup
Date: Sat, 29 Dec 2001 15:00:01 -0800

> ssh [some options] port:ip:port
>
> with it, you make a "ssh-tunnel", and then you can work with rsync over ssh.
>
> The "some options", sorry, I don't remember, but "man ssh" :^)

current rsync uses ssh by default. previously, what one did was rsync --rsh=ssh ...

randy

From owner-freebsd-security Sat Dec 29 16:03:36 2001
From: adfree114
Reply-To: adfree114@lycos.co.kr
Subject: [광고] How to block 100% of mail containing the phrase [광고] (advertisement) !!
Message-Id: <20011230000300.AD85537B41E@hub.freebsd.org>
Date: Sun, 30 Dec 2001 09:04:40 +0900

[광고] How to block 100% of mail containing the phrase [광고] !!

Once you know your way around the computer, you can use e-mail as much as you like without worrying about spam~

In your webmail's menu, go to Settings or Options, then Filters, and add the phrase [광고] to the reject list; from then on you can part forever with mail whose subject contains the phrase [광고]..^^ (Swearing at it or merely reporting it has no effect at all)

Every webmail service has, besides spam blocking, a function to block only the mail you dislike .. adult, shopping, CD, video, etc... you can reject only mail containing content you don't want to receive, and with a little care your worries about [광고] mail are over...!! Simple, isn't it...^ ^

If the subject has no [광고] phrase, try filtering on the phrase "수신거부" (unsubscribe) in the body; then advertising mail can't get in and disappears into the trash
(that is, advertising mail carries phrases in the body such as "please unsubscribe" or "we apologize", so everything containing those phrases gets blocked)

New domain registration notices... virus warnings... shopping malls where you can buy new products cheaply... tourism guides... academy notices... newsletters of every kind... adult... etc... all of that is called [광고]~

And they say 60% of recipients obtain a great deal of information from advertising mail; advertising exists because, among the many ads, there are people who really need that information

And for those struggling to survive in these hard times, how about choosing [광고] filtering as a way of locking your own front door~~
Advertisers are people making a living alongside us, after all

In the hope that only those who need advertising will see it....

Watch free adult movies

Read free adult comics

- The last hope is a positive way of thinking, and love... -
From owner-freebsd-security Sat Dec 29 20:30:29 2001
From: Rik
To: Ryan Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011230043020.A9927@spoon.pkl.net>
Date: Sun, 30 Dec 2001 04:30:20 +0000

On Sat, Dec 29, 2001 at 01:49:46PM -0600, Ryan Thompson wrote:
> So, before I go hacking, hopefully someone can give me a clue to where
> I can look to calculate a new MD5 salt.

Salt is just some randomness thrown in so that you can't just make a standard dictionary to compare hashed passwords with. All you need to do is make the relevant number of random chars. Personally, I just run the current time as a string (from strftime(3)) through the hash, and take the first couple of chars as an index into an array of allowable chars (modulo the size of the array, obviously).

I'm sure someone on this list will tell us if that's a completely stupid way of generating salt...

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Sat Dec 29 21:00:28 2001
From: Ryan Thompson
To: Rik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011229224936.E46948-100000@catalyst.sasknow.net>
Date: Sat, 29 Dec 2001 23:00:12 -0600 (CST)

Rik wrote to Ryan Thompson:

Hi Rik,

> Salt is just some randomness thrown in so that you can't just make
> a standard dictionary to compare hashed passwords with. All you
> need to do is make the relevant number of random chars.

Right.. I gather it's still the convention to use $1$ to differentiate between DES/MD5, in the case where both password formats are being imported. Is $1$ pretty much caught on everywhere? I've seen it in OpenBSD and NetBSD, probably even Linux, but it's been awhile since I looked.

> Personally, I just run the current time as a string (from
> strftime(3)) through the hash, and take the first couple of chars
> as an index into an array of allowable chars (modulo the size of
> the array, obviously).
>
> I'm sure someone on this list will tell us if that's a completely
> stupid way of generating salt...

:-) Well, it doesn't sound too unreasonable... (though using integer time would be faster by a mult. constant if your process is CPU bound) the approaches that I've seen use some kind of random data (like current sec+usec) passed through a char array... so I suppose that's essentially the same thing.

- Ryan

From owner-freebsd-security Sat Dec 29 21:17:10 2001
From: Allen Landsidel
To: Rik, Ryan Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-Id: <5.1.0.14.0.20011230000743.00a91a80@rfnj.org>
Date: Sun, 30 Dec 2001 00:16:33 -0500

At 04:30 AM 12/30/2001 +0000, Rik wrote:
>On Sat, Dec 29, 2001 at 01:49:46PM -0600, Ryan Thompson wrote:
> > So, before I go hacking, hopefully someone can give me a clue to where
> > I can look to calculate a new MD5 salt.
>
>Salt is just some randomness thrown in so that you can't just make a
>standard dictionary to compare hashed passwords with. All you need to do
>is make the relevant number of random chars. Personally, I just run the
>current time as a string (from strftime(3)) through the hash, and take
>the first couple of chars as an index into an array of allowable chars
>(modulo the size of the array, obviously).
>
>I'm sure someone on this list will tell us if that's a completely stupid
>way of generating salt...

That's a completely stupid way of generating a salt. ;)

Actually, it's probably about as bad as you can get without abandoning the salt completely.

Normally using some permutation of the current time is a "bad" way to do things, but in this case it's bad for all the normal prediction reasons, and two more that are pretty hefty.

First, depending on the format you pass to strftime, you may be using the same salt for *hours* at a stretch. This will make prediction much easier because of the second reason I'll mention, and also because you only have a very limited number of values to use, all of them ASCII characters in the range 0-9. Brute forcing this salt would be trivially easy just because of that.

Second, if you plan to use this in any sort of daemon, system utility, or something that is otherwise logged, then there is no need to guess the salt at all: the current date/time will be at worst in the log file for the program, and at best in the last-accessed time for whatever the output file is.
At this point you're probably thinking "ok wiseguy, what's a good way to generate the salt" and that goes to the very root of the problem; there really are no "good" ways (outside of some sort of biometric) to generate random numbers in a deterministic, finite-state machine like a PC. Your best bet, outside of something like "move the mouse around randomly while I read it", is to use the urandom() function, which is initialized by the system at boot and has been designed to be as close to a cryptographically secure PRNG as possible. Using urandom() not only gives you a better (less predictable) generator to draw from, but using it also affects its output. The more things that use urandom() the better, because the more things that draw from the pool, the less predictable it will become.

From owner-freebsd-security Sat Dec 29 21:27:31 2001
From: "Jacques A. Vidrine"
To: Allen Landsidel
Cc: Rik, Ryan Thompson, freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011230052725.GB80312@madman.nectar.cc>
Date: Sat, 29 Dec 2001 23:27:25 -0600

On Sun, Dec 30, 2001 at 12:16:33AM -0500, Allen Landsidel wrote:
> At 04:30 AM 12/30/2001 +0000, Rik wrote:
> >Salt is just some randomness thrown in so that you can't just make a
> >standard dictionary to compare hashed passwords with. All you need to do
> >is make the relevant number of random chars. Personally, I just run the
> >current time as a string (from strftime(3)) through the hash, and take
> >the first couple of chars as an index into an array of allowable chars
> >(modulo the size of the array, obviously).
>
> That's a completely stupid way of generating a salt. ;)
>
> Actually, it's probably about as bad as you can get without abandoning the
> salt completely.

You are confusing salt with something that needs to be truly random. Password salts do not, and in fact in many systems the salt is a well-known transformation of the account name (e.g. see Kerberos).

[snip]

> Brute forcing this salt would be trivially easy just because of
> that.

You don't ``brute force'' salt. You have the salt. It is part of the crypted password.

> Second, if you plan to use this in any sort of daemon, system utility, or
> something that is otherwise logged, then there is no need to guess the salt
> at all: the current date/time will be at worst in the log file for the
> program, and at best in the last-accessed time for whatever the output file
> is.

There's no need to guess at all, because you already have it if you have the crypted password [1].

> At this point you're probably thinking "ok wiseguy, what's a good way to
> generate the salt" and that goes to the very root of the problem; there
> really are no "good" ways (outside of some sort of biometric) to generate
> random numbers in a deterministic, finite-state machine like a PC.

No, almost any method will do for salt, as long as the salt is mostly different for every username/password combination. The purpose of the salt is to prevent an attacker from precomputing the ciphertext version of a dictionary, and then just comparing the ciphertext for each word with the crypted password.

For more information, see Schneier, ``Applied Cryptography 2nd Edition'', pp 52-53 or similar.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Sat Dec 29 21:58:41 2001
From: Allen Landsidel
To: "Jacques A. Vidrine", Allen Landsidel
Cc: Rik, Ryan Thompson, freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-Id: <5.1.0.14.0.20011230002742.00afd4b8@rfnj.org>
Date: Sun, 30 Dec 2001 00:58:08 -0500

At 11:27 PM 12/29/2001 -0600, Jacques A. Vidrine wrote:
>On Sun, Dec 30, 2001 at 12:16:33AM -0500, Allen Landsidel wrote:
> > At 04:30 AM 12/30/2001 +0000, Rik wrote:
> > >Salt is just some randomness thrown in so that you can't just make a
> > >standard dictionary to compare hashed passwords with. All you need to do
> > >is make the relevant number of random chars. Personally, I just run the
> > >current time as a string (from strftime(3)) through the hash, and take
> > >the first couple of chars as an index into an array of allowable chars
> > >(modulo the size of the array, obviously).
> >
> > That's a completely stupid way of generating a salt. ;)
> >
> > Actually, it's probably about as bad as you can get without abandoning the
> > salt completely.
>
>You are confusing salt with something that needs to be truly random.
>Password salts do not, and in fact in many systems the salt is a
>well-known transformation of the account name (e.g. see Kerberos).

That is true.. I saw "random" and "strftime" in the same region and my eyes kind of glazed over.

>[snip]
> > Brute forcing this salt would be trivially easy just because of
> > that.
>
>You don't ``brute force'' salt. You have the salt. It is part of the
>crypted password.

Duh. I knew that. *smacks self*

> > Second, if you plan to use this in any sort of daemon, system utility, or
> > something that is otherwise logged, then there is no need to guess the salt
> > at all: the current date/time will be at worst in the log file for the
> > program, and at best in the last-accessed time for whatever the output file
> > is.
>
>There's no need to guess at all, because you already have it if you
>have the crypted password [1].
>
> > At this point you're probably thinking "ok wiseguy, what's a good way to
> > generate the salt" and that goes to the very root of the problem; there
> > really are no "good" ways (outside of some sort of biometric) to generate
> > random numbers in a deterministic, finite-state machine like a PC.
>
>No, almost any method will do for salt, as long as the salt is mostly
>different for every username/password combination. The purpose of the
>salt is to prevent an attacker from precomputing the ciphertext
>version of a dictionary, and then just comparing the ciphertext for
>each word with the crypted password.
>
>For more information, see Schneier, ``Applied Cryptography 2nd
>Edition'', pp 52-53 or similar.

The purpose of the salt (as is stated in Schneier's book) is to make it infeasible to generate a large lookup database, so the brute-force computations have to be generated every time.

Using something like strftime(3) defeats this, depending on the format used in the call. If you have 256 possible salts, then an attacker may be dissuaded from generating the lookup. If you only have 24 (say strftime was called to generate a normal human-readable time, and the two characters for the hour were used) then the purpose behind the salt is entirely defeated, and may as well be left off just to make the code cleaner.

From owner-freebsd-security Sat Dec 29 22:02:51 2001
From: "Jacques A. Vidrine"
To: Allen Landsidel
Cc: Rik, Ryan Thompson, freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011230060248.GA80453@madman.nectar.cc>
Date: Sun, 30 Dec 2001 00:02:48 -0600

On Sun, Dec 30, 2001 at 12:58:08AM -0500, Allen Landsidel wrote:
> Using something like strftime(3) defeats this, depending on the format used
> in the call. If you have 256 possible salts, then an attacker may be
> dissuaded from generating the lookup.

Actually, even that really isn't enough salt, and is one of the several problems with the traditional UNIX crypt scheme.

> If you only have 24 (say strftime
> was called to generate a normal human-readable time, and the two characters
> for the hour were used) then the purpose behind the salt is entirely
> defeated, and may as well be left off just to make the code cleaner.

Yes, that would be bad. But that's not what the original poster described.

Cheers,
--
Jacques A. Vidrine

From owner-freebsd-security Sat Dec 29 22:38:58 2001
From: Bill Vermillion
Reply-To: bv@wjv.com
To: security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011230013854.A39364@wjv.com>
Date: Sun, 30 Dec 2001 01:38:54 -0500

> Date: Sat, 29 Dec 2001 23:00:12 -0600 (CST)
> From: Ryan Thompson
> Subject: Re: MD5 password salt calculation

> Rik wrote to Ryan Thompson:

> Hi Rik,

> > Salt is just some randomness thrown in so that you can't just make
> > a standard dictionary to compare hashed passwords with. All you
> > need to do is make the relevant number of random chars.

> Right.. I gather it's still the convention to use $1$ to differentiate
> between DES/MD5, in the case where both password formats are being
> imported. Is $1$ pretty much caught on everywhere? I've seen it in
> OpenBSD and NetBSD, probably even Linux, but it's been awhile since I
> looked.

You can't say that $1$ 'caught on' as that's the way it is defined to indicate what follows. The $1$ indicates the following is an MD5.

I was looking for the docs the other day, and from memory if the first characters are $5$, then that indicates that the following string would be blowfish encryption.

You should also note that the next $ is the salt separator, and on my system there are typically 8 digits after $1$ and before the next $, for 2 trillion+ salts.

Bill
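The $1$ scheme the thread is picking apart, as an added example that is not code from the thread or from FreeBSD: a pure-Python port of the MD5-crypt algorithm used by FreeBSD's libcrypt (magic "$1$", up to eight salt characters, a "$", then 22 characters of hash), with a salt generator drawn from the OS CSPRNG, a parser that recovers the salt from a stored hash (the point Jacques makes: you already have the salt, it is part of the crypted password) and a verifier. The function names, and the password and salt values in the test, are mine.

```python
import hashlib
import secrets

# The 64-character alphabet crypt(3) uses for both salts and hash output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
SALT_LEN = 8  # MD5-crypt ignores salt characters beyond the eighth


def new_salt(n: int = SALT_LEN) -> str:
    """Draw n salt characters from the OS CSPRNG (secrets uses os.urandom).

    Any per-account-unique value would serve as salt; the CSPRNG is just
    the simplest correct source. Eight characters over a 64-symbol
    alphabet give 64**8 (about 2.8e14) possible salts.
    """
    return "".join(secrets.choice(ITOA64) for _ in range(n))


def _to64(value: int, n: int) -> str:
    """Encode the low 6*n bits of value, least-significant group first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as implemented in FreeBSD's libcrypt, in Python.

    `salt` may be bare ("saltsalt") or a full "$1$saltsalt$..." string;
    as in the C code it is cut at the first '$' and at eight characters.
    """
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:SALT_LEN]
    sp = salt.encode()

    # Start with MD5(password || "$1$" || salt || ...).
    ctx = hashlib.md5(pw + MAGIC + sp)

    # Mix in MD5(password || salt || password), one byte per password byte.
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # For each bit of len(password): a NUL byte if the bit is set,
    # otherwise the first password byte (the C code's "something weird").
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching; the order of the inputs depends on i.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def salt_of(crypted: str) -> str:
    """The salt is the second '$'-delimited field of a stored $1$ hash."""
    parts = crypted.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not a $1$ MD5-crypt string")
    return parts[2]


def verify(password: str, crypted: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    return secrets.compare_digest(md5crypt(password, salt_of(crypted)), crypted)
```

Importing an existing passwd entry therefore needs no salt bookkeeping at all: verify() reads the salt back out of the "$1$salt$" prefix, which is why a weak salt source costs uniqueness rather than secrecy.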