Date: Sun, 21 Sep 2014 14:58:12 +0900 (JST)
Message-Id: <20140921.145812.325633000583440554.hrs@allbsd.org>
To: ipfw@FreeBSD.org
Subject: net.inet{,6}.fw.enable in /etc/rc
From: Hiroki Sato

Hi,

I would like your comments about the attached patch to /etc/rc.

The problem I want to fix by this patch is as follows.
net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
kernel module is loaded or statically compiled into a kernel. And by
default IPFW has only a "deny ip from any to any" rule if it is
compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
working as described in the patch.

To fix this, the patch turns IPFW off before running rc.d scripts at
boot time, and enables it again in rc.d/ipfw script.

I think most users use GENERIC kernel + ipfw kernel module. In
that case, IPFW is not activated before rc.d/ipfw script regardless
of this patch, so there is no user-visible change. This patch
affects only a combination of a kernel with IPFW compiled and rc.d
scripts running before rc.d/ipfw. The behavior will be almost the
same as GENERIC kernel + ipfw kernel module's.

Please let me know if I am missing something.

-- Hiroki

Content-Disposition: inline; filename="rc_ipfw.20140921-1.diff"

Index: etc/rc =================================================================== --- etc/rc (revision 271853) +++ etc/rc (working copy) 
@@ -87,6 +87,17 @@ fi fi +# Clear *.fw.enable sysctls. At boot time, some of network initialization +# before rc.d/ipfw script requires network communications (e.g. DHCP and +# IPv6 Duplicate Address Detection). When *.fw.enable=1 and "default deny" +# policy was applied---this can happen when IPFW is complied into the kernel +# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those +# comminucations are blocked. To prevent this, set *.fw.enable=0 before +# calling rc.d scripts. The rc.d/ipfw script set this to 1 after +# configuration. +/sbin/sysctl -q net.inet.ip.fw.enable=0 +/sbin/sysctl -q net.inet6.ip6.fw.enable=0 + # If the firstboot sentinel doesn't exist, we want to skip firstboot scripts. if ! [ -e ${firstboot_sentinel} ]; then skip_firstboot="-s firstboot"

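Review bot: The two `/sbin/sysctl -q ...fw.enable=0` lines at the end of the added block run unconditionally and fail open. Filtering is switched off for every rc.d script that runs before rc.d/ipfw, and the re-enable that the comment relies on ("The rc.d/ipfw script set this to 1 after configuration") is not part of this diff, which touches only etc/rc. If that script is disabled or exits early, a kernel built with the default-deny policy would keep the firewall off after boot. Suggest putting the disable behind a configuration knob, or doing it only when rc.d/ipfw is going to run, and including the matching rc.d/ipfw change in the same patch. The OIDs are also absent when IPFW is neither compiled in nor loaded, so `sysctl -iq` (ignore unknown OIDs) is the safer invocation. In the comment, "complied" should be "compiled", "comminucations" should be "communications", and "script set" should be "script sets".
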
Date: Sun, 21 Sep 2014 18:52:17 +1000 (EST)
From: Ian Smith
To: Hiroki Sato
Cc: ipfw@freebsd.org
Subject: Re: net.inet{,6}.fw.enable in /etc/rc
In-Reply-To: <20140921.145812.325633000583440554.hrs@allbsd.org>
Message-ID: <20140921182650.X61666@sola.nimnet.asn.au>

On Sun, 21 Sep 2014 14:58:12 +0900, Hiroki Sato wrote:
> Hi,
>
> I would like your comments about the attached patch to /etc/rc.
>
> The problem I want to fix by this patch is as follows.
> net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
> kernel module is loaded or statically compiled into a kernel. And by
> default IPFW has only a "deny ip from any to any" rule if it is
> compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
> the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
> working as described in the patch.
>
> To fix this, the patch turns IPFW off before running rc.d scripts at
> boot time, and enables it again in rc.d/ipfw script.
>
> I think most users use GENERIC kernel + ipfw kernel module. In
> that case, IPFW is not activated before rc.d/ipfw script regardless
> of this patch, so there is no user-visible change. This patch
> affects only a combination of a kernel with IPFW compiled and rc.d
> scripts running before rc.d/ipfw. The behavior will be almost the
> same as GENERIC kernel + ipfw kernel module's.
>
> Please let me know if I am missing something.
>
> -- Hiroki

Sounds like a very good idea .. may explain some old bootup mysteries ..

> +# Clear *.fw.enable sysctls. At boot time, some of network initialization
> +# before rc.d/ipfw script requires network communications (e.g. DHCP and
> +# IPv6 Duplicate Address Detection). When *.fw.enable=1 and "default deny"
> +# policy was applied---this can happen when IPFW is complied into the kernel
> +# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those
> +# comminucations are blocked. To prevent this, set *.fw.enable=0 before

Typo trivia: communications

> +# calling rc.d scripts. The rc.d/ipfw script set this to 1 after
> +# configuration.
> +/sbin/sysctl -q net.inet.ip.fw.enable=0
> +/sbin/sysctl -q net.inet6.ip6.fw.enable=0

These OIDs only exist on systems with ipfw loaded or in-kernel. Use
either 'sysctl -iq .. ', or add '|| true' to both of those?

cheers, Ian

Message-ID: <542063F3.8080600@yandex.ru>
Date: Mon, 22 Sep 2014 22:01:23 +0400
From: "Andrey V. Elsukov"
To: Hiroki Sato , ipfw@FreeBSD.org
Subject: Re: net.inet{,6}.fw.enable in /etc/rc
In-Reply-To: <20140921.145812.325633000583440554.hrs@allbsd.org>

On 21.09.2014 09:58, Hiroki Sato wrote:
> Hi,
>
> I would like your comments about the attached patch to /etc/rc.
>
> The problem I want to fix by this patch is as follows.
> net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
> kernel module is loaded or statically compiled into a kernel. And by
> default IPFW has only a "deny ip from any to any" rule if it is
> compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
> the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
> working as described in the patch.
>
> To fix this, the patch turns IPFW off before running rc.d scripts at
> boot time, and enables it again in rc.d/ipfw script.

Hi,

I think this should be configurable, the change can be unexpected for
someone.

--
WBR, Andrey V. Elsukov

Message-ID: <542155FB.9020801@freebsd.org>
Date: Tue, 23 Sep 2014 19:14:03 +0800
From: Julian Elischer
To: "Andrey V. Elsukov" , Hiroki Sato , ipfw@FreeBSD.org
Subject: Re: net.inet{,6}.fw.enable in /etc/rc
In-Reply-To: <542063F3.8080600@yandex.ru>

On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote:
> On 21.09.2014 09:58, Hiroki Sato wrote:
>> Hi,
>>
>> I would like your comments about the attached patch to /etc/rc.
>>
>> The problem I want to fix by this patch is as follows.
>> net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
>> kernel module is loaded or statically compiled into a kernel. And by
>> default IPFW has only a "deny ip from any to any" rule if it is
>> compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
>> the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
>> working as described in the patch.
>>
>> To fix this, the patch turns IPFW off before running rc.d scripts at
>> boot time, and enables it again in rc.d/ipfw script.
> Hi,
>
> I think this should be configurable, the change can be unexpected for
> someone.

It does open a window where there is networking but no firewalling.
Given that a reboot is remotely detectable (ping stops responding
etc.), there is a possibility that a targeted attack could include
"use exploit ABC to cause a crash of the target and then strike with
exploit XYZ after target system reboots while the firewall is
disabled". I have not evaluated the danger of this window.