From owner-freebsd-security Sun Dec 27 07:12:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA01530 for freebsd-security-outgoing; Sun, 27 Dec 1998 07:12:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mtiwmhc02.worldnet.att.net (mtiwmhc02.worldnet.att.net [204.127.131.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA01508 for ; Sun, 27 Dec 1998 07:11:55 -0800 (PST) (envelope-from gryphon@healer.com)
Received: from healer.com ([12.77.217.29]) by mtiwmhc02.worldnet.att.net (InterMail v03.02.05 118 121 101) with ESMTP id <19981227151139.ENBN23130@healer.com>; Sun, 27 Dec 1998 15:11:39 +0000
Message-ID: <36867B6A.6EC8A84C@healer.com>
Date: Sun, 27 Dec 1998 10:24:42 -0800
From: Coranth Gryphon
X-Mailer: Mozilla 4.05 [en] (Win95; U)
MIME-Version: 1.0
To: Roger Marquis
CC: security@FreeBSD.ORG
Subject: Re: Do I really need inetd?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> to run an ftpd on say 12 specific IPs, you'll need to run 12 inetds.
> It would be cleaner if either one -a understood multiple IPs:

There are a set of patches to wu-ftpd that allow it to run virtual hosts and to run as a daemon (not thru inetd). Unfortunately, they are for b13... I've been updating them to beta18 (the latest) and making them a little more secure: sprintf -> snprintf, etc...

Anyone know who the port maintainer for wu-ftp is and how to go about submitting these updated patches?

-coranth

------------------------------------------+----------------------------
Coranth Gryphon                           | Phone: 877-6-INTECH
http://www.intech.net                     | #include
------------------------------------------+----------------------------
There is nothing impossible to anyone impervious to reason.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 27 08:40:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA09128 for freebsd-security-outgoing; Sun, 27 Dec 1998 08:40:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gaja.ipan.lublin.pl (gaja.ipan.lublin.pl [193.59.19.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA09123 for ; Sun, 27 Dec 1998 08:40:18 -0800 (PST) (envelope-from wojtek@gaja.ipan.lublin.pl)
Received: (from wojtek@localhost) by gaja.ipan.lublin.pl (8.8.8/8.8.5) id RAA14129 for freebsd-security@freebsd.org; Sun, 27 Dec 1998 17:54:53 +0100 (CET)
Date: Sun, 27 Dec 1998 17:54:53 +0100 (CET)
From: Wojtek Sobczuk
Message-Id: <199812271654.RAA14129@gaja.ipan.lublin.pl>
To: freebsd-security@FreeBSD.ORG
Subject: christmas login bug
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello !

While setting up my host I have found a strange feature in login distributed with 3.0-RELEASE. As we all know login is invoked by getty with uid and gid 0. In line 555 (v 1.39) it sets its euid to the uid of the user who is logging in. After that it checks if it can chdir to the user's home directory. It comes out that if wheel doesn't have execute access to the given directory (or one above it) then chdir fails and login spits out a bunch of errors setting HOME to "/".

This happens for example when user test tries to log in. Here are test's parameters:

lite# grep test /etc/passwd
test:*:1003:1002:Konto Testowe:/usr/home/clients/test:/usr/local/bin/tcsh
lite# ls -ald /usr /usr/home /usr/home/clients /usr/home/clients/test
drwxr-xr-x  20 root  wheel    512 Dec 26 21:20 /usr/
drwxr-xr-x   4 root  wheel    512 Dec 26 20:51 /usr/home/
drwxr-x---   3 root  clients  512 Dec 26 20:51 /usr/home/clients/
drwx------   2 test  clients  512 Dec 26 20:59 /usr/home/clients/test/

Below You can find a simple patch, which fixes this (if You consider it a bug). I have one question though: why isn't uid 0 enough to view any directory on the system (from login's behaviour I deduce that euid 0 is needed...) ?

sopel

p.s. should I setgid instead of setegid (BOTH variants work) ??

====== cut here ==============================================================
--- login.c.orig	Sat Dec 26 21:22:44 1998
+++ login.c	Sat Dec 26 21:24:11 1998
@@ -552,6 +552,7 @@ main(argc, argv)
 #else
 	quietlog = 0;
 #endif
+	(void)setegid(pwd->pw_gid);
 	(void)seteuid(rootlogin ? 0 : pwd->pw_uid);
 	if (!*pwd->pw_dir || chdir(pwd->pw_dir) < 0) {
 #ifdef LOGIN_CAP
====== cut here ==============================================================

[ install really shouldn't hang when doing 'install /kernel /' ]
[ Wojtek 'sopel' Sobczuk - sysadm.   e-mail: sopel@hack.dk ]

From owner-freebsd-security Sun Dec 27 09:56:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16733 for freebsd-security-outgoing; Sun, 27 Dec 1998 09:56:52 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA16713; Sun, 27 Dec 1998 09:56:47 -0800 (PST) (envelope-from grios@netshell.vicosa.com.br)
Received: from netshell.vicosa.com.br [200.236.148.202] by guepardo.vicosa.com.br with ESMTP (SMTPD32-4.03) id A671CAB0102; Sun, 27 Dec 1998 15:03:29 +03d00
Message-ID: <36867456.FF8875BD@netshell.vicosa.com.br>
Date: Sun, 27 Dec 1998 15:54:30 -0200
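Review bot: In the login.c hunk above, the added `(void)setegid(pwd->pw_gid);` is a one-way change, while the line it sits next to, `(void)seteuid(rootlogin ? 0 : pwd->pw_uid);`, is plainly a temporary identity switch for the chdir() test; if the existing code later switches the euid back to 0, a matching `(void)setegid(0);` belongs at that same point, so that the rest of login does not run, and create files, with the user's gid. Two smaller points on the added line: it does not mirror the `rootlogin ? 0 :` conditional of the seteuid() call, so a root login tests the directory with euid 0 but egid pw_gid (harmless for the chdir, but inconsistent), and it brings only the primary group into effect, since nothing in the hunk sets the supplementary group list, so a home directory reachable only through one of the user's other groups would still fail the test.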
From: Gustavo Vieira G C Rios
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: FreeBSD Questions , FreeBSD Security
Subject: cucipop
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, i wanted to increase my system security, so i decided to install cucipop for pop3d connection. But when i tried to compile it, i got no success. Has anybody here had the same problem?

Reading the README file, it tells i need Berkeley DB 2 Database Lib! Where can i get it?

I don't wanna go throw ports (i hate any automatic process to install software, so i love things like: ./configure, vi config.h, make, make check, ......., make install).

Thank for anything you.

--
+-------------------------------------------------------------------+
" ... Overall we've found FreeBSD to excel in performance, stability, technical support, and of course price. Two years after discovering FreeBSD, we have yet to find a reason why we switch to anything else"
-David Filo, Yahoo!

From owner-freebsd-security Mon Dec 28 02:53:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA16573 for freebsd-security-outgoing; Mon, 28 Dec 1998 02:53:36 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hotmail.com (f266.hotmail.com [207.82.251.157]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA16550 for ; Mon, 28 Dec 1998 02:53:31 -0800 (PST) (envelope-from madrapour@hotmail.com)
Received: (qmail 12831 invoked by uid 0); 28 Dec 1998 10:53:10 -0000
Message-ID: <19981228105310.12830.qmail@hotmail.com>
Received: from 208.218.169.84 by www.hotmail.com with HTTP; Mon, 28 Dec 1998 02:53:09 PST
X-Originating-IP: [208.218.169.84]
From: "N. N.M"
To: freebsd-security@FreeBSD.ORG
Subject: An IPFW rule with the rule number -1
Date: Mon, 28 Dec 1998 02:53:09 PST
Mime-Version: 1.0
Content-Type: text/plain
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi everybody,

I found the following sentence in /var/log/messages (in a firewall machine):

/kernel: ipfw: -1 Refuse TCP X.X.X.X:20 Y.Y.Y.Y:1118 in via ed1

where ed1 is the out interface and Y.Y.Y.Y is the ip address of one of our customers who connects to us via leased line. I don't have any rule with number -1. What can it be?

Thanks,
Nazila N.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Mon Dec 28 09:15:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA20757 for freebsd-security-outgoing; Mon, 28 Dec 1998 09:15:36 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA20751; Mon, 28 Dec 1998 09:15:32 -0800 (PST) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.1a/8.9.1) with ESMTP id SAA26342; Mon, 28 Dec 1998 18:15:13 +0100 (CET) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m0zuhLp-000VTmC; Mon, 28 Dec 1998 19:25:09 +0100 (CET)
Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id CAA15133; Mon, 28 Dec 1998 02:39:27 +0100 (CET) (envelope-from ripley)
Date: Mon, 28 Dec 1998 02:39:26 +0100
From: "H. Eckert"
To: Gustavo Vieira G C Rios
Cc: FreeBSD Questions , FreeBSD Security
Subject: Re: cucipop
Message-ID: <19981228023926.B14858@nortobor.nostromo.in-berlin.de>
References: <36867456.FF8875BD@netshell.vicosa.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95i
In-Reply-To: <36867456.FF8875BD@netshell.vicosa.com.br>; from Gustavo Vieira G C Rios on Sun, Dec 27, 1998 at 03:54:30PM -0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoting Gustavo Vieira G C Rios (grios@netshell.vicosa.com.br):
> Hi, i wanted to increase my system security, so i decided to install
> cucipop for pop3d connection. But when i tried to compile it, i got no
> success. Has anybody here had the same problem?

No. *We* would have been using the ports system.

> Reading the README file, it tells i need Berkeley DB 2 Database Lib!
> Where can i get it?

The port's Makefile doesn't list any dependencies. So my guess would be it comes with the basic FreeBSD system. In fact it is probably the dbm database package that is used for the password database.

> I don't wanna go throw ports (i hate any automatic process to install
> software, so i love things like: ./configure, vi config.h , make , make
> check, .......,make install).

Yeah, I won't throw them (away that is), too. I try to go through the ports system if possible. Now, if you don't trust them to do the work automatically, at least take a look at the contents of it to find out what had to be changed to the original source package to build it under FreeBSD. Browsing through patches/patch-aa I find a lot of adaptations to the Makefile. Apparently lots of things the original configure script didn't understand about FreeBSD.

You seem to suffer from a strong instance of NIH-syndrome... My advice would be to cure it by doing a cvsup/make world cycle.

Greetings,
Ripley
--
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?" (Neelix)

From owner-freebsd-security Mon Dec 28 09:15:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA20919 for freebsd-security-outgoing; Mon, 28 Dec 1998 09:15:55 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA20759 for ; Mon, 28 Dec 1998 09:15:36 -0800 (PST) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.1a/8.9.1) with ESMTP id SAA26349 for ; Mon, 28 Dec 1998 18:15:15 +0100 (CET) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m0zuhLw-000VTEC; Mon, 28 Dec 1998 19:25:16 +0100 (CET)
Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id CAA15150 for freebsd-security@FreeBSD.ORG; Mon, 28 Dec 1998 02:49:52 +0100 (CET) (envelope-from ripley)
Date: Mon, 28 Dec 1998 02:49:51 +0100
From: "H. Eckert"
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Magic
Message-ID: <19981228024951.C14858@nortobor.nostromo.in-berlin.de>
References: <36855859.5D0BD741@acc.am>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95i
In-Reply-To: <36855859.5D0BD741@acc.am>; from Casper on Sun, Dec 27, 1998 at 01:42:49AM +0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoting Casper (casper@acc.am):
> What about include in some secure level facility to disable read of
> any file if it begins with magic by user (may be by any user,
> including root) ? It will disable read of these files .... of course
> intruder can bruteforce by changing magic of file & looking to
> response :) ... but it'll take a lot of time ...

This is not as easy as it may sound. Denying read access is done by proper chmod permissions (which are observed by the kernel already). Doing this inside the kernel itself, probably in some generic read() function, is difficult because system calls have to be able to load the code (provided execution permission is granted and this is checked on opening the file, before any of its contents are known). If such a change is broken you may either have a very complicated NOP or you may end up with a system where *everybody* including root during startup is locked out from running programs.

Greetings,
Ripley
--
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?" (Neelix)

From owner-freebsd-security Mon Dec 28 13:32:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA24288 for freebsd-security-outgoing; Mon, 28 Dec 1998 13:32:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA24264 for ; Mon, 28 Dec 1998 13:32:41 -0800 (PST) (envelope-from grios@netshell.vicosa.com.br)
Received: from netshell.vicosa.com.br [200.236.148.194] by guepardo.vicosa.com.br with ESMTP (SMTPD32-4.03) id AA81DAD00B0; Mon, 28 Dec 1998 18:39:13 +03d00
Message-ID: <3687F79C.42FEFA64@netshell.vicosa.com.br>
Date: Mon, 28 Dec 1998 19:26:52 -0200
From: Gustavo Vieira G C Rios
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: FreeBSD Security
Subject: xinetd
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would like to increment my system security, so i decided to install xinetd, so i got version 2.1.8.5, but it simply doesn't compile. Does anybody here have the same problem with this version ?

My FreeBSD version is: 2.2.8-Stable

Thank you for your time and cooperation.

From owner-freebsd-security Mon Dec 28 14:56:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA06934 for freebsd-security-outgoing; Mon, 28 Dec 1998 14:56:16 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from pobox.com (narn-2-28.mdm.mke.execpc.com [169.207.134.156]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA06921 for ; Mon, 28 Dec 1998 14:56:09 -0800 (PST) (envelope-from hamilton@pobox.com)
Message-Id: <199812282256.OAA06921@hub.freebsd.org>
Received: (qmail 27914 invoked from network); 28 Dec 1998 16:55:42 -0600
Received: from localhost (HELO pobox.com) (127.0.0.1) by localhost with SMTP; 28 Dec 1998 16:55:42 -0600
To: Gustavo Vieira G C Rios
cc: FreeBSD Security
Subject: Re: xinetd
In-reply-to: Your message of "Mon, 28 Dec 1998 19:26:52 -0200." <3687F79C.42FEFA64@netshell.vicosa.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 28 Dec 1998 16:55:42 -0600
From: Jon Hamilton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3687F79C.42FEFA64@netshell.vicosa.com.br>, Gustavo Vieira G C Rios wrote:
} I would like to increment my system security, so i decided to install
} xinetd, so i got version 2.1.8.5, but it simply doesn't compile. Does
} anybody here have the same problem with this version ?
} My FreeBSD version is: 2.2.8-Stable

Why not use the port? It compiles fine, and is a newer version (2.2.1) to boot.

--
Jon Hamilton
hamilton@pobox.com

From owner-freebsd-security Mon Dec 28 22:39:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA27479 for freebsd-security-outgoing; Mon, 28 Dec 1998 22:39:56 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id WAA27474 for ; Mon, 28 Dec 1998 22:39:54 -0800 (PST) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0zusoU-0006Tz-00; Mon, 28 Dec 1998 23:39:30 -0700
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.1/8.8.3) with ESMTP id XAA23821; Mon, 28 Dec 1998 23:37:38 -0700 (MST)
Message-Id: <199812290637.XAA23821@harmony.village.org>
To: Casper
Subject: Re: About chroot
Cc: "freebsd-security@FreeBSD.ORG"
In-reply-to: Your message of "Tue, 22 Dec 1998 20:47:48 +0400." <367FCD34.FE3CF78F@acc.am>
References: <367FCD34.FE3CF78F@acc.am>
Date: Mon, 28 Dec 1998 23:37:38 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <367FCD34.FE3CF78F@acc.am> Casper writes:
: Are there any way to change back to the / , when logged in chroot-ed
: environment?

Yes. Many are floating around and depend on doing another chroot and having a reference to a file outside the newly chroot'd area.

Warner

From owner-freebsd-security Tue Dec 29 12:01:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA04490 for freebsd-security-outgoing; Tue, 29 Dec 1998 12:01:29 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail-gw2.pacbell.net (mail-gw2.pacbell.net [206.13.28.53]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA04485 for ; Tue, 29 Dec 1998 12:01:28 -0800 (PST) (envelope-from dean@thegrid.net)
Received: from thegrid.net (ppp-206-170-2-237.sntc01.pacbell.net [206.170.2.237]) by mail-gw2.pacbell.net (8.8.8/8.7.1+antispam) with ESMTP id MAA23863 for ; Tue, 29 Dec 1998 12:01:10 -0800 (PST)
Message-ID: <368933F6.CEB82066@thegrid.net>
Date: Tue, 29 Dec 1998 11:56:39 -0800
From: Dean
X-Mailer: Mozilla 4.04 [en] (Win95; U)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: ipfw and DNS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello all,

I am setting up my first packet filtering gateway to protect a small lan from the Internet and I'd like to block everything that isn't necessary. I am interested in hearing other people's input on how they get around the problem of getting DNS queries from the inside to the outside. I'd rather not accept any old udp packet with a source port of 53. I have read Cheswick & Bellovin's Firewalls book and they offer a solution, but I am interested in hearing other solutions.

I am not subscribed to this mailing list (though I should be), so please include me in your replies.

Thanks for your help,
Dean

From owner-freebsd-security Tue Dec 29 12:04:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA04983 for freebsd-security-outgoing; Tue, 29 Dec 1998 12:04:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail-gw2.pacbell.net (mail-gw2.pacbell.net [206.13.28.53]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA04976 for ; Tue, 29 Dec 1998 12:04:57 -0800 (PST) (envelope-from dean@thegrid.net)
Received: from thegrid.net (ppp-206-170-2-237.sntc01.pacbell.net [206.170.2.237]) by mail-gw2.pacbell.net (8.8.8/8.7.1+antispam) with ESMTP id MAA24966 for ; Tue, 29 Dec 1998 12:04:39 -0800 (PST)
Message-ID: <368934C7.18C17F62@thegrid.net>
Date: Tue, 29 Dec 1998 12:00:08 -0800
From: Dean
X-Mailer: Mozilla 4.04 [en] (Win95; U)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: ipfw and ftp
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello again,

I am setting up a packet filtering gateway between a small LAN and the Internet. I am interested in hearing how people have solved the problem of getting ftp out from the inside. I assume that I will have to set up ftp on the gateway machine and anyone who wants to ftp out will have to do a two-part ftp. The lan is small enough that this isn't too much of a problem.

Thanks for the input,
Dean

From owner-freebsd-security Tue Dec 29 12:45:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA10092 for freebsd-security-outgoing; Tue, 29 Dec 1998 12:45:54 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from inet.chip-web.com (c1003518-a.plstn1.sfba.home.com [24.1.82.47]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA10079 for ; Tue, 29 Dec 1998 12:45:51 -0800 (PST) (envelope-from ludwigp@bigfoot.com)
Received: (qmail 19180 invoked from network); 29 Dec 1998 20:45:32 -0000
Received: from speedy.chip-web.com (HELO speedy) (172.16.1.1) by inet.chip-web.com with SMTP; 29 Dec 1998 20:45:32 -0000
Message-Id: <4.1.19981229124521.00a6bc20@mail-r>
X-Sender: ludwigp2@mail-r
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 29 Dec 1998 12:45:28 -0800
To: Dean , freebsd-security@FreeBSD.ORG
From: Ludwig Pummer
Subject: Re: ipfw and ftp
In-Reply-To: <368934C7.18C17F62@thegrid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:00 PM 12/29/98 , Dean wrote:
>Hello again,
> I am setting up a packet filtering gateway between a small LAN and
>the Internet. I am interested in hearing how people have solved the
>problem of getting ftp out from the inside. I assume that I will have
>to set up ftp on the gateway machine and anyone who wants to ftp out
>will have to do a two-part ftp. The lan is small enough that this isn't
>too much of a problem.
>Thanks for the input,
>Dean

take a look at the different pre-written rule sets in /etc/rc.firewall, as I believe they do the sort of stuff you want to do.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441 ( ludwigp@email.com )

From owner-freebsd-security Tue Dec 29 12:45:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA10093 for freebsd-security-outgoing; Tue, 29 Dec 1998 12:45:54 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from inet.chip-web.com (c1003518-a.plstn1.sfba.home.com [24.1.82.47]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA10080 for ; Tue, 29 Dec 1998 12:45:51 -0800 (PST) (envelope-from ludwigp@bigfoot.com)
Received: (qmail 19179 invoked from network); 29 Dec 1998 20:45:31 -0000
Received: from speedy.chip-web.com (HELO speedy) (172.16.1.1) by inet.chip-web.com with SMTP; 29 Dec 1998 20:45:31 -0000
Message-Id: <4.1.19981229124430.00a43cf0@mail-r>
X-Sender: ludwigp2@mail-r
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 29 Dec 1998 12:45:19 -0800
To: Dean , freebsd-security@FreeBSD.ORG
From: Ludwig Pummer
Subject: Re: ipfw and DNS
In-Reply-To: <368933F6.CEB82066@thegrid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:56 AM 12/29/98 , Dean wrote:
>Hello all,
> I am setting up my first packet filtering gateway to protect a small
>lan from the Internet and I'd like to block everything that isn't
>necessary. I am interested in hearing other people's input on how they
>get around the problem of getting DNS queries from the inside to the
>outside. I'd rather not accept any old udp packet with a source port of
>53. I have read Cheswick & Bellovin's Firewalls book and they offer a
>solution, but I am interested in hearing other solutions.
> I am not subscribed to this mailing list (though I should be), so
>please include me in your replies.
>Thanks for your help,
>Dean

take a look at the different pre-written rule sets in /etc/rc.firewall, as I believe they do the sort of stuff you want to do.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441 ( ludwigp@email.com )

From owner-freebsd-security Tue Dec 29 14:47:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA23438 for freebsd-security-outgoing; Tue, 29 Dec 1998 14:47:29 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA23432 for ; Tue, 29 Dec 1998 14:47:27 -0800 (PST) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.9.1/RDY&DVV) id OAA66134; Tue, 29 Dec 1998 14:47:08 -0800 (PST)
Message-Id: <199812292247.OAA66134@burka.rdy.com>
Subject: Re: ipfw and ftp
In-Reply-To: <368934C7.18C17F62@thegrid.net> from Dean at "Dec 29, 1998 12: 0: 8 pm"
To: dean@thegrid.net (Dean)
Date: Tue, 29 Dec 1998 14:47:08 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dean writes:
> Hello again,
> I am setting up a packet filtering gateway between a small LAN and
> the Internet. I am interested in hearing how people have solved the
> problem of getting ftp out from the inside. I assume that I will have
> to set up ftp on the gateway machine and anyone who wants to ftp out
> will have to do a two-part ftp. The lan is small enough that this isn't
> too much of a problem.

I have this:

ruleadd(`pass tcp from any 20 to any 30000-63000 via NETIF setup')
ruleadd(`pass tcp from any 20 to any 1024-4096 via NETIF setup')

Or alternatively, you can use passive ftp only. In this case you won't need any of these.

> Thanks for the input,
> Dean

-- dima

From owner-freebsd-security Tue Dec 29 16:45:26 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA06175 for freebsd-security-outgoing; Tue, 29 Dec 1998 16:45:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from byteme.com (022-crchtx.icsi.net [208.2.33.22] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA06167; Tue, 29 Dec 1998 16:45:24 -0800 (PST) (envelope-from kkeiip@byteme.com)
From: kkeiip@byteme.com
Message-Id: <199812300045.QAA06167@hub.freebsd.org>
Date: 12/29/98 2:23:26 PM Pacific Daylight Time
Reply-To: kkeiip@byteme.com
To: kkeiip@byteme.com
Subject: List your Adult Website with Us - FREE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ByteMe Online - Adult Link Engine

We are now accepting links from adult webmasters, webmistresses, men, women and most others (over 18, of course) for submission into our adult link engine. List your adult website, services, or other adult related material for FREE and increase your exposure.

http://search.byteme.com/add.cgi

List your site now! There is always a FREE promotion for those listing their site with ByteMe. Stop by and see what we're giving away this time.

From owner-freebsd-security Wed Dec 30 19:31:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA12183 for freebsd-security-outgoing; Wed, 30 Dec 1998 19:31:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail-gw.pacbell.net (mail-gw.pacbell.net [206.13.28.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA12176 for ; Wed, 30 Dec 1998 19:31:41 -0800 (PST) (envelope-from dean@thegrid.net)
Received: from thegrid.net (ppp-207-214-213-28.sntc01.pacbell.net [207.214.213.28]) by mail-gw.pacbell.net (8.8.8/8.7.1+antispam) with ESMTP id TAA29846; Wed, 30 Dec 1998 19:31:18 -0800 (PST)
Message-ID: <368AEEF5.B48E42D6@thegrid.net>
Date: Wed, 30 Dec 1998 19:26:45 -0800
From: Dean
X-Mailer: Mozilla 4.04 [en] (Win95; U)
MIME-Version: 1.0
To: Scott Ullrich , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and ftp
References: <47C8D349258FD211B59B00A0C95531F31360@newman.cre8.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Scott Ullrich wrote:
> FTP's work transparently through the firewall without any problems. The
> problem is incoming FTP, especially when you want to publish to an
> inside machine. If you are only worried about ftping from your network
> then you should not have any problems.

I don't think that this is the case. FTP requires two data connections. Let's suppose that I'm on the inside of a packet filtering gateway and want to make an outgoing ftp connection to somehost.com. My client would initiate a tcp connection to port 21 on somehost and give the ftp server a random non-privileged port. The somehost would then INITIATE a tcp connection from port 20 to that random port on my internal machine. If I want to run a strict filtering gateway, then this connection should be denied and the ftp would fail.

There is a passive mode where the client instructs the server to pick a port and then the client will initiate the outgoing connection. Unfortunately, not all clients support the pasv command and not all servers understand it.

I will probably run some form of proxy server on the gateway machine.

Dean

>
> As far as DNS is concerned, I run 2 dns boxes. The FIREWALL box is my
> outside DNS and a 386 is being used for inside queries.
>
> I have all of the client machines resolving to the inside DNS server
> which in turn forwards to the outside box if it cannot come up with the
> answer. This setup has worked flawlessly for 2 years and I highly
> recommend it. If you have any questions, I can be reached at
> sullrich@in-net.net.
>
> Take care and happy BSD'n!

From owner-freebsd-security Wed Dec 30 19:52:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA13812 for freebsd-security-outgoing; Wed, 30 Dec 1998 19:52:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail-gw2.pacbell.net (mail-gw2.pacbell.net [206.13.28.53]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA13807 for ; Wed, 30 Dec 1998 19:51:59 -0800 (PST) (envelope-from dean@thegrid.net)
Received: from thegrid.net (ppp-207-214-213-28.sntc01.pacbell.net [207.214.213.28]) by mail-gw2.pacbell.net (8.8.8/8.7.1+antispam) with ESMTP id TAA00198; Wed, 30 Dec 1998 19:49:58 -0800 (PST)
Message-ID: <368AF355.F8AA6397@thegrid.net>
Date: Wed, 30 Dec 1998 19:45:25 -0800
From: Dean X-Mailer: Mozilla 4.04 [en] (Win95; U) MIME-Version: 1.0 To: Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: ipfw and DNS References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Mike Holling wrote:
> I have the same question you do about DNS. One of my clients is using a
> machine to IP masquerade his LAN onto the Internet via DSL link. His
> provider believes they will be able to successfully keep people from
> "running servers" by monitoring traffic and probing connected machines.
> Thus, they state that if they detect a DNS server running on his machine
> they will charge him $500/mo extra. Right now the machine is running a
> local caching server for the LAN, and I can't think of any good way to
> keep external machines from querying it while still allowing responses
> from other DNS servers back in. Please let me know if you get any good
> answers.
>
> Thanks,
>
> - Mike

That is pretty strange. I can't think of any way to keep the dns server secret from the network provider.

I have an idea about keeping malicious packets from a dns server. I have a machine with a ppp connection to my service provider (tun0) and an ethernet on the inside (ed0). Suppose I ran a dns server on my gateway. I could block port 53 on the tun0 side, but allow them on the ed0 side. The only udp packets to let through are those originating from 53. I know that this isn't the greatest solution because udp packets with a source port of 53 aren't necessarily from a dns server.

Any input on this scheme?
Thanks, Dean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 30 21:17:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21179 for freebsd-security-outgoing; Wed, 30 Dec 1998 21:17:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21170 for ; Wed, 30 Dec 1998 21:17:20 -0800 (PST) (envelope-from wes@softweyr.com) Received: from softweyr.com (zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id WAA06797; Wed, 30 Dec 1998 22:14:41 -0700 (MST) (envelope-from wes@softweyr.com) Message-ID: <368B0840.96FC6A6C@softweyr.com> Date: Wed, 30 Dec 1998 22:14:40 -0700 
From: Wes Peters Organization: Softweyr llc X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.0-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Dean CC: Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: ipfw and DNS References: <368AF355.F8AA6397@thegrid.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dean wrote:
>
> Mike Holling wrote:
>
> > I have the same question you do about DNS. One of my clients is using a
> > machine to IP masquerade his LAN onto the Internet via DSL link. His
> > provider believes they will be able to successfully keep people from
> > "running servers" by monitoring traffic and probing connected machines.
> > Thus, they state that if they detect a DNS server running on his machine
> > they will charge him $500/mo extra. Right now the machine is running a
> > local caching server for the LAN, and I can't think of any good way to
> > keep external machines from querying it while still allowing responses
> > from other DNS servers back in. Please let me know if you get any good
> > answers.
> >
> > Thanks,
> >
> > - Mike
>
> That is pretty strange. I can't think of any way to keep the dns server
> secret from the network provider.

The DSL interface is probably on ethernet. If your friend is using natd on a dedicated machine, he could try natd -deny_incoming, which discards packets bound to the natd machine itself. Another solution would be to install ipfw and deny inbound connections to DNS.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 31 01:50:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA12984 for freebsd-security-outgoing; Thu, 31 Dec 1998 01:50:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ppc1.cybertime.ch (ppc1.cybertime.ch [194.191.120.136]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA12979 for ; Thu, 31 Dec 1998 01:50:04 -0800 (PST) (envelope-from pajarola@cybertime.ch) Received: from gw1usr6.cybertime.ch by ppc1.cybertime.ch (AIX 4.1/UCB 5.64/4.03) id AA15170; Thu, 31 Dec 1998 10:49:40 +0100 Message-Id: <3.0.32.19981231104939.0092f230@www.dlc.cybertime.ch> X-Sender: pajarola@www.dlc.cybertime.ch X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 31 Dec 1998 10:50:46 +0100 To: security@FreeBSD.ORG 
From: Rico Pajarola Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dima wrote:
>
>I have this:
>
>ruleadd(`pass tcp from any 20 to any 30000-63000 via NETIF setup')
>ruleadd(`pass tcp from any 20 to any 1024-4096 via NETIF setup')

This effectively disables a considerable part of your firewall, as it allows anyone who can bind to port 20 to connect to any port in this range. If you don't care about stray 'servers' installed by your users (one of the top reasons for me to install a firewall), this won't be a problem. It may still fail if the server doesn't connect from port 20 (probably as seldom as a server who can't do passive mode).

>Or alternatively, you can use passive ftp only. In this case you
>won't need any of these.

I've never run into a server (or client) who can't do passive mode. But many clients can't be configured to use passive mode as default (and it's very annoying when you connect and it hangs on the first ls).

Rico Pajarola

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 31 02:25:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA15582 for freebsd-security-outgoing; Thu, 31 Dec 1998 02:25:37 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell2.la.best.com (shell2.la.best.com [209.24.216.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA15577 for ; Thu, 31 Dec 1998 02:25:36 -0800 (PST) (envelope-from nugundam@shell2.la.best.com) Received: (from nugundam@localhost) by shell2.la.best.com (8.9.1/8.9.0/best.sh) id CAA13880; Thu, 31 Dec 1998 02:24:19 -0800 (PST) Message-ID: <19981231022419.A13483@la.best.com> Date: Thu, 31 Dec 1998 02:24:19 -0800
From: "Joseph T. Lee" To: Dean , Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: ipfw and DNS References: <368AF355.F8AA6397@thegrid.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <368AF355.F8AA6397@thegrid.net>; from Dean on Wed, Dec 30, 1998 at 07:45:25PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, Dec 30, 1998 at 07:45:25PM -0800, Dean wrote:
> Mike Holling wrote:
>
> > I have the same question you do about DNS. One of my clients is using a
> > machine to IP masquerade his LAN onto the Internet via DSL link. His
> > provider believes they will be able to successfully keep people from
> > "running servers" by monitoring traffic and probing connected machines.
> > Thus, they state that if they detect a DNS server running on his machine
> > they will charge him $500/mo extra. Right now the machine is running a
> > local caching server for the LAN, and I can't think of any good way to
> > keep external machines from querying it while still allowing responses
> > from other DNS servers back in. Please let me know if you get any good
> > answers.

This is easy. I've done this because somebody was pinging my IP for DNS queries for a while when I didn't authorize nor advertise it.

You can either authorize only a certain group of IPs to access the DNS server, as supported by DNS through the Bind 8 equivalent syntax of allow-query-by,

OR using ipfw rules, allow any query packet in on 53, but do not return replies out if the incoming packet comes from a certain range of IPs

OR using an ipfw rule, drop/reject incoming packets from a certain range of IPs.

I don't know if it's legal for the ISP to monitor traffic as so, or banning DNS servers, since it shouldn't really matter if somebody runs their own DNS server for local caching only. It's like chasing butterflies while the buffalos rampage through the garden with quake servers and such..
Anyways, them ipfw rules can be set up in advance of setting up a DNS server to log how the ISP is probing his port 53, and set up counter rules against it, maybe even send malicious icmp packets back.

Have fun,

--
Joseph nugundam =best=com==/==\=IIGS=/==\=Playstation=/==\=Civic HX CVT=/==\
# Anime Expo 1998 >> www.anime-expo.org/ >
# Redline Games >> www.redlinegames.com/ >
# Cal-Animage Epsilon >> www.best.com/~nugundam/epsilon/ >
# EX: The Online World of Anime & Manga >> www.ex.org/ /

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 31 07:16:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA09268 for freebsd-security-outgoing; Thu, 31 Dec 1998 07:16:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA09260 for ; Thu, 31 Dec 1998 07:16:10 -0800 (PST) (envelope-from wes@softweyr.com) Received: from softweyr.com (zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id IAA07700; Thu, 31 Dec 1998 08:15:08 -0700 (MST) (envelope-from wes@softweyr.com) Message-ID: <368B94FC.61C6391E@softweyr.com> Date: Thu, 31 Dec 1998 08:15:08 -0700
From: Wes Peters Organization: Softweyr llc X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.0-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: "Joseph T. Lee" CC: Dean , Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: ipfw and DNS References: <368AF355.F8AA6397@thegrid.net> <19981231022419.A13483@la.best.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Joseph T. Lee" wrote:
>
> On Wed, Dec 30, 1998 at 07:45:25PM -0800, Dean wrote:
> > Mike Holling wrote:
> >
> > > I have the same question you do about DNS. One of my clients is using a
> > > machine to IP masquerade his LAN onto the Internet via DSL link. His
> > > provider believes they will be able to successfully keep people from
> > > "running servers" by monitoring traffic and probing connected machines.
> > > Thus, they state that if they detect a DNS server running on his machine
> > > they will charge him $500/mo extra. Right now the machine is running a
> > > local caching server for the LAN, and I can't think of any good way to
> > > keep external machines from querying it while still allowing responses
> > > from other DNS servers back in. Please let me know if you get any good
> > > answers.
>
> This is easy. I've done this because somebody was pinging my IP for
> DNS queries for a while when I didn't authorize nor advertise it.
>
> You can either authorize only a certain group of IPs to access the DNS
> server, as supported by DNS through the Bind 8 equivalent syntax of
> allow-query-by,

If you're running FreeBSD 3.0, it looks like the following syntax might work:

    options {
            directory "/var/named";
            allow-query { localnets; !any; };
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    };

Be warned: I haven't tried this.
My DNS server is still running 2.2.7, and is only a secondary for my domain. The primary is on Solaris, somewhere off in ISP land. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
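The filter behaviour argued over in this thread, as an added example that is not code from the list posters or from ipfw itself: Dean's point that a strict ruleset breaks active FTP (the server's SYN from port 20 arrives inbound) while passive FTP survives, Rico's objection that passing "tcp from any 20 to any 30000-63000 setup" admits anyone who can bind port 20, and Dean's own caveat that letting UDP "from any 53" back in lets any sender that picks source port 53 through. The rule matcher is a deliberately simplified, hypothetical imitation of ipfw's first-match semantics; the interface names tun0/ed0 are the ones from Dean's message, and every address, port and packet below is constructed for the demonstration.

```python
"""Toy first-match packet filter modelled loosely on ipfw(8) (added example, not ipfw).

Hypothetical rule syntax: action, protocol, optional src/dst address, optional
src/dst port (exact or inclusive range), interface, direction and TCP flags.
Addresses and ports are constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

PortSpec = Union[str, int, Tuple[int, int]]   # "any", one port, or (lo, hi)


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str              # interface the packet crosses (tun0 = provider, ed0 = inside)
    direction: str          # "in" or "out", relative to the filtering host
    syn_only: bool = False  # TCP connection setup: SYN set, ACK clear


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    src: str = "any"                # "any", exact address, or a.b.c.0/24
    sport: PortSpec = "any"
    dst: str = "any"
    dport: PortSpec = "any"
    iface: str = "any"
    direction: str = "any"
    tcpflags: Optional[str] = None  # None, "setup" (SYN only) or "established" (anything else)


def addr_match(addr: str, spec: str) -> bool:
    """Constructed helper: 'any', an exact address, or a /24 prefix compare."""
    if spec == "any":
        return True
    if spec.endswith("/24"):
        return addr.rsplit(".", 1)[0] == spec[:-3].rsplit(".", 1)[0]
    return addr == spec


def port_match(port: int, spec: PortSpec) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.iface != "any" and rule.iface != pkt.iface:
        return False
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.tcpflags == "setup" and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    if rule.tcpflags == "established" and not (pkt.proto == "tcp" and not pkt.syn_only):
        return False
    return (addr_match(pkt.src, rule.src) and port_match(pkt.sport, rule.sport)
            and addr_match(pkt.dst, rule.dst) and port_match(pkt.dport, rule.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides, as in ipfw; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed hosts: the filtering host on its tun0 side, an FTP server, a
# stranger on the Internet, and the resolver we forward queries to.
ME, FTP_SERVER, STRANGER, RESOLVER = "192.0.2.10", "198.51.100.7", "203.0.113.9", "198.51.100.53"

# Dean's "strict filtering gateway": we may open TCP connections outward, nothing may open inward.
STRICT = [
    Rule("pass", "tcp", iface="tun0", direction="out", tcpflags="setup"),
    Rule("pass", "tcp", tcpflags="established"),
    Rule("deny", "ip"),
]

# Dima's extra rule that Rico objected to, placed in front of the strict set.
FTP_HOLE = [Rule("pass", "tcp", sport=20, dport=(30000, 63000),
                 iface="tun0", direction="in", tcpflags="setup")] + STRICT

# Dean's DNS scheme: block queries to 53 on tun0, let UDP "from 53" back in, trust ed0.
DNS_SCHEME = [
    Rule("deny", "udp", dport=53, iface="tun0", direction="in"),
    Rule("pass", "udp", sport=53, iface="tun0", direction="in"),
    Rule("pass", "udp", iface="ed0"),
    Rule("deny", "ip"),
]


def active_ftp_data_setup(rules: List[Rule]) -> str:
    """Active mode: the server opens the data connection from port 20 to the port we sent in PORT."""
    return evaluate(rules, Packet("tcp", FTP_SERVER, 20, ME, 40123, "tun0", "in", syn_only=True))


def passive_ftp_data_setup(rules: List[Rule]) -> str:
    """Passive mode: we open the data connection to the port the server named in its PASV reply."""
    return evaluate(rules, Packet("tcp", ME, 40124, FTP_SERVER, 51000, "tun0", "out", syn_only=True))


def stranger_from_port_20(rules: List[Rule]) -> str:
    """Rico's point: anyone who can bind port 20 reaches the whole opened range."""
    return evaluate(rules, Packet("tcp", STRANGER, 20, ME, 30001, "tun0", "in", syn_only=True))


def dns_query_from_internet(rules: List[Rule]) -> str:
    return evaluate(rules, Packet("udp", STRANGER, 1034, ME, 53, "tun0", "in"))


def dns_reply_to_our_query(rules: List[Rule]) -> str:
    return evaluate(rules, Packet("udp", RESOLVER, 53, ME, 1025, "tun0", "in"))


def stray_udp_with_sport_53(rules: List[Rule]) -> str:
    """Dean's caveat: not a reply to anything we asked, yet only the source port is checked."""
    return evaluate(rules, Packet("udp", STRANGER, 53, ME, 4000, "tun0", "in"))


if __name__ == "__main__":
    print("active FTP data SYN, strict:    ", active_ftp_data_setup(STRICT))
    print("passive FTP data SYN, strict:   ", passive_ftp_data_setup(STRICT))
    print("active FTP data SYN, with hole: ", active_ftp_data_setup(FTP_HOLE))
    print("stranger from port 20, with hole:", stranger_from_port_20(FTP_HOLE))
    print("DNS query from Internet:        ", dns_query_from_internet(DNS_SCHEME))
    print("DNS reply to our query:         ", dns_reply_to_our_query(DNS_SCHEME))
    print("stray UDP with source port 53:  ", stray_udp_with_sport_53(DNS_SCHEME))
```

Running it shows the trade-off the thread circles around: the strict set denies the active-mode data SYN and passes the passive one; adding the port-20 rule makes active FTP work but also passes the stranger's SYN to port 30001; and the DNS scheme does keep queries away from port 53 on tun0 (a packet with source and destination port 53 is still denied by the first rule) while admitting any UDP datagram whose source port happens to be 53, which is the weakness Dean already noted. A stateless filter cannot tell a reply from a forgery, so pairing it with an application-layer restriction like the allow-query list Wes quoted is the defensible combination.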