From owner-freebsd-security Sun Jul 23 05:49:09 2000
Date: Sun, 23 Jul 2000 15:48:58 +0300 (EEST)
From: Dmitry Pryanishnikov
To: freebsd-security@FreeBSD.ORG
Subject: ssh2 bypasses host.allow in /etc/login.conf?

Hello!

I've just discovered that ssh2 on FreeBSD bypasses the host.allow check in /etc/login.conf while ssh1 does not! That is, I've added a user with a class guest and added a login class guest into /etc/login.conf:

    guest:\
            :host.allow=192.168.18.*:\
            :tc=default:

So I want to deny such a user's login from any machine except one of our local networks. I've checked telnet, ftp, rlogin, rsh, ssh1 - all those utilities honoured the login restriction, while ssh2 does not. Is it a known problem? Does a solution exist?

Sincerely, Dmitry

Dnipropetrovsk State University,       E-mail: dmitry@digital.dp.ua
Physical Faculty,                      WWW:    http://ff.dsu.dp.ua
Department of Experimental Physics
Dnipropetrovsk, Ukraine                FTP:    ftp://digital.dp.ua/DEC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 23 06:36:22 2000
Date: Sun, 23 Jul 2000 09:35:41 -0400 (EDT)
From: Paul Boehmer
To: Dmitry Pryanishnikov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?

You need to compile ssh2 with tcpwrapper support in order to use the host.allow file; it is clearly stated in the documentation.

On a side note, I do miss the ssh1 options AllowUser and AllowGroup that did not make it to the ssh2 implementation; that's pretty much why I have stuck to ssh1 and OpenSSH on most of my boxes.

Paul Boehmer
pboehmer@seidata.com

On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:

> Hello!
>
> I've just discovered that ssh2 on FreeBSD bypasses host.allow check in
> /etc/login.conf while ssh1 does not! That is, I've added a user with a class
> guest and added a login class guest into /etc/login.conf:
>
> guest:\
>         :host.allow=192.168.18.*:\
>         :tc=default:
>
> So I want to deny such user's login from any machine except one of our local
> networks. I've checked telnet,ftp,rlogin,rsh,ssh1 - all those utilities
> honoured login restriction. While ssh2 does not.
> Is it known problem? Does the solution exist?
>
> Sincerely, Dmitry
>
> Dnipropetrovsk State University,       E-mail: dmitry@digital.dp.ua
> Physical Faculty,                      WWW:    http://ff.dsu.dp.ua
> Department of Experimental Physics
> Dnipropetrovsk, Ukraine                FTP:    ftp://digital.dp.ua/DEC

From owner-freebsd-security Sun Jul 23 08:28:08 2000
Date: Sun, 23 Jul 2000 18:28:06 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Paul Boehmer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?

Hello!

On Sun, 23 Jul 2000, Paul Boehmer wrote:

> You need to compile ssh2 with tcpwrapper support in order to user the
> host.allow file, it is cleary stated in the documentation.
  ^^^^^^^^^^^^^^^

Maybe I've missed something, but I mean NOT the file host.allow, but the BSD-native login class restrictions written in /etc/login.conf, which are checked with auth_hostok() (or login_getclass()/login_getcapstr() as in sshd.c from ssh1). Of course, make WITH_TCPWRAP=yes doesn't help!

Sincerely, Dmitry

Dnipropetrovsk State University,       E-mail: dmitry@digital.dp.ua
Physical Faculty,                      WWW:    http://ff.dsu.dp.ua
Department of Experimental Physics
Dnipropetrovsk, Ukraine                FTP:    ftp://digital.dp.ua/DEC

From owner-freebsd-security Sun Jul 23 14:50:12 2000
Date: Mon, 24 Jul 2000 08:56:04 +1000 (EST)
From: Stanley Hopcroft
To: security@freebsd.org
Subject: What does this mean and how do I stop it ?

Dear Ladies and Gentlemen,

These entries appear frequently in the daily security report of a FreeBSD 4.0-RELEASE machine (Bind 8.2.x):

> Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53

What do they mean, and if they are not signs of bad things, how can I get rid of them?

Thank you,

Yours sincerely,

S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX

From owner-freebsd-security Sun Jul 23 15:25:22 2000
Date: Mon, 24 Jul 2000 07:55:53 +0930
From: Mark Newton
To: Stanley Hopcroft
Cc: security@FreeBSD.ORG
Subject: Re: What does this mean and how do I stop it ?
Message-ID: <20000724075553.A70664@atdot.dotat.org>

On Mon, Jul 24, 2000 at 08:56:04AM +1000, Stanley Hopcroft wrote:

> What do they mean

They're DNS lookups.

> and if they are not signs of bad things how can I get
> rid of them ?

Stop looking up hostnames :-)

  - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Sun Jul 23 15:26:59 2000
Date: Sun, 23 Jul 2000 15:26:37 -0700 (PDT)
From: Mike Hoskins
To: Dmitry Pryanishnikov
Cc: Paul Boehmer, freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?

On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:

> Maybe I've missed something, but I mean NOT a file host.allow, but the
> BSD-native login class restrictions written in /etc/login.conf, which
> checked with auth_hostok() (or login_getclass()/login_getcapstr() as
> in sshd.c from ssh1). Of course, make WITH_TCPWRAP=yes doesn't help!

So... are these methods also in ssh2's .c file? Just curious... As Paul mentioned, not all version 1 features were carried over to version 2. Maybe this is just a case of getting bitten by this fact. Have you tried OpenSSH? A much better solution, IMCO.

I can do some tests with OpenSSH if you want (rushing out the door ATM). I usually always use /etc/hosts.allow to control access anyhow, because a CGI (allowing me to add hosts to hosts.allow from an SSL webpage) I wrote points to it and I'm too lazy to change it. ;)

-mrh

From owner-freebsd-security Sun Jul 23 15:27:52 2000
Message-Id: <4.2.2.20000723181947.04949220@mail.sentex.net>
Date: Sun, 23 Jul 2000 18:22:04 -0400
To: Stanley Hopcroft, security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: What does this mean and how do I stop it ?

At 08:56 AM 7/24/00 +1000, Stanley Hopcroft wrote:
>Dear Ladeis and Gentlemen,
>
>These entries appear frequently in the daily security report of a
>FreeBSD 4.0-RELEASE machine (Bind 8.2.x)
>
> > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53
>
>What do they mean and if they are not signs of bad things how can I get
>rid of them ?

It means a UDP packet from 127.0.0.1 port 53 got sent to 127.0.0.1 port 2343, but nothing there was listening. If you want to disable it, type

    sysctl net.inet.udp.log_in_vain=0

---Mike

--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Network Administration,                       mike@sentex.net
Sentex Communications                         www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike

From owner-freebsd-security Sun Jul 23 15:41:12 2000
Date: Sun, 23 Jul 2000 15:40:52 -0700 (PDT)
From: Mike Hoskins
To: Stanley Hopcroft
Cc: security@freebsd.org
Subject: Re: What does this mean and how do I stop it ?

On Mon, 24 Jul 2000, Stanley Hopcroft wrote:

> > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53
> What do they mean and if they are not signs of bad things how can I get
> rid of them ?

DNS lookups. Do you, by chance, have net.inet.udp.log_in_vain=1? Setting it to 0 will do away with these - then use something like portsentry to monitor the ports you want to.

-mrh

From owner-freebsd-security Sun Jul 23 15:59:14 2000
From: "Rodney W. Grimes"
Message-Id: <200007232258.PAA46731@gndrsh.dnsmgr.net>
Date: Sun, 23 Jul 2000 15:58:51 -0700 (PDT)
To: mike@sentex.net (Mike Tancsa)
Cc: Stanley.Hopcroft@IPAustralia.Gov.AU (Stanley Hopcroft), security@FreeBSD.ORG
Subject: Re: What does this mean and how do I stop it ?
In-Reply-To: <4.2.2.20000723181947.04949220@mail.sentex.net> from Mike Tancsa at "Jul 23, 2000 06:22:04 pm"

> At 08:56 AM 7/24/00 +1000, Stanley Hopcroft wrote:
> >Dear Ladeis and Gentlemen,
> >
> >These entries appear frequently in the daily security report of a
> >FreeBSD 4.0-RELEASE machine (Bind 8.2.x)
> >
> > > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53
> >
> >What do they mean and if they are not signs of bad things how can I get
> >rid of them ?
>
>
> It means a UDP packet from 127.0.0.1 port 53 got sent to 127.0.0.1 port
> 2343, but nothing there was listening. If you want to disable it type,
> sysctl net.inet.udp.log_in_vain=0

Hiding an error condition by not logging it does not make the error condition go away. Due to massive slowdowns in high-level (i.e., root) nameservers, the timeouts used by the libc resolver should be tweaked. On our MX machines we are seeing anyplace from 1/s to 20/s of these, and that means if we had only waited slightly longer we could have probably saved yet another packet from the internet.
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Sun Jul 23 17:44:26 2000
Date: Mon, 24 Jul 2000 10:49:58 +1000 (EST)
From: Stanley Hopcroft
To: security@freebsd.org
Subject: Thank you for the explanation of the in vain resolver connection attempts.

Dear Ladies and Gentlemen,

I am writing to acknowledge the helpful replies of Messrs Grimes, Tancsa, Johns and others to my question about the "in vain" connection attempts (from a resolver to a DNS server) in the daily security report.

Thank you.

Yours sincerely,

S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX

From owner-freebsd-security Sun Jul 23 18:14:31 2000
Date: Sun, 23 Jul 2000 19:14:10 -0600 (MDT)
From: Paul Hart
To: "Thomas R. Stromberg"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?
In-Reply-To: <39788D89.56359DCA@rtci.com>

On Fri, 21 Jul 2000, Thomas R. Stromberg wrote:

> Ive also messed around with storing my home directory in cfs, until I
> forgot its password :(

One other bad thing about using CFS for a home directory is the fact that cdetach cannot make distinctions about whether it is the owner of the CFS mount who is detaching it. As long as you know the name of the mount you can detach mounts belonging to other people. Since your home directory needs to be a fixed (and well-known) path name, you can become vulnerable to a lame variety of denial-of-service attack against your account.

Paul Hart

-- 
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Mon Jul 24 00:11:19 2000
Message-ID: <004601bff546$9cfe71a0$03c507d4@icon1.icon-bg.net>
From: "Victor Ivanov"
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?
Date: Mon, 24 Jul 2000 10:10:08 +0200

| On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:
|
| > Maybe I've missed something, but I mean NOT a file host.allow, but the
| > BSD-native login class restrictions written in /etc/login.conf, which
| > checked with auth_hostok() (or login_getclass()/login_getcapstr() as
| > in sshd.c from ssh1). Of course, make WITH_TCPWRAP=yes doesn't help!
|
| So... are these methods also in ssh2's .c file? Just curious... As Paul
| mentioned, not all version 1 features were carried over to version
| 2. Maybe this is just a case of getting bitten by this fact. Have you
| tried OpenSSH? A much better solution, IMCO.
| I can do some tests with OpenSSH if you want (rushing out the door
| ATM). I usually always use /etc/hosts.allow to control access anyhow,
| because a CGI (allowing me to add hosts to hosts.allow from an SSL
| webpage) I wrote points to it and I'm too lazy to change it. ;)
|
| -mrh

login.conf is for login. It is no good if a program depends on another program's config file, which is subject to change... (I think). Maybe ssh2 does not use login? Like OpenSSH? Or is it enabled with some option? Is there a 'UseLogin' option in the ssh2 config file (or something like it)?
have fun

From owner-freebsd-security Mon Jul 24 06:13:17 2000
Date: Mon, 24 Jul 2000 16:12:06 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Mike Hoskins
Cc: Paul Boehmer, freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?

Hello!

On Sun, 23 Jul 2000, Mike Hoskins wrote:

> On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:
>
> > Maybe I've missed something, but I mean NOT a file host.allow, but the
> > BSD-native login class restrictions written in /etc/login.conf, which
> > checked with auth_hostok() (or login_getclass()/login_getcapstr() as
> > in sshd.c from ssh1). Of course, make WITH_TCPWRAP=yes doesn't help!
>
> So... are these methods also in ssh2's .c file? Just curious... As Paul

I haven't found them there ;(

> 2. Maybe this is just a case of getting bitten by this fact. Have you
> tried OpenSSH? A much better solution, IMCO.

Sorry, I don't have sufficient time now, maybe later I'll try..

Sincerely, Dmitry

Dnipropetrovsk State University,       E-mail: dmitry@digital.dp.ua
Physical Faculty,                      WWW:    http://ff.dsu.dp.ua
Department of Experimental Physics
Dnipropetrovsk, Ukraine                FTP:    ftp://digital.dp.ua/DEC

From owner-freebsd-security Mon Jul 24 08:27:55 2000
Message-ID: <397C606E.131A5CAE@rtci.com>
Date: Mon, 24 Jul 2000 11:27:42 -0400
From: Thomas Stromberg
To: Paul Hart
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Status of FreeBSD security work? Audit, regression and cryptoswap?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Hart wrote:

> One other bad thing about using CFS for a home directory is the fact that
> cdetach cannot make distinctions about whether it is the owner of the CFS
> mount who is detaching it. As long as you know the name of the mount you
> can detach mounts belonging to other people. Since your home directory
> needs to be a fixed (and well-known) path name, you can become vulnerable
> to a lame variety of denial-of-service attack against your account.
>
> Paul Hart

What we did here for the cfs security disk script was:

    $target = sprintf("/crypt/.%lx", int(rand(999999)));

Which provides a relatively randomized mountpoint which lies only in the knowledge of cfsd and the perl script. I also take advantage of the cfs feature which hides directories starting with a '.'. This of course is by no means perfect, but it was secure enough for our requirements.

However, if you wanted to make use of this as a home directory, you'd have to symlink to it (what I did), which would publicize the mountpoint. Though I guess some weird antics can be done by changing the $HOME variable. ps -e will still find it however, and not all software respects $HOME. One could also dynamically modify their getpwent() info, and store it in a privatized location (nss-ldap anyone?).. This however is pure and utter insanity :) It'd be much easier to mod the cfs code.

I'd love to see tcfs ported to FreeBSD, maybe it will alleviate some of the hackery.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE5fGAyoyBzPESpFVQRAgm8AKCdQMn2G8LYeLWRdlh9a8SqWlKexwCfZ7ZO
5xlhcMn/OIY9vwNUBx+PZRI=
=fqqB
-----END PGP SIGNATURE-----

-- 
thomas r. stromberg              : tstromberg@rtci.com
senior systems administrator     : http://www.afterthought.org/
research triangle commerce, inc. : 1.919.657.1317

From owner-freebsd-security Mon Jul 24 11:39:47 2000
Date: Mon, 24 Jul 2000 19:29:15 +0200
From: Gerhard Sittig
To: security@freebsd.org
Subject: Re: What does this mean and how do I stop it ?
Message-ID: <20000724192915.Z24476@speedy.gsinet>
Organization: System Defenestrators Inc.

On Mon, Jul 24, 2000 at 08:56 +1000, Stanley Hopcroft wrote:
>
> These entries appear frequently in the daily security report of
> a FreeBSD 4.0-RELEASE machine (Bind 8.2.x)
>
> > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53

I don't care if everybody's telling you it's DNS *lookup* -- I feel this is something different, since it's going *from* port 53 *to* something random(?). So this could be some kind of DNS wakeup signal for secondaries ("notification", but I don't believe it since there's probably no one listening and there's no point in having localhost as localhost's secondary :). Or maybe more probably it's a DNS _answer_ but it's arriving too late to find the asking part listening? I'm not convinced by the other replies. :)

But it's clear that you only notice them since log_in_vain is set. Although the only log entry I get with this is biff triggering at every email delivery (port 512).

If you feel that bind is too slow or too aggressive when putting a burden on your machine you might want to have a look at dnscache (which was renamed lately to djbdns). It can be found in the ports.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
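The report lines this thread is about, parsed and triaged as an added example (it is not code from any of the posts above). A UDP datagram from port 53 to an unprivileged port on a host where nothing is listening is treated as the late answer to a resolver query whose socket was already closed, the explanation Mike Tancsa gives above; probes at ports the host is expected to serve are kept apart from it, and the remote nameservers that answer late are counted, since a persistently slow server is what Rodney Grimes's remark about resolver timeouts points at. The log format is the one log_in_vain writes; the sample lines, the host name "stan" in them and the WATCHED_PORTS set are constructed for the demo.

```python
"""Triage "Connection attempt to UDP A:p from B:q" lines from log_in_vain.

Added example for this thread; not code from the list posts.  Sample log
lines and the WATCHED_PORTS set are constructed for the demonstration.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Message text as the kernel logs it when net.inet.{udp,tcp}.log_in_vain is set.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[0-9.]+):(?P<dport>\d+) from (?P<src>[0-9.]+):(?P<sport>\d+)"
)

# Ports this host is supposed to serve (assumption: adjust per host).  A hit
# here with nothing listening is a probe worth a look, not resolver noise.
WATCHED_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 143, 443}


def parse_line(line):
    """Return the event fields of one log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"],
            "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
            "src": ip_address(m["src"]), "sport": int(m["sport"])}


def classify(ev):
    """Label one in-vain event.

    late-dns-answer: UDP from port 53 to an unprivileged port.  The resolver
        queried, gave up and closed its socket, and the answer arrived after
        that.  Loopback to loopback is the local named answering a local
        resolver.
    service-probe: aimed at a port this host should serve, nothing listening.
    other: everything else (scans, stray replies on other ports).
    """
    if ev["proto"] == "UDP" and ev["sport"] == 53 and ev["dport"] >= 1024:
        return "late-dns-answer"
    if ev["dport"] in WATCHED_PORTS:
        return "service-probe"
    return "other"


def triage(lines):
    """Count events per label and late answers per remote nameserver."""
    counts, late_servers = Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        counts[label] += 1
        if label == "late-dns-answer" and not ev["src"].is_loopback:
            # A remote server answering after the resolver gave up: that is
            # the thing to act on (resolver timeouts, a closer cache), not
            # the log line itself.
            late_servers[str(ev["src"])] += 1
    return counts, late_servers


SAMPLE = [  # constructed lines in the shape of the daily security report
    "Jul 23 03:14:01 stan /kernel: Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53",
    "Jul 23 03:14:09 stan /kernel: Connection attempt to UDP 127.0.0.1:2351 from 127.0.0.1:53",
    "Jul 23 03:20:44 stan /kernel: Connection attempt to UDP 192.0.2.10:3021 from 198.51.100.2:53",
    "Jul 23 04:01:12 stan /kernel: Connection attempt to TCP 192.0.2.10:111 from 203.0.113.77:4321",
    "Jul 23 04:01:13 stan /kernel: Connection attempt to UDP 192.0.2.10:31337 from 203.0.113.77:31337",
    "Jul 23 04:02:00 stan /kernel: Connection attempt to UDP 192.0.2.10:3022 from 198.51.100.2:53",
]

if __name__ == "__main__":
    counts, late_servers = triage(SAMPLE)
    for label, n in sorted(counts.items()):
        print(f"{label:16s} {n}")
    for server, n in late_servers.most_common():
        print(f"late answers from {server}: {n}")
```

Run against the real report, the late-answer count per remote server is the number to watch; the resolver side of that is tuned with the timeout and attempts options in resolv.conf(5) rather than by turning log_in_vain off.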
From owner-freebsd-security Mon Jul 24 11:47:21 2000
Message-ID: <397C8F30.8DFCE0E9@math.missouri.edu>
Date: Mon, 24 Jul 2000 13:47:12 -0500
From: Stephen Montgomery-Smith
To: freebsd-security@freebsd.org
Subject: Problems with natd and simple firewall

I recently tried to get natd to work with the default rc.firewall that comes with FreeBSD 4.1RC, and it didn't work. I found the problem, from looking at the web site

    http://www.mostgraveconcern.com/freebsd/sheet.cgi?ipfw

which has a cure, but I wonder if there are other ways to fix it. In any case, the rc.firewall is currently seriously deficient.

Here is the setup: my external network has net:mask = 12.34.56.0/24 and my internal network has net:mask = 192.168.1/24.

Now, suppose I have established a connection:

    192.168.1.2:4444 to 34.56.78.90:22

natd changes this to

    12.34.56.78:4444 to 34.56.78.90:22

Now a piece of tcp comes in:

    34.56.78.90:22 to 12.34.56.78:4444 via outside-interface

natd converts this to

    34.56.78.90:22 to 192.168.1.2:4444 via outside-interface

which immediately gets killed by the rule in rc.firewall:

    # Stop RFC1918 nets on the outside interface
    ...........
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

The web site fixes this by changing the line to:

    ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

Is this the correct way to deal with this? Does this leave the computer open to spoofing? Is there some clever dynamic rule that could fix this? Or is there some option to natd that would change

    34.56.78.90:22 to 12.34.56.78:4444 via outside-interface

to

    34.56.78.90:22 to 192.168.1.2:4444 via inside-interface

? I think that the last option would be the best, and if natd does not allow it, maybe it should be added to the program.
-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

From owner-freebsd-security Mon Jul 24 11:48:20 2000
To: Gerhard.Sittig@gmx.net
Cc: security@freebsd.org
Subject: Re: What does this mean and how do I stop it ?
From: sthaug@nethelp.no In-Reply-To: Your message of "Mon, 24 Jul 2000 19:29:15 +0200" References: <20000724192915.Z24476@speedy.gsinet> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 24 Jul 2000 20:48:11 +0200 Message-ID: <33753.964464491@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > These entries appear frequently in the daily security report of > > a FreeBSD 4.0-RELEASE machine (Bind 8.2.x) > > > > > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53 > > I don't care if everybody's telling you it's DNS *lookup* -- I > feel this is something different, since it's going *from* port 53 > *to* something random(?). It's the *answer* to a DNS query (lookup). The answer came so late that the DNS client (probably the resolver routines linked into the application) had already closed the UDP socket in question - thus there's nobody listening there. To me this was already implied from the previous messages in this thread... Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 11:54: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from ywing.creative.net.au (ywing.creative.net.au [203.56.168.34]) by hub.freebsd.org (Postfix) with ESMTP id 4345A37B972; Mon, 24 Jul 2000 11:53:40 -0700 (PDT) (envelope-from adrian@ywing.creative.net.au) Received: (from adrian@localhost) by ywing.creative.net.au (8.9.3/8.9.3) id VAA64125; Mon, 24 Jul 2000 21:00:42 +0200 (CEST) (envelope-from adrian) Date: Mon, 24 Jul 2000 21:00:42 +0200 
From: Adrian Chadd To: Terje Elde Cc: Robert Watson , Sheldon Hearn , =?iso-8859-1?Q?Joachim_Str=F6mbergson?= , Greg Lewis , freebsd-security@FreeBSD.ORG Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap? Message-ID: <20000724210042.O62551@ywing.creative.net.au> References: <20000720124805.D70017@dlt.follo.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20000720124805.D70017@dlt.follo.net>; from terje@elde.net on Thu, Jul 20, 2000 at 12:48:05PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 20, 2000, Terje Elde wrote: > > Personally, my big fear is my notebook computer. I can encrypt data on it > > using command line tools, but I'd much rather see a device layer that I > > can use to protect both swap and sensitive partitions. Swap could use a > > randomized key, and mounting of data partitions could rely on a > > user-provided key for the device layer. A crypto-fs might be more fun, > > but if we have the facility to layer device access, we might as well use > > that for a quicky solution. It's easy for someone to walk off with > > personal computing devices -- in the office, at home, at the airport, ... > > For a "ugly hack, but up and running today" kinda solution, you could always > do what I do... Use cfs (yes, the software tcfs is based on is running under > freebsd, and is available in the ports collection) for your file systems, then > swap to a file, on one of the encrypted file systems. > > It's not a pretty sight, but it does the job. Whats wrong with a bdev io layer like vinum/ccd which does crypto? Then you could swap and filesystem to your block devices to your hearts content with whatever filesystem you wanted? Adrian -- Adrian Chadd Now 17-year-olds can't play a _video game_ because its called violent - and real violence is still called dinner. 
-- jamie@mccarthy.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 12:16:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from gollum.esys.ca (dhcp198-59.esys.ca [198.161.92.59]) by hub.freebsd.org (Postfix) with ESMTP id DD92437B87C for ; Mon, 24 Jul 2000 12:16:06 -0700 (PDT) (envelope-from lyndon@messagingdirect.com) Received: from gollum.esys.ca (localhost [127.0.0.1]) by gollum.esys.ca (8.10.2/8.10.2) with ESMTP id e6OJG4V01113; Mon, 24 Jul 2000 13:16:04 -0600 (MDT) Date: Mon, 24 Jul 2000 13:16:03 -0600 
From: Lyndon Nerenberg To: Gerhard Sittig , security@FreeBSD.ORG Subject: Re: What does this mean and how do I stop it ? Message-ID: <144260000.964466163@gollum.esys.ca> In-Reply-To: <20000724192915.Z24476@speedy.gsinet> X-Mailer: Mulberry/2.0.1a3 (Linux/x86 Demo) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --On 07/24/00 19:29:15 +0200 Gerhard Sittig wrote: > On Mon, Jul 24, 2000 at 08:56 +1000, Stanley Hopcroft wrote: >> >> These entries appear frequently in the daily security report of >> a FreeBSD 4.0-RELEASE machine (Bind 8.2.x) >> >> > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53 > > I don't care if everybody's telling you it's DNS *lookup* -- I > feel this is something different, since it's going *from* port 53 > *to* something random(?). If you have 'nameservers 127.0.0.1' in /etc/resolv.conf then this is probably named answering a DNS lookup request from a local process. --lyndon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 12:55:13 2000 Delivered-To: freebsd-security@freebsd.org Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 404DF37BCB1 for ; Mon, 24 Jul 2000 12:55:10 -0700 (PDT) (envelope-from vdrifter@ocis.ocis.net) Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id MAA03379 for ; Mon, 24 Jul 2000 12:55:09 -0700 Date: Mon, 24 Jul 2000 12:55:09 -0700 (PDT) 
From: John F Cuzzola
To: security@FreeBSD.ORG
Subject: invalid-state
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Everyone,

On my FreeBSD 4.0-release box I've recently gotten into state-full firewall rules with ipfw (keep-state, check-state). I seem to be getting the desired effect but I notice I'm getting a lot of the following kernel log messages:

  invalid state: 0x0
  invalid state: 0x1
  invalid state: 0x2
  invalid state: 0x3

Can anyone give me an idea of what this means and why it's happening?

Thanks in Advance,
John C.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 12:58:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from exchange.lightrealm.com (exchange.lightrealm.com [216.122.95.4]) by hub.freebsd.org (Postfix) with ESMTP id 59BA237BEB8; Mon, 24 Jul 2000 12:58:18 -0700 (PDT) (envelope-from rcarskadden@lightrealm.com)
Received: by EXCHANGE with Internet Mail Service (5.5.2650.21) id ; Mon, 24 Jul 2000 12:18:40 -0700
Message-ID:
From: Rush Carskadden
To: 'Kris Kennaway'
Cc: security@FreeBSD.ORG
Subject: RE: randomdev entropy gathering is really weak
Date: Mon, 24 Jul 2000 12:18:39 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I was referring to the portion that said:

> If you can't reach a NTP server, you are not connected to the internet. In
> that case you don't need to worry so much about security...

I was not disagreeing with Wollman, I was assisting him in pointing out Neland's oversight.

ok,
Rush Carskadden

-----Original Message-----
From: Kris Kennaway [mailto:kris@FreeBSD.ORG]
Sent: Friday, July 21, 2000 7:14 PM
To: Rush Carskadden
Cc: 'Garrett Wollman'; Leif Neland; security@FreeBSD.ORG
Subject: RE: randomdev entropy gathering is really weak

On Fri, 21 Jul 2000, Rush Carskadden wrote:

> It is somewhat troubling to me to think that you may assume the only
> time you need security is when you are connected to the Internet. Picture a

That's not what he said:

> Unless, of course, the reason your machine is not connected to the
> Internet is in order that it be able to provide some critical security
> functionality.

i.e. the machine is not connected to the net because it is critical to security.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 13:37:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 690E237B592 for ; Mon, 24 Jul 2000 13:37:46 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 035B59EE01; Mon, 24 Jul 2000 13:37:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id EEF1D9B001; Mon, 24 Jul 2000 13:37:21 -0700 (PDT)
Date: Mon, 24 Jul 2000 13:37:21 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397C8F30.8DFCE0E9@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Jul 2000, Stephen Montgomery-Smith wrote:

> which immediately gets killed by the rule in rc.firewall:
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

Wait... why is this actually killing it? Doesn't it appear as 'to 12.34.56.78 via oif', get inserted into your stack, then converted by natd and dumped out the iif?

> The web site fixes this by changing the line to:
> ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

That's a completely different rule. The first rule blocks inbound packets with RFC1918 network numbers (attempt to stop spoofing). The latter stops outbound packets (RFC1918-compliant filtering).

> Is this the correct way to deal with this? Does this leave the computer
> open to spoofing? Is there some clever dynamic rule that could fix
> this?

Open to spoofing? That depends who you ask. Some would say it doesn't, since upstream routers should already be filtering RFC1918 nets (oh boy, that can sure start an argument - *nanog memories*), others would say it's a negligible concern since DoS-type attacks with RFC1918 sources make up a small amount of actual observed attacks (most use spoofed sources targeted at perfectly valid network numbers).

As for a dynamic rule...
I have the following setup:

  divert 8668 ip from any to any via oif
  allow ip from any to any via lo0
  deny ip from any to 127.0.0.0/8
  # specific deny/logs to monitor port scans/etc
  check-state
  allow ip from oip to any keep-state
  allow ip from inw to any keep-state
  # specific allows i want
  deny ip from any to any

This is still very much in development, and I've only been playing with ipfw a short while (should the keep-state lines be 'to any setup keep-state' instead of just 'to any keep-state'?), but this seems to work well for me. The result is a protected LAN which can do anything it wants (controls could easily be tightened if I chose by adding denys), but only receives traffic I dictate.

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 14: 0: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 960B437BCEA for ; Mon, 24 Jul 2000 14:00:00 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 5748 invoked by uid 1000); 24 Jul 2000 20:59:59 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Jul 2000 20:59:59 -0000
Date: Mon, 24 Jul 2000 15:59:59 -0500 (CDT)
From: Mike Silbersack To: Adrian Chadd Cc: Terje Elde , Robert Watson , Sheldon Hearn , =?iso-8859-1?Q?Joachim_Str=F6mbergson?= , Greg Lewis , freebsd-security@FreeBSD.ORG Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap? In-Reply-To: <20000724210042.O62551@ywing.creative.net.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 24 Jul 2000, Adrian Chadd wrote: > Whats wrong with a bdev io layer like vinum/ccd which does crypto? > Then you could swap and filesystem to your block devices to your hearts > content with whatever filesystem you wanted? Encrypting at that low of a level wouldn't be very useful in the long run. For an encrypted filesystem to be truly useful, each user's files are encrypted with their own key. A partition-wide encryption doesn't protect anything if you get root hacked on your box. And a crypto swap should use as many keys as possible (see the openbsd implementation paper.) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 14:19:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id F418537BC01 for ; Mon, 24 Jul 2000 14:19:22 -0700 (PDT) (envelope-from dmartin@origen.com) Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id QAA86604; Mon, 24 Jul 2000 16:19:13 -0500 (CDT) (envelope-from dmartin@origen.com) Message-ID: <397CCEAC.ECC9CCA6@origen.com> Date: Mon, 24 Jul 2000 16:18:04 -0700 
From: Richard Martin X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Mike Hoskins Cc: Stephen Montgomery-Smith , freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I agree with Stephen, this is an unaddressed concern as written, although a small one. > > The web site fixes this by changing the line to: > > ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif} > > That's a completely different rule. The first rule blocks inbound packets > with RFC1918 network numbers (attempt to stop spoofing). The latter stops > outbound packets (RFC1918-compliant filtering). Stephen is correct, that this is the fix given by the FreeBSD website to prevent reply packets which are translated by natd from being dropped by the ruleset. You are both correct that this fix is a different rule and would not stop an inbound packet forged to be from the 192.168.0 network. > > > Is this the corect way to deal with this? Does this leave the computer > > open to spoofing? Is there some clever dynamic rule that could fix > > this? > > Open to spoofing? That depends who you ask. Some would say it doesn't, > since upstream routers should already be filtering RFC1918 nets On the other hand, I do see packets hitting the other inbound RFC 1918 filters from time to time. Someone should have a talk with those routers... A low level concern, but still a concern > > As for a dynamic rule... 
> I have the following setup:
>
> divert 8668 ip from any to any via oif
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> # specific deny/logs to monitor port scans/etc
> check-state
> allow ip from oip to any keep-state
> allow ip from inw to any keep-state
> # specific allows i want
> deny ip from any to any

This above looks promising - Is there a man page on using the state commands?

--
Richard Martin                 dmartin@origenbio.com
OriGen, inc.                   Tel: +1 512 474 7278
2525 Hartford Rd.              Fax: +1 512 708 8522
Austin, TX 78703

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 15:33:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.inwind.it (relay1.inwind.it [212.141.53.67]) by hub.freebsd.org (Postfix) with ESMTP id B92EB37BD7B for ; Mon, 24 Jul 2000 15:33:41 -0700 (PDT) (envelope-from bartequi@inwind.it)
Received: from bartequi.ottodomain.org (212.141.79.199) by relay1.inwind.it; 25 Jul 2000 00:33:40 +0200
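Worked example for the natd ordering question in this thread (an editorial addition, not code from Stephen Montgomery-Smith, Mike Hoskins or FreeBSD's rc.firewall): a small Python model of the ipfw rule walk with a divert rule in it. It pushes the thread's three interesting packets (the LAN host's outbound segment, the reply to it, and a forged packet addressed straight to 192.168.1.2 arriving on the outside interface) through four orderings: the shipped one, the web page's 'out via' change, the same 'via' checks moved in front of the divert, and a version split by direction. Interface names, addresses and ports are the thread's own; the natd session table is a simplification assumed here.

```python
"""Simulator for the ipfw/natd rule-ordering problem in this thread.

Modelled ipfw(8) semantics, only what the thread relies on: rules are
searched in order and the first match decides; 'in'/'out' restrict the
direction while 'via IFACE' matches both; a 'divert' rule hands the packet
to natd and the translated packet re-enters at the rule AFTER the divert,
on the same interface, in the same direction. The natd model (a per-session
table, port preserved) is a simplification assumed by this example.
"""
import ipaddress
from dataclasses import dataclass, replace

OIF = "oif"                                 # outside interface, as in the thread
EXT_ADDR = "12.34.56.78"                    # gateway's outside address
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    direction: str                          # "in" or "out"


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow", "deny" or "divert"
    src: str = "any"
    dst: str = "any"
    direction: str = None                   # None (both), "in" or "out"
    iface: str = None                       # None or the 'via' interface


def _addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _matches(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))


class Natd:
    """Rewrites LAN sources on the way out and maps the replies back."""

    def __init__(self):
        self.sessions = {}                  # (remote ip, remote port, ext port) -> (lan ip, lan port)

    def translate(self, pkt):
        if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in LAN:
            self.sessions[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=EXT_ADDR)
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.direction == "in" and pkt.dst == EXT_ADDR and key in self.sessions:
            lan_ip, lan_port = self.sessions[key]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        return pkt                          # anything else passes natd untouched


def run(rules, pkt, natd):
    """Return (verdict, packet as finally seen, index of the deciding rule)."""
    for i, rule in enumerate(rules):
        if not _matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd.translate(pkt)       # continue with the next rule
        else:
            return rule.action, pkt, i
    return "deny", pkt, -1                  # ipfw's default when nothing matched


# The thread's own packets: the LAN host's outbound segment and the reply to it,
# plus a forged packet from outside aimed straight at the LAN address.
OUTBOUND = Packet("192.168.1.2", 4444, "34.56.78.90", 22, OIF, "out")
REPLY = Packet("34.56.78.90", 22, EXT_ADDR, 4444, OIF, "in")
FORGED = Packet("34.56.78.90", 22, "192.168.1.2", 4444, OIF, "in")

DIVERT = Rule("divert", iface=OIF)
DST_VIA = Rule("deny", dst="192.168.0.0/16", iface=OIF)                   # as shipped
DST_OUT = Rule("deny", dst="192.168.0.0/16", direction="out", iface=OIF)  # the web page's change
DST_IN = Rule("deny", dst="192.168.0.0/16", direction="in", iface=OIF)
SRC_VIA = Rule("deny", src="192.168.0.0/16", iface=OIF)
SRC_OUT = Rule("deny", src="192.168.0.0/16", direction="out", iface=OIF)
ALLOW = Rule("allow")

RULESETS = {
    "as shipped": [DIVERT, SRC_VIA, DST_VIA, ALLOW],            # translated reply dies
    "out-via change": [DIVERT, SRC_VIA, DST_OUT, ALLOW],        # reply lives, forged packet too
    "checks before divert": [SRC_VIA, DST_VIA, DIVERT, ALLOW],  # untranslated outbound dies
    "split by direction": [DST_IN, DIVERT, SRC_OUT, ALLOW],     # dst check before natd, src check after
}


def evaluate(name):
    """Verdicts for the three packets under one ruleset, with a fresh natd."""
    natd = Natd()
    return {label: run(RULESETS[name], pkt, natd)[0]
            for label, pkt in (("outbound", OUTBOUND), ("reply", REPLY), ("forged", FORGED))}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:22s} {evaluate(name)}")
```

Running it prints one verdict line per ruleset. The shipped order drops the translated reply. The 'out via' change keeps it but, as Mike and Richard say, no longer touches a forged inbound packet at all. Moving the bidirectional 'via' checks in front of the divert fixes the reply but kills the LAN host's own outbound packet, because natd has not yet rewritten its source when the rule sees it. What works is to split by direction: the destination check ('in via ${oif}') must run before natd sees the packet, and the source check ('out via ${oif}') after natd has rewritten it, so the 'divert natd' rule has to sit between the two.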
From: Salvo Bartolotta
Date: Mon, 24 Jul 2000 23:34:56 GMT
Message-ID: <20000724.23345600@bartequi.ottodomain.org>
Subject: Re: Problems with natd and simple firewall
To: Richard Martin
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <397CCEAC.ECC9CCA6@origen.com>
References: <397CCEAC.ECC9CCA6@origen.com>
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/25/00, 12:18:04 AM, Richard Martin wrote regarding Re: Problems with natd and simple firewall:

> On the other hand, I do see packets hitting the other inbound RFC 1918 filters
> from time to time. Someone should have a talk with those routers... A low
> level concern, but still a concern

I have regularly (maybe I should say "systematically") been logging RFC-1918-spoofed packets coming through my ISP in the past few months.

I have also been using a closed (stateful) packet filter.

Needless to say, I phoned my ISP "technicians", I also sent mail, but I still regularly see those packets almost every day. What's more, this is, er, a big national (!) ISP in my country.

The (IPv4) 'Net may be insecure by ... definition, but this kind of thoughtlessness seems to me even worse.
Best regards,
Salvo

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 15:55:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id B05C637BBBF for ; Mon, 24 Jul 2000 15:55:05 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id PAA49471; Mon, 24 Jul 2000 15:54:51 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200007242254.PAA49471@gndrsh.dnsmgr.net>
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <20000724.23345600@bartequi.ottodomain.org> from Salvo Bartolotta at "Jul 24, 2000 11:34:56 pm"
To: bartequi@inwind.it (Salvo Bartolotta)
Date: Mon, 24 Jul 2000 15:54:50 -0700 (PDT)
Cc: dmartin@origen.com (Richard Martin), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you wish to make yourself even sicker run a ndc dump and grovel through the file for RFC1918 addresses. It is sites not knowing how to do split DNS that are leaking RFC1918 addresses into DNS that is causing some of these that we see cross our border routers (And yes, we have an AS policy that filters all RFC1918 src and dst addresses at all borders, up and down stream.)

Here is a days worth of counts from one router:

  00400   441   67618 deny log logamount 100 ip from 10.0.0.0/8 to any
  00400     8    7746 deny log logamount 100 ip from 172.16.0.0/12 to any
  00400    13     898 deny log logamount 100 ip from 192.168.0.0/16 to any
  00500     5     294 deny log logamount 100 ip from any to 10.0.0.0/8
  00500     4     242 deny log logamount 100 ip from any to 172.16.0.0/12
  00500    53    2417 deny log logamount 100 ip from any to 192.168.0.0/16

> On 7/25/00, 12:18:04 AM, Richard Martin wrote
> regarding Re: Problems with natd and simple firewall:
>
> > On the other hand, I do see packets hitting the other inbound RFC 1918 filters
> > from time to time. Someone should have a talk with those routers... A low
> > level concern, but still a concern
>
> I have regularly (maybe I should say "systematically") been
> logging RFC-1918-spoofed packets coming through my ISP in the past few
> months.
>
> I have also been using a closed (stateful) packet filter.
> > > > Needless to say, I phoned my ISP "technicians", I also sent mail, but > I still regularly see those packets almost every day. What's more, > this is, er, a big national (!) ISP in my country. > > The (IPv4) 'Net may be insecure by ... definition, but this kind of > thoughtlessness seems to me even worse. > > Best regards, > Salvo > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 16:12:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 7B66037BC68; Mon, 24 Jul 2000 16:12:18 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id QAA23183; Mon, 24 Jul 2000 16:12:18 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Mon, 24 Jul 2000 16:12:17 -0700 (PDT) 
From: Kris Kennaway To: Mike Silbersack Cc: Adrian Chadd , Terje Elde , Robert Watson , Sheldon Hearn , =?iso-8859-1?Q?Joachim_Str=F6mbergson?= , Greg Lewis , freebsd-security@FreeBSD.ORG Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 24 Jul 2000, Mike Silbersack wrote: > Encrypting at that low of a level wouldn't be very useful in the long > run. For an encrypted filesystem to be truly useful, each user's files > are encrypted with their own key. A partition-wide encryption doesn't > protect anything if you get root hacked on your box. Except this breaks the Unix filesystem semantic that you can read other people's files (if they have to provide their key manually and it is not pre-available), which is probably necessary for system operation. Unless all of the keys were available in the kernel without user intervention and stored persistently (perhaps encrypted by a master key), which sort of defeats the purpose unless you have somewhere "better" to store the key table than on disk. Kris -- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 16:14:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from racine.cybercable.fr (racine.cybercable.fr [212.198.0.201]) by hub.freebsd.org (Postfix) with SMTP id 2B3C037BD22 for ; Mon, 24 Jul 2000 16:14:33 -0700 (PDT) (envelope-from clefevre@citeweb.net)
Received: (qmail 3713022 invoked from network); 24 Jul 2000 23:14:29 -0000
Received: from r227m167.cybercable.tm.fr (HELO gits.dyndns.org) ([195.132.227.167]) (envelope-sender ) by racine.cybercable.fr (qmail-ldap-1.03) with SMTP for ; 24 Jul 2000 23:14:29 -0000
Received: (from root@localhost) by gits.dyndns.org (8.9.3/8.9.3) id BAA32590; Tue, 25 Jul 2000 01:14:29 +0200 (CEST) (envelope-from clefevre@citeweb.net)
To: Lyndon Nerenberg
Cc: Gerhard Sittig , security@FreeBSD.ORG
Subject: Re: What does this mean and how do I stop it ?
References: <144260000.964466163@gollum.esys.ca>
Reply-To: Cyrille Lefevre
From: Cyrille Lefevre In-Reply-To: Lyndon Nerenberg's message of "Mon, 24 Jul 2000 13:16:03 -0600" Date: 25 Jul 2000 01:14:28 +0200 Message-ID: Lines: 26 User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Canyonlands) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lyndon Nerenberg writes: > --On 07/24/00 19:29:15 +0200 Gerhard Sittig > wrote: > > > On Mon, Jul 24, 2000 at 08:56 +1000, Stanley Hopcroft wrote: > >> > >> These entries appear frequently in the daily security report of > >> a FreeBSD 4.0-RELEASE machine (Bind 8.2.x) > >> > >> > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53 > > > > I don't care if everybody's telling you it's DNS *lookup* -- I > > feel this is something different, since it's going *from* port 53 > > *to* something random(?). > > If you have 'nameservers 127.0.0.1' in /etc/resolv.conf then this is > probably named answering a DNS lookup request from a local process. well. except by setting log_in_vain to zero. is there another way to get rid of those messages ? if not, log_in_vain is meaningless if we have to set it to zero to get rid of those messages, no ? Cyrille. 
-- home: mailto:clefevre@citeweb.net work: mailto:Cyrille.Lefevre@edf.fr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 16:18:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.houston.rr.com (sm2.texas.rr.com [24.93.35.55]) by hub.freebsd.org (Postfix) with ESMTP id 18A0837B55A for ; Mon, 24 Jul 2000 16:18:30 -0700 (PDT) (envelope-from shocking@houston.rr.com) Received: from bleep.craftncomp.com ([24.27.77.164]) by mail.houston.rr.com with Microsoft SMTPSVC(5.5.1877.357.35); Mon, 24 Jul 2000 18:17:21 -0500 Received: from bloop.craftncomp.com (bloop.craftncomp.com [202.12.111.1]) by bleep.craftncomp.com (8.9.3/8.9.3) with ESMTP id SAA15669; Mon, 24 Jul 2000 18:14:19 -0500 (CDT) (envelope-from shocking@houston.rr.com) Received: from bloop.craftncomp.com (localhost [127.0.0.1]) by bloop.craftncomp.com (8.9.3/8.9.3) with ESMTP id SAA01912; Mon, 24 Jul 2000 18:14:09 -0500 (CDT) (envelope-from shocking@bloop.craftncomp.com) Message-Id: <200007242314.SAA01912@bloop.craftncomp.com> X-Mailer: exmh version 2.1.1 10/15/1999 To: security@freebsd.org, sage-au@sage-au.org.au Subject: Script kiddies and their port scans Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 24 Jul 2000 18:14:09 -0500 
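One way to answer Cyrille's question without setting log_in_vain to zero, added here as an example (not code from any list participant or from FreeBSD): filter the daily security report so that the late DNS answers Steinar and Lyndon describe are separated from everything else. A line is treated as such an answer only when it is UDP, comes from port 53 on a nameserver actually listed in resolv.conf, and targets a local ephemeral port; anything else stays in view. The resolv.conf and report lines are constructed for the example, and the ephemeral range 1024-5000 is assumed to be the default of the time.

```python
"""Triage of log_in_vain 'Connection attempt to UDP ...' report lines.

Added example for the "What does this mean and how do I stop it?" thread;
not code from any list participant or from FreeBSD. A DNS answer that
arrives after the resolver has closed its socket is logged exactly like a
probe: source port 53 on a nameserver, destination a closed ephemeral port.
Assumptions: the ephemeral range below (FreeBSD 4.x's default portrange)
and the constructed resolv.conf and report text.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<lip>[\d.]+):(?P<lport>\d+) "
    r"from (?P<rip>[\d.]+):(?P<rport>\d+)"
)
EPHEMERAL = range(1024, 5001)            # assumed net.inet.ip.portrange.first/last

RESOLV_CONF = """\
domain example.org
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

SAMPLE_REPORT = """\
Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53
Connection attempt to UDP 127.0.0.1:2350 from 127.0.0.1:53
Connection attempt to UDP 198.51.100.7:1039 from 192.0.2.53:53
Connection attempt to UDP 198.51.100.7:1039 from 203.0.113.9:53
Connection attempt to UDP 198.51.100.7:31337 from 203.0.113.9:31337
Connection attempt to TCP 198.51.100.7:27374 from 203.0.113.9:4321
"""


def nameservers(resolv_conf):
    """Addresses on 'nameserver' lines of resolv.conf (the keyword is singular)."""
    return {ipaddress.ip_address(parts[1])
            for parts in (line.split() for line in resolv_conf.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"}


def is_late_dns_answer(entry, servers):
    """UDP from port 53 on a configured nameserver to a local ephemeral port."""
    return (entry["proto"] == "UDP"
            and int(entry["rport"]) == 53
            and ipaddress.ip_address(entry["rip"]) in servers
            and int(entry["lport"]) in EPHEMERAL)


def triage_report(report_text, resolv_conf):
    """Return (noise, suspicious): late DNS answers versus everything else."""
    servers = nameservers(resolv_conf)
    noise, suspicious = [], []
    for line in report_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        bucket = noise if is_late_dns_answer(m.groupdict(), servers) else suspicious
        bucket.append(line)
    return noise, suspicious


if __name__ == "__main__":
    noise, suspicious = triage_report(SAMPLE_REPORT, RESOLV_CONF)
    print(f"{len(noise)} late DNS answers suppressed")
    for line in suspicious:
        print("LOOK:", line)
```

On the sample, the three answers from the configured servers are suppressed; the answer from port 53 on a host that is not in resolv.conf is kept, because a server you never asked has no business answering you, and so are the non-DNS probes.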
From: Stephen Hocking
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Checking the firewall logs I see various attempts to connect to rather unusual ports on my box - does anyone know what the following are?

  27374
  1243
  98 - This comes up as TACNEWS in /etc/services
  143 imap2

Are the two unknown ones some BackOrifice port or part of the common backdoors left behind by these twerps?

Stephen
--
The views expressed above are not those of PGS Tensor.
"We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true." Robert Wilensky, University of California

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 24 16:19:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hecky.it.northwestern.edu (hecky.acns.nwu.edu [129.105.16.51]) by hub.freebsd.org (Postfix) with ESMTP id 5511537B589 for ; Mon, 24 Jul 2000 16:19:22 -0700 (PDT) (envelope-from djkanter@northwestern.edu)
Received: (from mailnull@localhost) by hecky.it.northwestern.edu (8.8.7/8.8.7) id SAA03766 for ; Mon, 24 Jul 2000 18:19:18 -0500 (CDT)
Received: from localhost.localdomain (coconut-31-028051.nuts.nwu.edu [165.124.28.51]) by hecky.acns.nwu.edu via smap (V2.0) id xma003698; Mon, 24 Jul 00 18:18:58 -0500
Received: (from david@localhost) by localhost.localdomain (8.9.3/8.9.3) id SAA63046 for freebsd-security@freebsd.org; Mon, 24 Jul 2000 18:18:10 -0500 (CDT) (envelope-from david)
Date: Mon, 24 Jul 2000 18:18:10 -0500
From: "David J. Kanter" To: FreeBSD security Subject: Uninstalling KerberosIV Message-ID: <20000724181810.A63026@localhost.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i X-Organization: Northwestern University X-Operating-System: FreeBSD 4.0-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'd like to uninstall KerberosIV (from my initial 3.4-Release CD set) and drop in Kerberos V (on my now 4.0-Stable computer). I'm not sure how to gracefully get rid of KerberosIV, which I think was installed with sysinstall. Must I first update sysinstall, to the 4.0 version, then use that to get rid of the KerberosIV stuff? How do I update sysinstall, by the way? The old one would seg fault kind of frequently. (I know this was a posted issue.) Making the KerberosV port is the easy part. -- David Kanter djkanter@northwestern.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 16:23:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from slip.csosl.co.uk (slip.csosl.co.uk [194.205.66.135]) by hub.freebsd.org (Postfix) with SMTP id 2014337B768 for ; Mon, 24 Jul 2000 16:23:05 -0700 (PDT) (envelope-from nick@loman.net) Received: (qmail 48220 invoked by uid 1001); 24 Jul 2000 23:18:11 -0000 
From: "Nick Loman" Date: Tue, 25 Jul 2000 00:18:10 +0100 (BST) To: security@freebsd.org Subject: Re: Script kiddies and their port scans In-Reply-To: <200007242314.SAA01912@bloop.craftncomp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 24 Jul 2000, Stephen Hocking wrote: > Checking the firewall logs I see various attempts to connect to rather unusual > ports on my box - does anyone now what the following are? > > > 27374 > > 1243 > > 98 - This comes up as TACNEWS in /etc/services > > 143 imap2 > > Are the two unknown ones some BackOrifice port or part of the common backdoors > left behind by these twerps? I have a similar question, but the port I saw was 1236 /etc/services says: rmtcfg 1236/tcp # Gracilis Packeten remote config server (though I obviously don't run any such thing) Nick. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 16:40:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 3C5CB37B739 for ; Mon, 24 Jul 2000 16:40:40 -0700 (PDT) (envelope-from alex@wnm.net) Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id e6ONfAh44141; Mon, 24 Jul 2000 18:41:10 -0500 (CDT) Date: Mon, 24 Jul 2000 18:41:10 -0500 (CDT) 
From: Alex Charalabidis To: Stephen Hocking Cc: security@FreeBSD.ORG, sage-au@sage-au.org.au Subject: Re: Script kiddies and their port scans In-Reply-To: <200007242314.SAA01912@bloop.craftncomp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 24 Jul 2000, Stephen Hocking wrote: > Checking the firewall logs I see various attempts to connect to rather unusual > ports on my box - does anyone now what the following are? > > > 27374 > Sub7 trojan > 1243 > Probably Sub7, some other backdoor tools too > 98 - This comes up as TACNEWS in /etc/services > Linuxconf. Many script kiddies look specifically for Linux boxen. > 143 imap2 > IMAP is, well IMAP. hth -ac -- ============================================================== Alex Charalabidis (AC8139) 5050 Poplar Ave, Ste 170 Systems Administrator Memphis, TN 38157 WebNet Memphis (901) 432 6000 Author, The Book of IRC http://www.bookofirc.com/ ============================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 24 17: 8:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.everyday.cx (cr308584-a.wlfdle1.on.wave.home.com [24.114.52.208]) by hub.freebsd.org (Postfix) with ESMTP id E708637B51E for ; Mon, 24 Jul 2000 17:08:50 -0700 (PDT) (envelope-from webbie@everyday.cx) Received: from apollo (apollo.objtech.com [192.168.111.5]) by mail.everyday.cx (Postfix) with ESMTP id CEC8C49B5; Mon, 24 Jul 2000 20:08:45 -0400 (EDT) Date: Mon, 24 Jul 2000 20:08:45 -0400 
From: Webbie
Reply-To: Webbie
Message-ID: <4554750266.20000724200845@everyday.cx>
To: "Nick Loman"
Cc: security@freebsd.org
Subject: Re[2]: Script kiddies and their port scans

Hello Nick,

This url might help.

http://www.robertgraham.com/pubs/firewall-seen.html

Monday, July 24, 2000, 7:18:10 PM, you wrote:

NL> On Mon, 24 Jul 2000, Stephen Hocking wrote:

>> Checking the firewall logs I see various attempts to connect to rather unusual
>> ports on my box - does anyone know what the following are?
>>
>>
>> 27374
>>
>> 1243
>>
>> 98 - This comes up as TACNEWS in /etc/services
>>
>> 143 imap2
>>
>> Are the two unknown ones some BackOrifice port or part of the common backdoors
>> left behind by these twerps?

NL> I have a similar question, but the port I saw was 1236

NL> /etc/services says:

NL> rmtcfg 1236/tcp # Gracilis Packeten remote config
NL> server

NL> (though I obviously don't run any such thing)

NL> Nick.
--
Webbie
                                   \\|//
                                   (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail : mailto:webbie(at)everyday(dot)cx
PGP Key : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
+-------------------------------------------------------------------+
not properly grounded, please bury computer

From owner-freebsd-security Mon Jul 24 17:40:15 2000
Date: Mon, 24 Jul 2000 19:40:09 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: Adrian Chadd, Terje Elde, Robert Watson, Sheldon Hearn, Joachim Strömbergson, Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?

On Mon, 24 Jul 2000, Kris Kennaway wrote:

> On Mon, 24 Jul 2000, Mike Silbersack wrote:
>
> > Encrypting at that low of a level wouldn't be very useful in the long
> > run. For an encrypted filesystem to be truly useful, each user's files
> > are encrypted with their own key. A partition-wide encryption doesn't
> > protect anything if you get root hacked on your box.
>
> Except this breaks the Unix filesystem semantic that you can read other
> people's files (if they have to provide their key manually and it is not
> pre-available), which is probably necessary for system operation. Unless
> all of the keys were available in the kernel without user intervention and
> stored persistently (perhaps encrypted by a master key), which sort of
> defeats the purpose unless you have somewhere "better" to store the key
> table than on disk.
>
> Kris

Sorry, I should've mentioned that the encryption would be on a per-file
basis. For example, I'd encrypt ~silby/personal and leave everything else
untouched. This is how TCFS/CFS works, if I understand correctly.
Mike "Silby" Silbersack

From owner-freebsd-security Mon Jul 24 17:47:58 2000
Message-ID: <397CE3B8.64513F33@integratus.com>
Date: Mon, 24 Jul 2000 17:47:52 -0700
From: Jack Rusher
Organization: Integratus
To: freebsd-security@freebsd.org
Subject: Re: Status of FreeBSD security work? Audit, regression and cryptoswap?

Mike Silbersack wrote:
>
> Sorry, I should've mentioned that the encryption would be on a per-file
> basis. For example, I'd encrypt ~silby/personal and leave everything else
> untouched. This is how TCFS/CFS works, if I understand correctly.

Has everyone had a look at:

http://www.fs.net/

...Kevin Fu gave a nice presentation on this at USENIX. It is a pretty
cool hack that has a nice way of handling key infrastructure for files.

--
Jack Rusher, Senior Engineer | mailto:jar@integratus.com
Integratus, Inc.             | http://www.integratus.com

From owner-freebsd-security Mon Jul 24 18:18:13 2000
Date: Mon, 24 Jul 2000 18:17:44 -0700 (PDT)
From: Mike Hoskins
To: Richard Martin
Cc: Stephen Montgomery-Smith, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397CCEAC.ECC9CCA6@origen.com>

On Mon, 24 Jul 2000, Richard Martin wrote:

> This above looks promising - Is there a man page on using the state
> commands?

ipfw(8)'s been updated to include keep-state/check-state. It's not, by any
means, a complete, easy to understand reference... but I did manage to get
my LAN up and going with only it as reference (lost the URL to the
previously mentioned FreeBSD site when I was setting up ipfw).

-mrh

From owner-freebsd-security Mon Jul 24 18:29: 5 2000
Message-ID: <397CEC16.F5453AC0@cwcom.net>
Date: Tue, 25 Jul 2000 02:23:35 +0100
From: m01ym900@cwcom.net
Reply-To: john1000@cwcom.net
To: freebsd-security@freebsd.org
Subject: orange book rating for freebsd

does anyone know what level of security rating freeBSD can be configured
to, with regards to the orange book rating system (C1 through to A1).

Tangyu

From owner-freebsd-security Mon Jul 24 19:16:25 2000
From: Greg Lewis
Message-Id: <200007250216.LAA42182@ares.trc.adelaide.edu.au>
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?
In-Reply-To: from Kris Kennaway at "Jul 24, 2000 04:12:17 pm"
To: Kris Kennaway
Date: Tue, 25 Jul 2000 11:46:07 +0930 (CST)
Cc: freebsd-security@FreeBSD.org

Kris Kennaway wrote:
> On Mon, 24 Jul 2000, Mike Silbersack wrote:
>
> > Encrypting at that low of a level wouldn't be very useful in the long
> > run. For an encrypted filesystem to be truly useful, each user's files
> > are encrypted with their own key. A partition-wide encryption doesn't
> > protect anything if you get root hacked on your box.
>
> Except this breaks the Unix filesystem semantic that you can read other
> people's files (if they have to provide their key manually and it is not
> pre-available), which is probably necessary for system operation. Unless
> all of the keys were available in the kernel without user intervention and
> stored persistently (perhaps encrypted by a master key), which sort of
> defeats the purpose unless you have somewhere "better" to store the key
> table than on disk.

TCFS can share files between members of a group starting with version 2.2.
More details at http://tcfs.dia.unisa.it/group-sharing.html.
--
Greg Lewis                        glewis@trc.adelaide.edu.au
Computing Officer                 +61 8 8303 5083
Teletraffic Research Centre

From owner-freebsd-security Mon Jul 24 19:51:41 2000
Message-Id: <200007250251.UAA85516@harmony.village.org>
To: john1000@cwcom.net
Subject: Re: orange book rating for freebsd
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 25 Jul 2000 02:23:35 BST." <397CEC16.F5453AC0@cwcom.net>
References: <397CEC16.F5453AC0@cwcom.net>
Date: Mon, 24 Jul 2000 20:51:16 -0600
From: Warner Losh

In message <397CEC16.F5453AC0@cwcom.net> m01ym900@cwcom.net writes:
: does anyone know what level of security rating freeBSD can be configured
: to, with regards to the orange book rating system (C1 through to A1).

FreeBSD can be configured to be C2 secure, just like all the other
Unix-oids out there. There's some work with TrustedBSD to make things
B1 or B2, but those are very hard. FreeBSD doesn't have the
facilities to get A1, which requires, iirc, tagging of all data as
unclassified, secret or top secret and not allowing data to cross the
security boundaries (in either direction w/o authorization from the
system administrator).

Warner

From owner-freebsd-security Mon Jul 24 20:32:45 2000
Message-ID: <397D0A56.E695E55C@math.missouri.edu>
Date: Mon, 24 Jul 2000 22:32:38 -0500
From: Stephen Montgomery-Smith
To: Mike Hoskins
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall

Mike Hoskins wrote:
>
> As for a dynamic rule... I have the following setup:
>
> divert 8668 ip from any to any via oif
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> # specific deny/logs to monitor port scans/etc
> check-state
> allow ip from oip to any keep-state
> allow ip from inw to any keep-state
> # specific allows i want
> deny ip from any to any
>

I read the ipfw man page, and it is so terse on this subject that I
cannot understand it. Like many man pages, it gives a lot of details,
but does not provide the overall picture. If anyone could tell me the
overall picture of what dynamic rules are about - give me a start and a
context so that the man page makes sense, I would really appreciate it.
--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

From owner-freebsd-security Mon Jul 24 22:59:58 2000
Date: Mon, 24 Jul 2000 22:50:53 -0700
From: "Crist J. Clark"
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000724225053.B258@pool0653.cvx20-bradley.dialup.e>
Reply-To: cjclark@alum.mit.edu
References: <397C8F30.8DFCE0E9@math.missouri.edu>
In-Reply-To: <397C8F30.8DFCE0E9@math.missouri.edu>; from stephen@math.missouri.edu on Mon, Jul 24, 2000 at 01:47:12PM -0500

On Mon, Jul 24, 2000 at 01:47:12PM -0500, Stephen Montgomery-Smith wrote:
> I recently tried to get natd to work with the default
> rc.firewall that comes with FreeBSD 4.1RC, and it didn't
> work. I found the problem, from looking at the web site
> http://www.mostgraveconcern.com/freebsd/sheet.cgi?ipfw
> which has a cure, but I wonder if there are other ways
> to fix it.
>
> In any case, the rc.firewall is currently seriously
> deficient.

The rules in rc.firewall are not meant to be used as is or with simply
plugging in your IP addresses and interface names. If you do this, as
you found out, things may not work.

> Here is the setup: my external network has
> net:mask = 12.34.56.0/24
> and my internal network has
> net:mask = 192.168.1/24
>
> Now, suppose I have established a connection:
> 192.168.1.2:4444 to 34.56.78.90:22
> natd changes this to
> 12.34.56.78:4444 to 34.56.78.90:22
>
> Now a piece of tcp comes in:
> 34.56.78.90:22 to 12.34.56.78:4444 via outside-interface
> natd converts this to
> 34.56.78.90:22 to 192.168.1.2:4444 via outside-interface
>
> which immediately gets killed by the rule in rc.firewall:
>
> # Stop RFC1918 nets on the outside interface
> ...........
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> The web site fixes this by changing the line to:
>
> ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
>
> Is this the correct way to deal with this?
> Does this leave the computer
> open to spoofing? Is there some clever dynamic rule that could fix
> this?

Why not just block the RFC1918 addresses on the outer interface
_before_ the divert rule?

# Stop RFC1918 nets on the outside interface
...........
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

$fwcmd add divert natd all from any to any via ${natd_interface}

Seems simple enough? No downside I can see.

--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Mon Jul 24 23: 6:57 2000
Date: Tue, 25 Jul 2000 08:14:23 +0200
From: Adrian Chadd
To: Mike Silbersack
Cc: Kris Kennaway, Adrian Chadd, Terje Elde, Robert Watson, Sheldon Hearn, Joachim Strömbergson, Greg Lewis, freebsd-security@FreeBSD.org
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?
Message-ID: <20000725081423.Q62551@ywing.creative.net.au>
In-Reply-To: ; from silby@silby.com on Mon, Jul 24, 2000 at 07:40:09PM -0500

On Mon, Jul 24, 2000, Mike Silbersack wrote:
>
> On Mon, 24 Jul 2000, Kris Kennaway wrote:
>
> > On Mon, 24 Jul 2000, Mike Silbersack wrote:
> >
> > > Encrypting at that low of a level wouldn't be very useful in the long
> > > run. For an encrypted filesystem to be truly useful, each user's files
> > > are encrypted with their own key. A partition-wide encryption doesn't
> > > protect anything if you get root hacked on your box.
> >
> > Except this breaks the Unix filesystem semantic that you can read other
> > people's files (if they have to provide their key manually and it is not
> > pre-available), which is probably necessary for system operation. Unless
> > all of the keys were available in the kernel without user intervention and
> > stored persistently (perhaps encrypted by a master key), which sort of
> > defeats the purpose unless you have somewhere "better" to store the key
> > table than on disk.
> >
> > Kris
>
> Sorry, I should've mentioned that the encryption would be on a per-file
> basis. For example, I'd encrypt ~silby/personal and leave everything else
> untouched. This is how TCFS/CFS works, if I understand correctly.

Ok. Someone is going to have to make stacking layers finally work. ;-)

Adrian

--
Adrian Chadd
Now 17-year-olds can't play a _video game_ because its called violent -
and real violence is still called dinner.
    -- jamie@mccarthy.org

From owner-freebsd-security Mon Jul 24 23:20:23 2000
From: Darren Reed
Message-Id: <200007250619.QAA05994@cairo.anu.edu.au>
Subject: Re: orange book rating for freebsd
To: imp@village.org (Warner Losh)
Date: Tue, 25 Jul 2000 16:19:51 +1000 (Australia/NSW)
Cc: john1000@cwcom.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <200007250251.UAA85516@harmony.village.org> from "Warner Losh" at Jul 24, 2000 08:51:16 PM

In some mail from Warner Losh, sie said:
>
> In message <397CEC16.F5453AC0@cwcom.net> m01ym900@cwcom.net writes:
> : does anyone know what level of security rating freeBSD can be configured
> : to, with regards to the orange book rating system (C1 through to A1).
>
> FreeBSD can be configured to be C2 secure, just like all the other
> Unix-oids out there. There's some work with TrustedBSD to make things
> B1 or B2, but those are very hard. FreeBSD doesn't have the
> facilities to get A1, which requires, iirc, tagging of all data as
> unclassified, secret or top secret and not allowing data to cross the
> security boundaries (in either direction w/o authorization from the
> system administrator).

In addition to programming with labels, etc, Ax also requires taking into
account "signalling" via covert channels. FreeBSD will never reach an A
level orange book rating because it was not designed, from scratch, to be
that way. C2 is just a matter of someone with money giving a box to the
NSA, appropriately configured and with suitable documentation, for review.

As for "tags", those are required for B2, along with rules about which
way data can "travel".
Darren

From owner-freebsd-security Tue Jul 25 0: 7:40 2000
To: Darren Reed
Cc: imp@village.org (Warner Losh), john1000@cwcom.net, freebsd-security@FreeBSD.ORG
Subject: Re: orange book rating for freebsd
In-reply-to: Your message of "Tue, 25 Jul 2000 16:19:51 +1000." <200007250619.QAA05994@cairo.anu.edu.au>
Date: Tue, 25 Jul 2000 09:07:16 +0200
Message-ID: <9855.964508836@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <200007250619.QAA05994@cairo.anu.edu.au>, Darren Reed writes:
>In some mail from Warner Losh, sie said:
>>
>> In message <397CEC16.F5453AC0@cwcom.net> m01ym900@cwcom.net writes:
>> : does anyone know what level of security rating freeBSD can be configured
>> : to, with regards to the orange book rating system (C1 through to A1).
>>
>> FreeBSD can be configured to be C2 secure, just like all the other
>> Unix-oids out there. There's some work with TrustedBSD to make things
>> B1 or B2, but those are very hard. FreeBSD doesn't have the
>> facilities to get A1, which requires, iirc, tagging of all data as
>> unclassified, secret or top secret and not allowing data to cross the
>> security boundaries (in either direction w/o authorization from the
>> system administrator).
>
>In addition to programming with labels, etc, Ax also requires taking into
>account "signalling" via covert channels. FreeBSD will never reach an A
>level orange book rating because it was not designed, from scratch, to be
>that way. C2 is just a matter of someone with money giving a box to the
>NSA, appropriately configured and with suitable documentation, for review.
>
>As for "tags", those are required for B2, along with rules about which
>way data can "travel".

As far as I know we'll never get any A rating because that requires
design documents which define the security.

--
Poul-Henning Kamp             | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG               | TCP/IP since RFC 956
FreeBSD coreteam member       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security Tue Jul 25 0: 8:36 2000
Message-ID: <015601bff607$1c48cbc0$029b140a@danco>
Reply-To: "Dan O'Connor"
From: "Dan O'Connor"
To: , "Stephen Montgomery-Smith"
Subject: Re: Problems with natd and simple firewall
Date: Tue, 25 Jul 2000 00:08:18 -0700

>Why not just block the RFC1918 addresses on the outer interface
>_before_ the divert rule?

I'm confused as to how ipfw treats packets with forwarding turned on, but
without NAT. Packets that aren't natted supposedly only make one trip
through the rules, so does ipfw check the packet as if it exists on both
interfaces (in on one, out on the other) at the same time?

If so, and I put the divert rule *after* the anti-spoofing and RFC1918
rules:

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

${fwcmd} add divert natd all from any to any via ${natd_interface}

And then attempt to connect to an external machine from a machine on my
inside net:

192.168.1.5:1025 -> 12.34.56.78:80

Won't the RFC1918 rule kill it before it gets natted (since it's
simultaneously 'in via iif' and 'out via oif')?

'man natd' seems to imply that the divert rule should come before any
other rule:

    If you specify real firewall rules, it is best to specify line 2 at
    the start of the script so that natd sees all packets before they
    are dropped by the firewall.

In this case the RFC1918 rule would see the packet as if coming from the
local machine (and not as a simultaneous in-and-out packet).
--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com
FreeBSD Cheat Sheets
http://www.mostgraveconcern.com/freebsd/

From owner-freebsd-security Tue Jul 25 0:23:18 2000
Message-ID: <397D4062.4A1FFFE2@math.missouri.edu>
Date: Tue, 25 Jul 2000 02:23:14 -0500
From: Stephen Montgomery-Smith
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
References: <397C8F30.8DFCE0E9@math.missouri.edu> <20000724225053.B258@pool0653.cvx20-bradley.dialup.e>

"Crist J. Clark" wrote:
>
> Why not just block the RFC1918 addresses on the outer interface
> _before_ the divert rule?
>
> # Stop RFC1918 nets on the outside interface
> ...........
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> $fwcmd add divert natd all from any to any via ${natd_interface}
>
> Seems simple enough? No downside I can see.

Yes, I had the same idea over dinner. Trouble is, it doesn't work. I
tried it.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

From owner-freebsd-security Tue Jul 25 0:30:33 2000
Message-ID: <397D4214.48E908CC@math.missouri.edu>
Date: Tue, 25 Jul 2000 02:30:28 -0500
From: Stephen Montgomery-Smith
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
References: <397C8F30.8DFCE0E9@math.missouri.edu>

Stephen Montgomery-Smith wrote:
>
>
> # Stop RFC1918 nets on the outside interface
> ...........
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> The web site fixes this by changing the line to:
>
> ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
>

Actually there is also a rule in rc.firewall:

${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

which the web site changed to

${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}

I found that this change was unnecessary. But if you think about it
logically, that change should be necessary.

Let's suppose the gateway's external ip is 12.34.56.78, and that a
computer on the internal net 10.0.0.2 wants to talk to some outside
computer 66.77.88.99. So 10.0.0.2 sends an ip packet:

10.0.0.2 to 66.77.88.99 via iif

I would think that the gateway sends this to

10.0.0.2 to 66.77.88.99 via oif

which then the divert rule changes to

12.34.56.78 to 66.77.88.99 via oif

This would be killed by the above rule. But somehow, instead what
happens is that the divert rule changes

10.0.0.2 to 66.77.88.99 via iif

directly to

12.34.56.78 to 66.77.88.99 via iif

I think that if the code that does this gets cleaned up, then it might
change to the more logical way, and then .......
--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

From owner-freebsd-security Tue Jul 25 0:42:18 2000
Date: Tue, 25 Jul 2000 09:41:34 +0200 (MET DST)
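The rule orderings argued over in the natd thread above (the stock rc.firewall order, Crist's deny-before-divert suggestion, the cheat sheet's in via / out via change, and Stephen's observation that only the out via change is needed) run through a small model of ipfw's two-pass evaluation. This is an added example, not code or a claim from any of the posters: it assumes the ipfw semantics stated in its docstring, the interface names xl0/xl1, and a single constructed NAT session, and it goes beyond the thread's one packet by tracing both directions through all four rulesets.

```python
"""Toy model of how ipfw evaluates a natd gateway's rules (added example,
not code from the thread).  Assumed semantics: a forwarded packet is
checked twice, 'in' on the arriving interface and 'out' on the leaving one;
'divert natd' rewrites the packet and ipfw resumes at the next rule; plain
'via' matches on either pass, 'in via' / 'out via' on that pass only.
Interface names xl0/xl1 and the NAT session are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OIF, IIF = "xl0", "xl1"                         # assumed outside / inside interface
GATEWAY_PUBLIC = "12.34.56.78"                  # gateway address used in the thread
INTERNAL_NET = ip_network("192.168.1.0/24")
NAT_SESSIONS = {GATEWAY_PUBLIC: "192.168.1.2"}  # constructed: one open session


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str          # "in" or "out"


@dataclass(frozen=True)
class Rule:
    action: str             # "deny", "allow" or "divert"
    src: str = "any"
    dst: str = "any"
    direction: str = "via"  # "via" (either pass), "in" or "out"
    iface: str = ""         # "" means any interface

    def matches(self, pkt: Packet) -> bool:
        if self.iface and pkt.iface != self.iface:
            return False
        if self.direction != "via" and pkt.direction != self.direction:
            return False
        return _addr_matches(pkt.src, self.src) and _addr_matches(pkt.dst, self.dst)


def _addr_matches(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def natd(pkt: Packet) -> Packet:
    """Simplified natd: hide private sources going out, map replies back in."""
    if pkt.direction == "out" and ip_address(pkt.src) in INTERNAL_NET:
        return replace(pkt, src=GATEWAY_PUBLIC)
    if pkt.direction == "in" and pkt.dst in NAT_SESSIONS:
        return replace(pkt, dst=NAT_SESSIONS[pkt.dst])
    return pkt


def one_pass(rules, pkt):
    """Evaluate a single pass; returns (verdict, packet as natd left it)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)             # natd reinjects after the divert rule
            continue
        return rule.action, pkt
    return "deny", pkt                  # rc.firewall ends with a deny-all


def forward(rules, pkt: Packet, out_iface: str) -> str:
    """Input pass on the arriving interface, then output pass on out_iface."""
    verdict, pkt = one_pass(rules, pkt)
    if verdict != "allow":
        return "denied on input pass"
    verdict, _ = one_pass(rules, replace(pkt, iface=out_iface, direction="out"))
    return "allowed" if verdict == "allow" else "denied on output pass"


DIVERT = Rule("divert", iface=OIF)                              # divert natd all from any to any via ${oif}
ALLOW = Rule("allow")                                           # stand-in for the specific allow rules
DENY_FROM_PRIV = Rule("deny", src="192.168.0.0/16", iface=OIF)  # deny all from 192.168.0.0/16 to any via ${oif}
DENY_TO_PRIV = Rule("deny", dst="192.168.0.0/16", iface=OIF)    # deny all from any to 192.168.0.0/16 via ${oif}
DENY_FROM_PRIV_IN = replace(DENY_FROM_PRIV, direction="in")     # the same rule with 'in via ${oif}'
DENY_TO_PRIV_OUT = replace(DENY_TO_PRIV, direction="out")       # the same rule with 'out via ${oif}'

RULESETS = {
    "rc.firewall: divert first, plain via": [DIVERT, DENY_FROM_PRIV, DENY_TO_PRIV, ALLOW],
    "deny before divert": [DENY_FROM_PRIV, DENY_TO_PRIV, DIVERT, ALLOW],
    "cheat sheet: in via / out via": [DIVERT, DENY_FROM_PRIV_IN, DENY_TO_PRIV_OUT, ALLOW],
    "only out via changed": [DIVERT, DENY_FROM_PRIV, DENY_TO_PRIV_OUT, ALLOW],
}

# Constructed traffic: the session from the thread, one packet each way.
OUTBOUND = Packet("192.168.1.2", "34.56.78.90", IIF, "in")
INBOUND_REPLY = Packet("34.56.78.90", GATEWAY_PUBLIC, OIF, "in")


def compare_rulesets() -> dict:
    """Map each ruleset name to (outbound verdict, inbound-reply verdict)."""
    return {name: (forward(rules, OUTBOUND, OIF), forward(rules, INBOUND_REPLY, IIF))
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in compare_rulesets().items():
        print(f"{name:38s} outbound: {verdicts[0]:22s} reply: {verdicts[1]}")
```

In this model the stock order drops the natted reply on the input pass, deny-before-divert drops the still-private outbound packet on the output pass, and both variants of the cheat-sheet fix pass traffic in both directions.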
From: Pär Thoren
To: Stephen Hocking
Cc: security@freebsd.org, sage-au@sage-au.org.au
Subject: Re: Script kiddies and their port scans
In-Reply-To: <200007242314.SAA01912@bloop.craftncomp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Jul 2000, Stephen Hocking wrote:

> Checking the firewall logs I see various attempts to connect to rather unusual
> ports on my box - does anyone know what the following are?
>
>
> 27374
>
> 1243
>
> 98 - This comes up as TACNEWS in /etc/services

I have at least 4-5 of these scans for port 98 a week. At least now I know it's linuxconf they are sniffing for.

/ Pär

> 143 imap2
>
> Are the two unknown ones some BackOrifice port or part of the common backdoors
> left behind by these twerps?
>
>
> 	Stephen
> --
> The views expressed above are not those of PGS Tensor.
>
> "We've heard that a million monkeys at a million keyboards could produce
> the Complete Works of Shakespeare; now, thanks to the Internet, we know
> this is not true." Robert Wilensky, University of California
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 25 0:49:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 186E137BAB0 for ; Tue, 25 Jul 2000 00:49:48 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id RAA17232; Tue, 25 Jul 2000 17:44:36 +1000 (EST)
From: Darren Reed Message-Id: <200007250744.RAA17232@cairo.anu.edu.au> Subject: Re: orange book rating for freebsd To: phk@critter.freebsd.dk (Poul-Henning Kamp) Date: Tue, 25 Jul 2000 17:44:36 +1000 (Australia/NSW) Cc: avalon@coombs.anu.edu.au (Darren Reed), imp@village.org (Warner Losh), john1000@cwcom.net, freebsd-security@FreeBSD.ORG In-Reply-To: <9855.964508836@critter.freebsd.dk> from "Poul-Henning Kamp" at Jul 25, 2000 09:07:16 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Poul-Henning Kamp, sie said: > > In message <200007250619.QAA05994@cairo.anu.edu.au>, Darren Reed writes: > >In some mail from Warner Losh, sie said: > >> > >> In message <397CEC16.F5453AC0@cwcom.net> m01ym900@cwcom.net writes: > >> : does anyone know what level of security rating freeBSD can be configured > >> : to, with regards to the orange book rating system (C1 through to A1). > >> > >> FreeBSD can be configured to be C2 secure, just like all the other > >> Unix-oids out there. There's some work with TrustedBSD to make things > >> B1 or B2, but those are very hard. FreeBSD doesn't have the > >> facilities to get A1, which requires, iirc, tagging of all data as > >> unclassified, secret or top secret and not allowing data to cross the > >> security boundaries (in either direction w/o authorization from the > >> system administrator). > > > >In addition to programming with labels, etc, Ax also requires taking into > >account "signalling" via covert channels. FreeBSD will never reach an A > >level orange book rating because it was not designed, from scratch, to be > >that way. C2 is just a matter of someone with money giving a box to the > >NSA, appropriately configured and with suitable documentation, for review. 
> > > >As for "tags", those are required for B2, along with rules about which > >way data can "travel". > > As far as I know we'll never get any A rating because that requires > design documents which define the security. Yes, that's what I said. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 1: 4:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 7FDC937B9BB for ; Tue, 25 Jul 2000 01:04:26 -0700 (PDT) (envelope-from stephen@math.missouri.edu) Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000725080422.HAFH11071.mail.rdc1.il.home.com@math.missouri.edu> for ; Tue, 25 Jul 2000 01:04:22 -0700 Message-ID: <397D4A06.9CFAF1FA@math.missouri.edu> Date: Tue, 25 Jul 2000 03:04:22 -0500 
From: Stephen Montgomery-Smith X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall References: <397C8F30.8DFCE0E9@math.missouri.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am coming to the conclusion that the only reasonably easy way to fix this is that the antispoofing should be done by the program natd. We could add another option to natd that would disallow any outgoing packets sent to an unregistered ip address, and disallow any incoming packets from or to an unregistered ip address. Call it -antispoof. What do you guys think? I think it would be quite an easy job - I would be happy to do it, but if it isn't going to be accepted, I don't want to make the effort. Stephen -- Stephen Montgomery-Smith Department of Mathematics, University of Missouri, Columbia, MO 65211 Phone 573-882-4540, fax 573-882-1869 http://www.math.missouri.edu/~stephen stephen@math.missouri.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 1:29: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from dlt.follo.net (elde.org [195.204.143.185]) by hub.freebsd.org (Postfix) with ESMTP id 4E9B937B840; Tue, 25 Jul 2000 01:29:05 -0700 (PDT) (envelope-from terje@elde.net) Received: by dlt.follo.net (Postfix, from userid 1002) id DEA215EF3E; Tue, 25 Jul 2000 10:29:01 +0200 (CEST) Date: Tue, 25 Jul 2000 10:29:01 +0200 
From: Terje Elde
To: Adrian Chadd
Cc: Robert Watson, Sheldon Hearn, Joachim Strömbergson, Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?
Message-ID: <20000725102901.A32679@dlt.follo.net>
References: <20000720124805.D70017@dlt.follo.net> <20000724210042.O62551@ywing.creative.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000724210042.O62551@ywing.creative.net.au>; from adrian@FreeBSD.ORG on Mon, Jul 24, 2000 at 09:00:42PM +0200
X-Mailer: Mutt http://www.mutt.org/
X-Editor: Vim http://www.vim.org/
X-IRC: ircii!epic4-2000 - prevail[1214]
X-Goal: Exterminate All Rational Thought
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Adrian Chadd (adrian@FreeBSD.ORG) [000724 21:40]:
> > For a "ugly hack, but up and running today" kinda solution, you could always
> > do what I do... Use cfs (yes, the software tcfs is based on is running under
> > freebsd, and is available in the ports collection) for your file systems, then
> > swap to a file, on one of the encrypted file systems.
> >
> > It's not a pretty sight, but it does the job.
>
> Whats wrong with a bdev io layer like vinum/ccd which does crypto?
> Then you could swap and filesystem to your block devices to your hearts
> content with whatever filesystem you wanted?

This would work, and probably significantly faster than the cfs model, with its double mount points and so on. It would however also (IMHO) fall under the not pretty hack umbrella, as this doesn't easily allow handling of multi user situations and so on.

Bottom line in this case is that if anyone wants to spend a weekend coding this up then that will be an advantage for all the people wanting to use encrypted homedirs and swap on single user workstations.
It will make the world a little better, but it might also delay implementation and deployment of a proper system. As far as I can see what it all boils down to is that this will be coded if someone wants it bad enough to take the time. Then we'll just have to see if it delays other good stuff... To finish off with some questions... Does anyone at this time plan on taking the time to look at integrating TCFS into FreeBSD? Are there any other possibilities than a bdev io layer, cfs and tcfs? Terje -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE5fU/H8HLgLrwmRg0RAqfrAJ9Rozagx6bFj65OITuE/nQhDp+zUgCfbOvK S7I824Obbdg1lQzhHr2M6H0= =f6sI -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 1:37:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns.polyflow.be (ns.polyflow.be [194.78.35.4]) by hub.freebsd.org (Postfix) with ESMTP id 67F7437BCED for ; Tue, 25 Jul 2000 01:37:27 -0700 (PDT) (envelope-from jcs@polyflow.be) Received: from jcspc (jcspc [194.78.35.55]) by ns.polyflow.be (8.8.6 (PHNE_17135)/8.8.6) with SMTP id KAA26209 for ; Tue, 25 Jul 2000 10:35:19 +0100 (WETDST) Message-Id: <3.0.6.32.20000725103811.008e8e90@polyflow.be> X-Sender: jcs@polyflow.be X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32) Date: Tue, 25 Jul 2000 10:38:11 +0200 To: freebsd-security@FreeBSD.ORG 
From: Jean-Claude STAQUET Subject: allow access of root user Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, How do you allow remote login on a freebsd system ? I'm able to login as root on the freebsd console itself but not from another machine. Thanks, JCS Connected to tournesol.polyflow.be. Escape character is '^]'. FreeBSD/i386 (tounesol.polyflow.be) (ttyp0) login: root Password: Login incorrect To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 1:42:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id 8259B37BC5E for ; Tue, 25 Jul 2000 01:41:54 -0700 (PDT) (envelope-from jus@security.za.net) Received: from localhost (jus@localhost) by athena.za.net (8.9.3/8.9.3) with ESMTP id KAA00660; Tue, 25 Jul 2000 10:41:31 +0200 (SAST) (envelope-from jus@security.za.net) X-Authentication-Warning: athena.za.net: jus owned process doing -bs Date: Tue, 25 Jul 2000 10:41:31 +0200 (SAST) 
From: Justin Stanford X-Sender: jus@athena.za.net To: Jean-Claude STAQUET Cc: freebsd-security@FreeBSD.ORG Subject: Re: allow access of root user In-Reply-To: <3.0.6.32.20000725103811.008e8e90@polyflow.be> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Look in /etc/ttys - A console marked "secure" will allow root logins. -- Justin Stanford 082 7402741 jus@security.za.net www.security.za.net IT Security and Solutions On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote: > Hello, > > How do you allow remote login on a freebsd system ? > I'm able to login as root on the freebsd console itself but not from > another machine. > > Thanks, > JCS > > > Connected to tournesol.polyflow.be. > Escape character is '^]'. > > FreeBSD/i386 (tounesol.polyflow.be) (ttyp0) > > login: root > Password: > Login incorrect > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 2:11:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8356E37BCA4; Tue, 25 Jul 2000 02:11:30 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id CAA03304; Tue, 25 Jul 2000 02:11:30 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Tue, 25 Jul 2000 02:11:30 -0700 (PDT) 
From: Kris Kennaway To: "David J. Kanter" Cc: FreeBSD security Subject: Re: Uninstalling KerberosIV In-Reply-To: <20000724181810.A63026@localhost.localdomain> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 24 Jul 2000, David J. Kanter wrote: > I'd like to uninstall KerberosIV (from my initial 3.4-Release CD set) and > drop in Kerberos V (on my now 4.0-Stable computer). I'm not sure how to > gracefully get rid of KerberosIV, which I think was installed with > sysinstall. You can't easily deinstall Kerberos (or any other distribution component of FreeBSD, for that matter) :-( At some unspecified point in the future these will likely become packages, but not today. KerberosIV can coexist with 5, however. However, see the recent Security Advisory at ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:33.kerberosIV.asc for some suggestions. > How do I update sysinstall, by the way? cd /usr/src/release/sysinstall && make all install clean Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 2:35:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from asimov.freenix.no (asimov.freenix.no [195.139.70.52]) by hub.freebsd.org (Postfix) with ESMTP id C3D5337BD5C for ; Tue, 25 Jul 2000 02:35:45 -0700 (PDT) (envelope-from shamz@asimov.freenix.no) Received: (from shamz@localhost) by asimov.freenix.no (8.9.3/8.9.3) id LAA17464 for freebsd-security@FreeBSD.ORG; Tue, 25 Jul 2000 11:35:42 +0200 (CEST) Date: Tue, 25 Jul 2000 11:35:41 +0200 
From: Shaun Jurrens
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000725113541.A17445@asimov.freenix.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Guys,

I see (sorry, just via the website) that you have run upon the same problem as I did, when I started using natd and ipfw with rules. There was a suggested fix back in May on -net, iirc and perhaps a PR, but no one seems to have committed the fix (??). In any case, since the divert routines re-inject the packets into the firewall, you will kill your own nat'd packets. One could probably fix this, but the suggested fix in May worked for me. One really just needed to search the lists (and bite your teeth at the dodgy results, please fix that script).

I will paste my workaround. I actually have a setup that almost anyone could use, with state functions, etc. I almost thought about submitting it. Anyway, just add a small direction tag to the rules to stop the undesired behaviour.

# These are supposed to stop traffic from supposed RFC1918 nets
$fwcmd add 2200 deny all from 192.168.0.0:255.255.0.0 to any in via ${exif}
$fwcmd add 2300 deny all from any to 192.168.0.0:255.255.0.0 out via ${exif}
$fwcmd add 2400 deny all from 172.16.0.0:255.240.0.0 to any in via ${exif}
$fwcmd add 2500 deny all from any to 172.16.0.0:255.240.0.0 out via ${exif}
$fwcmd add 2600 deny all from 10.0.0.0:255.0.0.0 to any in via ${exif}
$fwcmd add 2700 deny all from any to 10.0.0.0:255.0.0.0 out via ${exif}

(You'll notice the addition of "in" and "out" to the rules. rc.firewall as is is not even usable with natd. It should be fixed/patched. I suggest using these for now)

--
Yours truly,
Shaun D.
Jurrens shaun@shamz.net 0860 Oslo Norway ircnet nick: shamz #chillout #unix #freebsd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 3:41:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from ff.dsu.dp.ua (ff.dsu.dp.ua [194.44.184.254]) by hub.freebsd.org (Postfix) with ESMTP id 9AA9137B6CC for ; Tue, 25 Jul 2000 03:41:20 -0700 (PDT) (envelope-from dmitry@digital.dp.ua) Received: from localhost (dmitry@localhost) by ff.dsu.dp.ua (8.9.3/8.9.3) with ESMTP id NAA59247; Tue, 25 Jul 2000 13:41:15 +0300 (EEST) (envelope-from dmitry@digital.dp.ua) Date: Tue, 25 Jul 2000 13:41:13 +0300 (EEST) 
From: Dmitry Pryanishnikov
X-Sender: dmitry@ff.dsu.dp.ua
To: Victor Ivanov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?
In-Reply-To: <004601bff546$9cfe71a0$03c507d4@icon1.icon-bg.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

On Mon, 24 Jul 2000, Victor Ivanov wrote:

> login.conf is for login. It is no good if a program depend on another
> program's config file which is subject to change... (i think)

From man login.conf:

     login.conf contains various attributes and capabilities of login classes.
     A login class (an optional annotation against each record in the user ac-
     count database, /etc/master.passwd) determines session accounting, re-
     source limits and user environment settings.  It is used by various pro-
                                                                  ^^^^^^^^^^^^
     grams in the system to set up a user's login environment and to enforce
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     policy, accounting and administrative restrictions.  It also provides the
     ^^^^^^

So this file is not only for login, but for any program which gives a user access to the system, e.g., ftpd. BTW, ssh2 uses part of the login.conf entry to establish resource limits, why not use the rest of the specification?

> maybe ssh2 does not use login? like openssh? or it is enabled with some
> option?
> is there 'UseLogin' option in the ssh2 config file (or something like?)

Haven't seen such an option in either sshd2_config or sshd2's manpage. BTW, there are other ways to check login.conf restrictions besides direct login execution (e.g., auth_hostok()).
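The check Dmitry points at (auth_hostok()), as an added example in C written for this page and not taken from FreeBSD's libutil, from sshd2 or from the thread: a small model of the host.allow / host.deny policy applied to the guest class from the start of the thread. It assumes login.conf records already flattened onto one line each (the real file uses backslash-continued lines and tc= chaining that login_getclass() resolves, neither of which is handled here), that host.deny is consulted before host.allow, and that every comma-separated entry is an fnmatch(3) wildcard tried against both the remote host name and its address. The staff class and the host names are constructed for the example.

```c
/* Added illustration (written for this page; not FreeBSD's libutil, sshd2
 * or anything from the thread): a minimal model of the policy behind
 * auth_hostok(3), applied to the "guest" class from the start of this
 * thread.  Assumed: records are flattened to one line (no "\" continuation
 * or tc= chaining), host.deny is consulted before host.allow, and every
 * comma-separated entry is an fnmatch(3) wildcard tried against both the
 * remote host name and its address.  The "staff" class is constructed. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

static const char *classes[] = {
    "default:welcome=/etc/motd:",
    "guest:host.allow=192.168.18.*:tc=default:",                 /* Dmitry's class */
    "staff:host.allow=*.dsu.dp.ua,192.168.18.*:host.deny=ff.dsu.dp.ua:tc=default:",
    NULL,
};

/* Look up capability "name" in the record for class "cls"; copies the
 * value into val (at most n-1 bytes) and returns 1 if it is present. */
static int getcap(const char *cls, const char *name, char *val, size_t n)
{
    size_t cl = strlen(cls), nl = strlen(name);
    for (const char **r = classes; *r; r++) {
        if (strncmp(*r, cls, cl) != 0 || (*r)[cl] != ':') continue;
        for (const char *f = *r + cl + 1; *f; ) {       /* walk ":"-separated fields */
            const char *end = strchr(f, ':');
            size_t flen = end ? (size_t)(end - f) : strlen(f);
            if (flen > nl && strncmp(f, name, nl) == 0 && f[nl] == '=') {
                size_t vlen = flen - nl - 1;
                if (vlen >= n) vlen = n - 1;
                memcpy(val, f + nl + 1, vlen);
                val[vlen] = '\0';
                return 1;
            }
            if (!end) break;
            f = end + 1;
        }
        return 0;                                       /* record found, capability absent */
    }
    return 0;
}

/* 1 if any comma-separated wildcard in list matches host or ip. */
static int list_match(const char *list, const char *host, const char *ip)
{
    char pat[128];
    while (*list) {
        const char *end = strchr(list, ',');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len >= sizeof pat) len = sizeof pat - 1;
        memcpy(pat, list, len);
        pat[len] = '\0';
        if ((host && fnmatch(pat, host, 0) == 0) || (ip && fnmatch(pat, ip, 0) == 0))
            return 1;
        if (!end) break;
        list = end + 1;
    }
    return 0;
}

/* The decision a login service should take before granting a session:
 * refuse if host.deny matches; if host.allow is set, accept only a match;
 * a class with neither is unrestricted. */
int host_ok(const char *cls, const char *host, const char *ip)
{
    char v[256];
    if (getcap(cls, "host.deny", v, sizeof v) && list_match(v, host, ip))
        return 0;
    if (getcap(cls, "host.allow", v, sizeof v))
        return list_match(v, host, ip);
    return 1;
}

int main(void)
{
    printf("guest from 192.168.18.25: %d\n", host_ok("guest", "ws7.dsu.dp.ua", "192.168.18.25"));    /* 1 */
    printf("guest from 203.0.113.9:   %d\n", host_ok("guest", "evil.example.net", "203.0.113.9"));  /* 0 */
    printf("staff from ff.dsu.dp.ua:  %d\n", host_ok("staff", "ff.dsu.dp.ua", "194.44.184.254"));  /* 0 */
    return 0;
}
```

The point for the thread is the call site, not the matcher: a daemon that sets resource limits from the class but never asks this question before handing out a shell is exactly the gap Dmitry observed in sshd2. The deny-before-allow order means a host listed in both is refused.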
Sincerely, Dmitry Dnipropetrovsk State University, E-mail: dmitry@digital.dp.ua Physical Faculty, WWW: http://ff.dsu.dp.ua Department of Experimental Physics Dnipropetrovsk, Ukraine FTP: ftp://digital.dp.ua/DEC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 4:31:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.2.163]) by hub.freebsd.org (Postfix) with ESMTP id 189EC37BD66 for ; Tue, 25 Jul 2000 04:31:22 -0700 (PDT) (envelope-from sheldonh@axl.ops.uunet.co.za) Received: from sheldonh (helo=axl.ops.uunet.co.za) by axl.ops.uunet.co.za with local-esmtp (Exim 3.15 #1) id 13H2u8-00026Y-00; Tue, 25 Jul 2000 13:29:44 +0200 
From: Sheldon Hearn
To: Dmitry Pryanishnikov
Cc: Victor Ivanov, freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?
In-reply-to: Your message of "Tue, 25 Jul 2000 13:41:13 +0300."
Date: Tue, 25 Jul 2000 13:29:44 +0200
Message-ID: <8093.964524584@axl.ops.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000 13:41:13 +0300, Dmitry Pryanishnikov wrote:

> So this file is not only for login, but for any program which gives a user
> access to the system, e.g., ftpd.

You are almost right. The important thing to remember is that this functionality is not a standard in the UNIX world. This means that many applications are not designed to make use of the functionality.

Of course, any software for which the source is available can be taught to obey login.conf, but that takes work and someone has to knuckle down and do it.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 25 5:37:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id 892E037BD82 for ; Tue, 25 Jul 2000 05:37:37 -0700 (PDT) (envelope-from johnsa@kpi.com.au)
Received: from kpi.com.au (localhost.kpi.com.au [127.0.0.1]) by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id WAA03185; Tue, 25 Jul 2000 22:40:10 +1000 (EST) (envelope-from johnsa@kpi.com.au)
Message-ID: <397D8ADA.413199B0@kpi.com.au>
Date: Tue, 25 Jul 2000 22:40:58 +1000
From: Andrew Johns Organization: KPI Logistics X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Jean-Claude STAQUET Cc: freebsd-security@FreeBSD.ORG Subject: Re: allow access of root user References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org However, this is Not The Recommended Way. Allowing root logins from the network exposes the system to a degree (the severity of which depends upon several factors). You'd be better off logging in as a user and su'ing to root (see 'man su' for details). Justin Stanford wrote: > > Look in /etc/ttys - A console marked "secure" will allow root logins. > [snip] > > On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote: > > > Hello, > > > > How do you allow remote login on a freebsd system ? > > I'm able to login as root on the freebsd console itself but not from > > another machine. > > Regards ---------------------\=-_ _-=/ Andrew Johns BSc. \ \==/ / Principal Consultant \ / KPI Logistics Pty Ltd \ / mailto:johnsa@kpi.com.au \ +/ http://www.kpi.com.au \/ Which way is up and where do I fall? 
My favourite boot labels: F1 Real OS -> http://www.FreeBSD.org F2 Pretend OS -> http://www.microsoft.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 7:27:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id BEEA237B6E8 for ; Tue, 25 Jul 2000 07:27:53 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (2719 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 25 Jul 2000 09:26:52 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Tue, 25 Jul 2000 09:26:52 -0500 (CDT) 
From: James Wyatt To: Jean-Claude STAQUET Cc: freebsd-security@FreeBSD.ORG Subject: Re: allow access of root user In-Reply-To: <3.0.6.32.20000725103811.008e8e90@polyflow.be> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote: > How do you allow remote login on a freebsd system ? > I'm able to login as root on the freebsd console itself but not from > another machine. Warning: allowing root to directly log in via telnet is very risky. It exposes your root password to sniffing anywhere along the IP path, provides almost no trace of *who* logged in as root, and lets casual errors become more common. (folks get lazy about being root) That said: Root logins for telnetd and login are controlled by /etc/ttys (see 'man ttys') and adding 'secure' to the 'ttyp' lines (like the 'ttyv' lines) will allow root to login directly. Please try to avoid doing that! The traditional way to become root remotely is to log in as a 'normal' user with that user's password (usually in the suaccess or wheel groups) and use 'su' (see man 'su') command to become root. Only users with both passwords are allowed to do 'powerful things'. Root password can still be sniffed, but only if whole sessions are sniffed and recorded. Simple password gatherers like Linsniffer won't work. Check-out 'sudo' in the packages (or ports) tree. It is still vulnerable to linsniffer since the same password is used, but you can limit commands that run as root for the user to things like backups and shutdown scripts. Best way, IMHO, is to use ssh (or better yet, OpenSSH) to provide encrypted root logins. There is an option to allow root logins with it directly. This requires you to install OpenSSH (see ports tree) on the hosts you want to control and some kind of ssh client on the machine(s) you want to log in from. (There are several for Windows and Unix. 
If it's another FreeBSD machine, you can just use OpenSSH again.) If you consider using 'ssh2', read the license carefully. Sorry for a long reply to a short question, but you *really* need to balance your risks of password sniffing and power of root access. If your hosts are next to each other on isolated switches, maybe root telnets are OK. If you are dialing-up over quite a distance and are a good target for attacks, install OpenSSH or ssh. Hope this helps - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 7:36:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from ixori.demon.nl (ixori.demon.nl [195.11.248.5]) by hub.freebsd.org (Postfix) with ESMTP id 970AC37B6A6 for ; Tue, 25 Jul 2000 07:36:32 -0700 (PDT) (envelope-from bart@ixori.demon.nl) Received: from smtp-relay by ixori.demon.nl (8.9.3/8.9.2) with ESMTP id QAA24394; Tue, 25 Jul 2000 16:41:15 +0200 (CEST) (envelope-from bart@ixori.demon.nl) Received: from network (intranet) by smtp-relay (Bart's intranet smtp server) Date: Tue, 25 Jul 2000 16:41:03 +0200 (CEST) 
From: Bart van Leeuwen
To: James Wyatt
Cc: Jean-Claude STAQUET, freebsd-security@freebsd.org
Subject: Re: allow access of root user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Uhm, telnetting in as a user and su'ing to root has exactly the same danger, your password goes over the net in plaintext. If you want to prevent that consider using ssh instead.

Also note that when using rsh you prevent root from logging in for interactive access, but an rsh -l root will still work.

To be honest, I never really saw the point of disallowing this except for the simple good habit of never using the root account at all, and only becoming superuser when you really really have to.

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Tue, 25 Jul 2000, James Wyatt wrote:

> On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote:
> > How do you allow remote login on a freebsd system ?
> > I'm able to login as root on the freebsd console itself but not from
> > another machine.
>
> Warning: allowing root to directly log in via telnet is very risky. It
> exposes your root password to sniffing anywhere along the IP path,
> provides almost no trace of *who* logged in as root, and lets casual
> errors become more common. (folks get lazy about being root)
>
>
> That said: Root logins for telnetd and login are controlled by /etc/ttys
> (see 'man ttys') and adding 'secure' to the 'ttyp' lines (like the 'ttyv'
> lines) will allow root to login directly. Please try to avoid doing that!
>
> The traditional way to become root remotely is to log in as a 'normal'
> user with that user's password (usually in the suaccess or wheel groups)
> and use 'su' (see man 'su') command to become root.
Only users with both > passwords are allowed to do 'powerful things'. Root password can still be > sniffed, but only if whole sessions are sniffed and recorded. Simple > password gatherers like Linsniffer won't work. > > Check-out 'sudo' in the packages (or ports) tree. It is still vulnerable > to linsniffer since the same password is used, but you can limit commands > that run as root for the user to things like backups and shutdown scripts. > > > Best way, IMHO, is to use ssh (or better yet, OpenSSH) to provide > encrypted root logins. There is an option to allow root logins with it > directly. This requires you to install OpenSSH (see ports tree) on the > hosts you want to control and some kind of ssh client on the machine(s) > you want to log in from. (There are several for Windows and Unix. If it's > another FreeBSD machine, you can just use OpenSSH again.) If you consider > using 'ssh2', read the license carefully. > > > Sorry for a long reply to a short question, but you *really* need to > balance your risks of password sniffing and power of root access. If your > hosts are next to each other on isolated switches, maybe root telnets are > OK. If you are dialing-up over quite a distance and are a good target for > attacks, install OpenSSH or ssh. 
> > Hope this helps - Jy@ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 25 8:38: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id D698937B667 for ; Tue, 25 Jul 2000 08:38:00 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (2584 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 25 Jul 2000 10:32:21 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Tue, 25 Jul 2000 10:32:20 -0500 (CDT) 
From: James Wyatt To: Bart van Leeuwen Cc: Jean-Claude STAQUET , freebsd-security@freebsd.org Subject: Re: allow access of root user In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 25 Jul 2000, Bart van Leeuwen wrote: > Uhm, telnetting in as a user and suing to root has exactly the same > danger, your password goes over the net in plaintext. > [ Echo of original recommendation of using ssh ] > > To be honest, I never really saw the point of disallowing this except for > the simple good habit of never using the root account at all, and only > becomming superuser when you really really have to. > > Bart van Leeuwen > ----------------------------------------------------------- > mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/ > ----------------------------------------------------------- Check out programs such as linsniffer. It catches telnet/ftp/pop passwords and does not catch 'su'-ing passwords. It only listens for known password areas in TCP sessions to allow it to hide on infected hosts. A sniffer to catch 'su' passwords is a *lot* harder to make and remain undetected. Using 'su' for root logins allows you to immediately exclude a suddenly untrusted (i.e. fired) user without changing your root password(s). Just remove them from the wheel group... Using 'su' and 'host.allow' in /etc/login.conf, you can allow root access from different locations without adding them to root's login.conf entry. This one is a bit contrived, but if anyone ever needed it, it's possible. Of course, users of sudo don't have sniffing protections, but most will forget their root password anyway. (I did. (^_^) More reason for ssh. I prefer ssh, but some folks can't use it. If you have a terminal server at your POP and dial-in because your INet port is down or attacked, then telnet is the only game. Secure that with switch ports and anti-spoofing filters. 
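The /etc/ttys rule Justin and James describe, as an added example in C written here and not login(1)'s code: a parser over a constructed ttys table that answers whether a direct root login may be accepted on a given tty, which is the decision login(1) takes from the entry's "secure" flag. Assumed from ttys(5): the fields are name, getty command (quoted when it contains spaces), terminal type, then status words such as on, off and secure; a '#' starts a comment; a tty with no entry is treated as insecure. The table lines, including the ttyp1 entry marked secure, are constructed for the example.

```c
/* Added illustration (written for this page; not login(1) code): decide
 * from an /etc/ttys table whether a direct root login may be accepted on
 * a tty.  login(1) allows it only when the tty's entry carries the
 * "secure" status flag; a tty without an entry is treated as insecure.
 * Line format assumed from ttys(5): name, getty command (quoted if it
 * contains spaces), terminal type, then status words; '#' starts a comment. */
#include <stdio.h>
#include <string.h>

/* Constructed table in the layout of a FreeBSD 4.x /etc/ttys. */
const char *const sample_ttys =
    "# name   getty                          type    status     comments\n"
    "console  none                           unknown off secure\n"
    "ttyv0    \"/usr/libexec/getty Pc\"        cons25  on  secure\n"
    "ttyv1    \"/usr/libexec/getty Pc\"        cons25  on  secure\n"
    "# Pseudo terminals: telnet/rlogin sessions land here\n"
    "ttyp0    none                           network\n"
    "ttyp1    none                           network secure     # what JCS was asking for\n"
    "ttyd0    \"/usr/libexec/getty std.9600\"  dialup  off\n";

/* Copy the next word of s into out (a "..." word may contain blanks).
 * Returns the position after the word, or NULL at end of line or at a
 * comment marker. */
static const char *word(const char *s, char *out, size_t n)
{
    size_t i = 0;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '\0' || *s == '\n' || *s == '#') return NULL;
    if (*s == '"') {
        for (s++; *s && *s != '"' && *s != '\n'; s++)
            if (i + 1 < n) out[i++] = *s;
        if (*s == '"') s++;
    } else {
        for (; *s && *s != ' ' && *s != '\t' && *s != '\n' && *s != '#'; s++)
            if (i + 1 < n) out[i++] = *s;
    }
    out[i] = '\0';
    return s;
}

/* 1 if "name" has an entry whose status words include "secure", else 0. */
int root_login_allowed(const char *table, const char *name)
{
    char tok[128];
    for (const char *line = table; *line; ) {
        const char *nl = strchr(line, '\n');
        const char *p = word(line, tok, sizeof tok);             /* tty name */
        if (p && strcmp(tok, name) == 0) {
            p = word(p, tok, sizeof tok);                        /* getty */
            if (p) p = word(p, tok, sizeof tok);                 /* type */
            while (p && (p = word(p, tok, sizeof tok)) != NULL)  /* status words */
                if (strcmp(tok, "secure") == 0) return 1;
            return 0;                                            /* entry without "secure" */
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;                                                    /* no entry at all */
}

int main(void)
{
    const char *ttys[] = { "console", "ttyv0", "ttyp0", "ttyp1", "ttyd0", "ttyp9" };
    for (size_t i = 0; i < sizeof ttys / sizeof ttys[0]; i++)
        printf("%-8s root login %s\n", ttys[i],
               root_login_allowed(sample_ttys, ttys[i]) ? "allowed" : "refused");
    return 0;
}
```

Only the "secure" word matters to this decision: console is "off" yet secure, so root may log in there, while a pseudo-terminal with no flag (or no entry at all, as for ttyp9) refuses a direct root login and forces the su route the thread recommends.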
Some folks don't want to (or can't) install ssh clients on the machines they may have to connect from. Some don't know about cheap Windows clients. Some don't mind using the broken Windows telnet client. - Jy@

From owner-freebsd-security Tue Jul 25 9:54: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 9796737B682 for ; Tue, 25 Jul 2000 09:53:54 -0700 (PDT) (envelope-from stephen@math.missouri.edu)
Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000725165353.ZLBV11071.mail.rdc1.il.home.com@math.missouri.edu> for ; Tue, 25 Jul 2000 09:53:53 -0700
Message-ID: <397DC61F.18BF726E@math.missouri.edu>
Date: Tue, 25 Jul 2000 11:53:52 -0500
From: Stephen Montgomery-Smith
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
References: <397C8F30.8DFCE0E9@math.missouri.edu> <397D4A06.9CFAF1FA@math.missouri.edu>
Content-Type: multipart/mixed; boundary="------------E46AA3F16434CABF8E806092"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Stephen Montgomery-Smith wrote:
>
> I am coming to the conclusion that the only reasonably
> easy way to fix this is that the antispoofing should
> be done by the program natd.
>
> We could add another option to natd that would disallow
> any outgoing packets sent to an unregistered ip address,
> and disallow any incoming packets from or to an unregistered
> ip address. Call it -antispoof.
>

Well I went ahead and did it. The natd program and the libalias packages are so nicely written that it was an easy programming change. It will actually be more work to rewrite the man pages.

I enclose the patch. It is easy to apply:

cd /usr/src (or wherever your source code is kept)
patch < natd-libalias.patch
cd lib/libalias
make
make install
cd ../../sbin/natd
make
make install

Now add -antispoof to the list of options for natd.

I am not really in a position to actually test this code properly - any feedback would be most welcome. This patch is to FreeBSD 4.1RC.

For me this is the first time I have done anything like this.
--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

Content-Type: text/plain; charset=us-ascii; name="natd-libalias.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="natd-libalias.patch"

diff -ur lib-orig/libalias/alias.c lib/libalias/alias.c --- lib-orig/libalias/alias.c Tue Jul 25 10:54:58 2000 +++ lib/libalias/alias.c Tue Jul 25 10:43:54 2000 @@ -1305,6 +1305,21 @@ } +/* Unregistered address ranges */ + +/* 10.0.0.0 -> 10.255.255.255 */ +#define UNREG_ADDR_A_LOWER 0x0a000000 +#define UNREG_ADDR_A_UPPER 0x0affffff + +/* 172.16.0.0 -> 172.31.255.255 */ +#define UNREG_ADDR_B_LOWER 0xac100000 +#define UNREG_ADDR_B_UPPER 0xac1fffff + +/* 192.168.0.0 -> 192.168.255.255 */ +#define UNREG_ADDR_C_LOWER 0xc0a80000 +#define UNREG_ADDR_C_UPPER 0xc0a8ffff + + int PacketAliasIn(char *ptr, int maxpacketsize) {
@@ -1328,6 +1343,41 @@ if (ntohs(pip->ip_len) > maxpacketsize || (pip->ip_hl<<2) > maxpacketsize) return PKT_ALIAS_IGNORED; + + if (packetAliasMode & PKT_ALIAS_ANTISPOOF) + { + u_long addr; + int iclass; + + iclass = 0; + addr = ntohl(pip->ip_src.s_addr); + if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) + iclass = 3; + else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) + iclass = 2; + else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) + iclass = 1; + + if (iclass != 0) + { + return PKT_ALIAS_ANTISPOOFED; + } + + iclass = 0; + addr = ntohl(pip->ip_dst.s_addr); + if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) + iclass = 3; + else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) + iclass = 2; + else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) + iclass = 1; + + if (iclass != 0) + { + return PKT_ALIAS_ANTISPOOFED; + } + + } iresult = PKT_ALIAS_IGNORED; if ( (ntohs(pip->ip_off) & IP_OFFMASK) == 0 ) @@ -1376,21 +1426,6 @@ } - -/* Unregistered address ranges */ - -/* 10.0.0.0 -> 10.255.255.255 */ -#define UNREG_ADDR_A_LOWER 0x0a000000 -#define UNREG_ADDR_A_UPPER 0x0affffff - -/* 172.16.0.0 -> 172.31.255.255 */ -#define UNREG_ADDR_B_LOWER 0xac100000 -#define UNREG_ADDR_B_UPPER 0xac1fffff - -/* 192.168.0.0 -> 192.168.255.255 */ -#define UNREG_ADDR_C_LOWER 0xc0a80000 -#define UNREG_ADDR_C_UPPER 0xc0a8ffff - int PacketAliasOut(char *ptr, /* valid IP packet */ int maxpacketsize /* How much the packet data may grow 
@@ -1416,6 +1451,26 @@ if (ntohs(pip->ip_len) > maxpacketsize || (pip->ip_hl<<2) > maxpacketsize) return PKT_ALIAS_IGNORED; + + if (packetAliasMode & PKT_ALIAS_ANTISPOOF) + { + u_long addr; + int iclass; + + iclass = 0; + addr = ntohl(pip->ip_dst.s_addr); + if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER) + iclass = 3; + else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER) + iclass = 2; + else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) + iclass = 1; + + if (iclass != 0) + { + return PKT_ALIAS_ANTISPOOFED; + } + } addr_save = GetDefaultAliasAddress(); if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY) diff -ur lib-orig/libalias/alias.h lib/libalias/alias.h --- lib-orig/libalias/alias.h Tue Jul 25 10:54:58 2000 +++ lib/libalias/alias.h Tue Jul 25 10:50:27 2000 @@ -157,12 +157,22 @@ and PacketAliasOut() are reversed */ #define PKT_ALIAS_REVERSE 0x80 +/* If PKT_ALIAS_ANTISPOOF is set, then PacketAliasIn() and PacketAliasOut() + will stop spoofing from or to unregistered ports - so PacketAliasIn will + not allow packets sent to or from unregistered ports, and PacketAliasOut + will not allow packets to unregistered ports. If packets are found + to be spoofed, no aliasing is performed, and PacketAliasIn() and + PacketAliasOut() return PKT_ALIAS_ANTISPOOFED. The calling program + should drop these packets. */ +#define PKT_ALIAS_ANTISPOOF 0x100 + /* Return Codes */ #define PKT_ALIAS_ERROR -1 #define PKT_ALIAS_OK 1 #define PKT_ALIAS_IGNORED 2 #define PKT_ALIAS_UNRESOLVED_FRAGMENT 3 #define PKT_ALIAS_FOUND_HEADER_FRAGMENT 4 +#define PKT_ALIAS_ANTISPOOFED 5 #endif /*lint -restore */ diff -ur sbin-orig/natd/natd.c sbin/natd/natd.c --- sbin-orig/natd/natd.c Tue Jul 25 10:54:22 2000 +++ sbin/natd/natd.c Tue Jul 25 10:28:41 2000 
@@ -534,7 +534,17 @@ /* * Outgoing packets. Do aliasing. */ - PacketAliasOut (packetBuf, IP_MAXPACKET); + status = PacketAliasOut (packetBuf, IP_MAXPACKET); + if (status == PKT_ALIAS_ANTISPOOFED) { + + if (verbose) + printf (" dropped.\n"); + + if (logDropped) + SyslogPacket (ip, LOG_WARNING, "denied"); + + return; + } } else { @@ -542,8 +552,9 @@ * Do aliasing. */ status = PacketAliasIn (packetBuf, IP_MAXPACKET); - if (status == PKT_ALIAS_IGNORED && - dropIgnoredIncoming) { + if (status == PKT_ALIAS_ANTISPOOFED || + (status == PKT_ALIAS_IGNORED && + dropIgnoredIncoming)) { if (verbose) printf (" dropped.\n"); @@ -911,6 +922,14 @@ "alias only unregistered addresses", "unregistered_only", "u" }, + + { PacketAliasOption, + PKT_ALIAS_ANTISPOOF, + YesNo, + "[yes|no]", + "stop spoofing via unregistered addresses", + "antispoof", + NULL }, { PacketAliasOption, PKT_ALIAS_LOG,

From owner-freebsd-security Tue Jul 25 9:56:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id B387437B720 for ; Tue, 25 Jul 2000 09:56:48 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 8623 invoked by uid 1000); 25 Jul 2000 16:56:47 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jul 2000 16:56:47 -0000
Date: Tue, 25 Jul 2000 11:56:47 -0500 (CDT)
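Review bot: in the alias.c hunk at @@ -1305 the UNREG_ADDR_* defines are only relocated (the identical block is deleted again at @@ -1376), which makes the diff three times bigger than the functional change; hoisting them once near the top of alias.c, or into alias.h next to the new PKT_ALIAS_ANTISPOOF flag, lets both PacketAliasIn() and PacketAliasOut() see them without the move and keeps the patch reviewable.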
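Review bot: in the PacketAliasIn() hunk at @@ -1328 the ip_src and ip_dst tests are the same nine lines repeated, iclass is assigned 1, 2 or 3 but only ever compared against 0, and the second `iclass = 0;` re-initialises a variable that is already 0 on that path; a single boolean helper such as `static int IsUnregistered(u_long addr)` would replace all four copies across this hunk and the PacketAliasOut() one and remove the dead classification. Note also that only the three RFC1918 blocks are tested; the reply later in this thread lists 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16 and 240.0.0.0/4 as ranges that a check like this should treat the same way.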
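Review bot: the PacketAliasOut() hunk at @@ -1416 tests only ip_dst, which is right (the source of an outgoing packet is the private address natd is about to alias), but neither the code nor the alias.h comment says why the src test that PacketAliasIn() performs is absent here; a one-line comment would keep a later reader from "fixing" the asymmetry and breaking outbound NAT.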
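Review bot: in the natd.c hunk at @@ -534 the outgoing branch now assigns to status, so confirm it is declared in the scope shared with the incoming branch at @@ -542 (which already uses it). For operators the more useful change is in the logging: an antispoof drop is written with the same "denied" text as an ordinary dropped packet and only when logDropped is set, so nobody can tell from syslog that the new option fired; a distinct message (for example "antispoof") in SyslogPacket() in both branches would make the behaviour observable.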
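Review bot: the option-table hunk at @@ -911 advertises the argument as "[yes|no]" with no short form (NULL), but the patch carries no natd.8 change and the covering message says the man pages are still to be rewritten; the entry should land together with a man-page paragraph modelled on -unregistered_only that documents the yes/no argument and states that the packet is dropped, not merely left unaliased.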
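The check the natd-libalias.patch above adds, written out as an added example rather than code from the patch or from libalias: one table of prefix/length pairs replaces the LOWER/UPPER defines, one helper replaces the four repeated range tests, and the direction-dependent policy described in the message (incoming: refuse on source or destination; outgoing: refuse on destination only) is a separate function. The table goes beyond the patch by including the extra ranges named later in this thread (0/8, 127/8, 169.254/16, 192.0.2/24, 240/4). The function names, the `parse_ipv4` helper and the sample packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One CIDR block that should never be seen on the public side of a NAT box.
 * The three RFC1918 blocks are the ones the patch checks; the rest are the
 * additional ranges named later in this thread. */
struct net {
    uint32_t prefix;    /* network address, host byte order */
    int      plen;      /* prefix length */
    const char *name;
};

static const struct net unregistered_nets[] = {
    { 0x0a000000u,  8, "10.0.0.0/8" },
    { 0xac100000u, 12, "172.16.0.0/12" },
    { 0xc0a80000u, 16, "192.168.0.0/16" },
    { 0x00000000u,  8, "0.0.0.0/8" },
    { 0x7f000000u,  8, "127.0.0.0/8" },
    { 0xa9fe0000u, 16, "169.254.0.0/16" },
    { 0xc0000200u, 24, "192.0.2.0/24" },
    { 0xf0000000u,  4, "240.0.0.0/4" },
};

static uint32_t prefix_mask(int plen)
{
    return plen <= 0 ? 0u : (plen >= 32 ? 0xffffffffu : 0xffffffffu << (32 - plen));
}

/* Name of the matching range, or NULL when the address is globally routable.
 * A prefix/mask comparison replaces the patch's LOWER/UPPER pairs, so adding
 * a range is one table line instead of another copy of the if-chain. */
const char *unregistered_range(uint32_t addr)
{
    size_t i;
    for (i = 0; i < sizeof unregistered_nets / sizeof unregistered_nets[0]; i++)
        if ((addr & prefix_mask(unregistered_nets[i].plen)) == unregistered_nets[i].prefix)
            return unregistered_nets[i].name;
    return NULL;
}

/* Dotted-quad parser so the example runs without inet_aton(); 0 on bad input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 1 = unregistered, 0 = routable, -1 = not an IPv4 address. */
int classify_str(const char *s)
{
    uint32_t addr;
    if (!parse_ipv4(s, &addr))
        return -1;
    return unregistered_range(addr) != NULL;
}

enum direction { PKT_IN, PKT_OUT };
enum verdict { PASS, DROP_ANTISPOOF };

/* The policy from the patch: an incoming packet is refused when its source OR
 * destination is unregistered (nothing arriving from the Internet should carry
 * such an address either way); an outgoing packet is refused only on its
 * destination, because its source is legitimately the private address that
 * natd is about to alias. */
enum verdict antispoof_verdict(enum direction dir, uint32_t src, uint32_t dst)
{
    if (unregistered_range(dst) != NULL)
        return DROP_ANTISPOOF;
    if (dir == PKT_IN && unregistered_range(src) != NULL)
        return DROP_ANTISPOOF;
    return PASS;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    static const struct { enum direction dir; const char *src, *dst; } pkts[] = {
        { PKT_OUT, "192.168.18.5", "198.51.100.7" }, /* LAN host -> Internet */
        { PKT_OUT, "192.168.18.5", "10.1.2.3" },     /* LAN host -> RFC1918 on the outside */
        { PKT_IN,  "203.0.113.9",  "192.168.18.5" }, /* Internet -> private destination */
        { PKT_IN,  "169.254.7.7",  "203.0.113.1" },  /* link-local source from outside */
        { PKT_IN,  "203.0.113.9",  "203.0.113.1" },  /* ordinary inbound packet */
    };
    size_t i;
    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        uint32_t s, d;
        if (!parse_ipv4(pkts[i].src, &s) || !parse_ipv4(pkts[i].dst, &d))
            continue;
        printf("%s %-14s -> %-14s : %s\n", pkts[i].dir == PKT_IN ? "in " : "out",
               pkts[i].src, pkts[i].dst,
               antispoof_verdict(pkts[i].dir, s, d) == PASS ? "pass" : "dropped (antispoof)");
    }
    return 0;
}
```

Whether an address belongs in the table is the policy question the thread goes on to argue about; the point of the layout is that the answer changes one line, not four if-chains, and that the direction asymmetry is documented where it is implemented.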
From: Mike Silbersack
To: James Wyatt
Cc: Bart van Leeuwen , Jean-Claude STAQUET , freebsd-security@freebsd.org
Subject: Re: allow access of root user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, James Wyatt wrote:
> Some folks don't want to (or can't) install ssh clients on the machines
> they may have to connect from. Some don't know about cheap Windows
> clients. Some don't mind using the broken Windows telnet client. - Jy@

Actually, if I recall correctly, there are some Java applet ssh clients out there now. I haven't personally tried them, but I imagine they're probably more useable than the windows telnet client in any case. Perhaps once the RSA patent clears they can become more widespread in use.

(And actually, for web hosting firms, it would probably be easier to tell customers to go to http://www.bigwebplace.com/login/ rather than trying to explain how to run telnet.)

Mike "Silby" Silbersack

From owner-freebsd-security Tue Jul 25 10: 5:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id E2F9037B682 for ; Tue, 25 Jul 2000 10:05:18 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id D8DF71C6F; Tue, 25 Jul 2000 13:05:17 -0400 (EDT)
Date: Tue, 25 Jul 2000 13:05:17 -0400
From: Bill Fumerola
To: Bart van Leeuwen
Cc: James Wyatt , Jean-Claude STAQUET , freebsd-security@freebsd.org
Subject: Re: allow access of root user
Message-ID: <20000725130517.I51462@jade.chc-chimes.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from bart@ixori.demon.nl on Tue, Jul 25, 2000 at 04:41:03PM +0200
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jul 25, 2000 at 04:41:03PM +0200, Bart van Leeuwen wrote:
> Uhm, telnetting in as a user and suing to root has exactly the same
> danger, your password goes over the net in plaintext.
>
> If you want to prevent that consider using ssh instead.
> Also note that when using rsh you prevent root from logging in for
> interactive access, but an rsh -l root will still
> work. For those who are stupid enough to allow rsh....
> To be honest, I never really saw the point of disallowing this except for
> the simple good habit of never using the root account at all, and only
> becoming superuser when you really really have to.

Jul 25 13:01:50 boa su: billf to root on /dev/ttyp2

That's the #1 reason you don't want several people just logging in as root.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Tue Jul 25 10: 5:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 17B2937B69B for ; Tue, 25 Jul 2000 10:05:53 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id TAA87342; Tue, 25 Jul 2000 19:05:43 +0200 (CEST) (envelope-from des@flood.ping.uio.no)
To: Mike Silbersack
Cc: James Wyatt , Bart van Leeuwen , Jean-Claude STAQUET , freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
References:
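The su log line Bill Fumerola quotes is the audit trail that makes "who actually became root, from which tty" answerable; the following is an added example, not code from the thread, that turns such records into an accounting of root escalations. FreeBSD's su(1) writes `<user> to <target> on <tty>` on success and `BAD SU <user> to <target> on <tty>` on a failed attempt; the sample log below is constructed in that format (only the first line comes from the thread), and the function and struct names are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* One parsed su(1) audit record. FreeBSD's su logs
 *   "<user> to <target> on <tty>"        on success and
 *   "BAD SU <user> to <target> on <tty>" on a failed attempt. */
struct su_event {
    char user[32];
    char target[32];
    char tty[64];
    int  failed;     /* 1 for a BAD SU record */
};

/* Locate the payload after the "su:" or "su[pid]:" program tag; NULL when the
 * line was not written by su (so " sudo: ..." is rejected, not mis-parsed). */
static const char *su_payload(const char *line)
{
    const char *p = strstr(line, " su");
    if (p == NULL)
        return NULL;
    p += 3;
    if (*p == '[') {                 /* optional [pid] */
        p = strchr(p, ']');
        if (p == NULL)
            return NULL;
        p++;
    }
    if (*p != ':')
        return NULL;
    p++;
    while (*p == ' ')
        p++;
    return p;
}

/* Returns 1 and fills *ev when the line is an su audit record, else 0. */
int parse_su_line(const char *line, struct su_event *ev)
{
    const char *p = su_payload(line);
    if (p == NULL)
        return 0;
    ev->failed = strncmp(p, "BAD SU ", 7) == 0;
    if (ev->failed)
        p += 7;
    return sscanf(p, "%31s to %31s on %63s", ev->user, ev->target, ev->tty) == 3;
}

struct su_stats {
    int ok_to_root;    /* successful escalations: these lines name who had root */
    int bad_to_root;   /* failed attempts at root: the ones worth alerting on */
    int other;         /* su to some account other than root */
};

struct su_stats audit_su(const char *const *lines, size_t n)
{
    struct su_stats st = { 0, 0, 0 };
    size_t i;
    for (i = 0; i < n; i++) {
        struct su_event ev;
        if (!parse_su_line(lines[i], &ev))
            continue;
        if (strcmp(ev.target, "root") != 0)
            st.other++;
        else if (ev.failed)
            st.bad_to_root++;
        else
            st.ok_to_root++;
    }
    return st;
}

/* Constructed sample: the first line is the one quoted in the thread, the
 * others are made up in the same format (the last one is not an su record). */
static const char *const SAMPLE_LOG[] = {
    "Jul 25 13:01:50 boa su: billf to root on /dev/ttyp2",
    "Jul 25 13:03:11 boa su: BAD SU jdoe to root on /dev/ttyp3",
    "Jul 25 13:04:02 boa su: jdoe to root on /dev/ttyp3",
    "Jul 25 13:05:40 boa su: alice to operator on /dev/ttyp4",
    "Jul 25 13:06:00 boa sshd[141]: Accepted password for alice from 192.0.2.10",
};

struct su_stats audit_sample(void)
{
    return audit_su(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
}

int main(void)
{
    size_t i;
    struct su_stats st;
    for (i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++) {
        struct su_event ev;
        if (parse_su_line(SAMPLE_LOG[i], &ev))
            printf("%-6s %s -> %s on %s\n", ev.failed ? "FAILED" : "ok",
                   ev.user, ev.target, ev.tty);
    }
    st = audit_sample();
    printf("root: %d successful, %d failed; other targets: %d\n",
           st.ok_to_root, st.bad_to_root, st.other);
    return 0;
}
```

The same record is what a shared root login cannot produce: with direct root logins the tty is known but the person is not, which is the point of the message above.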
From: Dag-Erling Smorgrav
Date: 25 Jul 2000 19:05:43 +0200
In-Reply-To: Mike Silbersack's message of "Tue, 25 Jul 2000 11:56:47 -0500 (CDT)"
Message-ID:
Lines: 13
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mike Silbersack writes:
> Actually, if I recall correctly, there are some Java applet ssh clients
> out there now. I haven't personally tried them, but I imagine they're
> probably more useable than the windows telnet client in any case. Perhaps
> once the RSA patent clears they can become more widespread in use.

MindTerm (http://www.mindbright.se/mindterm/) works fine and has a very good terminal emulator. Illegal in the US until September, though, because of the RSA patent

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jul 25 10:23: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from federation.addy.com (federation.addy.com [208.11.142.20]) by hub.freebsd.org (Postfix) with ESMTP id 787B237BED2 for ; Tue, 25 Jul 2000 10:23:03 -0700 (PDT) (envelope-from jim@federation.addy.com)
Received: from localhost (jim@localhost) by federation.addy.com (8.9.3/8.9.3) with ESMTP id NAA29523 for ; Tue, 25 Jul 2000 13:22:57 -0400 (EDT) (envelope-from jim@federation.addy.com)
Date: Tue, 25 Jul 2000 13:22:57 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> there are some Java applet ssh clients out there now.

Have been for a long while. (1+ years at least) Here's one that I bookmarked a while ago, although there are several others I've seen that gave mixed results...

http://www.cl.cam.ac.uk/~fapp2/software/java-ssh/

Personally, I distrust JAVA-based clients since you really have no way of knowing that they're not retransmitting your host/user/pass to an unscrupulous listener. But of course there's no stopping SecureCRT from doing the same thing except their good reputation.

-=Jim=-

From owner-freebsd-security Tue Jul 25 11:26:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fnal.gov (heffalump.fnal.gov [131.225.9.20]) by hub.freebsd.org (Postfix) with ESMTP id 9512937B7E4 for ; Tue, 25 Jul 2000 11:26:53 -0700 (PDT) (envelope-from zingelman@fnal.gov)
Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FY900AFKN8QFC@smtp.fnal.gov> for freebsd-security@FreeBSD.ORG; Tue, 25 Jul 2000 13:26:50 -0500 (CDT)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id NAA07727 for ; Tue, 25 Jul 2000 13:26:49 -0500 (CDT)
Date: Tue, 25 Jul 2000 13:26:49 -0500 (CDT)
From: Tim Zingelman
Subject: Re: allow access of root user
In-reply-to:
X-Sender: tez@nova.fnal.gov
To: freebsd-security@FreeBSD.ORG
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Personally, I distrust JAVA-based clients since you really have no way
> of knowing that they're not retransmitting your host/user/pass to an
> unscrupulous listener.

Actually, if it is an applet (the one I've used is) then the java applet security model will keep them from sending anything to anyone except the host that served the applet.

- Tim

From owner-freebsd-security Tue Jul 25 11:44:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 76F8B37B75C for ; Tue, 25 Jul 2000 11:44:04 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id UAA87777; Tue, 25 Jul 2000 20:44:00 +0200 (CEST) (envelope-from des@flood.ping.uio.no)
To: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
References:
From: Dag-Erling Smorgrav
Date: 25 Jul 2000 20:44:00 +0200
In-Reply-To: Jim Sander's message of "Tue, 25 Jul 2000 13:22:57 -0400 (EDT)"
Message-ID:
Lines: 13
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Sander writes:
> Personally, I distrust JAVA-based clients since you really have no way
> of knowing that they're not retransmitting your host/user/pass to an
> unscrupulous listener.

Yes, you do: you read the source code, just like with any other open-source software.

http://www.mindbright.se/mindterm/

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jul 25 11:49:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from federation.addy.com (federation.addy.com [208.11.142.20]) by hub.freebsd.org (Postfix) with ESMTP id 8A6DF37B933 for ; Tue, 25 Jul 2000 11:49:35 -0700 (PDT) (envelope-from jim@federation.addy.com)
Received: from localhost (jim@localhost) by federation.addy.com (8.9.3/8.9.3) with ESMTP id OAA36976 for ; Tue, 25 Jul 2000 14:49:34 -0400 (EDT) (envelope-from jim@federation.addy.com)
Date: Tue, 25 Jul 2000 14:49:34 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Actually, if it is an applet (the one I've used is) then the java applet
> security model will keep them from sending anything to anyone except the
> host that served the applet.

Good point- didn't think of that at the time, and in the situation that prompted this discussion it would be effective. (unless your JVM implementation was buggy in that respect)

The general case, and specifically the reference I gave, is different though- you specify the host to connect to, so hopefully the programmer didn't log your info and present it with his thesis. :)

-=Jim=-

From owner-freebsd-security Tue Jul 25 12: 4:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id ABE9237B993 for ; Tue, 25 Jul 2000 12:04:50 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 8510B9EE01; Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 819DE9B001; Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
From: Mike Hoskins
To: Dan O'Connor
Cc: cjclark@alum.mit.edu, Stephen Montgomery-Smith , freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <015601bff607$1c48cbc0$029b140a@danco>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Dan O'Connor wrote:
> I'm confused as to how ipfw treats packets with forwarding turned on, but
> without NAT. Packets that aren't natted supposedly only make one trip
> through the rules, so does ipfw check the packet as if it exists on both
> interfaces (in on one, out on the other) at the same time?

Well... Using only ipfw(8) as reference,

    The via keyword causes the interface to always be checked. If recv or
    xmit is used instead of via, then only the receive or transmit interface
    (respectively) is checked. By specifying both, it is possible to match
    packets based on both receive and transmit interface...

And from 'CHECKLIST',

    o Remember that you filter both packets going in and out. Most
      connections need packets going in both directions.

Elsewhere...

    Remember in fact that ipfw rules are checked both on incoming and
    outgoing packets.

So it seems default behavior is to check all rules for packets on all interfaces... For that reason, the via and recv/xmit keywords give flexibility to 'modify' that behavior.
-mrh

From owner-freebsd-security Tue Jul 25 12:13:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 1C24C37B87E for ; Tue, 25 Jul 2000 12:13:33 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 243479EE01; Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 1BC879B001; Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D0A56.E695E55C@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Jul 2000, Stephen Montgomery-Smith wrote:
> I read the ipfw man page, and it is so terse on this subject
> that I cannot understand it. Like many man pages, it gives
> a lot of details, but does not provide the overall picture.

As I said, not a complete reference... But I think if you read it enough times (not unlike many mathematics texts ;), it does sink in.

> If anyone could tell me the overall picture of what dynamic rules
> are about - give me a start and a context so that the man page
> makes sense, I would really appreciate it.

The ruleset I pasted, at least, is pretty straightforward... For incoming connections, allow/deny based upon the specific static rules I specified... For outgoing (from inside LAN) connections, essentially 'listen' for attempts, dynamically generate specific rules needed by that session (check state), then monitor the connection and keep the dynamic rule around as long as a conversation is taking place (keep state). So, essentially, your firewall is 'learning' rules for internal hosts... Allowing exactly what they need on the fly. You can still limit hosts with specific denys if your LAN is not fully trusted.

I came into this mess with mostly only PIX/FW1 experience... I'll admit some initial frustration when glancing over the man page, but after I decided to read it, word for word, and started toying with the examples, I've found ipfw's syntax/behavior to be (often) more appealing than the other products I use on a daily basis.
-mrh

From owner-freebsd-security Tue Jul 25 12:23:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 43BCF37B873 for ; Tue, 25 Jul 2000 12:23:41 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id E557A9EE01; Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id DD8569B001; Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:23:15 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D4062.4A1FFFE2@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> > $fwcmd add divert natd all from any to any via ${natd_interface}
> Yes, I had the same idea over dinner. Trouble is, it doesn't work.
> I tried it.

Note that I'm not arguing this couldn't be clearer or that, possibly, the code needs cleaned up in some way. I'm not arguing for or against such statements - I haven't looked at the code, so I'm trying to offer advice based only upon ipfw(8) and my lowly interpretation thereof...

With that in mind, consider the above rules... A packet from an external host attempting to communicate with an inside, privately addressed host will undergo the following:

* from outside machine to outside IP (in oif)
* from outside IP to inside IP (divert)
* deliver to inside IP (out iif)

Given this behavior, the above rules will obviously not work, because the 'deny all from ANY' rule will deny packets from 'outside IP to inside IP' which must take place according to the behavior described above.
-mrh

From owner-freebsd-security Tue Jul 25 12:46:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from federation.addy.com (federation.addy.com [208.11.142.20]) by hub.freebsd.org (Postfix) with ESMTP id C80E537B86E for ; Tue, 25 Jul 2000 12:46:15 -0700 (PDT) (envelope-from jim@federation.addy.com)
Received: from localhost (jim@localhost) by federation.addy.com (8.9.3/8.9.3) with ESMTP id PAA42324 for ; Tue, 25 Jul 2000 15:46:14 -0400 (EDT) (envelope-from jim@federation.addy.com)
Date: Tue, 25 Jul 2000 15:46:14 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Yes, you do: you read the source code, just like with any other
> open-source software.

That's true to an extent. If you're installing for your own use, it can be very safe. The risk there would be a malicious or poor implementation, and honestly I'm not a good enough programmer to catch all the cases where that could happen even looking at the source.

If you're using a "foreign" applet to connect, it's not as safe- you'd have to decompile the JAVA bytecode back into source in order to make sure what is executing matches what is published. This isn't something I'm likely to do, which is why I made the comments I did.

Even open-source code that isn't "branded" by a well-respected organization isn't going to get a lot of trust. (from me) It's simply impossible for me to do an effective audit of every tool I use, so I rely upon the support and trust given by such fine organizations as FreeBSD. :)

-=Jim=-

From owner-freebsd-security Tue Jul 25 12:49: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 8CCF037B56C for ; Tue, 25 Jul 2000 12:49:05 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 7A3A69EE01; Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 723F49B001; Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:48:42 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D4214.48E908CC@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> Actually there is also a rule in rc.firewall:
>
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> which the web site changed to
> ${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}
> I found that this change was unnecessary.

Unnecessary, and perhaps unwanted if your LAN isn't fully trusted. The first rule will stop packets with source addresses of 192.168.0.0/16 going anywhere (in or out) on the outside interface. This effectively stops some DoS attacks AND disallows RFC1918 spoofing from your network. The second rule stops inbound (DoS) packets, but 'trusts' your LAN by allowing outbound (spoofed) packets. If your LAN is small and 'trusted', that may be okay, otherwise... You probably don't want to willingly make your network the source of a DoS.

> But if you think about it logically, that change should be necessary.

I'm not sure if this is logical... But here's my view of a packet sent from an inside host to an outside host (and everyone, please correct me if this is wrong, like I said, I've only been toying with ipfw for a couple weeks now):

* from inside machine for outside machine (sent to inside IP/interface, which is the inside/private network's gw, 'in via iif')
* from outside ip to outside machine (divert, sent 'out via oif')
* delivered to outside machine

That would seem to describe the packet's path as well as why the above rules behave as they do. The ruleset I pasted earlier (and am using now) catches inbound RFC1918 addresses, and allows everything out (check/keep-state).
This is because my home LAN consists of only seven hosts at the moment (all touched only by me and my SO). If this was a publicly used LAN, I'd add specific deny/log rules for RFC1918 nets from inside hosts to stop and log DoS attempts.

-mrh

From owner-freebsd-security Tue Jul 25 12:51:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id D073F37B6C7 for ; Tue, 25 Jul 2000 12:51:09 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id B4F839EE01; Tue, 25 Jul 2000 12:50:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id AC9909B001; Tue, 25 Jul 2000 12:50:46 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:50:46 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D4A06.9CFAF1FA@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> We could add another option to natd that would disallow
> any outgoing packets sent to an unregistered ip address,
> and disallow any incoming packets from or to an unregistered
> ip address. Call it -antispoof.

If it makes it easier for everyone (and I don't see how it wouldn't), I'll cast my vote for -antispoof.

-mrh

From owner-freebsd-security Tue Jul 25 12:56:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 91F2F37B6F6 for ; Tue, 25 Jul 2000 12:56:08 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 797499EE01; Tue, 25 Jul 2000 12:55:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 71A269B001; Tue, 25 Jul 2000 12:55:45 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:55:45 -0700 (PDT)

From: Mike Hoskins
Date: Tue, 25 Jul 2000 12:55:45 -0700 (PDT)
To: Mike Silbersack
Cc: James Wyatt, Bart van Leeuwen, Jean-Claude STAQUET, freebsd-security@freebsd.org
Subject: Re: allow access of root user

On Tue, 25 Jul 2000, Mike Silbersack wrote:

> Actually, if I recall correctly, there are some Java applet ssh clients
> out there now. I haven't personally tried them, but I imagine they're

Yes, and it looks pretty nice. FYI - http://www.monkey.org/connect/

-mrh

From: "Rodney W. Grimes"
Date: Tue, 25 Jul 2000 14:28:09 -0700 (PDT)
To: mike@adept.org (Mike Hoskins)
Cc: stephen@math.missouri.edu (Stephen Montgomery-Smith), freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
>
> > We could add another option to natd that would disallow
> > any outgoing packets sent to an unregistered ip address,
> > and disallow any incoming packets from or to an unregistered
> > ip address. Call it -antispoof.
>
> If it makes it easier for everyone (and I don't see how it wouldn't), I'll
> cast my vote for -antispoof.

And I'll cast my vote against -antispoof for the following reasons.

a) The non-problem it attempts to solve can be handled by a correct
   ipfw rule set.

b) These are RFC1918 addresses and have little to nothing to do with
   spoofing. RFC1918 != spoof. Spoofing occurs when using legitimate
   globally routed IP addresses, usually the attack target's address as a
   source address in a packet. The flag should be -antirfc1918.

c) It also totally ignores the fact that the problematic IP addresses
   are much more than RFC1918 and include the following:
   0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
   that need to be dealt with properly and carefully at both interfaces
   in a firewall.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From: Mike Hoskins
Date: Tue, 25 Jul 2000 14:52:35 -0700 (PDT)
To: "Rodney W. Grimes"
Cc: Stephen Montgomery-Smith, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

On Tue, 25 Jul 2000, Rodney W. Grimes wrote:

> a) The non-problem it attempts to solve can be handled by a correct
>    ipfw rule set.

Agreed.

> c) It also totally ignores the fact that the problematic IP addresses
>    are much more than RFC1918 and include the following:
>    0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
>    that need to be dealt with properly and carefully at both interfaces
>    in a firewall.

Point taken, and agreed.

-mrh

From: Stephen Montgomery-Smith
Date: Tue, 25 Jul 2000 17:12:28 -0500
To: "Rodney W. Grimes"
Cc: Mike Hoskins, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

"Rodney W. Grimes" wrote:
>
> And I'll cast my vote against -antispoof for the following reasons.
>
> a) The non-problem it attempts to solve can be handled by a correct
>    ipfw rule set.

Well, now that I understand a bit how dynamic rules work, I'm going to
agree with this vote against my own idea.  Those dynamic rules are
really very very nice.

But maybe a dynamic rule set should be put into the default rc.firewall -
perhaps not replace simple, but an additional - maybe call it dynamic.

Also, it would be good to add some comments to rc.firewall to explain this.

>
> b) These are RFC1918 addresses and have little to nothing to do with
>    spoofing.  RFC1918 != spoof.  Spoofing occurs when using legitimate
>    globally routed IP addresses, usually the attack target's address as a
>    source address in a packet.  The flag should be -antirfc1918.

That is easily fixed.

---

So my programming effort was perhaps a waste of time, except I got to see
some of the inner workings of natd - truly beautiful.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

From: Mike Hoskins
Date: Tue, 25 Jul 2000 15:31:23 -0700 (PDT)
To: Stephen Montgomery-Smith
Cc: "Rodney W. Grimes", freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:

> Well, now that I understand a bit how dynamic rules work, I'm going to
> agree with this vote against my own idea.  Those dynamic rules are
> really very very nice.

How'd we ever live without 'em?  ;)

> But maybe a dynamic rule set should be put into the default rc.firewall -
> perhaps not replace simple, but an additional - maybe call it dynamic.

It may well be added...  Stateful ipfw is a relatively new happening (ipfw
didn't previously have check/keep-state, you had to use ipf for such
features).

> Also, it would be good to add some comments to rc.firewall to explain this.

Aye...  A thoroughly-commented 'dynamic' rc.firewall option may be the
best thing to come out of all this.

-mrh

From: Stephen Montgomery-Smith
Date: Tue, 25 Jul 2000 18:09:25 -0500
To: freebsd-security@FreeBSD.ORG
Subject: log with dynamic firewall rules

I would like to set up a firewall with dynamic rules to allow
ssh from the outside.  I would like these incoming ssh's logged.
So I tried something like:

ipfw add pass log tcp from any to my.computer.net 22 keep-state setup

Now it would make sense to me that this would log the initial setup,
but that the following times that the then created dynamic rule is
invoked would not be logged.

However that is not the case.  All the tcp packets between the
established connection are logged.

I know that I could have some rules:

add pass tcp from any to any in via ${oif} established
add pass all from any to any frag

before this one, but doesn't that defeat part of the point of
dynamic rules?

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu
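The behaviour in the post above, modelled in Python as an added example (this is not code from FreeBSD or from anyone in the thread): a small ipfw-style evaluator with `check-state`, `keep-state`, `setup`, `established` and `log`, run over a constructed inbound ssh handshake with and without the `established` rule Stephen mentions. The addresses, rule numbers and packets are constructed; `in via ${oif}` and `frag` are not modelled.

```python
"""Toy model of ipfw stateful matching and the `log` keyword.

Added example for the post above, not code from FreeBSD or from the posters.
A packet matched through a dynamic entry is handled by the rule that created
the entry, so its log flag fires for every packet of the flow (what Stephen
saw).  `in via ${oif}` and `frag` are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    num: int
    action: str = "pass"
    log: bool = False
    check_state: bool = False   # a bare `check-state` rule
    dst: str = "any"
    dport: int = 0              # 0 means any port
    setup: bool = False         # TCP SYN without ACK
    established: bool = False   # TCP with ACK set
    keep_state: bool = False


def flow_key(p):
    # One dynamic entry covers both directions of the same 4-tuple.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def static_match(r, p):
    if r.dst != "any" and p.dst != r.dst:
        return False
    if r.dport and p.dport != r.dport:
        return False
    if r.setup and not (p.syn and not p.ack):
        return False
    if r.established and not p.ack:
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}   # flow key -> Rule that created the entry
        self.logged = []    # one (rule number, packet) per log line

    def apply(self, r, p):
        if r.log:
            self.logged.append((r.num, p))
        return r.action

    def process(self, p):
        for r in self.rules:
            # Dynamic table is consulted first; a hit is handled (and logged) by the parent rule.
            if r.check_state or r.keep_state:
                parent = self.dynamic.get(flow_key(p))
                if parent is not None:
                    return self.apply(parent, p)
                if r.check_state:
                    continue
            if static_match(r, p):
                if r.keep_state:
                    self.dynamic[flow_key(p)] = r
                return self.apply(r, p)
        return "deny"   # kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT


# Constructed inbound ssh session: three-way handshake plus one data segment.
ME, CLIENT = "my.computer.net", "203.0.113.7"   # 203.0.113.0/24: documentation space
SSH_FLOW = [
    Packet(CLIENT, 40000, ME, 22, syn=True),
    Packet(ME, 22, CLIENT, 40000, syn=True, ack=True),
    Packet(CLIENT, 40000, ME, 22, ack=True),
    Packet(CLIENT, 40000, ME, 22, ack=True),
]
# Stephen's rule: ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
KEEP_STATE_ONLY = [Rule(100, log=True, dst=ME, dport=22, setup=True, keep_state=True)]
# His workaround: `add pass tcp from any to any established` ahead of it
ESTABLISHED_FIRST = [Rule(50, established=True)] + KEEP_STATE_ONLY


def run(rules, packets):
    """Return (verdicts, number of log lines) for a rule set over a packet list."""
    fw = Firewall(rules)
    return [fw.process(p) for p in packets], len(fw.logged)


def logged_per_ruleset():
    """Log lines produced by the whole ssh flow under each rule set."""
    return {"keep_state_only": run(KEEP_STATE_ONLY, SSH_FLOW)[1],
            "established_first": run(ESTABLISHED_FIRST, SSH_FLOW)[1]}


def stray_ack_verdicts():
    """A bare ACK to port 23 with no prior state: the `established` shortcut passes it."""
    stray = Packet(CLIENT, 40001, ME, 23, ack=True)
    return {"keep_state_only": run(KEEP_STATE_ONLY, [stray])[0][0],
            "established_first": run(ESTABLISHED_FIRST, [stray])[0][0]}
```

With only the keep-state rule every packet of the flow produces a log line; with the `established` rule in front only the SYN is logged, but the same rule also passes a stateless ACK the dynamic table would have dropped.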

From: Mike Hoskins
Date: Tue, 25 Jul 2000 16:28:29 -0700 (PDT)
To: Stephen Montgomery-Smith
Cc: "Rodney W. Grimes", freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

On Tue, 25 Jul 2000, Mike Hoskins wrote:

> Aye...  A thoroughly-commented 'dynamic' rc.firewall option may be the
> best thing to come out of all this.

And, along those lines...  Comments on the following, please.  It attempts
to mimic 'simple' as closely as possible and use compatible terminology
for ease of comparison.

-mrh

*** rc.firewall.orig	Tue Jul 25 15:33:17 2000
--- rc.firewall	Tue Jul 25 16:25:33 2000
***************
*** 225,230 ****
--- 225,288 ----
  # config file.
  ;;
+ [Dd][Yy][Nn][Aa][Mm][Ii][Cc])
+ ############
+ # This is a prototype setup for a minimal dynamic firewall. It
+ # uses the check-state and keep-state options to allow dynamically-
+ # generated rules for inside clients. Configure this machine as a
+ # name, mail and ntp server and point inside clients at it.
+ ############
+
+ # Set these to your outside interface, network, netmask and ip
+ oif="ed0"
+ onet="192.0.2.0"
+ omask="255.255.255.240"
+ oip="192.0.2.1"
+
+ # Set these to your inside interface, network, netmask and ip
+ iif="ed1"
+ inet="192.0.2.16"
+ imask="255.255.255.240"
+ iip="192.0.2.17"
+
+ # NOTE: We assume the inside network is trusted. You may want
+ # to add more granular control for inside clients with specific
+ # denys. As is, any connection initiated by an inside client
+ # is allowed.
+
+ # This is a stateful firewall with dynamically-generated rules.
+ # Check the dynamically-generated rules first.
+ ${fwcmd} add check-state
+
+ # Allow dynamically-generated rules to be created for our
+ inside clients. Upon a match, the firewall will create
+ # an explicit, dynamic rule matching bidirectional traffic
+ # between source and destination IP/port using the same
+ # protocol. The rule has a lifetime controlled by
+ # sysctl(8) variables as described in the 'SYSCTL VARIABLES'
+ # section of ipfw(8).
+ ${fwcmd} add allow ip from ${oip} to any keep-state
+ ${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state
+
+ # Allow setup of incoming email
+ ${fwcmd} add pass tcp from any to ${oip} 25 setup
+
+ # Allow access to our WWW
+ ${fwcmd} add pass tcp from any to ${oip} 80 setup
+
+ # Allow DNS queries out in the world
+ ${fwcmd} add pass udp from any 53 to ${oip}
+ ${fwcmd} add pass udp from ${oip} to any 53
+
+ # Allow NTP queries out in the world
+ ${fwcmd} add pass udp from any 123 to ${oip}
+ ${fwcmd} add pass udp from ${oip} to any 123
+
+ # Everything else is denied by default, unless the
+ # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
+ # config file.
+ ;;
+
  [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
  ;;
  *)
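Review bot: the second keep-state rule, `+ ${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state`, has its braces in the wrong place: `{$imask}` expands to a literal `{` and `}` around the mask, so ipfw is handed `192.0.2.16:{255.255.255.240}` and rejects the rule; it should read `${inet}:${imask}`, matching the `${inet}`/`${oip}` spelling used on the neighbouring lines. The four DNS/NTP rules `pass udp from any 53 to ${oip}` and `pass udp from any 123 to ${oip}` also deserve a second look: they admit any UDP datagram whose source port happens to be 53 or 123 to every UDP port on the firewall, while the firewall's own queries already leave through `allow ip from ${oip} to any keep-state` and get a dynamic entry for the replies, so the inbound halves can go, or be pinned to the specific server and to `${oip} 53` / `${oip} 123`. Finally, nothing in the block denies packets arriving `in via ${oif}` with a source inside `${inet}:${imask}` or in the other ranges raised earlier in this thread; a `deny` for those ahead of `check-state` is the usual complement to a stateful rule set.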

From: Warner Losh
Date: Tue, 25 Jul 2000 17:34:08 -0600
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-reply-to: Your message of "Tue, 25 Jul 2000 03:04:22 CDT."

I don't think we need a special option.  We have the following in our
firewall rules:

#
# filter_net
#
# Takes one or two arguments.
#
# This will filter out traffic to/from these networks.  The first argument
# will be filtered.  If there is a second argument, it is the interface to
# filter on
#
filter_net() {
	via=${2:+via $2}
	$fwcmd add deny log ip from any to $1 ${via}
	$fwcmd add deny log ip from $1 to any ${via}
}

inet_if=fxp0

filter_net 192.168.0.0:255.255.0.0
filter_net 172.16.0.0:255.240.0.0
filter_net 10.0.0.0:255.0.0.0 ${inet_if}

and this has been verified to work.  We use net10 internally and we need
for the router that we have to be able to pass those packets through the
router, but not out to the internet, which is on fxp0.

Warner

From: Mike Hoskins
Date: Tue, 25 Jul 2000 16:37:24 -0700 (PDT)
To: Stephen Montgomery-Smith
Cc: "Rodney W. Grimes", freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

On Tue, 25 Jul 2000, Mike Hoskins wrote:

> And, along those lines...  Comments on the following, please.  It attempts
> to mimic 'simple' as closely as possible and use compatible terminology
> for ease of comparison.

> + ${fwcmd} add allow ip from ${oip} to any keep-state
> + ${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state

Except for using 'allow' instead of rc.firewall's 'pass'.  Oops.

Well, except for that, any change suggestions?  If not, could this be added?

-mrh

From: Bill Fumerola
Date: Tue, 25 Jul 2000 19:39:41 -0400 (EDT)
To: "Rodney W. Grimes"
Cc: Mike Hoskins, Stephen Montgomery-Smith, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

On Tue, Jul 25, 2000 at 02:28:09PM -0700, Rodney W. Grimes wrote:

> And I'll cast my vote against -antispoof for the following reasons.

Ditto.

> a) The non-problem it attempts to solve can be handled by a correct
>    ipfw rule set.
>
> b) These are RFC1918 addresses and have little to nothing to do with
>    spoofing.  RFC1918 != spoof.  Spoofing occurs when using legitimate
>    globally routed IP addresses, usually the attack target's address as a
>    source address in a packet.  The flag should be -antirfc1918.
>
> c) It also totally ignores the fact that the problematic IP addresses
>    are much more than RFC1918 and include the following:
>    0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4
>    that need to be dealt with properly and carefully at both interfaces
>    in a firewall.

Speaking as someone who operates a packet magnet, spoofed addresses come
from _EVERYWHERE_ and there isn't a whole lot you can do to stop that
(short of checking the route back before allowing the packet, which is more
costly etc etc, cisco has something that does this).

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org

From: Garrett Wollman
Date: Tue, 25 Jul 2000 20:07:02 -0400 (EDT)
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

< said:

> (short of checking the route back before allowing the packet, which is more
> costly etc etc, cisco has something that does this).

Yep.  Great feature, and it wouldn't be at all hard to implement in
FreeBSD (it should be pretty obvious how to add the check in
ip_forward()).  Of course, even if you do that, you still need to
filter out the ``bad'' addresses:

Extended IP access list no-martians-dos-ai
    deny ip 0.0.0.0 0.255.255.255 any (66130 matches)
    deny ip 127.0.0.0 0.255.255.255 any (235210 matches)
    deny ip 192.0.2.0 0.0.0.255 any (2 matches)
    deny ip 10.0.0.0 0.255.255.255 any (1435097 matches)
    deny ip 172.16.0.0 0.15.255.255 any (686656 matches)
    deny ip 192.168.0.0 0.0.255.255 any (1461597 matches)
    deny ip 169.254.0.0 0.0.255.255 any (92100 matches)
    deny ip 224.0.0.0 15.255.255.255 any (653608 matches)
    deny ip any 128.52.0.255 0.0.255.0 (6266340 matches)
    [private stuff deleted]
    permit ip any any (82311204 matches)

(This is a bit misleading: I'm fairly certain that the last counter has
already wrapped, so the proportion is actually around a tenth of a
percent.)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From: Bill Fumerola
Date: Tue, 25 Jul 2000 20:14:35 -0400 (EDT)
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

On Tue, Jul 25, 2000 at 08:07:02PM -0400, Garrett Wollman wrote:

> < said:
>
> > (short of checking the route back before allowing the packet, which is more
> > costly etc etc, cisco has something that does this).
>
> Yep.  Great feature, and it wouldn't be at all hard to implement in
> FreeBSD (it should be pretty obvious how to add the check in
> ip_forward()).  Of course, even if you do that, you still need to
> filter out the ``bad'' addresses:

I've pretty much been consumed with the 2k lines of ip_fw.c recently so I
have a decent knowledge of how it works now (scary..), would this be
something we'd want to do within ipfw or as a separate entity?

Is there more data (whitepapers, etc) on what the cisco products do?

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org

From: Stephen Montgomery-Smith
Date: Tue, 25 Jul 2000 19:59:05 -0500
To: Mike Hoskins
Cc: "Rodney W. Grimes", freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall

Mike Hoskins wrote:
>
> On Tue, 25 Jul 2000, Mike Hoskins wrote:
>
> > Aye...  A thoroughly-commented 'dynamic' rc.firewall option may be the
> > best thing to come out of all this.
>
> And, along those lines...  Comments on the following, please.  It attempts
> to mimic 'simple' as closely as possible and use compatible terminology
> for ease of comparison.
>
> + ${fwcmd} add allow ip from ${oip} to any keep-state
> + ${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state
> +
> .....................
> + # Allow DNS queries out in the world
> + ${fwcmd} add pass udp from any 53 to ${oip}
> + ${fwcmd} add pass udp from ${oip} to any 53
> +
> + # Allow NTP queries out in the world
> + ${fwcmd} add pass udp from any 123 to ${oip}
> + ${fwcmd} add pass udp from ${oip} to any 123
> +

I don't think the DNS and NTP stuff is necessary.  Aren't they both covered
by the first two rules?

------

Also, shouldn't NTP be

> + ${fwcmd} add pass udp from any 123 to ${oip} 123
> + ${fwcmd} add pass udp from ${oip} 123 to any 123

and how about for the DNS stuff:

> + # Allow DNS queries out in the world
> + ${fwcmd} add pass udp from ${my-name-server} 53 to ${oip}
> + ${fwcmd} add pass udp from ${oip} to ${my-name-server} 53

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

From: Tim Yardley
Date: Tue, 25 Jul 2000 18:18:36 -0700
To: Don Lewis, "Maksimov Maksim",
Subject: Re: How defend from stream2.c attack?

>This version of FreeBSD should be fairly immune to the standard stream2.c
>attack (even without ICMP_BANDLIM, which I would recommend using).  It
>seems the biggest part of the problem was caused by the incoming packets
>which had IP addresses in the multicast range.  We tweaked tcp_input()
>so that these get ignored.  We didn't do anything about broadcast source
>addresses, so if you are attacked by a variant of stream2 that uses these
>you could still have problems.

Just to point it out, the multicast issue was brought up by me in spank.c a
long time ago.

void usage (char *progname)
{
  printf ("usage: %s [-lmnorsw] \n", progname);
  printf ("\t-l\t- local multicast havoc\n");
  printf ("\t-m\t- multicast variation attack\n");
  printf ("\t-n\t- multicast variation attack with random args\n");
  printf ("\t-o\t- original raped attack\n");
  printf ("\t-r\t- pure random attack on dst\n");
  printf ("\t-s\t- original stream attack\n");
  printf ("\t-w\t- whocares attack (random dest w/ variable multicast)\n");
  printf ("\t\t- destination host (not needed for -l or -w)\n");
  printf ("\t\t- ports to flood\n\n");
  exit (1);
}

the different variations were basically "wreaking havoc in semi-random
manners".  Each attack had a facet that was exploited directly, or in the
case of the pure random, by chance.

>I would recommend adding packet filter rules that block incoming packets
>with IP broadcast addresses, both 255.255.255.255, and the broadcast
>address(es) of your local network(s).

And block multicast if you aren't using it in your lan.  Keep in mind that
some switches that are not multicast aware will treat the packets as
broadcasts and create a storm.  Very bad.

/tmy

--
Diving into infinity my consciousness expands in inverse proportion to my distance from singularity
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley@uiuc.edu) | http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
From: Darren Reed Message-Id: <200007260117.LAA18927@cairo.anu.edu.au> Subject: Re: Problems with natd and simple firewall To: billf@chimesnet.com (Bill Fumerola) Date: Wed, 26 Jul 2000 11:17:29 +1000 (Australia/NSW) Cc: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes), mike@adept.org (Mike Hoskins), stephen@math.missouri.edu (Stephen Montgomery-Smith), freebsd-security@FreeBSD.ORG In-Reply-To: <20000725193941.P51462@jade.chc-chimes.com> from "Bill Fumerola" at Jul 25, 2000 07:39:41 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Bill Fumerola, sie said: > > On Tue, Jul 25, 2000 at 02:28:09PM -0700, Rodney W. Grimes wrote: > > > And I'll cast my vote against -antispoof for the following reasons. > > Ditto. > > > a) The non-problem it attempts to solve can be handled by a correct > > ipfw rule set. > > > > b) These are RFC1918 addresses and have little to nothing to do with > > spoofing. RFC1918 != spoof. Spoofing occurs when using ligitmate > > globally routed IP addresses, usually the attack targets address as a > > source address in a packet. The flag should be -antirfc1918. > > > > c) It also totally ignores the fact that the problematic IP addresses > > are much more than RFC1918 and include the following: > > 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 240.0.0.0/4 > > that need to be dealt with properly and carefully at both interfaces > > in a firewall. > > Speaking has someone who operates a packet magnet, spoofed addresses come > from _EVERYWHERE_ and there isn't a whole lot you can do to stop that > (short of checking the route back before allowing the packet, which is more > costly etc etc, cisco has something that does this). 
Just to add fuel to this little fire, IP Filter has a knob which allows for blocking of packets received on an interface for which the route to the source address goes out a different interface.

fr_chksrc
sysctl net.inet.ipf.fr_chksrc

Darren

Message-ID: <397E4012.A1A93351@kpi.com.au>
Date: Wed, 26 Jul 2000 11:34:10 +1000
From: Andrew Johns
Organization: KPI Logistics
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu>

Stephen Montgomery-Smith wrote:
>
> I would like to set up a firewall with dynamic rules to allow
> ssh from the outside. I would like these incoming ssh's logged.
> So I tried something like:
>
> ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
>
> Now it would make sense to me that this would log the initial setup,
> but that the following times that the then created dynamic rule is
> invoked would not be logged.
>
> However that is not the case. All the tcp packets between the
> established connection are logged.
>
> I know that I could have some rules:
>
> add pass tcp from any to any in via ${oif} established
> add pass all from any to any frag
>
> before this one, but doesn't that defeat part of the point of
> dynamic rules?
>

In a word, no.

All packets must pass through the ruleset before being either passed or dropped.

'Dynamic' rules build on the base rules by keeping a table of which connections are presently in use, so that mapping can occur for delivery of the packet back to the correct socket/process, **once it has been passed** by the rule set. (This is my interpretation of it from personal experience - someone please correct me if I'm totally off the rails on this.)

Therefore, any logging before the packet is passed/dropped will still occur as per usual, which is how I'd want to have it anyway.

Regards

--
Andrew Johns BSc.
Principal Consultant
KPI Logistics Pty Ltd
mailto:johnsa@kpi.com.au
http://www.kpi.com.au
How do I set this laser printer to stun?
My favourite boot labels:
F1 Real OS -> http://www.FreeBSD.org
F2 Pretend OS -> http://www.microsoft.com

Message-ID: <397E4487.A868B713@math.missouri.edu>
Date: Tue, 25 Jul 2000 20:53:11 -0500
From: Stephen Montgomery-Smith
To: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu>

Stephen Montgomery-Smith wrote:
>
> I would like to set up a firewall with dynamic rules to allow
> ssh from the outside. I would like these incoming ssh's logged.
> So I tried something like:
>
> ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
>

OK, does everyone else agree with me that if an ipfw rule is logged and keep-state, then one only needs to log when the rule is established - not every time a packet passes through it?

If so, I'll send-pr the following patch:

--- ../src/sys/netinet/ip_fw.c Sat Jul 15 19:25:45 2000
+++ sys/netinet/ip_fw.c Tue Jul 25 20:39:38 2000
@@ -1215,8 +1215,13 @@ f->timestamp = time_second; /* Log to console if desired */ +#if STATEFUL /* stateful ipfw */ + if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && q==NULL) + ipfw_report(f, ip, rif, oif); +#else if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) ipfw_report(f, ip, rif, oif); +#endif /* Take appropriate action */ switch (f->fw_flg & IP_FW_F_COMMAND) {

Message-ID: <397E48D1.DEC661C5@math.missouri.edu>
Date: Tue, 25 Jul 2000 21:11:29 -0500
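Review bot: the new `&& q==NULL` test inside `#if STATEFUL` changes what `log` means for every keep-state rule with no way to opt back in: once the dynamic rule exists a logged rule never reports again, whereas the thread itself asks for a separate keyword (`log-all`) or a flag to choose between the two behaviours. Suggest making the suppression a rule option tested next to IP_FW_F_PRN rather than an unconditional compile-time change, and documenting it in ipfw(8). Two smaller points: `q` is neither declared nor assigned in the hunk, so the patch depends on it being the dynamic-rule match pointer that is NULL for a static match in the surrounding ip_fw_chk code, which should be confirmed before the send-pr; and the `#if`/`#else` duplicates the `ipfw_report(f, ip, rif, oif);` call, so a single `if` with the extra condition folded in (written `q == NULL` per style(9)) would be easier to read.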
From: Stephen Montgomery-Smith
To: Andrew Johns
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au>

OK, I'm not really understanding you here:

suppose I have a rule like:
ipfw add pass log tcp from any to my.computer.net 22 keep-state
let's say it is rule 600.

Now someone ssh's from the outside to my.computer. So on my log file I see:
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

But actually I get a lot more than this - I get a whole bunch of
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
and
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
also in my log file. Indeed, as the ssh connection continues, I get more and more of these, filling up my log file, and really telling me nothing new (especially since entries in the log file are not dated).

Now I could put a logamount option in my rule. This stops all these logs. But then when someone else ssh's into my computer, that info never gets logged.

Now it seems to me that what should happen is this: When someone ssh's into my.computer I should see in the log file
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

A dynamic rule is established, and it would seem to me that all the other packets processed by this dynamic rule should NOT create log entries.

Now of course if someone else ssh's into my.computer, hence establishing a new dynamic rule, then by all means that should be logged.

Basically a packet passing through a dynamic rule should never create a log entry. In the rare instance that one actually wants this, maybe a new rule word log-all could be created.
--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen stephen@math.missouri.edu

Date: Tue, 25 Jul 2000 19:18:32 -0700
From: Alfred Perlstein
To: Stephen Montgomery-Smith
Cc: Andrew Johns, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <20000725191832.H17222@fw.wintelcom.net>
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu>
In-Reply-To: <397E48D1.DEC661C5@math.missouri.edu>; from stephen@math.missouri.edu on Tue, Jul 25, 2000 at 09:11:29PM -0500

* Stephen Montgomery-Smith [000725 19:14] wrote:
> OK, I'm not really understanding you here:
>
> suppose I have a rule like:
> ipfw add pass log tcp from any to my.computer.net 22 keep-state
> let's say it is rule 600.
>
> Now someone ssh's from the outside to my.computer. So on my log file
> I see:
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
>
> But actually I get a lot more than this - I get a whole bunch of
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
> and
> ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
> also in my log file. Indeed, as the ssh connection continues, I
> get more and more of these, filling up my log file, and really
> telling me nothing new (especially since entries in the log file
> are not dated).

You probably want to use the 'setup' keyword to capture the initial connection.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
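The per-packet noise Stephen describes can also be tamed on the syslog side rather than in the kernel. The Python below is an added example for this thread, not code from any of the posters: it parses ipfw log records in the format quoted above and keeps only the first record per connection (both directions of a flow folded together), while every non-Accept record is kept as is. The sample log lines are constructed from the addresses used in the thread.

```python
import re
from collections import OrderedDict

# ipfw log record as written by the FreeBSD 4.x kernel (format quoted in the thread):
#   ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
# syslogd may prefix a timestamp and "/kernel:", so the pattern is searched, not anchored.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample: one ssh session logged in both directions several times,
# one denied telnet probe, and a genuinely new ssh connection from another client.
SAMPLE_LOG = """\
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
ipfw: 65534 Deny TCP 10.9.8.7:4321 12.34.56.78:23 in via rl0
Jul 25 21:11:29 host /kernel: ipfw: 600 Accept TCP 66.77.88.100:2000 12.34.56.78:22 in via rl0
ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
not an ipfw record at all
"""


def parse_ipfw_line(line):
    """Return the fields of one ipfw log record, or None if the line is not one."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def flow_key(rec):
    """Key that is identical for both directions of one connection.

    The reply packets (12.34.56.78:22 -> 66.77.88.99:1000 out) belong to the
    same session as the request, so the two endpoints are sorted before keying.
    """
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return (rec["rule"], rec["proto"]) + tuple(ends)


def collapse_flows(lines, collapse_actions=("Accept",)):
    """Keep the first record per flow for the given actions; keep all other records.

    Returns (kept_lines, suppressed), where suppressed maps each flow key to the
    number of follow-on records dropped for that flow.
    """
    kept = []
    suppressed = OrderedDict()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue                      # not an ipfw record; ignore it
        if rec["action"] not in collapse_actions:
            kept.append(line.strip())     # every Deny/Reset/Unreach record stays
            continue
        key = flow_key(rec)
        if key in suppressed:
            suppressed[key] += 1          # same session seen again: drop it
        else:
            suppressed[key] = 0           # first sight of this session: keep it
            kept.append(line.strip())
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = collapse_flows(SAMPLE_LOG.splitlines())
    for line in kept:
        print(line)
    print("dropped %d follow-on records across %d flows"
          % (sum(suppressed.values()), len(suppressed)))
```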
Message-ID: <397E4BB9.8D9B6A39@kpi.com.au>
Date: Wed, 26 Jul 2000 12:23:53 +1000
From: Andrew Johns
Organization: KPI Logistics
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu>

Why haven't you got something such as:

allow all from any to any established

**PRIOR** to the accept rule - that is what the established keyword is for, I thought.
--
Andrew Johns BSc.
Principal Consultant
KPI Logistics Pty Ltd
mailto:johnsa@kpi.com.au
http://www.kpi.com.au
How do I set this laser printer to stun?
My favourite boot labels:
F1 Real OS -> http://www.FreeBSD.org
F2 Pretend OS -> http://www.microsoft.com
Date: Tue, 25 Jul 2000 19:22:48 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: Andrew Johns, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
In-Reply-To: <397E48D1.DEC661C5@math.missouri.edu>

On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> Now it seems to me that what should happen is this: When
> someone ssh's into my.computer I should see in the log file
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0

You have a good point... It should be possible to configure a rule to log either way... Continuously (perhaps, make this the default behavior) or setup only (via some flag).

-mrh

Message-ID: <397E4D3A.AE59E537@math.missouri.edu>
Date: Tue, 25 Jul 2000 21:30:18 -0500
From: Stephen Montgomery-Smith
To: Alfred Perlstein
Cc: Andrew Johns, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu> <20000725191832.H17222@fw.wintelcom.net>

Alfred Perlstein wrote:
>
> You probably want to use the 'setup' keyword to capture the initial
> connection.
>

I tried that but that didn't stop the excessive logging.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen stephen@math.missouri.edu

Message-ID: <397E4D90.F701C473@math.missouri.edu>
Date: Tue, 25 Jul 2000 21:31:44 -0500
From: Stephen Montgomery-Smith
To: Mike Hoskins
Cc: Andrew Johns, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules

Mike Hoskins wrote:
>
> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
>
> > Now it seems to me that what should happen is this: When
> > someone ssh's into my.computer I should see in the log file
> > ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
>
> You have a good point... It should be possible to configure a rule to log
> either way... Continuously (perhaps, make this the default behavior) or
> setup only (via some flag).
>

I would think the other way - on setup would be the default.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen stephen@math.missouri.edu

Message-ID: <397E4E5F.202EBF1D@math.missouri.edu>
Date: Tue, 25 Jul 2000 21:35:11 -0500
From: Stephen Montgomery-Smith
To: Andrew Johns
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu> <397E4BB9.8D9B6A39@kpi.com.au>

Andrew Johns wrote:
>
> Why haven't you got something such as:
>
> allow all from any to any established
>
> **PRIOR** to the accept rule - that is what the established keyword is
> for, I thought.
>

But that defeats the whole point of having a dynamic rule established - with the above rule the dynamic rule will never be used.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen stephen@math.missouri.edu
From: Darren Reed
Message-Id: <200007260239.MAA02404@cairo.anu.edu.au>
Subject: Re: log with dynamic firewall rules
To: stephen@math.missouri.edu (Stephen Montgomery-Smith)
Date: Wed, 26 Jul 2000 12:39:44 +1000 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <397E4487.A868B713@math.missouri.edu> from "Stephen Montgomery-Smith" at Jul 25, 2000 08:53:11 PM

In some mail from Stephen Montgomery-Smith, sie said:
>
> Stephen Montgomery-Smith wrote:
> >
> > I would like to set up a firewall with dynamic rules to allow
> > ssh from the outside. I would like these incoming ssh's logged.
> > So I tried something like:
> >
> > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> >
>
> OK, does everyone else agree with me that if an ipfw rule is logged
> and keep-state, then one only needs to log when the rule is established -
> not every time a packet passes through it?
[...]

ah, you've stumbled across that one :)

pass in log first ... keep state

is what you would do in IP Filter :-) Remember, that there may be some situations where you want to log them all. On top of that, you can just leave out "log" from the filter rule and use the state log instead.

You know, in half the time you've spent toying with ipfw you could have had ipfilter working and not had to patch the source O:-)

It seems the "statefulness" of ipfw is much more complex than it should be.
Darren

Date: Tue, 25 Jul 2000 22:47:10 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200007260247.WAA08877@khavrinen.lcs.mit.edu>
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <20000725201435.Q51462@jade.chc-chimes.com>
References: <200007252128.OAA52048@gndrsh.dnsmgr.net> <20000725193941.P51462@jade.chc-chimes.com> <200007260007.UAA08510@khavrinen.lcs.mit.edu> <20000725201435.Q51462@jade.chc-chimes.com>

< said:

> I've pretty much been consumed with the 2k lines of ip_fw.c recently
> so I have a decent knowledge of how it works now (scary..), would this
> be something we'd want to do within ipfw or as a separate entity?

ipfw *hack* *spit* *cough*

OK, I've recovered now. It's probably easiest to do it in ipfw, since that gives you a mechanism to specify it on an interface-by-interface basis. Something like `deny from any to any !rpf-check via intX' (or, for the converse, `pass from any to any rpf-check via intX'). I think you need to be careful to do this only when packets arrive; if you do this check on departing packets you may trip over some legitimate traffic.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

Message-ID: <397E5342.16736F51@math.missouri.edu>
Date: Tue, 25 Jul 2000 21:56:02 -0500
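Darren's fr_chksrc knob and Garrett's proposed rpf-check are the same idea, a reverse-path check: a packet is dropped when the route back to its source address would leave by a different interface than the one it arrived on. The Python below is an added example for this thread, not IP Filter's or ipfw's code, using a constructed routing table whose interface names and prefixes are assumptions; it also applies Garrett's caveat by running the check only on arriving packets.

```python
import ipaddress

# Constructed routing table (destination prefix -> egress interface). The
# interface names and prefixes are assumptions made for this example only.
ROUTES = [
    ("0.0.0.0/0", "ext0"),       # default route towards the provider
    ("192.168.1.0/24", "int0"),  # office LAN (RFC1918)
    ("10.0.0.0/8", "int1"),      # lab network (RFC1918)
    ("127.0.0.0/8", "lo0"),      # loopback, one of the prefixes Rodney listed
]


def build_table(routes):
    """Parse the textual table into (network, interface) pairs."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def lookup_egress(table, addr):
    """Longest-prefix match: which interface would a packet *to* addr leave by?

    Returns None when nothing matches (for example, no default route).
    """
    ip = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for net, ifname in table:
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def rpf_ok(table, src, ingress):
    """Strict reverse-path check, the idea behind fr_chksrc / rpf-check.

    The packet passes only if the route back to its source address leaves by
    the interface it arrived on. A source with no route at all fails too.
    """
    return lookup_egress(table, src) == ingress


def filter_packet(table, src, iface, direction):
    """Verdict for one packet seen on iface; direction is 'in' or 'out'.

    Per Garrett's caveat the check is applied only to arriving packets: on the
    way out the source is our own or a forwarded address whose route
    legitimately points at another interface.
    """
    if direction != "in":
        return "pass"
    return "pass" if rpf_ok(table, src, iface) else "deny"


if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed packets: (source address, interface seen on, direction)
    for src, iface, direction in [
        ("203.0.113.9", "ext0", "in"),    # ordinary Internet source: pass
        ("192.168.1.5", "ext0", "in"),    # LAN address arriving from outside: deny
        ("127.0.0.1", "ext0", "in"),      # loopback source from outside: deny
        ("192.168.1.5", "int0", "in"),    # LAN address on the LAN interface: pass
        ("192.168.1.5", "ext0", "out"),   # outbound packet, not checked: pass
    ]:
        verdict = filter_packet(table, src, iface, direction)
        print(f"{src:>14} {direction:3} via {iface}: {verdict}")
```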
From: Stephen Montgomery-Smith
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <200007260239.MAA02404@cairo.anu.edu.au>

Ah, well this shows my patchy knowledge. I didn't even know about ipf until I read your post. I'll go read the man pages. Would running both ipfw and ipf be considered over the top?
--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen stephen@math.missouri.edu

Date: Tue, 25 Jul 2000 22:18:44 +0200
From: kurt@pinboard.com
To: Stephen Hocking
Cc: security@FreeBSD.ORG
Subject: Re: Script kiddies and their port scans
Message-ID: <20000725221843.A328@pinboard.com>
In-Reply-To: <200007242314.SAA01912@bloop.craftncomp.com>; from shocking@houston.rr.com on Mon, Jul 24, 2000 at 06:14:09PM -0500

On Mon, Jul 24, 2000 at 06:14:09PM -0500, Stephen Hocking wrote:
> Checking the firewall logs I see various attempts to connect to rather unusual
> ports on my box - does anyone know what the following are?

> 27374

SubSeven v2.1 (windows trojan)

> 1243

SubSeven (windows trojan)

> 98 - This comes up as TACNEWS in /etc/services

linuxconf (linux configuration via web - sometimes on by default without
the admins knowing about it)

> 143 imap2

imap4 (mail server, some versions with known buffer overflows)

info about SubSeven:
http://www.sans.org/newlook/resources/IDFAQ/subseven.htm

useful URLs:
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
http://www.sans.org/y2k/ports.htm
http://www.simovits.com/nyheter9902.html

(I have some more, but only at the office. However, above is still better
than nothing.)
--
----------------------------------------------------------------------
: Kurt@pinboard.com            http://www.pinboard.com/         business :
:                              http://kurt.www.pinboard.com/    private  :
----------------------------------------------------------------------
: Unix and Internet Specialist                                           :
----------------------------------------------------------------------

From owner-freebsd-security Tue Jul 25 21:00:01 2000
From: Darren Reed
Message-Id: <200007260359.NAA16019@cairo.anu.edu.au>
Subject: Re: log with dynamic firewall rules
To: stephen@math.missouri.edu (Stephen Montgomery-Smith)
Date: Wed, 26 Jul 2000 13:59:40 +1000 (Australia/NSW)
Cc: avalon@coombs.anu.edu.au (Darren Reed), freebsd-security@FreeBSD.ORG
In-Reply-To: <397E5342.16736F51@math.missouri.edu> from "Stephen Montgomery-Smith" at Jul 25, 2000 09:56:02 PM

In some mail from Stephen Montgomery-Smith, sie said:
>
> Ah, well this shows my patchy knowledge. I didn't even know about
> ipf until I read your post. I'll go read the man pages.
>
> Would running both ipfw and ipf be considered over the top?

Depends on your level of paranoia :-)

But running IP Filter on a Solaris box with Firewall-1 wouldn't be "over
the top" :-)

From owner-freebsd-security Tue Jul 25 22:00:13 2000
Message-ID: <397E7133.2126EB17@softweyr.com>
Date: Tue, 25 Jul 2000 23:03:47 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Darren Reed
Cc: Warner Losh, john1000@cwcom.net, freebsd-security@FreeBSD.ORG
Subject: Re: orange book rating for freebsd
References: <200007250619.QAA05994@cairo.anu.edu.au>

Darren Reed wrote:
>
> C2 is just a matter of someone with money giving a box to the
> NSA, appropriately configured and with suitable documentation, for review.

Please note that the certification would apply only to identical systems:
hardware, software, and even the configuration would have to be the same.
Changing the video card or even the keyboard would invalidate the rating
and require an additional rating for the new system. Yes, the additional
rating SHOULD be trivial, but with the US federal gummint, you can never
tell.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Tue Jul 25 22:02:06 2000
Message-ID: <397E70C7.76EDB004@math.missouri.edu>
Date: Wed, 26 Jul 2000 00:01:59 -0500
From: Stephen Montgomery-Smith
To: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4487.A868B713@math.missouri.edu>

Well, it seems that people would like to leave the logging behaviour of
keep-state rules like it is. People could use ipf - I know nothing about
that as I have not read the man page yet.

For ipfw, I realise now that it would be rather easy to have two kinds of
logging for keep-state rules - one which keeps logging every packet that
comes through, and one which only logs when a new dynamic rule is created.

All the help manuals on natd point one to ipfw, and really it is quite
easy to use. I did not find out about ipf until I saw you guys talking
about it. I think this kind of extra functionality in ipfw would be very
helpful.

Really, the only question is which syntax to use. Maybe we should keep

    add pass log from xxx to yyy keep-state

to do what it does now. We could have a new keyword: keep-state-log

    add pass log from xxx to yyy keep-state-log

would be like keep-state plus logging when a new dynamic rule is created.
Or this could be indicated by

    add pass log-new-state from xxx to yyy keep-state

The first of these options (the keep-state-log) is really easy to program.
And in a way it makes more sense, since it is really the keep state we are
logging, not the pass that we are logging.

Or maybe it should be written:

    add pass log from xxx to yyy keep-state log

yes that seems the best way.
--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

From owner-freebsd-security Tue Jul 25 22:29:51 2000
Message-ID: <397E783B.ADB8162A@softweyr.com>
Date: Tue, 25 Jul 2000 23:33:47 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Tim Yardley
Cc: Don Lewis, Maksimov Maksim, freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <4.3.2.7.2.20000725181153.0218d700@students.uiuc.edu>

Tim Yardley wrote:
>
> >I would recommend adding packet filter rules that block incoming packets
> >with IP broadcast addresses, both 255.255.255.255, and the broadcast
> >address(es) of your local network(s).
>
> And block multicast if you aren't using it in your lan. Keep in mind that
> some switches that are not multicast aware will treat the packets as
> broadcasts and create a storm. Very bad.

With FreeBSD prior to 3.4/4.0 it didn't matter if you were attempting to
use multicast or not, a stream attack using random multicast source
addresses would turn your FreeBSD box into an attack reflector on every
attached interface. Urk!

That no longer happens; the code now realizes that a TCP packet from a
multicast address is malformed and dumps it on the floor.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                 Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Tue Jul 25 23:05:06 2000
Message-Id: <4.3.2.7.2.20000725223522.00b5dcc0@students.uiuc.edu>
Date: Tue, 25 Jul 2000 22:39:09 -0700
To: Wes Peters
From: Tim Yardley
Subject: Re: How defend from stream2.c attack?
Cc: Don Lewis, Maksimov Maksim, freebsd-security@FreeBSD.ORG
In-Reply-To: <397E783B.ADB8162A@softweyr.com>
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <4.3.2.7.2.20000725181153.0218d700@students.uiuc.edu>

>With FreeBSD prior to 3.4/4.0 it didn't matter if you were attempting to
>use multicast or not, a stream attack using random multicast source
>addresses would turn your FreeBSD box into an attack reflector on every
>attached interface. Urk!

Correct. The blocking of multicast statement was meant for people that DO
NOT use multicast. If you use multicast, then you cannot block it at the
router. In other words, block * with multicast addresses. You could always
just block tcp with multicast addresses, and that will not affect any real
multicast traffic.

>That no longer happens; the code now realizes that a TCP packet from a
>multicast address is malformed and dumps it on the floor.

Any sane stack would drop the multicast packets on the floor immediately if
they are TCP packets. That is basically what the patch did. Since the
notion of TCP multicast is not even possible, that is the correct thing to
do.
/tmy

--
Diving into infinity my consciousness expands in inverse proportion to my
distance from singularity
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley@uiuc.edu)            | http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+

From owner-freebsd-security Tue Jul 25 23:25:08 2000
Message-ID: <397E8531.AE1DF9F@softweyr.com>
Date: Wed, 26 Jul 2000 00:29:05 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Tim Yardley
Cc: Don Lewis, Maksimov Maksim, freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <4.3.2.7.2.20000725181153.0218d700@students.uiuc.edu> <4.3.2.7.2.20000725223522.00b5dcc0@students.uiuc.edu>

Tim Yardley wrote:
>
> >With FreeBSD prior to 3.4/4.0 it didn't matter if you were attempting to
> >use multicast or not, a stream attack using random multicast source
> >addresses would turn your FreeBSD box into an attack reflector on every
> >attached interface. Urk!
>
> Correct. The blocking of multicast statement was meant for people that DO
> NOT use multicast. If you use multicast, then you cannot block it at the
> router. In other words, block * with multicast addresses. You could always
> just block tcp with multicast addresses, and that will not affect any real
> multicast traffic.
>
> >That no longer happens; the code now realizes that a TCP packet from a
> >multicast address is malformed and dumps it on the floor.
>
> Any sane stack would drop the multicast packets on the floor immediately if
> they are TCP packets. That is basically what the patch did. Since the
> notion of TCP multicast is not even possible, that is the correct thing to do.

But then again, that problem existed in the 4.2BSD stack and lived on until
a few months ago.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                 Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Tue Jul 25 23:42:29 2000
Date: Tue, 25 Jul 2000 23:32:09 -0700
From: "Crist J. Clark"
To: Bart van Leeuwen
Cc: James Wyatt, Jean-Claude STAQUET, freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
Message-ID: <20000725233208.A307@pool0460.cvx20-bradley.dialup.e>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: ; from bart@ixori.demon.nl on Tue, Jul 25, 2000 at 04:41:03PM +0200

On Tue, Jul 25, 2000 at 04:41:03PM +0200, Bart van Leeuwen wrote:
> Uhm, telnetting in as a user and suing to root has exactly the same
> danger, your password goes over the net in plaintext.
>
> If you want to prevent that consider using ssh instead.
> Also note that when using rsh you prevent root from logging in for
> interactive access, but an rsh -l root will still
> work.
>
> To be honest, I never really saw the point of disallowing this except for
> the simple good habit of never using the root account at all, and only
> becoming superuser when you really really have to.

Two words: Audit trail.

Since so many academic and business machines have multiple
administrators, i.e. multiple people who own root, knowing _who_ is
actually root is vital for a number of reasons. Direct console logins
by root should be discouraged on such machines as well. (When I hear
about people leaving root logged in at a console with a GUI waiting to
be exploited. "But I locked the screensaver!" Ahhh!)
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Tue Jul 25 23:59:34 2000
Date: Tue, 25 Jul 2000 23:55:08 -0700
From: "Crist J. Clark"
To: Mike Hoskins
Cc: Stephen Montgomery-Smith, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000725235508.D307@pool0460.cvx20-bradley.dialup.e>
Reply-To: cjclark@alum.mit.edu
References: <397D4062.4A1FFFE2@math.missouri.edu>
In-Reply-To: ; from mike@adept.org on Tue, Jul 25, 2000 at 12:23:15PM -0700

On Tue, Jul 25, 2000 at 12:23:15PM -0700, Mike Hoskins wrote:
> On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> > > > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> > > $fwcmd add divert natd all from any to any via ${natd_interface}
> > Yes, I had the same idea over dinner. Trouble is, it doesn't work.
> > I tried it.
>
> Note that I'm not arguing this couldn't be clearer or that, possibly, the
> code needs cleaned up in some way. I'm not arguing for or against such
> statements - I haven't looked at the code, so I'm trying to offer advice
> based only upon ipfw(8) and my lowly interpretation thereof...
>
> With that in mind, consider the above rules...
>
> A packet from an external host attempting to communicate with an inside,
> privately addressed host will undergo the following:
>
> * from outside machine to outside IP (in oif)
> * from outside IP to inside IP (divert)
> * deliver to inside IP (out iif)
>
> Given this behavior, the above rules will obviously not work, because the
> 'deny all from ANY' rule will deny packets from 'outside IP to inside IP'
> which must take place according to the behavior described above.

Not following you. And I am not sure why that does not work (coulda sworn
I've done it like that in the past and don't presently have a setup to
test it easily). Here's how I see packets that are supposed to pass go,

1) From an outside machine they come in oif.
2) Skip the first rule since 192.168.0.0/16 does not match.
3) Match divert rule and passed to NAT.
4) Enter rule list again after NAT rule and match a pass rule somewhere
   below the two shown.
5) Now, enter the list again to leave after being sent through routing,
   they are associated with the internal interface, iif.
6) Since we are associated with iif, they don't match the first rule even
   though addresses match.
7) They also don't match the divert rule for the same reason.
8) They match some rule below and fly on out the interface.

Where is my logic/understanding wrong?
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Wed Jul 26 00:20:13 2000
Message-ID: <397E9127.D2E661C2@math.missouri.edu>
Date: Wed, 26 Jul 2000 02:20:07 -0500
From: Stephen Montgomery-Smith
To: cjclark@alum.mit.edu
Cc: Mike Hoskins, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
References: <397D4062.4A1FFFE2@math.missouri.edu> <20000725235508.D307@pool0460.cvx20-bradley.dialup.e>

"Crist J. Clark" wrote:
>
> On Tue, Jul 25, 2000 at 12:23:15PM -0700, Mike Hoskins wrote:
> > On Tue, 25 Jul 2000, Stephen Montgomery-Smith wrote:
> > > > > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> > > > $fwcmd add divert natd all from any to any via ${natd_interface}
> > > Yes, I had the same idea over dinner. Trouble is, it doesn't work.
> > > I tried it.
> >

Sorry guys - I must have made a mistake. It does seem to work now that I
try it. Maybe I made a typo somewhere.

Without dynamic rules, this really seems the best solution to me.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

From owner-freebsd-security Wed Jul 26 04:15:57 2000
Message-Id: <200007261115.TAA02348@mail.ctimail3.com>
From: "Peter Forsythe"
To: "freebsd-security@freebsd.org"
Date: Wed, 26 Jul 2000 19:11:34 +0800
Subject: Workplace English and Summer Specials
Reply-To: July3@wsi-hk.com

[This email is an update of Hong Kong government's Workplace English
Campaign, and of Wall Street Institute English specials for July. If you
wish to be removed, or are not in Hong Kong, please click on
remove@wsi-hk.com].

The Workplace English Campaign of the Hong Kong government is now in Phase
II -- which is significantly more flexible than Phase I, including funding
up to $HK4,500. We at Wall Street Institute have assisted over 500
individual applications. Please contact us if you would like to know how
you or your colleagues benefit from this program -- 2575 6888.

SUMMER SPECIALS: Those enrolling in July are eligible for THREE FREE
MONTHS of English learning. Anyone enrolling in July can also take part in
a draw to win a TWO WEEK TRIP to Toronto, Sydney or London, including
accommodation.

Phone us for more details (2575 6888) or fill in the form below and fax or
email by return.

Looking forward to hearing from you.
Peter Forsythe

Fax form to 2575 1999 or email to July@wsi-hk.com:
----------------------------------------------------------------
Please send me more information on WEC and Summer Specials:
Name _____________________________
Address___________________________
Phone_____________________________
Fax_______________________________
------------------------------------------------------------------
(For remove, put "remove" in subject line or click on remove@wsi-hk.com)

From owner-freebsd-security Wed Jul 26 05:55:21 2000
Date: Wed, 26 Jul 2000 14:43:01 +0200 (CEST)
From: Jens Kerle
To: Nick Loman
Cc: security@FreeBSD.ORG
Subject: Re: Script kiddies and their port scans

On Tue, 25 Jul 2000, Nick Loman wrote:

> On Mon, 24 Jul 2000, Stephen Hocking wrote:
>
> > Checking the firewall logs I see various attempts to connect to rather unusual
> > ports on my box - does anyone know what the following are?
> >
> > 27374
> >
> > 1243
> >
> > 98 - This comes up as TACNEWS in /etc/services
> >
> > 143 imap2
> >
> > Are the two unknown ones some BackOrifice port or part of the common backdoors
> > left behind by these twerps?
>
> I have a similar question, but the port I saw was 1236
>
> /etc/services says: rmtcfg 1236/tcp # Gracilis Packeten remote config
> server
>
> (though I obviously don't run any such thing)
>
> Nick.
>

http://www.robertgraham.com/pubs/firewall-seen.html

SubSeven scans I have them every 10 min on my dial in fw log
what now ? Ignore them ?

Mfg,
Jens

From owner-freebsd-security Wed Jul 26 06:02:10 2000
Message-ID: <002701bff6f9$56263f60$66bff1c8@cba.terra.com.br>
From: "Walter Cruz"
Subject: swap_pager_getswapspace: failed
Date: Wed, 26 Jul 2000 09:02:08 -0300

(Sorry, my English is terrible)

My system log file is being filled with this error message. What can I do
to avoid this problem??

[]'s
Walter Cruz

From owner-freebsd-security Wed Jul 26 06:28:16 2000
Date: Wed, 26 Jul 2000 15:32:24 +0200 (CEST)
From: Bart van Leeuwen
To: "Crist J. Clark"
Cc: James Wyatt, Jean-Claude STAQUET, freebsd-security@freebsd.org
Subject: Re: allow access of root user
In-Reply-To: <20000725233208.A307@pool0460.cvx20-bradley.dialup.e>

Of course audit trails etc are much nicer when people su to root, and in
general being better able to see what's going on is a good reason to use
su.

My comment is not that using su is pointless, but that disallowing
interactive root logons like the default configuration does is pointless
because that same default configuration provides easy ways around it (for
example with rsh, which is also enabled by default, and yes, I know that
one should be turned off, just as you should disable 'secure' on console
etc to prevent direct root logons there ;-)

So, the reason why I think it is pointless is because it is only done for
the first 10% or so and leaves the rest to the user... well, in that case
the annoyance it causes is bigger than the trouble it saves imho.

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Tue, 25 Jul 2000, Crist J. Clark wrote:

> On Tue, Jul 25, 2000 at 04:41:03PM +0200, Bart van Leeuwen wrote:
> > Uhm, telnetting in as a user and suing to root has exactly the same
> > danger, your password goes over the net in plaintext.
> >
> > If you want to prevent that consider using ssh instead.
> > Also note that when using rsh you prevent root from logging in for
> > interactive access, but an rsh -l root will still
> > work.
> >
> > To be honest, I never really saw the point of disallowing this except for
> > the simple good habit of never using the root account at all, and only
> > becoming superuser when you really really have to.
>
> Two words: Audit trail.
>
> Since so many academic and business machines have multiple
> administrators, i.e. multiple people who own root, knowing _who_ is
> actually root is vital for a number of reasons. Direct console logins
> by root should be discouraged on such machines as well. (When I hear
> about people leaving root logged in at a console with a GUI waiting to
> be exploited. "But I locked the screensaver!" Ahhh!)
> --
> Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Wed Jul 26 07:03:42 2000
Message-ID: <20000726140337.10891.qmail@web5103.mail.yahoo.com>
Date: Wed, 26 Jul 2000 07:03:37 -0700 (PDT)
From: Shawn Kelly Subject: ipfw vs ipfilter To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-1957747793-964620217=:10264" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm new to FreeBSD and I have a couple of questions regarding firewalls.

What are the major differences between ipfw and ipfilter?

Is one better than the other? Why? Does it depend on the situation?

Which one is receiving more development time? Is this because of limited resources or because one is a stronger product?

Thank you!

Shawn Kelly

--------------------------------- Do You Yahoo!? Get Yahoo! Mail - Free email you can access from anywhere!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 10: 1: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id BD89B37BBAE for ; Wed, 26 Jul 2000 10:00:39 -0700 (PDT) (envelope-from ben@scientia.demon.co.uk) Received: from strontium.scientia.demon.co.uk ([192.168.91.36] ident=exim) by scientia.demon.co.uk with esmtp (Exim 3.15 #1) id 13HTfk-0006XG-00; Wed, 26 Jul 2000 17:04:40 +0100 Received: (from ben) by strontium.scientia.demon.co.uk (Exim 3.15 #1) id 13HTfk-0004IC-00; Wed, 26 Jul 2000 17:04:40 +0100 Date: Wed, 26 Jul 2000 17:04:40 +0100 From: Ben Smithurst To: Walter Cruz Cc: freebsd-security@freebsd.org Subject: Re: swap_pager_getswapspace: failed Message-ID: <20000726170440.K28657@strontium.scientia.demon.co.uk> References: <002701bff6f9$56263f60$66bff1c8@cba.terra.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <002701bff6f9$56263f60$66bff1c8@cba.terra.com.br> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Walter Cruz wrote: > My system log file is being filled with this error message. What can I do to > avoid this problem?? Add more swap space. Be generous with swap space, disks are cheap.
-- Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D FreeBSD Documentation Project / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 11:33:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 1686E37BF29 for ; Wed, 26 Jul 2000 11:33:37 -0700 (PDT) (envelope-from stephen@math.missouri.edu) Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000726183336.IPUY23923.mail.rdc1.il.home.com@math.missouri.edu>; Wed, 26 Jul 2000 11:33:36 -0700 Message-ID: <397F2EFF.9181FC46@math.missouri.edu> Date: Wed, 26 Jul 2000 13:33:35 -0500 From: Stephen Montgomery-Smith X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: Mike Hoskins , freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall References: <397D4062.4A1FFFE2@math.missouri.edu> <20000725235508.D307@pool0460.cvx20-bradley.dialup.e> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} > > > > $fwcmd add divert natd all from any to any via ${natd_interface} I think this solution is really nice, and I took the liberty of submitting a send-pr with this suggested change: http://www.freebsd.org/cgi/query-pr.cgi?pr=20197 -- Stephen Montgomery-Smith Department of Mathematics, University of Missouri, Columbia, MO 65211 Phone 573-882-4540, fax 573-882-1869 http://www.math.missouri.edu/~stephen stephen@math.missouri.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 11:35: 9 
2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 0EC2837BDDD for ; Wed, 26 Jul 2000 11:35:04 -0700 (PDT) (envelope-from stephen@math.missouri.edu) Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000726183503.IRXD23923.mail.rdc1.il.home.com@math.missouri.edu> for ; Wed, 26 Jul 2000 11:35:03 -0700 Message-ID: <397F2F56.AFA96186@math.missouri.edu> Date: Wed, 26 Jul 2000 13:35:02 -0500 From: Stephen Montgomery-Smith X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Re: log with dynamic firewall rules References: <397E1E25.FE8731E7@math.missouri.edu> <397E4487.A868B713@math.missouri.edu> <397E70C7.76EDB004@math.missouri.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, I submitted a send-pr to get the behaviour I wanted as an option for keep-state logs http://www.freebsd.org/cgi/query-pr.cgi?pr=20198 -- Stephen Montgomery-Smith Department of Mathematics, University of Missouri, Columbia, MO 65211 Phone 573-882-4540, fax 573-882-1869 http://www.math.missouri.edu/~stephen stephen@math.missouri.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 12:20:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 0959337BF4B for ; Wed, 26 Jul 2000 12:20:46 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 17934 invoked by uid 0); 26 Jul 2000 19:20:43 -0000 Received: from pc19f5d7b.dip.t-dialin.net (HELO speedy.gsinet) (193.159.93.123) by mail.gmx.net with SMTP; 26 Jul 2000 
19:20:43 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA27431 for freebsd-security@FreeBSD.ORG; Wed, 26 Jul 2000 19:11:13 +0200 Date: Wed, 26 Jul 2000 19:11:13 +0200 From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) Message-ID: <20000726191113.I24476@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <200007260239.MAA02404@cairo.anu.edu.au> <397E5342.16736F51@math.missouri.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <397E5342.16736F51@math.missouri.edu>; from stephen@math.missouri.edu on Tue, Jul 25, 2000 at 09:56:02PM -0500 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Jul 25, 2000 at 21:56 -0500, Stephen Montgomery-Smith wrote:
> Ah, well this shows my patchy knowledge. I didn't even know
> about ipf until I read your post. I'll go read the man pages.

I suggest you read the HowTo at http://www.obfuscation.org/ipf/, this and the "man 5 ipf; man 8 ipf" pages should be all you need. If ipf(5) is "too dry" for your taste, you can glimpse over the /usr/src/contrib/ipfilter/rules/ examples.

> Would running both ipfw and ipf be considered over the top?

I was never sure whether they collide or not. But having ipf running I don't see a point in using ipfw. Make sure you have

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

in your kernel config and remove the IPFIREWALL* stuff. This will choose _one_ of these alternatives clearly and leave no "window in time" when booting with packets potentially slipping through.
BTW: This reminds me that I wanted to file a PR worded "I wish rc.network would be expanded to load ipfilter as an alternative to ipfw" -- till then see the thread with <20000626220852.M9883@speedy.gsinet> in it (although my patch was rejected due to its dirty nature and inconsistency with current rc style -- so take it with the necessary caution). virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 12:21: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 87CBB37BF49 for ; Wed, 26 Jul 2000 12:20:45 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 17898 invoked by uid 0); 26 Jul 2000 19:20:43 -0000 Received: from pc19f5d7b.dip.t-dialin.net (HELO speedy.gsinet) (193.159.93.123) by mail.gmx.net with SMTP; 26 Jul 2000 19:20:43 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA27434 for freebsd-security@FreeBSD.ORG; Wed, 26 Jul 2000 19:15:37 +0200 Date: Wed, 26 Jul 2000 19:15:37 +0200 From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: reporting vulnerabilities (how to ...) Message-ID: <20000726191537.J24476@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org For those who don't follow bugtraq (that closely): May I attract your attention to the following article? It should be in the archives at securityfocus.com and maybe available at your favourite search engine. 
----------------------------------------------------------------- Message-ID: Date: Tue, 25 Jul 2000 11:46:21 -0700 From: Alfred Huger Subject: New reporting service w/ Bugtraq To: BUGTRAQ@SECURITYFOCUS.COM -----------------------------------------------------------------

Since I vaguely remember the "two different kinds of advisories" thread (not that I would like to revive it:) and the most notable idea from it on creating an RFC or a similar template for "how to report these things" (resulting in a probably increased completeness of the report, the report suiting even for automatic processing and undoubtedly easier reception for human minds) I feel this could be of interest to whoever was involved in this thread then. I didn't keep track of who made the suggestion. But I'm glad now there's obviously a partner to talk to with very likely open ears for this kind of contributing input. :)

I take it that bugtraq is a more promising forum for this due to its cross-platform nature. And the securityfocus staff should be more than willing to save their own time, especially when it's about their voluntary service.

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 14:29:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from relay.lsumc.edu (relay.lsumc.edu [155.58.128.154]) by hub.freebsd.org (Postfix) with ESMTP id 2A1FA37BEB6 for ; Wed, 26 Jul 2000 14:29:53 -0700 (PDT) (envelope-from jmire@lsuhsc.edu) Received: from exchgateway.lsumc.edu ([155.58.128.64]) by relay.lsumc.edu (Post.Office MTA v3.5.3 release 223 ID# 0-60969U13000L13000S0V35) with ESMTP id edu for ; Wed, 26 Jul 2000 16:30:44 -0500 Received: by exchgateway.lsumc.edu with Internet Mail Service (5.5.2650.21) id <30NDM6J8>; Wed, 26 Jul 2000 16:29:47 -0500 Message-ID: From: jmire@lsuhsc.edu (Mire, John) To: "'freebsd-security@freebsd.org'" Subject: NetMAX-Firewall with Router Date: Wed, 26 Jul 2000 16:28:40 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Anyone using the FreeBSD version of this product and would like to comment on it? 
-- John Mire: jmire@lsuhsc.edu LSU Health Sciences Center Computer Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 14:46:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 8553A37BF97 for ; Wed, 26 Jul 2000 14:46:25 -0700 (PDT) (envelope-from bright@fw.wintelcom.net) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e6QLkNA28192; Wed, 26 Jul 2000 14:46:23 -0700 (PDT) Date: Wed, 26 Jul 2000 14:46:23 -0700 From: Alfred Perlstein To: "Mire, John" Cc: "'freebsd-security@freebsd.org'" Subject: Re: NetMAX-Firewall with Router Message-ID: <20000726144623.N17222@fw.wintelcom.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: ; from jmire@lsuhsc.edu on Wed, Jul 26, 2000 at 04:28:40PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Mire, John [000726 14:33] wrote: > Anyone using the FreeBSD version of this product and would like to comment > on it? Not using it, but i've heard a lot of people have said that it's a really good product. 
-Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 15:20:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from delsol.sunfire.net (delsol.sunfire.net [206.24.0.165]) by hub.freebsd.org (Postfix) with SMTP id 65CD037C01C for ; Wed, 26 Jul 2000 15:20:15 -0700 (PDT) (envelope-from afurman@delsol.sunfire.net) Received: (qmail 76701 invoked by uid 1001); 26 Jul 2000 22:20:11 -0000 Date: Wed, 26 Jul 2000 18:20:11 -0400 From: Adam Furman To: "Mire, John" Cc: freebsd-security@freebsd.org Subject: Re: NetMAX-Firewall with Router Message-ID: <20000726182011.A76667@delsol.sunfire.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from jmire@lsuhsc.edu on Wed, Jul 26, 2000 at 04:28:40PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

John, I do use the NetMAX firewall running FreeBSD and run regular FreeBSD firewalls. I find the NetMAX firewall great if you want web software to configure the firewall. It does a great job in that respect. But for some security on the firewall itself it leaves a lot of programs running and leaves Telnet open. The web software isn't even running over HTTPS if you want to go into security. From what they have told me they are a little bit more advanced in their Linux version with the security features but they did say they will be adding them sometime in the near future to the FreeBSD version.

Adam

On Wed, Jul 26, 2000 at 04:28:40PM -0500, Mire, John wrote: > Anyone using the FreeBSD version of this product and would like to comment > on it?
> > -- > John Mire: jmire@lsuhsc.edu > LSU Health Sciences Center Computer Services > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 15:27:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from relay.lsumc.edu (relay.lsumc.edu [155.58.128.154]) by hub.freebsd.org (Postfix) with ESMTP id 99A7037B71A for ; Wed, 26 Jul 2000 15:26:59 -0700 (PDT) (envelope-from jmire@lsuhsc.edu) Received: from exchgateway.lsumc.edu ([155.58.128.64]) by relay.lsumc.edu (Post.Office MTA v3.5.3 release 223 ID# 0-60969U13000L13000S0V35) with ESMTP id edu; Wed, 26 Jul 2000 17:27:47 -0500 Received: by exchgateway.lsumc.edu with Internet Mail Service (5.5.2650.21) id <30NDM7SC>; Wed, 26 Jul 2000 17:26:50 -0500 Message-ID: From: jmire@lsuhsc.edu (Mire, John) To: 'Adam Furman' Cc: freebsd-security@freebsd.org Subject: RE: NetMAX-Firewall with Router Date: Wed, 26 Jul 2000 17:25:43 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks Adam, I ask b/c I ordered it for FreeBSD and received the Linux version and was debating on sending it back but a friend wanted to see this version, so he gets it. I wanted something to give me a jump into 'install and run' firewall setup and then start the refinement and learning process. -- John Mire: jmire@lsuhsc.edu LSU Health Sciences Center Computer Services -----Original Message----- From: Adam Furman [mailto:afurman@amf.net] Sent: Wednesday, July 26, 2000 17:20 To: Mire, John Cc: freebsd-security@freebsd.org Subject: Re: NetMAX-Firewall with Router John, I do use the NetMAX firewall running FreeBSD and run regular FreeBSD firewalls. 
I find the NetMAX firewall great if you want web software to configure the firewall. It does a great job in that respect. But for some security on the firewall itself it leaves a lot of programs running and leaves Telnet open. The web software isn't even running over HTTPS if you want to go into security. From what they have told me they are a little bit more advanced in their Linux version with the security features but they did say they will be adding them sometime in the near future to the FreeBSD version. Adam On Wed, Jul 26, 2000 at 04:28:40PM -0500, Mire, John wrote: > Anyone using the FreeBSD version of this product and would like to comment > on it? > > -- > John Mire: jmire@lsuhsc.edu > LSU Health Sciences Center Computer Services > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 26 20:54:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from relay.lsumc.edu (relay.lsumc.edu [155.58.128.154]) by hub.freebsd.org (Postfix) with ESMTP id 4FDBB37B81F for ; Wed, 26 Jul 2000 20:54:50 -0700 (PDT) (envelope-from jmire@lsuhsc.edu) Received: from exchgateway.lsumc.edu ([155.58.128.64]) by relay.lsumc.edu (Post.Office MTA v3.5.3 release 223 ID# 0-60969U13000L13000S0V35) with ESMTP id edu; Wed, 26 Jul 2000 22:55:42 -0500 Received: by exchgateway.lsumc.edu with Internet Mail Service (5.5.2650.21) id <30NDNAVF>; Wed, 26 Jul 2000 22:54:44 -0500 Message-ID: From: jmire@lsuhsc.edu (Mire, John) To: freebsd-security@freebsd.org Cc: "'George.Giles@mcmail.vanderbilt.edu'" , "Mire, John" Subject: RE: NetMAX-Firewall with Router Date: Wed, 26 Jul 2000 22:53:37 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop:
FreeBSD.org Thanks George, could you elaborate on what you didn't like specifically? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 0:13:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from ux1.ibb.net (ibb0005.ibb.uu.nl [131.211.124.5]) by hub.freebsd.org (Postfix) with ESMTP id 362C837C03A for ; Thu, 27 Jul 2000 00:13:49 -0700 (PDT) (envelope-from reinoud@ibb.net) Received: from localhost (reinoud@localhost) by ux1.ibb.net (8.9.3/8.9.3/UX1TT) with SMTP id JAA08670; Thu, 27 Jul 2000 09:13:33 +0200 Date: Thu, 27 Jul 2000 09:13:33 +0200 (MET DST) From: Reinoud To: Gerhard Sittig Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) In-Reply-To: <20000726191113.I24476@speedy.gsinet> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 26 Jul 2000, Gerhard Sittig wrote:
> On Tue, Jul 25, 2000 at 21:56 -0500, Stephen Montgomery-Smith wrote:
> >
> > Would running both ipfw and ipf be considered over the top?
>
> I was never sure whether they collide or not. But having ipf
> running I don't see a point in using ipfw. Make sure you have
>

There can be one reason to run ipfw and ipf together. I just use ipf as firewall, and started using ipfw 'cause dummynet can only be used when you're using ipfw as far as I can tell. So ipf is still used (and will always be :) ) as IP filter on the machines, and ipfw is used just to make dummynet work to control bandwidth.

Bye, Reinoud.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 0:26:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id A10E037C045 for ; Thu, 27 Jul 2000 00:26:03 -0700 (PDT) (envelope-from trish@bsdunix.net) Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id DAA28875; Thu, 27 Jul 2000 03:25:34 -0400 (EDT) Date: Thu, 27 Jul 2000 03:25:33 -0400 (EDT) From: Siobhan Patricia Lynch X-Sender: trish@superconductor.rush.net To: Reinoud Cc: Gerhard Sittig , freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I actually use ipfw for everything, I can't see any real advantage to ipfilter in a situation that we're using it for (some people know where I work)

ipfilter has to be flushed and reloaded, I don't have that luxury

ipfw I can add rules on the fly.

Now back in 3.x, I would have chosen ipf over ipfw, but with the dawn of check-state and keep-state, ipfw wins hands down in this situation.

-Trish __ Trish Lynch FreeBSD - The Power to Serve trish@bsdunix.net Rush Networking trish@rush.net

On Thu, 27 Jul 2000, Reinoud wrote:
> On Wed, 26 Jul 2000, Gerhard Sittig wrote:
> > On Tue, Jul 25, 2000 at 21:56 -0500, Stephen Montgomery-Smith wrote:
> > >
> > > Would running both ipfw and ipf be considered over the top?
> >
> > I was never sure whether they collide or not. But having ipf
> > running I don't see a point in using ipfw. Make sure you have
> >
> There can be one reason to run ipfw and ipf together.
> I just use ipf as firewall, and started using ipfw cause dummynet > can only be used when you're using ipfw as far as i can tell. > So ipf is still used (and will always be :) ) as ip filter on the > machines, and ipfw is used just to make dummynet work to control > bandwidth. > Bye, > > Reinoud. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 0:36:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 4BF3037BA8F for ; Thu, 27 Jul 2000 00:36:41 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id RAA18535; Thu, 27 Jul 2000 17:35:42 +1000 (EST) From: Darren Reed Message-Id: <200007270735.RAA18535@cairo.anu.edu.au> Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) To: trish@bsdunix.net (Siobhan Patricia Lynch) Date: Thu, 27 Jul 2000 17:35:42 +1000 (Australia/NSW) Cc: Reinoud.Koornstra@ibb.net (Reinoud), Gerhard.Sittig@gmx.net (Gerhard Sittig), freebsd-security@FreeBSD.ORG In-Reply-To: from "Siobhan Patricia Lynch" at Jul 27, 2000 03:25:33 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Siobhan Patricia Lynch, sie said: > > I actually use ipfw for everything, I can;t see any real advantage to > ipfilter in a situation that we're using it for (some people know > where I work) > > ipfilter has to be flushed and reloaded, I don;t have that luxury > > ipfw I can add rules on the fly. You can do that with ipfilter too. 
In fact, ipfilter allows you to make complete ruleset changes, on the fly with 0 security risk (i.e. there is no gap of "half your rules being in place"). Even at bootup, you can go from "no rules, default = block" to "full ruleset" and not have any packets slip between the cracks as various lines get added to allow/deny things. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 0:50:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from fork.computel.sk (fork.computel.sk [195.28.96.96]) by hub.freebsd.org (Postfix) with ESMTP id CA63037BA8F for ; Thu, 27 Jul 2000 00:50:12 -0700 (PDT) (envelope-from pavol_adamec@tempest.sk) Received: from tempest.sk (t74.tempest.sk [195.28.100.74]) by fork.computel.sk with ESMTP id JAA00702 for ; Thu, 27 Jul 2000 09:50:05 +0200 Message-ID: <397FE9A4.1C1B9215@tempest.sk> Date: Thu, 27 Jul 2000 09:49:56 +0200 From: Pavol Adamec Organization: Tempest X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.0-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 Cc: freebsd-security@freebsd.org Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Siobhan Patricia Lynch wrote:
> ipfilter has to be flushed and reloaded, I don't have that luxury
>
> ipfw I can add rules on the fly.
>

Sorry, but ipf can add rules on the fly too. As for ipf and ipfw - their capabilities are almost equal. There are differences - ipnat is done within the kernel space, natd is running in user space. Running in user space in this case means that the translation is slower. BUT you can control where you want your translation done - before, in-the-middle-of or at the end of the filtering rules. There's no such choice with ipnat. And more, and more such details.
Paul To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 1: 1: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id CE46037C07D for ; Thu, 27 Jul 2000 01:00:55 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id SAA23526; Thu, 27 Jul 2000 18:00:40 +1000 (EST) From: Darren Reed Message-Id: <200007270800.SAA23526@cairo.anu.edu.au> Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) To: pavol_adamec@tempest.sk (Pavol Adamec) Date: Thu, 27 Jul 2000 18:00:40 +1000 (Australia/NSW) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <397FE9A4.1C1B9215@tempest.sk> from "Pavol Adamec" at Jul 27, 2000 09:49:56 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Pavol Adamec, sie said: > > Siobhan Patricia Lynch wrote: > > > ipfilter has to be flushed and reloaded, I don;t have that luxury > > > > ipfw I can add rules on the fly. > > > > Sorry, but ipf can add rules on the fly too. > As for ipf and ipfw - their capabilities are almost equal. [...] 
IP Filter 4.0 will change that quite dramatically :-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 3:28:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 422F837B6DA for ; Thu, 27 Jul 2000 03:28:14 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id UAA14610; Thu, 27 Jul 2000 20:28:01 +1000 (EST) From: Darren Reed Message-Id: <200007271028.UAA14610@cairo.anu.edu.au> Subject: Re: ipfw vs ipfilter To: kellysm_2k@yahoo.com (Shawn Kelly) Date: Thu, 27 Jul 2000 20:28:01 +1000 (Australia/NSW) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20000726140337.10891.qmail@web5103.mail.yahoo.com> from "Shawn Kelly" at Jul 26, 2000 07:03:37 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from Shawn Kelly, sie said:
>
> I'm new to FreeBSD and I have a couple of questions regarding firewalls.
>
> What are the major differences between ipfw and ipfilter?

ipfilter is semi-platform independent, ipfw is FreeBSD-specific. ipfilter logging is via a character device, ipfw uses kernel syslog. ...

> Is one better than the other? Why? Does it depend on the situation?

ipfw is marginally better for FreeBSD because it supports all the FreeBSD-specific hacks - not that this buys you anything wonderful in terms of filtering. ipfilter is generally considered to be the "leading" public domain packet filtering package and I try to ensure it stays that way :-) For example, the state tracking code in IP Filter is still without an equal.
If you are *serious* about your security you wouldn't use ipfw (by serious I mean not for home/small company use, where physical security is recognised, etc).

> Which one is receiving more development time?

heh that's a weird question to ask. I should add that if YOU feel it is important then YOU should add some worth to them by donating some of your time. Someone should really do a web page that talks about the differences :)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 6:38:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from web5103.mail.yahoo.com (web5103.mail.yahoo.com [216.115.106.73]) by hub.freebsd.org (Postfix) with SMTP id 32A6E37B7B5 for ; Thu, 27 Jul 2000 06:38:24 -0700 (PDT) (envelope-from kellysm_2k@yahoo.com) Message-ID: <20000727133821.10760.qmail@web5103.mail.yahoo.com> Received: from [208.178.167.196] by web5103.mail.yahoo.com; Thu, 27 Jul 2000 06:38:21 PDT Date: Thu, 27 Jul 2000 06:38:21 -0700 (PDT) From: Shawn Kelly Subject: Re: ipfw vs ipfilter To: Darren Reed Cc: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-1804289383-964705101=:10725" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>I should add that if YOU feel it is important then YOU should add some worth to them by donating some of your time.

I agree. But I need some time to learn C/C++. I'm lucky that I can spell C/C++ let alone program in it. Once I get FreeBSD installed, and start playing, I'll be able to start learning C and then contributing.

Not an excuse, but a reason.

Shawn

--------------------------------- Do You Yahoo!? Get Yahoo! Mail - Free email you can access from anywhere!

From owner-freebsd-security Thu Jul 27 8:31:29 2000
Date: Thu, 27 Jul 2000 11:30:31 -0400 (EDT)
From: Siobhan Patricia Lynch
To: Darren Reed
Cc: Reinoud, Gerhard Sittig, freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <200007270735.RAA18535@cairo.anu.edu.au>

I'm not saying that ipf is bad, in fact, prior to keep-state and
check-state in ipfw, I used ipf quite a bit.
again, *some* people here know who I work for, but the networking going
into sites looks like this:

cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
switch -> clusters

ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0

if there's something absolutely amazing in the next version of ipf that
makes my life hella better at work, I'll use it ;)

as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
to the office (well not quite yet, but we have the go ahead on that
project), which is irony, those who know who I am will agree ;)

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve        trish@bsdunix.net
Rush Networking                     trish@rush.net

On Thu, 27 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> >
> > I actually use ipfw for everything, I can't see any real advantage to
> > ipfilter in a situation that we're using it for (some people know
> > where I work)
> >
> > ipfilter has to be flushed and reloaded, I don't have that luxury
> >
> > ipfw I can add rules on the fly.
>
> You can do that with ipfilter too.
>
> In fact, ipfilter allows you to make complete ruleset changes, on the
> fly with 0 security risk (i.e. there is no gap of "half your rules
> being in place").
>
> Even at bootup, you can go from "no rules, default = block" to
> "full ruleset" and not have any packets slip between the cracks
> as various lines get added to allow/deny things.
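Darren Reed's point, quoted above, that ipfilter can replace a complete ruleset with no gap of "half your rules being in place" comes down to loading the new rules into the inactive list and then swapping lists in one step. The script below is an added example (not code from the thread and not IP Filter's own); it assumes the ipf(8) flags -n, -I, -Fa, -f and -s as documented for IP Filter, the sample ruleset is constructed for illustration, and the IPF variable exists only so the control flow can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example, not code from the thread or from IP Filter itself: reload an
# ipf ruleset without a window in which only part of the rules are loaded.
# Relies on these ipf(8) flags: -n (parse only, no ioctl), -I (operate on the
# inactive list), -Fa (flush all rules), -f (load rules from a file) and
# -s (swap the active and inactive lists). IPF is overridable only so the
# control flow can be exercised with a stand-in command such as IPF=echo.
IPF=${IPF:-ipf}

# Write a constructed sample ruleset to the given path (the real one lives in
# /etc/ipf.rules). Default is deny both ways; replies come back through the
# state table. "quick" makes a matching rule final instead of last-match-wins.
write_sample_rules() {
    cat > "$1" <<'EOF'
block in all
block out all
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass in quick proto tcp from any to 192.0.2.10 port = 80 flags S keep state
EOF
}

# Parse only: no ioctl is issued, so a typo cannot leave the firewall
# half-configured. Returns 1 if the file is unreadable or fails to parse.
ipf_check_rules() {
    [ -r "$1" ] || return 1
    "$IPF" -n -f "$1" >/dev/null 2>&1
}

# Flush and load the *inactive* list, then swap it in. Traffic keeps hitting
# the old complete ruleset until the single swap operation, after which it
# hits the new complete ruleset; there is never a partially loaded list.
ipf_atomic_reload() {
    ipf_check_rules "$1" || return 1
    "$IPF" -I -Fa -f "$1" || return 1
    "$IPF" -s
}
```

Run as root with the path of the rules file (`ipf_atomic_reload /etc/ipf.rules`). The parse-only pass means a syntax error aborts before the inactive list is touched, and `ipf -s` flips the kernel's active and inactive lists in one operation. Note the evaluation model when translating rulesets between the two packages: in IP Filter the last matching rule wins unless it is marked `quick`, which is why the sample marks its pass rules that way, whereas ipfw stops at the first match.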
From owner-freebsd-security Thu Jul 27 8:33:57 2000
Date: Thu, 27 Jul 2000 11:33:38 -0400 (EDT)
From: Robert Watson
To: Adam Furman
Cc: "Mire, John", freebsd-security@freebsd.org
Subject: Re: NetMAX-Firewall with Router
In-Reply-To: <20000726182011.A76667@delsol.sunfire.net>

On Wed, 26 Jul 2000, Adam Furman wrote:

> and leaves Telnet open. The web software isn't even running over HTTPS if
> you want to go into security. From what they have told me they are a

I've actually had to address the problem of initial configuration for a
number of embedded network devices, and am not sure your comment about
HTTPS is all that useful for initial configuration. HTTP over SSL
generally uses an x.509 certificate, which binds a DNS name to a key using
a known authority. In order for the device to be shipped from the factory
to use a globally recognized certificate, the manufacturer would have to
know (in advance) the hostname you were going to access it via, and
generate a certificate per box, at a non-trivial cost if they use a
standard certificate authority.
In practice, for el-cheapo firewall software (and in fact, almost
everything else), this is just not realistic. Now, what you can do is
ship, on a piece of paper, the certificate or key fingerprints for various
services, and include instructions for verifying that the key is correct
using the fingerprint. But in that situation, you'll get complaints from
users about obscure and insecure interfaces :-). Besides which, until
recently, manual certificate verification has been rather broken in both
IE and NS, meaning that doing this puts you at risk.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Thu Jul 27 8:48:30 2000
Message-ID: <712384017032D411AD7B0001023D799B07CA70@sn1exchmbx.nextvenue.com>
From: Nick Evans
To: 'Siobhan Patricia Lynch'
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules)
Date: Thu, 27 Jul 2000 11:43:37 -0400

It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD
4, no? or is your bridging in reference to something else?

-----Original Message-----
From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
Sent: Thursday, July 27, 2000 11:31 AM
To: Darren Reed
Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)


I'm not saying that ipf is bad, in fact, prior to keep-state and
check-state in ipfw, I used ipf quite a bit.

again, *some* people here know who I work for, but the networking going
into sites looks like this:

cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
switch -> clusters

ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0

if there's something absolutely amazing in the next version of ipf that
makes my life hella better at work, I'll use it ;)

as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
to the office (well not quite yet, but we have the go ahead on that
project), which is irony, those who know who I am will agree ;)

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve        trish@bsdunix.net
Rush Networking                     trish@rush.net

On Thu, 27 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> >
> > I actually use ipfw for everything, I can't see any real advantage to
> > ipfilter in a situation that we're using it for (some people know
> > where I work)
> >
> > ipfilter has to be flushed and reloaded, I don't have that luxury
> >
> > ipfw I can add rules on the fly.
>
> You can do that with ipfilter too.
>
> In fact, ipfilter allows you to make complete ruleset changes, on the
> fly with 0 security risk (i.e. there is no gap of "half your rules
> being in place").
>
> Even at bootup, you can go from "no rules, default = block" to
> "full ruleset" and not have any packets slip between the cracks
> as various lines get added to allow/deny things.
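Robert Watson's suggestion above, shipping the certificate or key fingerprint on a piece of paper, only helps if the user actually compares it against what the device presents. The shell functions below are an added example (not code from the thread and not any vendor's); they assume the output format of openssl(1)'s `x509 -noout -fingerprint -sha256` and use SHA-256, a choice made here since the post predates it. The fingerprint strings in the test are constructed, not taken from any real certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from any firewall vendor: check
# the certificate a freshly unboxed device presents against the fingerprint
# shipped on paper with it. The fingerprint is computed with openssl(1):
# "openssl x509 -noout -fingerprint -sha256" prints "SHA256 Fingerprint=AB:CD:...".
# SHA-256 is assumed here; any fingerprints used in testing are constructed.

# Strip separators and upper-case, so "af b5 5f ..." and "AF:B5:5F:..." agree.
fp_normalize() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# A SHA-256 fingerprint is exactly 64 hex digits; anything else was misread
# or truncated and must not be accepted as a match.
fp_is_valid() {
    printf '%s' "$(fp_normalize "$1")" | grep -Eq '^[0-9A-F]{64}$'
}

# SHA-256 fingerprint of a PEM certificate file, as openssl prints it.
fp_of_cert() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# Succeed only if both fingerprints are well formed and identical.
fp_matches() {
    fp_is_valid "$1" && fp_is_valid "$2" || return 1
    [ "$(fp_normalize "$1")" = "$(fp_normalize "$2")" ]
}

# Compare a saved device certificate (PEM) with the printed fingerprint.
# Usage: verify_device_cert device.pem 'AB:CD:...' && echo trusted
verify_device_cert() {
    [ -r "$1" ] || return 1
    fp_matches "$(fp_of_cert "$1")" "$2"
}
```

The PEM file can be saved from the browser's certificate viewer or captured with `openssl s_client -connect <device>:443 -showcerts`; the check rejects short or garbled fingerprints outright rather than treating a prefix match as success, which is the mistake a hurried user reading from paper is most likely to make.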

From owner-freebsd-security Thu Jul 27 8:51:00 2000
Date: Thu, 27 Jul 2000 11:50:46 -0400 (EDT)
From: Siobhan Patricia Lynch
To: Nick Evans
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules
In-Reply-To: <712384017032D411AD7B0001023D799B07CA70@sn1exchmbx.nextvenue.com>

I'm not sure, never tried it, I *know* it works with OpenBSD which would
be my choice if using ipf anyway.

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve        trish@bsdunix.net
Rush Networking                     trish@rush.net

On Thu, 27 Jul 2000, Nick Evans wrote:

> It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD
> 4, no? or is your bridging in reference to something else?
>
> -----Original Message-----
> From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
> Sent: Thursday, July 27, 2000 11:31 AM
> To: Darren Reed
> Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
> Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
>
>
> I'm not saying that ipf is bad, in fact, prior to keep-state and
> check-state in ipfw, I used ipf quite a bit.
>
> again, *some* people here know who I work for, but the networking going
> into sites looks like this:
>
> cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
> switch -> clusters
>
> ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0
>
> if there's something absolutely amazing in the next version of ipf that
> makes my life hella better at work, I'll use it ;)
>
> as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
> to the office (well not quite yet, but we have the go ahead on that
> project), which is irony, those who know who I am will agree ;)
>
> -Trish
>
> __
>
> Trish Lynch
> FreeBSD - The Power to Serve        trish@bsdunix.net
> Rush Networking                     trish@rush.net
>
> On Thu, 27 Jul 2000, Darren Reed wrote:
>
> > In some mail from Siobhan Patricia Lynch, sie said:
> > >
> > > I actually use ipfw for everything, I can't see any real advantage to
> > > ipfilter in a situation that we're using it for (some people know
> > > where I work)
> > >
> > > ipfilter has to be flushed and reloaded, I don't have that luxury
> > >
> > > ipfw I can add rules on the fly.
> >
> > You can do that with ipfilter too.
> >
> > In fact, ipfilter allows you to make complete ruleset changes, on the
> > fly with 0 security risk (i.e. there is no gap of "half your rules
> > being in place").
> >
> > Even at bootup, you can go from "no rules, default = block" to
> > "full ruleset" and not have any packets slip between the cracks
> > as various lines get added to allow/deny things.

From owner-freebsd-security Thu Jul 27 8:52:20 2000
Message-ID: <712384017032D411AD7B0001023D799B07CA71@sn1exchmbx.nextvenue.com>
From: Nick Evans
To: 'Siobhan Patricia Lynch'
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules
Date: Thu, 27 Jul 2000 11:47:37 -0400

Yeah as far as I know, ipf does NOT work with bridging under FreeBSD,
unfortunately.
-----Original Message-----
From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
Sent: Thursday, July 27, 2000 11:51 AM
To: Nick Evans
Cc: 'freebsd-security@freebsd.org'
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules


I'm not sure, never tried it, I *know* it works with OpenBSD which would
be my choice if using ipf anyway.

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve        trish@bsdunix.net
Rush Networking                     trish@rush.net

On Thu, 27 Jul 2000, Nick Evans wrote:

> It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD
> 4, no? or is your bridging in reference to something else?
>
> -----Original Message-----
> From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
> Sent: Thursday, July 27, 2000 11:31 AM
> To: Darren Reed
> Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
> Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
>
>
> I'm not saying that ipf is bad, in fact, prior to keep-state and
> check-state in ipfw, I used ipf quite a bit.
>
> again, *some* people here know who I work for, but the networking going
> into sites looks like this:
>
> cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
> switch -> clusters
>
> ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0
>
> if there's something absolutely amazing in the next version of ipf that
> makes my life hella better at work, I'll use it ;)
>
> as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
> to the office (well not quite yet, but we have the go ahead on that
> project), which is irony, those who know who I am will agree ;)
>
> -Trish
>
> __
>
> Trish Lynch
> FreeBSD - The Power to Serve        trish@bsdunix.net
> Rush Networking                     trish@rush.net
>
> On Thu, 27 Jul 2000, Darren Reed wrote:
>
> > In some mail from Siobhan Patricia Lynch, sie said:
> > >
> > > I actually use ipfw for everything, I can't see any real advantage to
> > > ipfilter in a situation that we're using it for (some people know
> > > where I work)
> > >
> > > ipfilter has to be flushed and reloaded, I don't have that luxury
> > >
> > > ipfw I can add rules on the fly.
> >
> > You can do that with ipfilter too.
> >
> > In fact, ipfilter allows you to make complete ruleset changes, on the
> > fly with 0 security risk (i.e. there is no gap of "half your rules
> > being in place").
> >
> > Even at bootup, you can go from "no rules, default = block" to
> > "full ruleset" and not have any packets slip between the cracks
> > as various lines get added to allow/deny things.

From owner-freebsd-security Thu Jul 27 9:11:23 2000
Date: Thu, 27 Jul 2000 12:11:16 -0400 (EDT)
From: Robert Watson
To: freebsd-security@FreeBSD.org
Cc: ogud@tislabs.com
Subject: MFC'ing OpenSSL 0.9.5a?

A co-worker of mine pointed out that FreeBSD 4.1-RELEASE shipped with
OpenSSL 0.9.4, which apparently causes problems for BIND9 due to API
changes between versions, and bugs in 0.9.4. FreeBSD 5.0-CURRENT appears
to be using OpenSSL 0.9.5a; I was wondering if there were any plans to MFC
the new version of OpenSSL? Of course, people only bring these things up
after releases, but it would be nice to have it in the immediate -STABLE
upgrade path, and in time for the November post-RSA-patent release.
Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Thu Jul 27 11:16:41 2000
Date: Thu, 27 Jul 2000 19:59:57 +0200
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID: <20000727195957.P24476@speedy.gsinet>
References: <200007260239.MAA02404@cairo.anu.edu.au> <397E5342.16736F51@math.missouri.edu> <20000726191113.I24476@speedy.gsinet>
In-Reply-To: <20000726191113.I24476@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Wed, Jul 26, 2000 at 07:11:13PM +0200
Organization: System Defenestrators Inc.

On Wed, Jul 26, 2000 at 19:11 +0200, Gerhard Sittig wrote:
>
> BTW: This reminds me that I wanted to file a PR worded "I wish
> rc.network would be expanded to load ipfilter as an alternative
> to ipfw"

Been there. Done that. See
http://www.freebsd.org/cgi/query-pr.cgi?pr=20202
for a cleaner and more complete patch.
Extending the manpage was the most delaying part in this, BTW. :> If
you don't care about "having a well documented extension" and "having
this applied with installworld" you could as well apply the patches to
/etc/rc.network and /etc/rc.conf only. :)

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Thu Jul 27 11:40:46 2000
Date: Thu, 27 Jul 2000 14:41:01 -0400
From: Damien Tougas
To: freebsd-security@freebsd.org
Subject: Kerberos and DHCP
Message-ID: <20000727144100.A30282@tougas.net>

Hello,

I don't know a lot about kerberos, and was wondering if someone could
answer a question for me. It is my understanding that kerberos depends
on a host key for authentication, and that the host key is tied to the
hostname of the client. If that is the case, how is it possible to use
kerberos with a client computer that connects via dhcp?

Thanks for your help.
--
Damien Tougas
E-mail: damien@tougas.net
http://www.tougas.net

From owner-freebsd-security Thu Jul 27 12:16:25 2000
To: Damien Tougas
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos and DHCP
References: <20000727144100.A30282@tougas.net>
From: Nat Lanza
Date: 27 Jul 2000 15:16:01 -0400
In-Reply-To: Damien Tougas's message of "Thu, 27 Jul 2000 14:41:01 -0400"

Damien Tougas writes:

> I don't know a lot about kerberos, and was wondering if someone could
> answer a question for me. It is my understanding that kerberos depends
> on a host key for authentication, and that the host key is tied to the
> hostname of the client. If that is the case, how is it possible to use
> kerberos with a client computer that connects via dhcp?

I think you're confusing "uses DHCP" with "does not have a static IP
address". It's definitely possible to configure DHCP such that a machine
will always be given the same IP address. CMU does this; when I plug my
wavelan card into my laptop, it will always be 'pellerin.wv.cc.cmu.edu',
even though it's using DHCP. The difficulty with kerberos is dynamic
addresses, and even that is only a problem in some cases.
You need a host key if you want to authenticate the host -- for example,
a kerberized ssh connection to host foo.cs.cmu.edu wants to make sure that
the entity claiming to be foo.cs.cmu.edu really is the real foo.cs.cmu.edu
and not an impostor, so it uses foo's host key. If you just want to use
the machine for outbound connections, where you're more interested in
authenticating the user than the host, then you don't really need a host
key.

My laptop exists on three networks (as pellerin.pdl.cs.cmu.edu,
pellerin.wv.cc.cmu.edu, and pellerin.rem.cmu.edu), depending on where I
am. I don't have a host key on it, and I can still make outbound
kerberized ssh and telnet connections, authenticate to AFS, and run
various kerberos-aware tools like zephyr in all three networks without
problems.

So basically you only really need to care about a host key when the
machine is a server. If you only have a dynamic address for the machine,
then it's unlikely that you want to use it as a server, so you're fine.
--nat

--
nat lanza --------------------- research programmer, parallel data lab, cmu scs
magus@cs.cmu.edu -------------------------------- http://www.cs.cmu.edu/~magus/
there are no whole truths; all truths are half-truths -- alfred north whitehead

From owner-freebsd-security Thu Jul 27 12:23:27 2000
Message-Id: <200007271921.e6RJLm344639@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Damien Tougas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos and DHCP
In-reply-to: Your message of "Thu, 27 Jul 2000 14:41:01 EDT."
<20000727144100.A30282@tougas.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 27 Jul 2000 12:20:48 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20000727144100.A30282@tougas.net>, Damien Tougas writes: > Hello, > > I don't know a lot about kerberos, and was wondering if someone could > answer a question for me. It is my understanding that kerberos depends > on a host key for authentication, and that the host key is tied to the > hostname of the client. If that is the case, how is it possible to use > kerberos with a client computer that connects via dhcp? Kerberos does not require a host key for client systems. DHCP and KRB5 clients work nicely together. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 12:50: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 19BB937BD63 for ; Thu, 27 Jul 2000 12:50:04 -0700 (PDT) (envelope-from mike@adept.org) Received: by snafu.adept.org (Postfix, from userid 1000) id 4C9799EE01; Thu, 27 Jul 2000 12:49:58 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 48DF89B001; Thu, 27 Jul 2000 12:49:58 -0700 (PDT) Date: Thu, 27 Jul 2000 12:49:58 -0700 (PDT) From: Mike Hoskins To: Darren Reed Cc: Pavol Adamec , freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) In-Reply-To: <200007270800.SAA23526@cairo.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu,
27 Jul 2000, Darren Reed wrote: > IP Filter 4.0 will change that quite dramatically :-) What's the best place to go see a relatively thorough (unbiased would be nice too) comparison between the two? I.e. some webpage with a column of IPFW 'features' vs. a column of ipf 'features' or examples of rulesets doing the same thing for each showing one is/isn't more efficient... The only real reason I've heard ipf recommended since ipfw got keep-state/check-state is ipnat. -mrh To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 14:24:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 8AADF37C0EA for ; Thu, 27 Jul 2000 14:24:10 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 108A31C7A; Thu, 27 Jul 2000 17:24:10 -0400 (EDT) Date: Thu, 27 Jul 2000 17:24:10 -0400 From: Bill Fumerola To: Darren Reed Cc: Shawn Kelly , freebsd-security@FreeBSD.ORG Subject: Re: ipfw vs ipfilter Message-ID: <20000727172410.O51462@jade.chc-chimes.com> References: <20000726140337.10891.qmail@web5103.mail.yahoo.com> <200007271028.UAA14610@cairo.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200007271028.UAA14610@cairo.anu.edu.au>; from avalon@coombs.anu.edu.au on Thu, Jul 27, 2000 at 08:28:01PM +1000 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 27, 2000 at 08:28:01PM +1000, Darren Reed wrote: > > Is one better than the other? Why? Does it depend on the situation? > > ipfw is marginally better for freebsd because it supports all the > freebsd specific hacks - not that this buys you anything wonderful > in terms of filtering.
ipfilter is generally considered to be the > "leading" public domain packet filtering package and I try to ensure > it stays that way :-) For example, the state tracking code in IP Filter > is still without an equal. If you are *serious* about your security > you wouldn't use ipfw (by serious I mean not for home/small company > use, where physical security is recognised, etc). Does ipfilter have rate limiting? -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 14:29:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id EF9F037C0BF for ; Thu, 27 Jul 2000 14:29:21 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id HAA04394; Fri, 28 Jul 2000 07:29:10 +1000 (EST) From: Darren Reed Message-Id: <200007272129.HAA04394@cairo.anu.edu.au> Subject: Re: ipfw vs ipfilter In-Reply-To: <20000727172410.O51462@jade.chc-chimes.com> from Bill Fumerola at "Jul 27, 0 05:24:10 pm" To: billf@chimesnet.com (Bill Fumerola) Date: Fri, 28 Jul 2000 07:29:10 +1000 (EST) Cc: avalon@coombs.anu.edu.au, kellysm_2k@yahoo.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL39 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Bill Fumerola, sie said: > On Thu, Jul 27, 2000 at 08:28:01PM +1000, Darren Reed wrote: > > > > Is one better than the other? Why? Does it depend on the situation? > > > > ipfw is marginally better for freebsd because it supports all the > > freebsd specific hacks - not that this buys you anything wonderful > > in terms of filtering. 
ipfilter is generally considered to be the > > "leading" public domain packet filtering package and I try to ensure > > it stays that way :-) For example, the state tracking code in IP Filter > > is still without an equal. If you are *serious* about your security > > you wouldn't use ipfw (by serious I mean not for home/small company > > use, where physical security is recognised, etc). > > Does ipfilter have rate limiting? no...and lots of people ask for it too O:-/ personally, it's not clear to me that this belongs there - ALTQ (whatever that is) often gets cited for doing that sort of work. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 15:49:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from dt052n3e.san.rr.com (dt052n3e.san.rr.com [204.210.33.62]) by hub.freebsd.org (Postfix) with ESMTP id 9DA7D37C10E; Thu, 27 Jul 2000 15:49:21 -0700 (PDT) (envelope-from DougB@gorean.org) Received: from gorean.org (master [10.0.0.2]) by dt052n3e.san.rr.com (8.9.3/8.9.3) with ESMTP id PAA98114; Thu, 27 Jul 2000 15:49:19 -0700 (PDT) (envelope-from DougB@gorean.org) Message-ID: <3980BC6F.265136D2@gorean.org> Date: Thu, 27 Jul 2000 15:49:19 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Robert Watson Cc: freebsd-security@FreeBSD.org, ogud@tislabs.com Subject: Re: MFC'ing OpenSSL 0.9.5a? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Robert Watson wrote: > > A co-worker of mine pointed out that FreeBSD 4.1-RELEASE shipped with > OpenSSL 0.9.4, which apparently causes problems for BIND9 due to API > changes between versions, and bugs in 0.9.4. 
FreeBSD 5.0-CURRENT appears > to be using OpenSSL 0.9.5a; I was wondering if there were any plans to MFC > the new version of OpenSSL? Of course there are. Kris has already stated that he would be doing this as soon as some of the nebulous issues involving the upgrade have been solved in -current. Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 18: 5:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from pebkac.owp.csus.edu (pebkac.owp.csus.edu [130.86.232.245]) by hub.freebsd.org (Postfix) with ESMTP id 327A237C15A for ; Thu, 27 Jul 2000 18:05:19 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu) Received: from owp.csus.edu (mail.owp.csus.edu [130.86.232.247]) by pebkac.owp.csus.edu (8.9.3/8.9.3) with ESMTP id SAA91482; Thu, 27 Jul 2000 18:05:15 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu) Message-ID: <3980DBA1.1436F6DB@owp.csus.edu> Date: Thu, 27 Jul 2000 18:02:25 -0700 From: Joseph Scott X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Gerhard Sittig Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) References: <200007260239.MAA02404@cairo.anu.edu.au> <397E5342.16736F51@math.missouri.edu> <20000726191113.I24476@speedy.gsinet> <20000727195957.P24476@speedy.gsinet> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Gerhard Sittig wrote: > > On Wed, Jul 26, 2000 at 19:11 +0200, Gerhard Sittig wrote: > > > > BTW: This reminds me that I wanted to file a PR worded "I wish > > rc.network would be expanded to load ipfilter as an alternative > > to ipfw" > > Been there. Done that. > > See http://www.freebsd.org/cgi/query-pr.cgi?pr=20202 for a > cleaner and more complete patch. 
Extending the manpage was the > most delaying part in this, BTW. :> > > If you don't care about "having a well documented extension" and > "having this applied with installworld" you could as well apply > the patches to /etc/rc.network and /etc/rc.conf only. :) If you are looking for votes to get this committed, count me as one. -- Joseph Scott joseph.scott@owp.csus.edu Office Of Water Programs - CSU Sacramento To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 27 23: 6:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8DA0E37B72F; Thu, 27 Jul 2000 23:06:45 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id XAA18804; Thu, 27 Jul 2000 23:06:45 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 27 Jul 2000 23:06:45 -0700 (PDT) From: Kris Kennaway To: Robert Watson Cc: freebsd-security@FreeBSD.org, ogud@tislabs.com Subject: Re: MFC'ing OpenSSL 0.9.5a? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 27 Jul 2000, Robert Watson wrote: > A co-worker of mine pointed out that FreeBSD 4.1-RELEASE shipped with > OpenSSL 0.9.4, which apparently causes problems for BIND9 due to API > changes between versions, and bugs in 0.9.4. FreeBSD 5.0-CURRENT appears > to be using OpenSSL 0.9.5a; I was wondering if there were any plans to MFC > the new version of OpenSSL? Of course, people only bring these things up > after releases, but it would be nice to have it in the immediate -STABLE > upgrade path, and in time for the November post-RSA-patent release.
Several people had weird problems with 0.9.5a which I could never reproduce or track down - this made me nervous to merge it. If I had some success stories of people who have successfully run SSL webservers using it in -current it might ease my fears somewhat :-) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 2:24:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from grunt.vl.net.ua (grunt.vl.net.ua [194.44.80.198]) by hub.freebsd.org (Postfix) with ESMTP id 8B47E37BF16 for ; Fri, 28 Jul 2000 02:24:14 -0700 (PDT) (envelope-from news@grunt.vl.net.ua) Received: from news by grunt.vl.net.ua with local (Exim 3.12 #2) id 13I6NF-000HoM-00 for freebsd-security@freebsd.org; Fri, 28 Jul 2000 12:24:09 +0300 To: freebsd-security@freebsd.org Subject: Confirmation for subscribe freebsd-security Date: 28 Jul 2000 12:24:02 +0300 Message-ID: <20000728091919.C0CA637B570@hub.freebsd.org> X-Trace: uran.kharkiv.net 964776249 67028 127.0.0.1 (28 Jul 2000 09:24:09 GMT) X-Complaints-To: usenet@news.kharkiv.net NNTP-Posting-Date: 28 Jul 2000 09:24:09 GMT X-Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) X-Received: by hub.freebsd.org (Postfix, from userid 538) X-To: freebsd-security-m@kharkiv.net X-Reply-To: Majordomo@FreeBSD.ORG X-Via: News-To-Mail v1.0 From: Majordomo@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -- Please be sure to read the charters before subscribing or sending mail to any FreeBSD mailing list for an explanation of which topics are relevant for a given list and what types of postings are and are not allowed. 
They may be found at: http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL Someone (possibly you) has requested that your email address be added to or deleted from the mailing list "freebsd-security@FreeBSD.ORG". If you really want this action to be taken, please send the following commands (exactly as shown) back to "Majordomo@FreeBSD.ORG": auth 8587e59e subscribe freebsd-security freebsd-security-m@kharkiv.net If you do not want this action to be taken, simply ignore this message and the request will be disregarded. If your mailer will not allow you to send the entire command as a single line, you may split it using backslashes, like so: auth 8587e59e subscribe freebsd-security \ freebsd-security-m@kharkiv.net If you have any questions about the policy of the list owner, please contact "freebsd-security-approval@FreeBSD.ORG". Thanks! Majordomo@FreeBSD.ORG --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 2:25: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from grunt.vl.net.ua (grunt.vl.net.ua [194.44.80.198]) by hub.freebsd.org (Postfix) with ESMTP id C4B2937BF16 for ; Fri, 28 Jul 2000 02:25:01 -0700 (PDT) (envelope-from news@grunt.vl.net.ua) Received: from news by grunt.vl.net.ua with local (Exim 3.12 #2) id 13I6O1-000HoT-00 for freebsd-security@freebsd.org; Fri, 28 Jul 2000 12:24:57 +0300 To: freebsd-security@freebsd.org Subject: Majordomo results Date: 28 Jul 2000 12:24:50 +0300 Message-ID: <20000728091919.C858137B746@hub.freebsd.org> X-Trace: uran.kharkiv.net 964776297 67063 127.0.0.1 (28 Jul 2000 09:24:57 GMT) X-Complaints-To: usenet@news.kharkiv.net NNTP-Posting-Date: 28 Jul 2000 09:24:57 GMT X-Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) X-Received: by hub.freebsd.org (Postfix, from userid 538) X-To: freebsd-security-m@kharkiv.net X-Reply-To: Majordomo@FreeBSD.ORG X-Via: News-To-Mail v1.0 From: 
Majordomo@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -- >>>> subscribe freebsd-security **** Your request to Majordomo@FreeBSD.ORG: **** **** subscribe freebsd-security freebsd-security-m@kharkiv.net **** **** must be authenticated. To accomplish this, another request must be **** sent in with an authorization key, which has been sent to: **** freebsd-security-m@kharkiv.net **** **** If the message is not received, there is generally a problem with **** the address. Before reporting this as a problem, please note the **** following: **** **** You only need to give an address to the subscribe command if you want **** to receive list mail at a different address from where you sent the **** command. Otherwise you can simply omit it. **** **** If you do give an address to the subscribe command, it must be a legal **** address. It should not consist solely of your name. The address must **** point to a machine that is reachable from the list server. **** **** If you have any questions about the policy of the list owner, please **** contact "freebsd-security-approval@FreeBSD.ORG". **** **** Thanks! 
**** **** Majordomo@FreeBSD.ORG >>>> --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 2:35:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from grunt.vl.net.ua (grunt.vl.net.ua [194.44.80.198]) by hub.freebsd.org (Postfix) with ESMTP id 67E2E37B93F for ; Fri, 28 Jul 2000 02:35:37 -0700 (PDT) (envelope-from news@grunt.vl.net.ua) Received: from news by grunt.vl.net.ua with local (Exim 3.12 #2) id 13I6YJ-000HwU-00 for freebsd-security@freebsd.org; Fri, 28 Jul 2000 12:35:35 +0300 To: freebsd-security@freebsd.org Subject: Welcome to freebsd-security Date: 28 Jul 2000 12:35:28 +0300 Message-ID: <20000728092613.B9A9F37B965@hub.freebsd.org> X-Trace: uran.kharkiv.net 964776935 67599 127.0.0.1 (28 Jul 2000 09:35:35 GMT) X-Complaints-To: usenet@news.kharkiv.net NNTP-Posting-Date: 28 Jul 2000 09:35:35 GMT X-Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) X-Received: by hub.freebsd.org (Postfix, from userid 538) X-To: freebsd-security-m@kharkiv.net X-Reply-To: Majordomo@FreeBSD.ORG X-Via: News-To-Mail v1.0 From: Majordomo@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -- Welcome to the freebsd-security mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to with the following command in the body of your email message: unsubscribe freebsd-security or from another account, besides freebsd-security-m@kharkiv.net: unsubscribe freebsd-security freebsd-security-m@kharkiv.net If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to . This is the general rule for most mailing lists when you need to contact a human. 
Here's the general information for the list you've subscribed to, in case you don't already have it: FREEBSD-SECURITY Security issues FreeBSD computer security issues (DES, Kerberos, known security holes and fixes, etc). --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 2:36:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from grunt.vl.net.ua (grunt.vl.net.ua [194.44.80.198]) by hub.freebsd.org (Postfix) with ESMTP id 4085537B93F for ; Fri, 28 Jul 2000 02:36:51 -0700 (PDT) (envelope-from news@grunt.vl.net.ua) Received: from news by grunt.vl.net.ua with local (Exim 3.12 #2) id 13I6ZU-000Hwa-00 for freebsd-security@freebsd.org; Fri, 28 Jul 2000 12:36:48 +0300 To: freebsd-security@freebsd.org Subject: Majordomo results Date: 28 Jul 2000 12:36:42 +0300 Message-ID: <20000728092613.CD12037C278@hub.freebsd.org> X-Trace: uran.kharkiv.net 964777009 67668 127.0.0.1 (28 Jul 2000 09:36:49 GMT) X-Complaints-To: usenet@news.kharkiv.net NNTP-Posting-Date: 28 Jul 2000 09:36:49 GMT X-Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) X-Received: by hub.freebsd.org (Postfix, from userid 538) X-To: freebsd-security-m@kharkiv.net X-Reply-To: Majordomo@FreeBSD.ORG X-Via: News-To-Mail v1.0 From: Majordomo@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -- >>>> auth 8587e59e subscribe freebsd-security Succeeded. 
>>>> --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 2:42:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from grunt.vl.net.ua (grunt.vl.net.ua [194.44.80.198]) by hub.freebsd.org (Postfix) with ESMTP id 543B237C061 for ; Fri, 28 Jul 2000 02:42:10 -0700 (PDT) (envelope-from news@grunt.vl.net.ua) Received: from news by grunt.vl.net.ua with local (Exim 3.12 #2) id 13I6ed-000I0c-00 for freebsd-security@freebsd.org; Fri, 28 Jul 2000 12:42:07 +0300 To: freebsd-security@freebsd.org Subject: ? Date: 28 Jul 2000 12:42:00 +0300 Message-ID: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Trace: uran.kharkiv.net 964777327 67812 127.0.0.1 (28 Jul 2000 09:42:07 GMT) X-Complaints-To: usenet@news.kharkiv.net NNTP-Posting-Date: 28 Jul 2000 09:42:07 GMT X-Received: from athena.za.net (athena.za.net [196.30.167.200]) X-Received: from localhost (jus@localhost) X-Authentication-Warning: athena.za.net: jus owned process doing -bs X-Sender: jus@athena.za.net X-To: freebsd-security-m@kharkiv.net X-Via: News-To-Mail v1.0 From: jus@security.za.net (Justin Stanford) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Who are you, and why am I getting damned freebsd-security subscriptions messages from freebsd.org's majordomo in my mailbox? 
-- Justin Stanford 082 7402741 jus@security.za.net www.security.za.net IT Security and Solutions --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 3:10:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 4A7D437B9D6 for ; Fri, 28 Jul 2000 03:10:53 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee) Received: from localhost (narvi@localhost) by haldjas.folklore.ee (8.9.3/8.9.3) with SMTP id MAA15194; Fri, 28 Jul 2000 12:10:38 +0200 (EET) (envelope-from narvi@haldjas.folklore.ee) Date: Fri, 28 Jul 2000 12:10:37 +0200 (EET) From: Narvi To: Justin Stanford Cc: freebsd-security@FreeBSD.ORG Subject: Re: ? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 28 Jul 2000, Justin Stanford wrote: > Who are you, and why am I getting damned freebsd-security subscriptions > messages from freebsd.org's majordomo in my mailbox? > Somebody seems to be subscribing several lists to themselves, if I read the messages right. Not just security but hardware as well...
> -- > Justin Stanford > 082 7402741 > jus@security.za.net > www.security.za.net > IT Security and Solutions > > > --- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 3:17: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 0E69037B965 for ; Fri, 28 Jul 2000 03:17:02 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id MAA01227; Fri, 28 Jul 2000 12:16:47 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Narvi Cc: Justin Stanford , freebsd-security@FreeBSD.ORG Subject: Re: ? In-reply-to: Your message of "Fri, 28 Jul 2000 12:10:37 +0200." Date: Fri, 28 Jul 2000 12:16:47 +0200 Message-ID: <1225.964779407@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have added a mail-filter which I hope should stop this as a temporary measure. Our Postmaster will take over when he comes online. Poul-Henning In message , Nar vi writes: > >On 28 Jul 2000, Justin Stanford wrote: > >> Who are you, and why am I getting damned freebsd-security subscriptions >> messages from freebsd.org's majordomo in my mailbox? >> > >Somebody seems to be subscribing several lists to themselves, if I read >the messages right. Not just security but hardware as well...
> >> -- >> Justin Stanford >> 082 7402741 >> jus@security.za.net >> www.security.za.net >> IT Security and Solutions >> >> >> --- >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD coreteam member | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 3:44:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id BA5FF37BACF for ; Fri, 28 Jul 2000 03:44:15 -0700 (PDT) (envelope-from jus@security.za.net) Received: from localhost (jus@localhost) by athena.za.net (8.9.3/8.9.3) with ESMTP id MAA01422; Fri, 28 Jul 2000 12:40:32 +0200 (SAST) (envelope-from jus@security.za.net) X-Authentication-Warning: athena.za.net: jus owned process doing -bs Date: Fri, 28 Jul 2000 12:40:32 +0200 (SAST) From: Justin Stanford X-Sender: jus@athena.za.net To: Poul-Henning Kamp Cc: Narvi , freebsd-security@FreeBSD.ORG Subject: Re: ? In-Reply-To: <1225.964779407@critter.freebsd.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks :) I never expected the mail I wrote to freebsd-security-m@kharvi.net to end up on the list :P Regards, jus -- Justin Stanford 082 7402741 jus@security.za.net www.security.za.net IT Security and Solutions On Fri, 28 Jul 2000, Poul-Henning Kamp wrote: > > I have added a mail-filter which I hope should stop this as a temporary > measure. 
> > Our Postmaster will take over when he comes online. > > Poul-Henning > > In message , Nar > vi writes: > > > >On 28 Jul 2000, Justin Stanford wrote: > > > >> Who are you, and why am I getting damned freebsd-security subscriptions > >> messages from freebsd.org's majordomo in my mailbox? > >> > > > >Somebody seems to be subscribing several lists to themselves, if I read > >the messages right. Not just security but hardware as well... > > > >> -- > >> Justin Stanford > >> 082 7402741 > >> jus@security.za.net > >> www.security.za.net > >> IT Security and Solutions > >> > >> > >> --- > >> > >> > >> To Unsubscribe: send mail to majordomo@FreeBSD.org > >> with "unsubscribe freebsd-security" in the body of the message > >> > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > phk@FreeBSD.ORG | TCP/IP since RFC 956 > FreeBSD coreteam member | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence.
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 4:42:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from warf.msc.cornell.edu (warf.msc.cornell.edu [128.84.249.249]) by hub.freebsd.org (Postfix) with ESMTP id 51F0C37C05D; Fri, 28 Jul 2000 04:41:59 -0700 (PDT) (envelope-from mitch@ccmr.cornell.edu) Received: from khitomer.msc.cornell.edu (IDENT:0@khitomer.msc.cornell.edu [128.84.249.245]) by warf.msc.cornell.edu (8.9.3/8.9.3) with ESMTP id HAA10713; Fri, 28 Jul 2000 07:41:51 -0400 Received: from localhost (mitch@localhost) by khitomer.msc.cornell.edu (8.9.3/8.9.3) with ESMTP id HAA05547; Fri, 28 Jul 2000 07:41:48 -0400 X-Authentication-Warning: khitomer.msc.cornell.edu: mitch owned process doing -bs Date: Fri, 28 Jul 2000 07:41:48 -0400 (EDT) From: Mitch Collinsworth To: Justin Stanford Cc: Poul-Henning Kamp , Narvi , freebsd-security@freebsd.org, freebsd-hardware@freebsd.org, freebsd-isp@freebsd.org Subject: Re: ? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What's going on here is that this guy is creating local newsgroups to distribute these lists into. Unfortunately his news <---> mail gateway is running in both directions, so anything sent to the gateway e-mail address is getting fed back into the list posting address and we're all seeing it. Whether this is acceptable practice is a policy question for the freebsd lists administrator to deal with. In the mean time I would suggest addressing any complaints to the lists admin and to the address in his X-Complaints-To: header, usenet@news.kharkiv.net. 
-Mitch On Fri, 28 Jul 2000, Justin Stanford wrote: > Thanks:) > > I never expected the mail I wrote to freebsd-security-m@kharvi.net to > end up on the list :P > > Regards, > jus > > -- > Justin Stanford > 082 7402741 > jus@security.za.net > www.security.za.net > IT Security and Solutions > > > On Fri, 28 Jul 2000, Poul-Henning Kamp wrote: > > > > > I have added a mail-filter which I hope should stop this as a temporary > > measure. > > > > Our Postmaster will take over when he comes online. > > > > Poul-Henning > > > > In message , Nar > > vi writes: > > > > > >On 28 Jul 2000, Justin Stanford wrote: > > > > > >> Who are you, and why am I getting damned freebsd-security subscriptions > > >> messages from freebsd.org's majordomo in my mailbox? > > >> > > > > > >Somebody seems to be subscribing several lists to themselves, if I read > > >the messages right. Not just security but hardware as well... > > > > > >> -- > > >> Justin Stanford > > >> 082 7402741 > > >> jus@security.za.net > > >> www.security.za.net > > >> IT Security and Solutions > > >> > > >> > > >> --- > > >> > > >> > > >> To Unsubscribe: send mail to majordomo@FreeBSD.org > > >> with "unsubscribe freebsd-security" in the body of the message > > >> > > > > > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > > >with "unsubscribe freebsd-security" in the body of the message > > > > > > > -- > > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > > phk@FreeBSD.ORG | TCP/IP since RFC 956 > > FreeBSD coreteam member | BSD since 4.3-tahoe > > Never attribute to malice what can adequately be explained by incompetence.
> > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 7:12:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id B067A37C1EA for ; Fri, 28 Jul 2000 07:12:50 -0700 (PDT) (envelope-from dmartin@origen.com) Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id JAA98816 for ; Fri, 28 Jul 2000 09:12:45 -0500 (CDT) (envelope-from dmartin@origen.com) Message-ID: <3981B0AF.411197BF@origen.com> Date: Fri, 28 Jul 2000 09:11:27 -0700 From: Richard Martin X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Re: Majordomo results References: <20000728092613.CD12037C278@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Been a while since I looked at Majordomo docs, but shouldn't the 'Administrivia' setting divert messages with 'subscribe' and such to the list admin? -- Richard Martin dmartin@origen.com OriGen, inc. Tel: +1 512 474 7278 2525 Hartford Rd. 
Fax: +1 512 708 8522 Austin, TX 78703 http://www.origen.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 28 11:12:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from horizon.barak-online.net (horizon.barak.net.il [206.49.94.218]) by hub.freebsd.org (Postfix) with ESMTP id 5685B37B7F9 for ; Fri, 28 Jul 2000 11:12:29 -0700 (PDT) (envelope-from bk532@iname.com) Received: from localhost.local.net (pop09-1-ras1-p192.barak.net.il [212.150.107.192]) by horizon.barak-online.net (8.9.3/8.9.1) with ESMTP id VAA16299; Fri, 28 Jul 2000 21:11:36 +0300 (IDT) Received: from iname.com (localhost.local.net [127.0.0.1]) by localhost.local.net (8.9.3/8.9.3) with ESMTP id KAA10570; Fri, 28 Jul 2000 10:47:32 +0300 (IDT) (envelope-from bk532@iname.com) Message-ID: <39813A94.86908214@iname.com> Date: Fri, 28 Jul 2000 10:47:32 +0300 From: Boris Karnaukh Organization: Private person X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.1-RC i386) X-Accept-Language: en, ru MIME-Version: 1.0 To: Damien Tougas Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos and DHCP References: <20000727144100.A30282@tougas.net> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Damien Tougas wrote: > > Hello, > > I don't know alot about kerberos, and was wondering if someone could > answer a question for me. It is my understanding that kerberos depends > on a host key for autentication, and that the host key is tied to the > hostname of the client. If that is the case, how is it possible to use > kerberos with a client computer that connects via dhcp? > You can bind IP address to your client computer's MAC address on DHCP server. So your client computer will always get same IP and you'll have opportunity add it's address to DNS. 
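The static-lease-plus-DNS arrangement Boris describes, as an added consistency check that is not part of the thread: it assumes an ISC dhcpd-style dhcpd.conf (host blocks with hardware ethernet and fixed-address) and BIND-style zone records, and every hostname, MAC and address in it is constructed sample data.

```python
"""Check that DHCP static reservations line up with forward and reverse DNS.

Added illustration for the "Kerberos and DHCP" reply above, not code from the
list or from any FreeBSD component. Assumes an ISC dhcpd-style dhcpd.conf
(host { hardware ethernet ...; fixed-address ...; }) and BIND-style zone
records; every name, MAC and address below is constructed sample data.
"""
import ipaddress
import re

# Constructed sample: two reservations, the second missing its PTR record.
DHCPD_CONF = """
subnet 192.168.18.0 netmask 255.255.255.0 {
    range 192.168.18.100 192.168.18.200;
    host lab1 {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.168.18.10;
    }
    host lab2 {
        hardware ethernet 00:11:22:33:44:66;
        fixed-address 192.168.18.11;
    }
}
"""

# Constructed forward and reverse zone records (owner IN type rdata).
FORWARD_ZONE = """
lab1.example.org.   IN  A   192.168.18.10
lab2.example.org.   IN  A   192.168.18.11
"""
REVERSE_ZONE = """
10.18.168.192.in-addr.arpa.  IN  PTR  lab1.example.org.
"""

HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
ADDR_RE = re.compile(r"fixed-address\s+([0-9.]+)\s*;")


def parse_reservations(conf):
    """Return {hostname: (mac, ip)} for every host block with a fixed address."""
    out = {}
    for name, body in HOST_RE.findall(conf):
        mac = MAC_RE.search(body)
        addr = ADDR_RE.search(body)
        if mac and addr:
            out[name] = (mac.group(1).lower(), addr.group(1))
    return out


def parse_records(zone, rtype):
    """Return {owner: rdata} for zone records of the given type ("A" or "PTR")."""
    out = {}
    for line in zone.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] == rtype:
            out[parts[0].lower()] = parts[3].lower()
    return out


def check_dns_consistency(conf, forward, reverse, domain):
    """List reservations whose forward or reverse DNS does not match.

    For each static lease the host's name must resolve to the fixed address
    and the address must map back to the same name; a name-based principal
    is only as stable as this pair of records.
    """
    a_records = parse_records(forward, "A")
    ptr_records = parse_records(reverse, "PTR")
    problems = []
    for host, (_mac, ip) in parse_reservations(conf).items():
        fqdn = f"{host}.{domain}."
        if a_records.get(fqdn) != ip:
            problems.append(f"{host}: no A record mapping {fqdn} to {ip}")
        rev = ipaddress.ip_address(ip).reverse_pointer + "."
        if ptr_records.get(rev) != fqdn:
            problems.append(f"{host}: no PTR record mapping {ip} to {fqdn}")
    return problems


if __name__ == "__main__":
    for problem in check_dns_consistency(DHCPD_CONF, FORWARD_ZONE,
                                         REVERSE_ZONE, "example.org"):
        print(problem)
```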
--
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Fri Jul 28 11:12:59 2000
From: Boris Karnaukh
Date: Fri, 28 Jul 2000 10:42:34 +0300
To: Walter Cruz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: swap_pager_getswapspace: failed

Walter Cruz wrote:
>
> (Sorry, my english is terrible)
> My system log file is being filled with this error message. What can I do to
> avoid this problem??
>

1. Check whether you have sufficient swap space. Use /usr/bin/swapinfo.
2. Run systat -vm and look at the "Flt" counter.
3. Run top for a while to see whether one of your processes is eating memory.

--
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Fri Jul 28 13:42:35 2000
From: Doug Barton
Date: Fri, 28 Jul 2000 13:42:10 -0700
To: Richard Martin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo results

Richard Martin wrote:
>
> Been a while since I looked at Majordomo docs, but shouldn't the
> 'Administrivia' setting divert messages with 'subscribe' and such to the
> list admin?

Yes, but it's turned off because it generates too many false positives.

From owner-freebsd-security Fri Jul 28 15:00:37 2000
From: Michael Maxwell
Date: Fri, 28 Jul 2000 17:01:37 -0500 (CDT)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo results

> Delivered-To: freebsd-security@freebsd.org
> To: freebsd-security@FreeBSD.ORG
> Subject: Majordomo results
> Date: 28 Jul 2000 12:36:42 +0300
> X-Trace: uran.kharkiv.net 964777009 67668 127.0.0.1 (28 Jul 2000 09:36:49 GMT)
> X-Complaints-To: usenet@news.kharkiv.net
> NNTP-Posting-Date: 28 Jul 2000 09:36:49 GMT
> X-Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18])
> X-Received: by hub.freebsd.org (Postfix, from userid 538)
> X-To: freebsd-security-m@kharkiv.net
> X-Reply-To: Majordomo@FreeBSD.ORG
> X-Via: News-To-Mail v1.0
> From: Majordomo@FreeBSD.ORG
> X-Loop: FreeBSD.org
>
> --
>
> >>>> auth 8587e59e subscribe freebsd-security
> Succeeded.
> >>>>
> ---

Did anyone else see all this?

I just got 3 messages prior to this that followed the subscribe options
(the confirmation messages), but they had someone else's email address on
them. I'm already on the list, so it wasn't me trying to subscribe...

Michael Maxwell      | Certified Unix Geek: BSD/Solaris/SCO
drwho @ xnet . com   | "I'm not wearing any pants..." Film at eleven.
home.xnet.com/~drwho | "Four legs good, two legs bad." -G. Orwell/Animal Farm

From owner-freebsd-security Fri Jul 28 23:07:15 2000
From: Mike Tancsa
Date: Sat, 29 Jul 2000 02:01:49 -0400
To: security@freebsd.org
Subject: CDSA ?

Anyone take a look at this ? Supposedly coming to LINUX by the end of
August as open source ( http://developer.intel.com/ial/security/faq.htm for
more info.) I guess it kinda reminds me of PAM, but much more
comprehensive... From the FAQ,

"CDSA eases the process of adding security to software products. By writing
to one common API, a software developer can add authentication services
(such as smart card readers), encryption services (such as DES) and the
ability to manage security processes (key recovery, export restrictions,
prevention of attacks on the internal software pieces). Application
developers can focus on a single API for all security services, instead of
a potentially conflicting collection of individual APIs from multiple
toolkit vendors. This provides application developers with flexibility,
consistency, and portability when implementing security solutions within
their products."

---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Fri Jul 28 23:14:32 2000
From: Kris Kennaway
Date: Fri, 28 Jul 2000 23:14:29 -0700 (PDT)
To: Mike Tancsa
Cc: security@freebsd.org
Subject: Re: CDSA ?

On Sat, 29 Jul 2000, Mike Tancsa wrote:

> Anyone take a look at this ? Supposedly coming to LINUX by the end of
> August as open source ( http://developer.intel.com/ial/security/faq.htm for
> more info.) I guess it kinda reminds me of PAM, but much more
> comprehensive... From the FAQ,

Give them a few years to work out all of the security vulnerabilities :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Fri Jul 28 23:24:38 2000
From: Mike Tancsa
Date: Sat, 29 Jul 2000 02:19:21 -0400
To: Kris Kennaway
Cc: security@FreeBSD.org
Subject: Re: CDSA ?

At 11:14 PM 7/28/2000 -0700, Kris Kennaway wrote:
> On Sat, 29 Jul 2000, Mike Tancsa wrote:
>
> > Anyone take a look at this ? Supposedly coming to LINUX by the end of
> > August as open source ( http://developer.intel.com/ial/security/faq.htm for
> > more info.) I guess it kinda reminds me of PAM, but much more
> > comprehensive... From the FAQ,
>
> Give them a few years to work out all of the security vulnerabilities :-)

No doubt. But are there any security initiatives similar to this one out
there already ?

---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Sat Jul 29 7:54:31 2000
From: Narvi
Date: Sat, 29 Jul 2000 16:54:16 +0200 (EET)
To: Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: Re: CDSA ?

CDSA is "yet another" crypto interface standard. Except it's "still coming",
unlike others that exist now and implementations of which are available
under a reasonable standard.

On Sat, 29 Jul 2000, Mike Tancsa wrote:

> Anyone take a look at this ? Supposedly coming to LINUX by the end of
> August as open source ( http://developer.intel.com/ial/security/faq.htm for
> more info.) I guess it kinda reminds me of PAM, but much more
> comprehensive... From the FAQ,
>
> "CDSA eases the process of adding security to software products. By writing
> to one common API, a software developer can add authentication services
> (such as smart card readers), encryption services (such as DES) and the
> ability to manage security processes (key recovery, export restrictions,
> prevention of attacks on the internal software pieces). Application
> developers can focus on a single API for all security services, instead of
> a potentially conflicting collection of individual APIs from multiple
> toolkit vendors. This provides application developers with flexibility,
> consistency, and portability when implementing security solutions within
> their products."
>
> ---Mike

From owner-freebsd-security Sat Jul 29 15:14:20 2000
From: Kris Kennaway
Date: Sat, 29 Jul 2000 15:14:18 -0700 (PDT)
To: Mike Tancsa
Cc: security@FreeBSD.org
Subject: Re: CDSA ?

On Sat, 29 Jul 2000, Mike Tancsa wrote:

> At 11:14 PM 7/28/2000 -0700, Kris Kennaway wrote:
> > On Sat, 29 Jul 2000, Mike Tancsa wrote:
> >
> > > Anyone take a look at this ? Supposedly coming to LINUX by the end of
> > > August as open source ( http://developer.intel.com/ial/security/faq.htm for
> > > more info.) I guess it kinda reminds me of PAM, but much more
> > > comprehensive... From the FAQ,
> >
> > Give them a few years to work out all of the security vulnerabilities :-)
>
> No doubt. But are there any security initiatives similar to this one out
> there already ?

GSSAPI sounds similar in concept, but I don't know about coverage.

It will be interesting to see what license they choose for the reference
implementation: if they care about getting this adopted as a de facto
standard they'd be stupid to GPL it :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Sat Jul 29 16:02:23 2000
From: Bengt Richter
Date: Sat, 29 Jul 2000 16:06:02 -0700
To: Mitch Collinsworth
Cc: freebsd-security@freebsd.org
Subject: Re: ?

At 07:41 2000-07-28 -0400 Mitch Collinsworth wrote:
> What's going on here is that this guy is creating local newsgroups to
> distribute these lists into. Unfortunately his news <---> mail gateway
> is running in both directions, so anything sent to the gateway e-mail
> address is getting fed back into the list posting address and we're all
> seeing it. Whether this is acceptable practice is a policy question for
> the freebsd lists administrator to deal with. In the meantime I would
> suggest addressing any complaints to the lists admin and to the address
> in his X-Complaints-To: header, usenet@news.kharkiv.net.
>
> -Mitch

Maybe there is a win-win possibility after the initial annoyance.

The "arkiv" in kharkiv.net suggests the idea that they're subscribing to
various lists to do automatic archiving. I would like access to that,
especially with search capability.

BUT ... not at the cost of seeing a kind of cross-post spam in
freebsd-security. I don't think newsgroup (if that's what it's about)
posts should automatically be passed through to mailing lists. For one
thing, many news reader programs blindly copy the cross-posting info such
that even experienced users may accidentally spam unintentionally in
sending a quick reply. To have that kind of traffic into freebsd-security
(and the other lists I haven't Cc'd) would be disruptive. If that is what's
coming, I would vote for blocking their incoming traffic. I would hope it's
just a temporary configuration error of some kind, to give them the benefit
of the doubt.

An unmoderated newsgroup connected as feared would amount to a spam
pass-through. There's enough already directly.

However, they may well be doing a valuable service for a group of people
(potentially including us) by passively taking a single feed from
freebsd-security@freebsd.org and publishing it in a context of their own
(guessing that is their intent). Just so their subscribers have to take an
"opt-in" action (like filling in Cc:) _each time_ in order to post to a
mailing list, not an "opt-out" each time to override auto-spam.

Regards,
Bengt Richter

P.S. Could we filter to exclude non-subscribers and have a category of
listen-only subscribers to deal with the current issue, if necessary?

From owner-freebsd-security Sat Jul 29 16:32:57 2000
From: "K 87" <87ch197@gadz.org>
Date: Sun, 30 Jul 2000 01:29:17 +0200
Subject:

(no subject and no body)

From owner-freebsd-security Sat Jul 29 19:25:38 2000
From: "Castor Fu"
Date: Sat, 29 Jul 2000 19:25:31 -0700 (PDT)
To: Kris Kennaway
Cc: Mike Tancsa, security@FreeBSD.ORG
Subject: Re: CDSA ?

On Sat, 29 Jul 2000, Kris Kennaway wrote:

> > > > Anyone take a look at this ? Supposedly coming to LINUX by the end of
> > > > August as open source ( http://developer.intel.com/ial/security/faq.htm for
> > > > more info.) I guess it kinda reminds me of PAM, but much more
> > > > comprehensive... From the FAQ,
> > >
> > > Give them a few years to work out all of the security vulnerabilities :-)
> >
> > No doubt. But are there any security initiatives similar to this one out
> > there already ?
>
> GSSAPI sounds similar in concept, but I don't know about coverage.
>
> It will be interesting to see what license they choose for the reference
> implementation: if they care about getting this adopted as a de facto
> standard they'd be stupid to GPL it :-)

If you look at the web page, the win32 reference implementation is BSD
licensed. There were some comments about requiring 4.5 gigabytes to build
it though. . .

It seems to provide a lot more services than GSSAPI. . .

-castor

From owner-freebsd-security Sat Jul 29 23:46:42 2000
From: "Miklos Niedermayer"
Date: Sat, 29 Jul 2000 19:48:21 +0200
To: Mike Hoskins
Cc: Darren Reed, Pavol Adamec, freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)

Hell, Mike Hoskins:

> The only real reason I've heard ipf recommended since ipfw got
> keep-state/check-state is ipnat.

I think that ipfw's statefulness is in a very early stage.

--
 ______ o _. __ / / / (_(_(__(_) @ bsd.hu