From owner-freebsd-security Sun Feb 24 0: 6:24 2002
From: "Peter C. Lai"
To: Jeff Palmer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 03:06:01 -0500

Some people prefer to block all ICMP, but personally, I do not support that line of thought, because blocking ICMP breaks routing RFCs. Furthermore, although people can't, say, ping your box, they can still DoS the machine by overwhelming the ipfw rules.

On Sat, Feb 23, 2002 at 09:27:39PM -0500, Jeff Palmer wrote:
> Hi all.
>
> I have a few concerns with the default /etc/rc.firewall.
> It's fairly common practice (and typically considered to be the most secure practice) to build a default-to-deny firewall. Only traffic that you specifically allow, can pass.
>
> Taking this into consideration, I checked 'man firewall' and find that it too, agrees with the above.
>
> Having said that... is where we get into my problem.
> I compile my kernel with ipfw support. Without the default_to_allow. and use a slightly modified "simple" configuration. This, by default denies all incoming icmp.
> So, I again referred back to 'man firewall' and again, it agrees with my thinking.. Certain ICMP types are beneficial, and should not be denied (especially considering most users probably aren't "into" security so they use a default firewall if any at all.)
>
> Is there any reason in particular, that ALL icmp traffic is denied by default, except for using the 'open' ruleset?
> Or is this just a simple oversight, that needs to be examined?
>
> Thanks in advance for any feedback.
> Also, thanks for NOT flaming me if I've missed something obvious.
>

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 24 4:16:40 2002
From: Dag-Erling Smorgrav
To: "Jeff Palmer"
Subject: Re: Couple of concerns with default rc.firewall
Date: 24 Feb 2002 13:16:31 +0100

"Jeff Palmer" writes:
> Is there any reason in particular, that ALL icmp traffic is denied
> by default, except for using the 'open' ruleset?

The default rule #65535 is "deny ip from any to any". Wouldn't you be surprised if this *didn't* block all ICMP packets?

Just add the following early on in your firewall ruleset:

  allow icmp from any to any icmptype 0,3,8,11

preferably *after* any anti-spoofing rules.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Feb 24 7:30:24 2002
From: "Jeff Palmer"
To: "Dag-Erling Smorgrav"
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 10:30:23 -0500

DES,

Maybe you fail to see my point. I was wondering if there was a reason the FreeBSD team has decided not to allow certain ICMP's by default.
I'm perfectly aware of how to change the rules to do what I want. I was asking if there was a reason for this decision, or if it was an oversight.

----- Original Message -----
From: "Dag-Erling Smorgrav"
To: "Jeff Palmer"
Sent: Sunday, February 24, 2002 7:16 AM
Subject: Re: Couple of concerns with default rc.firewall

> "Jeff Palmer" writes:
> > Is there any reason in particular, that ALL icmp traffic is denied
> > by default, except for using the 'open' ruleset?
>
> The default rule #65535 is "deny ip from any to any". Wouldn't you be
> surprised if this *didn't* block all ICMP packets?
>
> Just add the following early on in your firewall ruleset:
>
> allow icmp from any to any icmptype 0,3,8,11
>
> preferably *after* any anti-spoofing rules.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Feb 24 7:40:42 2002
From: Dag-Erling Smorgrav
To: "Jeff Palmer"
Subject: Re: Couple of concerns with default rc.firewall
Date: 24 Feb 2002 16:40:36 +0100

"Jeff Palmer" writes:
> Maybe you fail to see my point. I was wondering if there was a reason the
> FreeBSD team has decided not to allow certain ICMP's by default.
> I'm perfectly aware of how to change the rules to do what I want. I was
> asking if there was a reason for this decision, or if it was an oversight.

Are you trying to say that "deny ip from any to any" should *not* block all IP packets?

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Feb 24 7:43:53 2002
From: Ralph Huntington
To: Jeff Palmer
Cc: Dag-Erling Smorgrav
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 10:43:34 -0500 (EST)

Maybe I'm missing the point, but doesn't "deny ip from any to any" (which is the last rule in a block-all-by-default firewall) doesn't that mean to block everything, meaning everything? Nothing would be allowed, not any icmp of any type or anything else. In order to allow anything in particular, that would have to be explicitly enabled in a prior (ipfw) rule, is that not correct?

On Sun, 24 Feb 2002, Jeff Palmer wrote:

> DES,
>
> Maybe you fail to see my point. I was wondering if there was a reason the
> FreeBSD team has decided not to allow certain ICMP's by default.
> I'm perfectly aware of how to change the rules to do what I want. I was
> asking if there was a reason for this decision, or if it was an oversight.
>
> ----- Original Message -----
> From: "Dag-Erling Smorgrav"
> To: "Jeff Palmer"
> Sent: Sunday, February 24, 2002 7:16 AM
> Subject: Re: Couple of concerns with default rc.firewall
>
> > "Jeff Palmer" writes:
> > > Is there any reason in particular, that ALL icmp traffic is denied
> > > by default, except for using the 'open' ruleset?
> >
> > The default rule #65535 is "deny ip from any to any". Wouldn't you be
> > surprised if this *didn't* block all ICMP packets?
> >
> > Just add the following early on in your firewall ruleset:
> >
> > allow icmp from any to any icmptype 0,3,8,11
> >
> > preferably *after* any anti-spoofing rules.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Feb 24 8: 8:26 2002
From: Matt Piechota
To: Ralph Huntington
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 11:08:20 -0500 (EST)

On Sun, 24 Feb 2002, Ralph Huntington wrote:

> Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
> is the last rule in a block-all-by-default firewall) doesn't that mean to
> block everything, meaning everything? Nothing would be allowed, not any
> icmp of any type or anything else. In order to allow anything in
> particular, that would have to be explicitly enabled in a prior (ipfw)
> rule, is that not correct?

I think the question is did the FreeBSD team intentionally (for the reasons of security) make the default install non-compliant with some RFCs (read: broken), or was it just not thought of? And second, should this be changed? I don't think the original poster was suggesting that deny ip from any to any shouldn't block anything, just asking should there be a rule in rc.firewall in the default install to allow ICMP so the machine is well behaved.

--
Matt Piechota

From owner-freebsd-security Sun Feb 24 8:13:55 2002
From: "Jeff Palmer"
To: "Ralph Huntington"
Cc: "Dag-Erling Smorgrav"
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 11:13:49 -0500

I'm not sure if you two are bored, or what the problem is. Let me re-iterate the last two lines of my original message.

"Is there any reason in particular, that ALL icmp traffic is denied by default, except for using the 'open' ruleset? Or is this just a simple oversight, that needs to be examined?"

I'm ASKING if it was an oversight that the DEFAULT policies (other than 'open') are denying ICMP. As it is typically agreed that some ICMP types are beneficial.

I know damn well how a firewall works. I also know how to modify it for MY needs. (You might have noticed in my original post, that I said I use a modified simple ruleset, ICMP's is just one of the modifications..)

I'm not asking why it blocks ICMP's due to a lack of knowledge about how packet filtering works. I'm asking why the default firewall blocks beneficial ICMP's due to the fact that some people hear "install a firewall, install a firewall" and don't know the first thing about it. Chances are high that they are using these default rules, which block ICMP's.

I've monitored this list for quite some time. I'd rather this thread not be turned into the circus that you two seem to enjoy. It's a legit concern, and I'd rather it be addressed publicly.

----- Original Message -----
From: "Ralph Huntington"
To: "Jeff Palmer"
Cc: "Dag-Erling Smorgrav"
Sent: Sunday, February 24, 2002 10:43 AM
Subject: Re: Couple of concerns with default rc.firewall

> Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
> is the last rule in a block-all-by-default firewall) doesn't that mean to
> block everything, meaning everything? Nothing would be allowed, not any
> icmp of any type or anything else.
> In order to allow anything in
> particular, that would have to be explicitly enabled in a prior (ipfw)
> rule, is that not correct?
>
> On Sun, 24 Feb 2002, Jeff Palmer wrote:
>
> > DES,
> >
> > Maybe you fail to see my point. I was wondering if there was a reason the
> > FreeBSD team has decided not to allow certain ICMP's by default.
> > I'm perfectly aware of how to change the rules to do what I want. I was
> > asking if there was a reason for this decision, or if it was an oversight.
> >
> > ----- Original Message -----
> > From: "Dag-Erling Smorgrav"
> > To: "Jeff Palmer"
> > Sent: Sunday, February 24, 2002 7:16 AM
> > Subject: Re: Couple of concerns with default rc.firewall
> >
> > > "Jeff Palmer" writes:
> > > > Is there any reason in particular, that ALL icmp traffic is denied
> > > > by default, except for using the 'open' ruleset?
> > >
> > > The default rule #65535 is "deny ip from any to any". Wouldn't you be
> > > surprised if this *didn't* block all ICMP packets?
> > >
> > > Just add the following early on in your firewall ruleset:
> > >
> > > allow icmp from any to any icmptype 0,3,8,11
> > >
> > > preferably *after* any anti-spoofing rules.
> > >
> > > DES
> > > --
> > > Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Feb 24 8:20:36 2002
From: Bill Vermillion
To: security@FreeBSD.ORG
Subject: Re: security-digest V5 #439
Date: Sun, 24 Feb 2002 11:20:29 -0500

> Date: 23 Feb 2002 20:58:33 +0100
> From: Dag-Erling Smorgrav
> Subject: Re: Third /tmp location ?

> Bill Vermillion writes:
> > > Is the /usr/tmp really used for something useful?
> > I would think man 7 hier will answer that for you in a hurry.
> > Yes it really is useful.

> Bzzzt. FreeBSD has never had /usr/tmp, and all software that expects
> /usr/tmp has been changed to use /var/tmp instead.

And I set /usr/tmp for many things because there is no reason that I can see to have var so big that it will hold large files I may have to edit. I put /usr/tmp in almost all my .exrc files as too many times I've gotten 'file system full'. I've had occasions where I've pulled in some really large files in 'vi'.

As I said "Yes it really is useful". User applications really should probably go in /usr/tmp if you have a lot of users.

Bill
--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Sun Feb 24 8:46:32 2002
From: Dag-Erling Smorgrav
To: "Jeff Palmer"
Cc: "Ralph Huntington"
Subject: Re: Couple of concerns with default rc.firewall
Date: 24 Feb 2002 17:46:27 +0100

"Jeff Palmer" writes:
> I'm not sure if you two are bored, or what the problem is.

Maybe the problem is your attitude, and your inability and / or unwillingness to express yourself clearly.

If the question is "why don't any of the default policies in /etc/rc.firewall include a rule to let icmp packets through?", the answer is (probably) "because nobody cared enough to add one".

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Feb 24 14: 6:26 2002
From: Giorgos Keramidas
To: Dag-Erling Smorgrav
Cc: Jeff Palmer, freebsd-security@freebsd.org
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 21:23:38 +0200

On 2002-02-24 17:46, Dag-Erling Smorgrav wrote:
> "Jeff Palmer" writes:
> > I'm not sure if you two are bored, or what the problem is.
>
> Maybe the problem is your attitude, and your inability and / or
> unwillingness to express yourself clearly.
>
> If the question is "why don't any of the default policies in
> /etc/rc.firewall include a rule to let icmp packets through?", the
> answer is (probably) "because nobody cared enough to add one".

Oh but they did :-) Quoting rc.firewall:

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.

I really don't see why we should beat this to death. If the default firewall policy (compiled into the kernel) is to block all IP packets, then rc.firewall sets up things so that certain things are allowed anyway, and falls back to the default policy. If the default compiled in-kernel policy is to allow everything, then everything is passed through.

Jeff, is there some specific problem in the current rc.firewall code that you want to have changed? If so, then can you post a patch that makes these changes to the list? Please?

There really is no need to fight about something, when we don't know what that something is }:-)

Giorgos Keramidas    FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}    http://www.FreeBSD.org/docproj/

From owner-freebsd-security Sun Feb 24 14:51: 9 2002
From: John Stalker
To: freebsd-security@FreeBSD.org
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 17:51:00 -0500

I would say that Jeff expressed himself quite clearly. At least I had no trouble understanding him. The question is not why the default firewall rules as written block absolutely everything. Anyone can read them and verify that that is their effect. The question is whether this is a sensible choice of default.

I don't really like this choice. I don't think it helps matters much to say that users can always switch to default to allow. That isn't a very good default either. A good choice of default would be one which blocks ALMOST everything. The truly paranoid can always remove a few lines and make it deny absolutely everything, but if you are that paranoid you should probably be running OpenBSD.

The problem with making a default which is so secure as to be unusable is that it tempts people to punch giant holes in it to make their systems usable again. I would bet that most people who try default to deny either remove their firewalls entirely or switch to default to accept rather than learn how to identify which packets they need and modify the rules to allow only those.

> "Jeff Palmer" writes:
> > I'm not sure if you two are bored, or what the problem is.
>
> Maybe the problem is your attitude, and your inability and / or
> unwillingness to express yourself clearly.
>
> If the question is "why don't any of the default policies in
> /etc/rc.firewall include a rule to let icmp packets through?", the
> answer is (probably) "because nobody cared enough to add one".
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

--
John Stalker
Department of Mathematics
Princeton University
(609)258-6469

From owner-freebsd-security Sun Feb 24 15: 5:42 2002
From: "Crist J. Clark"
To: Matt Piechota
Cc: Ralph Huntington, freebsd-security@FreeBSD.ORG
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 15:05:33 -0800

On Sun, Feb 24, 2002 at 11:08:20AM -0500, Matt Piechota wrote:
> On Sun, 24 Feb 2002, Ralph Huntington wrote:
>
> > Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
> > is the last rule in a block-all-by-default firewall) doesn't that mean to
> > block everything, meaning everything? Nothing would be allowed, not any
> > icmp of any type or anything else. In order to allow anything in
> > particular, that would have to be explicitly enabled in a prior (ipfw)
> > rule, is that not correct?
>
> I think the question is did the FreeBSD team intentionally (for the
> reasons of security) make the default install non-compliant with some
> RFCs (read: broken), or was it just not thought of?

Pretty much any kind of firewalling makes a system non-compliant. For example, not returning a RST on any TCP port not in the LISTEN state breaks the Standard. What's the first thing people do when firewalling a host? Block incoming TCP so it doesn't generate RSTs.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Sun Feb 24 18: 0:27 2002
From: Ralph Huntington
To: Matt Piechota
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 21:00:22 -0500 (EST)

> I think the question is did the FreeBSD team intentionally (for the
> reasons of security) make the default install non-compliant with some
> RFCs (read: broken), or was it just not thought of? And second,
> should this be changed? I don't think the original poster was
> suggesting that deny ip from any to any shouldn't block anything, just
> asking should there be a rule in rc.firewall in the default install to
> allow ICMP so the machine is well behaved.

Thank you.

From owner-freebsd-security Sun Feb 24 18:38: 4 2002
From: "Peter C. Lai"
To: Ralph Huntington
Cc: Matt Piechota, freebsd-security@FreeBSD.ORG
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 21:37:32 -0500

As another note, rc.firewall presents several preset options for your firewall, that of OPEN, CLIENT, or SIMPLE. I use a version of simple that allows more stuff through. I forgot about icmp until I realized I couldn't ping my box and some script which depended on the response time broke. I think allowing ICMP ought to be in either CLIENT or SIMPLE.
On Sun, Feb 24, 2002 at 09:00:22PM -0500, Ralph Huntington wrote:
> > I think the question is did the FreeBSD team intentionally (for the
> > reasons of security) make the default install non-compliant with some
> > RFCs (read: broken), or was it just not thought of? And second,
> > should this be changed? I don't think the original poster was
> > suggesting that deny ip from any to any shouldn't block anything, just
> > asking should there be a rule in rc.firewall in the default install to
> > allow ICMP so the machine is well behaved.
>
> Thank you.

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

From owner-freebsd-security Sun Feb 24 23:43:43 2002
Date: Mon, 25 Feb 2002 10:43:32 +0300
From: "Andrey V. Pevnev"
To: freebsd-security@FreeBSD.ORG
Cc: ache@FreeBSD.ORG
Subject: Why procmail port installed with SUID root?

Hello!

Does anybody know why procmail-3.22 port installed with SUID root by
default? I'm using it as MDA from sendmail-8.12.2
(FEATURE(`local_procmail')), and it works fine without SUID (I've
chmod'ed it to 555).
I think that it's better to install it without SUID by default (as
mail.local) to make system more secure.

--
With best regards,
MSFU LAN Admin Andrey
AVP30-RIPE, mailto:andrey@mgul.ac.ru, http://www.mgul.ac.ru/~andrey

From owner-freebsd-security Mon Feb 25 1:42:11 2002
Date: Mon, 25 Feb 2002 11:44:43 +0200
From: Sheldon Hearn
To: Matthew Dillon
Cc: Miloň Papežík, "'dillon@freebsd.org'", "'freebsd-security@freebsd.org'"
Subject: Re: Third /tmp location ?

On Fri, 22 Feb 2002 10:34:20 PST, Matthew Dillon wrote:

> Huh? I never created a /usr/tmp. What created it?

Sorry, Matt.
I remember /usr/tmp being suggested at the time you were circulating
your patches and made too many assumptions.

Ciao,
Sheldon.

From owner-freebsd-security Mon Feb 25 5:11: 0 2002
Date: Mon, 25 Feb 2002 14:07:31 +0100
From: Milon Papezík
To: "'Kris Kennaway'", "Scot W. Hetzel"
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: RE: Third /tmp location ?

OK, in such case the /usr/tmp/shloud does not need and should not be
world writable (i.e. mode only 01700 instead of 01777).

Thanks,
Milon
--
milon.papezik@oskarmobil.cz

-----Original Message-----
From: Kris Kennaway [mailto:kris@obsecurity.org]
Sent: Sunday, February 24, 2002 1:17 AM
To: Scot W. Hetzel
Cc: Kris Kennaway; Milon Papezík; 'Matthew Dillon'; 'freebsd-security@freebsd.org'
Subject: Re: RE: Third /tmp location ?

On Sat, Feb 23, 2002 at 02:48:52PM -0600, Scot W.
Hetzel wrote:
> From: "Kris Kennaway"
>
> How about patching find_play_pen to set a variable to say that /usr/tmp was
> created by the pkg_install tools and then when the pkg_install tools call
> leave_playpen, /usr/tmp is removed only if the variable is set.

That might be the best idea.

> attached is an untested patch for pen.c.

It's best to include patches directly so they can be read inline, but
thanks..I'll try and take a look at it.

Kris

From owner-freebsd-security Mon Feb 25 7:10:40 2002
Date: Mon, 25 Feb 2002 16:06:28 +0100
From: "Alberto Manzoni"
Subject: Mbuf cluster allocation failed Error

Hi all,

i have this error

>Mbuf cluster allocation failed

I have not found around any hints.

Maybe this is due to the limited fd allocated??
Thanks in advance

--
Alberto

From owner-freebsd-security Mon Feb 25 7:11:45 2002
Date: Mon, 25 Feb 2002 16:11:02 +0100
From: Cliff Sarginson
To: freebsd-security@FreeBSD.ORG
Subject: Re: Why procmail port installed with SUID root?

On Mon, Feb 25, 2002 at 10:43:32AM +0300, Andrey V. Pevnev wrote:
> Hello!
>
> Does anybody know why procmail-3.22 port installed with SUID root by
> default? I'm using it as MDA from sendmail-8.12.2
> (FEATURE(`local_procmail')), and it works fine without SUID (I've
> chmod'ed it to 555).
> I think that it's better to install it without SUID by default (as
> mail.local) to make system more secure.
>

-d recipient ...
This turns on explicit delivery mode, delivery will be to the
local user recipient. This, of course, only is possible if
procmail has root privileges (or if procmail is already running
with the recipient's euid and egid). Procmail will setuid to the
intended recipients and delivers the mail as if it were invoked
by the recipient with no arguments (i.e., if no rcfile is found,
delivery is like ordinary mail). This option is incompatible
with -p.

--
Regards
Cliff Sarginson

From owner-freebsd-security Mon Feb 25 7:13:18 2002
Date: Mon, 25 Feb 2002 09:09:52 -0600
From: Eric Anderson
To: Alberto Manzoni
Cc: freebsd-security@freebsd.org
Subject: Re: Mbuf cluster allocation failed Error

What version of FreeBSD are you using?
Eric

Alberto Manzoni wrote:
>
> Hi all,
>
> i have this error
>
> >Mbuf cluster allocation failed
>
> I have not found around any hints.
>
> Maybe this is due to the limited fd allocated??
>
> Thanks in advance
>
> --
> Alberto

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Mon Feb 25 7:18:54 2002
Date: Mon, 25 Feb 2002 16:14:42 +0100
From: "Alberto Manzoni"
Subject: Re: Mbuf cluster allocation failed Error

FreeBSD 4.3-RELEASE
Intel Pro 1000XT Server

>What version of FreeBSD are you using?
>
>Eric
>
>
>Alberto Manzoni wrote:
>>
>> Hi all,
>>
>> i have this error
>>
>> >Mbuf cluster allocation failed
>>
>> I have not found around any hints.
>>
>> Maybe this is due to the limited fd allocated??
>>
>> Thanks in advance
>>
>> --
>> Alberto

From owner-freebsd-security Mon Feb 25 7:19:11 2002
Date: Mon, 25 Feb 2002 09:17:03 -0600
From: Eric Anderson
To: Alberto Manzoni, freebsd-security@freebsd.org
Subject: Re: Mbuf cluster allocation failed Error

Ok, what does a netstat -m show?

You may need to increase your MBUF's (done in the kernel on versions
prior to 4.5R)

Eric

Alberto Manzoni wrote:
>
> Yeah...sorry!
>
> I left it! :-)
>
> FreeBSD 4.3-RELEASE
>
> ----- Original Message -----
> From: "Eric Anderson"
> To: "Alberto Manzoni"
> Sent: Monday, February 25, 2002 4:09 PM
> Subject: Re: Mbuf cluster allocation failed Error
>
> > What version of FreeBSD are you using?
> >
> > Eric
> >
> >
> > Alberto Manzoni wrote:
> > >
> > > Hi all,
> > >
> > > i have this error
> > >
> > > >Mbuf cluster allocation failed
> > >
> > > I have not found around any hints.
> > >
> > > Maybe this is due to the limited fd allocated??
> > >
> > > Thanks in advance
> > >
> > > --
> > > Alberto
> >
> > --
> > ------------------------------------------------------------------
> > Eric Anderson Systems Administrator Centaur Technology
> > If at first you don't succeed, sky diving is probably not for you.
> > ------------------------------------------------------------------

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Mon Feb 25 7:23:52 2002
Date: Mon, 25 Feb 2002 16:19:43 +0100
From: "Alberto Manzoni"
Subject: Re: Mbuf cluster allocation failed Error

This is the output of "netstat -m"

502/1088/34816 mbufs in use (current/peak/max):
326 mbufs allocated to data
176 mbufs allocated to packet headers
324/756/8704 mbuf clusters in use (current/peak/max)
1784 Kbytes allocated to network (6% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

I have changed the maxuser statement and recompiled the kernel with Intel
Pro 1000XT support built in.

Is it the right way?

Thank You!

Alberto

----- Original Message -----
From: "Eric Anderson"
To: "Alberto Manzoni"
Sent: Monday, February 25, 2002 4:17 PM
Subject: Re: Mbuf cluster allocation failed Error

> Ok, what does a netstat -m show?
>
> You may need to increase your MBUF's (done in the kernel on versions prior to
> 4.5R)
>
> Eric

From owner-freebsd-security Mon Feb 25 7:33:10 2002
Date: Mon, 25 Feb 2002 09:30:40 -0600
From: Eric Anderson
To: Alberto Manzoni
Cc: freebsd-security@freebsd.org
Subject: Re: Mbuf cluster allocation failed Error

Yep.. those numbers look good..

I've had this problem a lot with NFS servers that are heavily used.
Eric

Alberto Manzoni wrote:
>
> This is the output of "netstat -m"
>
> 502/1088/34816 mbufs in use (current/peak/max):
> 326 mbufs allocated to data
> 176 mbufs allocated to packet headers
> 324/756/8704 mbuf clusters in use (current/peak/max)
> 1784 Kbytes allocated to network (6% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
>
> I have changed the maxuser statement and recompiled the kernel with Intel
> Pro 1000XT support built in.
>
> Is it the right way?
>
> Thank You!
>
> Alberto
>
> ----- Original Message -----
> From: "Eric Anderson"
> To: "Alberto Manzoni"
> Sent: Monday, February 25, 2002 4:17 PM
> Subject: Re: Mbuf cluster allocation failed Error
>
> > Ok, what does a netstat -m show?
> >
> > You may need to increase your MBUF's (done in the kernel on versions prior to
> > 4.5R)
> >
> > Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Mon Feb 25 9: 0:10 2002
Date: Mon, 25 Feb 2002 17:55:53 +0100
From: "Alberto Manzoni"
Subject: Squid error

A box running FreeBSD 4.3-RELEASE and Squid

>Feb 25 09:26:46 ns2 squid[279]: Starting Squid Cache version 2.4.STABLE1 for i386--freebsd4.3...
>Feb 25 09:26:46 ns2 squid[279]: Process ID 279
>Feb 25 09:26:46 ns2 squid[279]: With 16424 file descriptors available
...
>Feb 25 09:26:47 ns2 squid[279]: Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
>Feb 25 09:26:47 ns2 squid[279]: Accepting HTTP connections at 0.0.0.0, port 8080, FD 13.
I see these records in /var/log/messages

>Feb 25 14:16:56 xxx squid[279]: comm_accept: FD 13: (53) Software caused connection abort
>Feb 25 14:16:56 xxx squid[279]: httpAccept: FD 13: accept failure: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: comm_accept: FD 13: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: httpAccept: FD 13: accept failure: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: comm_accept: FD 13: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: httpAccept: FD 13: accept failure: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: comm_accept: FD 13: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: httpAccept: FD 13: accept failure: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: comm_accept: FD 13: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: httpAccept: FD 13: accept failure: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: comm_accept: FD 13: (53) Software caused connection abort
>Feb 25 14:19:18 xxx squid[279]: httpAccept: FD 13: accept failure: (53) Software caused connection abort

Is it a normal behaviour of Squid?? What went wrong? Is this due to a squid
configuration error?
Thank you

--
Alberto

From owner-freebsd-security Mon Feb 25 14: 1:18 2002
Date: Mon, 25 Feb 2002 14:01:05 -0800
From: "Crist J. Clark"
To: Alberto Manzoni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Squid error

This and your previous question are not appropriate for this list.
This list is for issues directly related to FreeBSD security. Please
use freebsd-questions or another forum where they are on topic.
--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Mon Feb 25 14:21:14 2002
Date: Mon, 25 Feb 2002 16:21:25 -0500
From: "David"
To: "Crist J. Clark", "Alberto Manzoni"
Subject: Re: Squid error

I believe his concern was if it was a security issue he was seeing, or if
this was something otherwise. Just because he/she does not know exactly
what the output means doesn't justify you to say such. I am glad he
emailed this mailing list.

--It is better to be safe than sorry.

From owner-freebsd-security Mon Feb 25 17:33:42 2002
Date: Tue, 26 Feb 2002 02:33:35 +0100
From: Mipam
To: Alberto Manzoni
Cc: anderson@centtech.com, freebsd-security@FreeBSD.ORG
Subject: Re: Mbuf cluster allocation failed Error

On Mon, Feb 25, 2002 at 04:19:43PM +0100, Alberto Manzoni wrote:
> This is the output of "netstat -m"
>
> 502/1088/34816 mbufs in use (current/peak/max):
> 326 mbufs allocated to data
> 176 mbufs allocated to packet headers
> 324/756/8704 mbuf clusters in use (current/peak/max)
> 1784 Kbytes allocated to network (6% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines

Hmm you could recompile your kernel and add
options NMBCLUSTERS=[high value] in it to cope with this
problem.
Bye,

Mipam.
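
One way to read the `netstat -m` output quoted in this thread and decide whether the mbuf or cluster pool was actually exhausted before raising NMBCLUSTERS, as an added example that is not part of any list message. It parses only the 4.x-style output quoted above; the function names, the 0.8 warning ratio and the second sample are assumptions made for illustration.

```python
import re

# Output exactly as quoted in the thread (FreeBSD 4.3-RELEASE).
THREAD_SAMPLE = """\
502/1088/34816 mbufs in use (current/peak/max):
326 mbufs allocated to data
176 mbufs allocated to packet headers
324/756/8704 mbuf clusters in use (current/peak/max)
1784 Kbytes allocated to network (6% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

# Constructed sample (not from the thread): a cluster pool that hit its limit.
CONSTRUCTED_EXHAUSTED = """\
2210/9216/34816 mbufs in use (current/peak/max):
1400 mbufs allocated to data
810 mbufs allocated to packet headers
8650/8704/8704 mbuf clusters in use (current/peak/max)
19712 Kbytes allocated to network (71% of mb_map in use)
412 requests for memory denied
37 requests for memory delayed
5 calls to protocol drain routines
"""

POOL_RE = re.compile(r"^\s*(\d+)/(\d+)/(\d+) (mbufs|mbuf clusters) in use")
COUNTER_RE = re.compile(
    r"^\s*(\d+) (requests for memory denied|requests for memory delayed"
    r"|calls to protocol drain routines)"
)
MB_MAP_RE = re.compile(r"\((\d+)% of mb_map in use\)")
COUNTER_KEYS = {
    "requests for memory denied": "denied",
    "requests for memory delayed": "delayed",
    "calls to protocol drain routines": "drains",
}


def parse_netstat_m(text):
    """Return pool sizes and failure counters from 4.x-style `netstat -m` text."""
    stats = {}
    for line in text.splitlines():
        pool = POOL_RE.match(line)
        if pool:
            cur, peak, limit = (int(n) for n in pool.group(1, 2, 3))
            name = "clusters" if pool.group(4) == "mbuf clusters" else "mbufs"
            stats[name] = {"current": cur, "peak": peak, "max": limit}
            continue
        counter = COUNTER_RE.match(line)
        if counter:
            stats[COUNTER_KEYS[counter.group(2)]] = int(counter.group(1))
            continue
        mb_map = MB_MAP_RE.search(line)
        if mb_map:
            stats["mb_map_pct"] = int(mb_map.group(1))
    # Other releases print a different layout; refuse to guess.
    missing = {"mbufs", "clusters", "denied"} - set(stats)
    if missing:
        raise ValueError("unrecognised netstat -m output, missing: %s"
                         % ", ".join(sorted(missing)))
    return stats


def assess(stats, warn_ratio=0.8):
    """List the signs of pool exhaustion; an empty list means none were found."""
    findings = []
    for name in ("mbufs", "clusters"):
        pool = stats[name]
        limit = pool["max"]
        if limit and pool["peak"] >= limit:
            findings.append("%s: peak %d reached the configured max %d"
                            % (name, pool["peak"], limit))
        elif limit and pool["peak"] / limit >= warn_ratio:
            findings.append("%s: peak %d is within %d%% of max %d"
                            % (name, pool["peak"],
                               round((1 - warn_ratio) * 100), limit))
    if stats["denied"]:
        findings.append("%d requests for memory denied" % stats["denied"])
    if stats.get("delayed"):
        findings.append("%d requests for memory delayed" % stats["delayed"])
    if stats.get("drains"):
        findings.append("%d calls to protocol drain routines" % stats["drains"])
    return findings


if __name__ == "__main__":
    for label, sample in (("thread sample", THREAD_SAMPLE),
                          ("constructed sample", CONSTRUCTED_EXHAUSTED)):
        result = assess(parse_netstat_m(sample))
        print(label + ":", result or "no sign of pool exhaustion")
```

On the thread's own numbers the peak cluster use is 756 of 8704 with no denied requests, so this snapshot shows no sign of exhaustion.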

From owner-freebsd-security Mon Feb 25 18:49:24 2002
Date: Tue, 26 Feb 2002 10:49:16 +0800
From: Victor Tayer
To: mipam@ibb.net
Cc: Alberto Manzoni, anderson@centtech.com, freebsd-security@FreeBSD.ORG
Subject: Re: Mbuf cluster allocation failed Error

yup i agree. had that error also when i was still working for an isp.
that server was used as a transparent proxy with a more than thousand
subs. all i did was recompiled the kernel to support NMBCLUSTERS=65536
(max) at first then trimmed it down so i would not be raping my box very
hard.
:P

victor "jett" tayer

Mipam wrote:

> On Mon, Feb 25, 2002 at 04:19:43PM +0100, Alberto Manzoni wrote:
> > This is the output of "netstat -m"
> >
> > 502/1088/34816 mbufs in use (current/peak/max):
> > 326 mbufs allocated to data
> > 176 mbufs allocated to packet headers
> > 324/756/8704 mbuf clusters in use (current/peak/max)
> > 1784 Kbytes allocated to network (6% of mb_map in use)
> > 0 requests for memory denied
> > 0 requests for memory delayed
> > 0 calls to protocol drain routines
>
> Hmm you could recompile your kernel and add
> options NMBCLUSTERS=[high value] in it to cope with this
> problem.
> Bye,
>
> Mipam.

From owner-freebsd-security Mon Feb 25 19: 2:43 2002
Date: Mon, 25 Feb 2002 19:02:21 -0800
From: "Mike Grissom"
Subject: Re: Mbuf cluster allocation failed Error
Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The highest NMBCLUSTERS stated in LINT is 32768, just a warning. Read the LINT file ----- Original Message ----- From: "Victor Tayer" To: Cc: "Alberto Manzoni" ; ; Sent: Monday, February 25, 2002 6:49 PM Subject: Re: Mbuf cluster allocation failed Error > yup i agree. had that error also when i was still working for an isp. > that server was used as a transparent proxy with a more than thousand > subs. all i did was recompiled the kernel to support NMBCLUSTERS=65536 > (max) at first then trimmed it down so i would not be raping my box very > hard. :P > > victor "jett" tayer > > Mipam wrote: > > > On Mon, Feb 25, 2002 at 04:19:43PM +0100, Alberto Manzoni wrote: > > > This is the output of "netstat -m" > > > > > > 502/1088/34816 mbufs in use (current/peak/max): > > > 326 mbufs allocated to data > > > 176 mbufs allocated to packet headers > > > 324/756/8704 mbuf clusters in use (current/peak/max) > > > 1784 Kbytes allocated to network (6% of mb_map in use) > > > 0 requests for memory denied > > > 0 requests for memory delayed > > > 0 calls to protocol drain routines > > > > Hmm you could recompile your kernel and add > > options NMBCLUSTERS=[high value] in it to cope with this > > problem. > > Bye, > > > > Mipam. 
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 25 19: 4: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 96A3C37B404 for ; Mon, 25 Feb 2002 19:03:59 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g1Q33tK12750; Mon, 25 Feb 2002 21:03:55 -0600 (CST) Received: from centtech.com (andersonpc [192.168.42.18]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id VAA12336; Mon, 25 Feb 2002 21:03:54 -0600 (CST) Message-ID: <3C7AFC72.A17D7857@centtech.com> Date: Mon, 25 Feb 2002 21:09:39 -0600 From: Eric Anderson X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Mike Grissom Cc: Victor.Tayer@morganstanley.com, freebsd-security@freebsd.org Subject: Re: Mbuf cluster allocation failed Error References: <017001c1be0e$0057acd0$53061b9d@univr.it> <3C7A53C0.C2E5ED69@centtech.com> <017f01c1be0e$937ac240$53061b9d@univr.it> <3C7A556F.A403A30C@centtech.com> <021f01c1be0f$da45d100$53061b9d@univr.it> <20020226013335.GC624@ibb1150.ibb.uu.nl> <3C7AF7AC.D119D0EF@morganstanley.com> <001701c1be72$03003920$0301a8c0@mikeyg> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org True! Be careful because your machine may not boot if you whack it too hard. (so to speak). 
Eric Mike Grissom wrote: > The highest NMBCLUSTERS stated in LINT is 32768, just a warning. Read the > LINT file > > ----- Original Message ----- > From: "Victor Tayer" > To: > Cc: "Alberto Manzoni" ; ; > > Sent: Monday, February 25, 2002 6:49 PM > Subject: Re: Mbuf cluster allocation failed Error > > > yup i agree. had that error also when i was still working for an isp. > > that server was used as a transparent proxy with a more than thousand > > subs. all i did was recompiled the kernel to support NMBCLUSTERS=65536 > > (max) at first then trimmed it down so i would not be raping my box very > > hard. :P > > > > victor "jett" tayer > > > > Mipam wrote: > > > > > On Mon, Feb 25, 2002 at 04:19:43PM +0100, Alberto Manzoni wrote: > > > > This is the output of "netstat -m" > > > > > > > > 502/1088/34816 mbufs in use (current/peak/max): > > > > 326 mbufs allocated to data > > > > 176 mbufs allocated to packet headers > > > > 324/756/8704 mbuf clusters in use (current/peak/max) > > > > 1784 Kbytes allocated to network (6% of mb_map in use) > > > > 0 requests for memory denied > > > > 0 requests for memory delayed > > > > 0 calls to protocol drain routines > > > > > > Hmm you could recompile your kernel and add > > > options NMBCLUSTERS=[high value] in it to cope with this > > > problem. > > > Bye, > > > > > > Mipam. 
> > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 25 19: 6:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from pivsbh2.ms.com (pivsbh2.ms.com [199.89.64.104]) by hub.freebsd.org (Postfix) with ESMTP id 5CD7637B404 for ; Mon, 25 Feb 2002 19:06:24 -0800 (PST) Received: from pivsbh2-idmz.ms.com (localhost [127.0.0.1]) by pivsbh2.ms.com (Postfix) with SMTP id EB088AC30; Mon, 25 Feb 2002 22:06:23 -0500 (EST) Received: from morganstanley.com (unknown [172.19.97.161]) by pivsbh2-idmz.ms.com (Postfix) with ESMTP id D3804AE27; Mon, 25 Feb 2002 22:06:21 -0500 (EST) Message-ID: <3C7AFBAC.7F1861B6@morganstanley.com> Date: Tue, 26 Feb 2002 11:06:20 +0800 From: Victor Tayer Reply-To: Victor.Tayer@morganstanley.com Organization: Morgan Stanley X-Mailer: Mozilla 4.76 [en]C-CCK-MCD MS4.76 V20001206.2 (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: Eric Anderson Cc: Mike Grissom , freebsd-security@freebsd.org Subject: Re: Mbuf cluster allocation failed Error References: <017001c1be0e$0057acd0$53061b9d@univr.it> <3C7A53C0.C2E5ED69@centtech.com> <017f01c1be0e$937ac240$53061b9d@univr.it> <3C7A556F.A403A30C@centtech.com> <021f01c1be0f$da45d100$53061b9d@univr.it> <20020226013335.GC624@ibb1150.ibb.uu.nl> <3C7AF7AC.D119D0EF@morganstanley.com> <001701c1be72$03003920$0301a8c0@mikeyg> <3C7AFC72.A17D7857@centtech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) 
List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org yeah. thats why i trimmed it down. but if you're really paranoid... :-) hek! it worked for me. Eric Anderson wrote: > True! Be careful because your machine may not boot if you whack it too hard. > (so to speak). > > Eric To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 25 19: 9: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id B45C137B404 for ; Mon, 25 Feb 2002 19:08:55 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g1Q38tK12877; Mon, 25 Feb 2002 21:08:55 -0600 (CST) Received: from centtech.com (andersonpc [192.168.42.18]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id VAA12463; Mon, 25 Feb 2002 21:08:54 -0600 (CST) Message-ID: <3C7AFD9E.AA3274D1@centtech.com> Date: Mon, 25 Feb 2002 21:14:39 -0600 From: Eric Anderson X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Victor.Tayer@morganstanley.com Cc: Mike Grissom , freebsd-security@freebsd.org Subject: Re: Mbuf cluster allocation failed Error References: <017001c1be0e$0057acd0$53061b9d@univr.it> <3C7A53C0.C2E5ED69@centtech.com> <017f01c1be0e$937ac240$53061b9d@univr.it> <3C7A556F.A403A30C@centtech.com> <021f01c1be0f$da45d100$53061b9d@univr.it> <20020226013335.GC624@ibb1150.ibb.uu.nl> <3C7AF7AC.D119D0EF@morganstanley.com> <001701c1be72$03003920$0301a8c0@mikeyg> <3C7AFC72.A17D7857@centtech.com> <3C7AFBAC.7F1861B6@morganstanley.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: 
FreeBSD.org Heh, well, I'm only paranoid on production boxes where a reboot takes too long, which happens to be ALL my FreeBSD boxes. :D Eric Victor Tayer wrote: > yeah. thats why i trimmed it down. but if you're really paranoid... :-) hek! it > worked for me. > > Eric Anderson wrote: > > > True! Be careful because your machine may not boot if you whack it too hard. > > (so to speak). > > > > Eric To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 25 19:17:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from pivsbh2.ms.com (pivsbh2.ms.com [199.89.64.104]) by hub.freebsd.org (Postfix) with ESMTP id 4621037B41A for ; Mon, 25 Feb 2002 19:17:20 -0800 (PST) Received: from pivsbh2-idmz.ms.com (localhost [127.0.0.1]) by pivsbh2.ms.com (Postfix) with SMTP id ACE80AE4D; Mon, 25 Feb 2002 22:17:19 -0500 (EST) Received: from morganstanley.com (unknown [172.19.97.161]) by pivsbh2-idmz.ms.com (Postfix) with ESMTP id E95A4AE3D; Mon, 25 Feb 2002 22:17:17 -0500 (EST) Message-ID: <3C7AFE3C.55B59570@morganstanley.com> Date: Tue, 26 Feb 2002 11:17:17 +0800 From: Victor Tayer Reply-To: Victor.Tayer@morganstanley.com Organization: Morgan Stanley X-Mailer: Mozilla 4.76 [en]C-CCK-MCD MS4.76 V20001206.2 (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: Eric Anderson Cc: Mike Grissom , freebsd-security@freebsd.org Subject: Re: Mbuf cluster allocation failed Error References: <017001c1be0e$0057acd0$53061b9d@univr.it> <3C7A53C0.C2E5ED69@centtech.com> <017f01c1be0e$937ac240$53061b9d@univr.it> <3C7A556F.A403A30C@centtech.com> <021f01c1be0f$da45d100$53061b9d@univr.it> <20020226013335.GC624@ibb1150.ibb.uu.nl> <3C7AF7AC.D119D0EF@morganstanley.com> <001701c1be72$03003920$0301a8c0@mikeyg> <3C7AFC72.A17D7857@centtech.com> <3C7AFBAC.7F1861B6@morganstanley.com> <3C7AFD9E.AA3274D1@centtech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org got that. but do you really have to send this 3 times... :P Eric Anderson wrote: > Heh, well, I'm only paranoid on production boxes where a reboot takes too long, > which happens to be ALL my FreeBSD boxes. :D > > Eric > > Victor Tayer wrote: > > > yeah. thats why i trimmed it down. but if you're really paranoid... :-) hek! it > > worked for me. > > > > Eric Anderson wrote: > > > > > True! Be careful because your machine may not boot if you whack it too hard. > > > (so to speak). > > > > > > Eric > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 25 19:18:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id DEDB537B405 for ; Mon, 25 Feb 2002 19:18:50 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g1Q3IoK13062; Mon, 25 Feb 2002 21:18:50 -0600 (CST) Received: from centtech.com (andersonpc [192.168.42.18]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id VAA12693; Mon, 25 Feb 2002 21:18:49 -0600 (CST) Message-ID: <3C7AFFF2.24B278C9@centtech.com> Date: Mon, 25 Feb 2002 21:24:34 -0600 From: Eric Anderson X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Victor.Tayer@morganstanley.com Cc: freebsd-security@freebsd.org Subject: Re: Mbuf cluster allocation failed Error References: <017001c1be0e$0057acd0$53061b9d@univr.it> <3C7A53C0.C2E5ED69@centtech.com> <017f01c1be0e$937ac240$53061b9d@univr.it> <3C7A556F.A403A30C@centtech.com> 
<021f01c1be0f$da45d100$53061b9d@univr.it> <20020226013335.GC624@ibb1150.ibb.uu.nl> <3C7AF7AC.D119D0EF@morganstanley.com> <001701c1be72$03003920$0301a8c0@mikeyg> <3C7AFC72.A17D7857@centtech.com> <3C7AFBAC.7F1861B6@morganstanley.com> <3C7AFD9E.AA3274D1@centtech.com> <3C7AFE3C.55B59570@morganstanley.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hmm.. I didn't.. I'm having the same problem. I get one from the sender, one from the freebsd-security@ list, and another, for no reason at all. ? Eric Victor Tayer wrote: > got that. but do you really have to send this 3 times... :P > > Eric Anderson wrote: > > > Heh, well, I'm only paranoid on production boxes where a reboot takes too long, > > which happens to be ALL my FreeBSD boxes. :D > > > > Eric > > > > Victor Tayer wrote: > > > > > yeah. thats why i trimmed it down. but if you're really paranoid... :-) hek! it > > > worked for me. > > > > > > Eric Anderson wrote: > > > > > > > True! Be careful because your machine may not boot if you whack it too hard. > > > > (so to speak). 
> > > > > > > > Eric > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 26 1: 6:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.univr.it (mail.univr.it [157.27.6.110]) by hub.freebsd.org (Postfix) with SMTP id 046CE37B404 for ; Tue, 26 Feb 2002 01:06:25 -0800 (PST) Received: (qmail 13160 invoked from network); 26 Feb 2002 09:02:34 -0000 Received: from morpheus.univr.it (HELO morpheus) (157.27.6.83) by mail.univr.it with SMTP; 26 Feb 2002 09:02:34 -0000 Message-ID: <025101c1bea4$489c2070$53061b9d@univr.it> From: "Alberto Manzoni" To: "David" , "Crist J. Clark" , Cc: References: <000501c1be1d$498ad990$53061b9d@univr.it> <20020225140105.A52727@blossom.cjclark.org> <005c01c1be42$61ff3a00$ff7e2341@mercenary> Subject: Re: Squid error Date: Tue, 26 Feb 2002 10:02:14 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm sorry. I very apologize myself for this "OT" to all. Next time i'll be more careful!! Many thanks to all who directly posted to me some hints. -- Alberto Manzoni ----- Original Message ----- From: "David" To: "Crist J. Clark" ; "Alberto Manzoni" Cc: Sent: Monday, February 25, 2002 10:21 PM Subject: Re: Squid error > I believe his concern was if it was a security issue he was seeing, or if > this was something otherwise. Just because he/she does not know exactly > what the output means doesn't justify you to say such. 
I am glad he emailed
> this mailing list.
>
> --It is better to be safe than sorry.
>

From owner-freebsd-security Tue Feb 26 2:24:45 2002
Delivered-To: freebsd-security@freebsd.org Received: from access.lek.ru (access.lek.ru [194.135.204.1]) by hub.freebsd.org (Postfix) with ESMTP id B07FD37B417 for ; Tue, 26 Feb 2002 02:24:38 -0800 (PST) Received: from telecom.lek.ru (telecom.lek.ru [194.135.204.4]) by access.lek.ru (8.11.6/8.8.5) with ESMTP id g1QARjm06755 for ; Tue, 26 Feb 2002 13:27:45 +0300 (MSK) Date: Tue, 26 Feb 2002 13:24:36 +0300 (MSK) From: "Ilya V. Serov" To: freebsd-security@FreeBSD.org Subject: Question abt NATD Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

How do you do, guys.

Sorry in advance if somebody considers my question stupid.

I have a FreeBSD 4.4-RELEASE box with natd configured to perform IP masquerading. It is extremely necessary to be able to view the NAT translation table. For I guess this info is stored somewhere to let the kernel know how to translate addresses, so I think it is possible to read this info from there. Has anyone done this "manually", or maybe a standard routine is present to help to do this? I have studied many documentation sources, but found no hint on the topic.
Can anyone help me?

Sorry for such a long letter and for my poor English ;-))

Thanks in advance.

Ilya V. Serov
LEK TELECOM Co, St-Petersburg, Russia.

From owner-freebsd-security Tue Feb 26 2:41:11 2002
Delivered-To: freebsd-security@freebsd.org Received: from vic.inty.net (vic.inty.net [213.38.150.164]) by hub.freebsd.org (Postfix) with ESMTP id 6050E37B400 for ; Tue, 26 Feb 2002 02:41:06 -0800 (PST) Received: from inty.hq.inty.net ([213.38.150.161]) by vic.inty.net (8.11.3/8.11.3) with ESMTP id g1QAf2A70601; Tue, 26 Feb 2002 10:41:02 GMT Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.12.1/8.12.1) with SMTP id g1QAf0Kt094033; Tue, 26 Feb 2002 10:41:01 GMT From: "Tariq Rashid" To: "Ilya V. Serov" , Subject: RE: Question abt NATD Date: Tue, 26 Feb 2002 10:42:26 -0000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal X-Sender-IP: 10.0.1.156 X-INT-DeliveryDone: g1QAf0Kt094033 X-suppress-rcpt-virus-notify: yes X-Skip-Virus-Check: yes X-Virus-Checked: 822 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

natd does not use the kernel for NAT - it is a user land process and uses libalias. you may wish to alter libalias to provide yourself with a "view" to its mappings

i'd recommend using ipnat which is in-kernel. use ipnat -l to list the rules and the currently mapped sessions (see man ipnat for details)

tariq

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ilya V. Serov
Sent: 26 February 2002 10:25
To: freebsd-security@FreeBSD.org
Subject: Question abt NATD

How do you do, guys.

Sorry in advance if somebody considers my question stupid.

I have a FreeBSD 4.4-RELEASE box with natd configured to perform IP masquerading. It is extremely necessary to be able to view the NAT translation table. For I guess this info is stored somewhere to let the kernel know how to translate addresses, so I think it is possible to read this info from there. Has anyone done this "manually", or maybe a standard routine is present to help to do this? I have studied many documentation sources, but found no hint on the topic.
Can anyone help me?

Sorry for such a long letter and for my poor English ;-))

Thanks in advance.

Ilya V. Serov
LEK TELECOM Co, St-Petersburg, Russia.

intY has automatically scanned this email with Sophos Anti-Virus (www.inty.com)

From owner-freebsd-security Tue Feb 26 3:26: 5 2002
Delivered-To: freebsd-security@freebsd.org Received: from mumba.junik.lv (mail.junik.lv [195.216.160.134]) by hub.freebsd.org (Postfix) with ESMTP id BBEA137B404 for ; Tue, 26 Feb 2002 03:25:57 -0800 (PST) Received: (from root@localhost) by mumba.junik.lv (8.8.8/8.8.8) id NAA08973 for freebsd-security@freebsd.org; Tue, 26 Feb 2002 13:25:55 +0200 Received: from Adam ([213.182.205.6]) by mumba.junik.lv (8.8.8/8.8.8) with SMTP id NAA08877 for ; Tue, 26 Feb 2002 13:25:50 +0200 Message-ID: <003101c1beb8$b196e240$06cdb6d5@junik.lv> From: "Adam@junik.lv" To: Subject: ssh and ipfw Date: Tue, 26 Feb 2002 13:28:19 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_002E_01C1BEC9.74C29E20" X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_002E_01C1BEC9.74C29E20
Content-Type: text/plain; Content-Transfer-Encoding: quoted-printable

I would appreciate any help with this issue:

I'm using ipfw on two machines, both running FreeBSD 4.5 RELEASE.
At both machines the following rules apply:
ipfw add pass tcp from A to B 22
ipfw add pass tcp from B to A 22
A and B being the respective IP addresses of the machines!

Surprisingly, when I tried to log from each of the machines into the other, the ipfw wouldn't pass any tcp through.

The login format is as per usual:

ssh username@A
ssh username@B

Thanks in anticipation,
Adam

______________________________________
Scanned and protected by Inflex
http://pldaniels.com/inflex

------=_NextPart_000_002E_01C1BEC9.74C29E20
Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_002E_01C1BEC9.74C29E20--

From owner-freebsd-security Tue Feb 26 3:33:17 2002
Delivered-To: freebsd-security@freebsd.org Received: from heresy.dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 65E9E37B405 for ; Tue, 26 Feb 2002 03:33:13 -0800 (PST) Received: (qmail 33087 invoked by uid 1000); 26 Feb 2002 11:33:11 -0000 Date: Tue, 26 Feb 2002 12:33:11 +0100 From: Bart Matthaei To: "Adam@junik.lv" Cc: security@freebsd.org Subject: Re: ssh and ipfw Message-ID: <20020226123311.A31322@heresy.dreamflow.nl> References: <003101c1beb8$b196e240$06cdb6d5@junik.lv> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="EVF5PPMfhYS0aIcm" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <003101c1beb8$b196e240$06cdb6d5@junik.lv>; from adam@junik.lv on Tue, Feb 26, 2002 at 01:28:19PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Feb 26, 2002 at 01:28:19PM +0200, Adam@junik.lv wrote:
> I'm using ipfw on two machines, both running FreeBSD 4.5 RELEASE.
> At both machines the following rules apply:
> ipfw add pass tcp from A to B 22
> ipfw add pass tcp from B to A 22
> A and B being the respective IP addresses of the machines!

You want to allow established connections

ipfw add pass tcp from any to any established

HTH.

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.

--EVF5PPMfhYS0aIcm
Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8e3J3gcc6pR+tCegRAkL9AJ9NtTmCKthis4DpGFR528eXWFgLWQCgr6pr
pKykfG0JU4/lMUsSKDlOnEI=
=5me6
-----END PGP SIGNATURE-----

--EVF5PPMfhYS0aIcm--

From owner-freebsd-security Tue Feb 26 3:34:30 2002
Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 6313037B404 for ; Tue, 26 Feb 2002 03:34:27 -0800 (PST) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16ffvS-0005Ps-00; Tue, 26 Feb 2002 13:37:42 +0200 From: Sheldon Hearn To: "Adam@junik.lv" Cc: freebsd-security@freebsd.org Subject: Re: ssh and ipfw In-reply-to: Your message of "Tue, 26 Feb 2002 13:28:19 +0200." <003101c1beb8$b196e240$06cdb6d5@junik.lv> Date: Tue, 26 Feb 2002 13:37:42 +0200 Message-ID: <20823.1014723462@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, 26 Feb 2002 13:28:19 +0200, "Adam@junik.lv" wrote:

> I would appreciate any help with this issue:

You should have sent your question to the freebsd-questions mailing list.

> I'm using ipfw on two machines, both running FreeBSD 4.5 RELEASE.
> At both machines the following rules apply:
> ipfw add pass tcp from A to B 22
> ipfw add pass tcp from B to A 22

Spot the difference:

	ipfw add pass tcp from A to B 22
	ipfw add pass tcp from B 22 to A

Ciao,
Sheldon.
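
An added example, not code from any poster in this thread: a small Python model of first-match evaluation for the rule subset quoted above, showing which handshake segment the original pair drops and what the source-port and `established`/`setup` variants change. The addresses, the ephemeral port 49152, the default-deny fall-through and all function names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed documentation addresses standing in for the thread's A and B.
HOSTS = {"A": "192.0.2.10", "B": "192.0.2.20"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this segment, e.g. {"SYN", "ACK"}

@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    sport: Optional[int]   # None means "any port"
    dst: str
    dport: Optional[int]
    option: Optional[str]  # None, "setup" or "established"

    def matches(self, p: Packet) -> bool:
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.sport not in (None, p.sport) or self.dport not in (None, p.dport):
            return False
        if self.option == "setup":        # SYN set and ACK clear
            return "SYN" in p.flags and "ACK" not in p.flags
        if self.option == "established":  # ACK or RST set
            return bool(p.flags & {"ACK", "RST"})
        return True

def parse_rule(text: str) -> Rule:
    """Parse the subset 'ACTION tcp from SRC [PORT] to DST [PORT] [setup|established]'."""
    tok = text.split()
    try:
        if tok[1] != "tcp" or tok[2] != "from":
            raise ValueError
        i = 3
        src, i = HOSTS.get(tok[i], tok[i]), i + 1
        sport = None
        if tok[i].isdigit():
            sport, i = int(tok[i]), i + 1
        if tok[i] != "to":
            raise ValueError
        dst, i = HOSTS.get(tok[i + 1], tok[i + 1]), i + 2
    except (IndexError, ValueError):
        raise ValueError(f"unsupported rule: {text!r}") from None
    dport = None
    if i < len(tok) and tok[i].isdigit():
        dport, i = int(tok[i]), i + 1
    option = tok[i] if i < len(tok) else None
    if option not in (None, "setup", "established") or i + 1 < len(tok):
        raise ValueError(f"unsupported rule: {text!r}")
    return Rule(tok[0], src, sport, dst, dport, option)

def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; fall through to deny (assumed default-deny kernel)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

def handshake(client: str, server: str, eport: int = 49152) -> List[Tuple[str, Packet]]:
    """The three segments of a TCP handshake to sshd, client on an ephemeral port."""
    c, s = HOSTS[client], HOSTS[server]
    return [
        ("SYN", Packet(c, eport, s, 22, frozenset({"SYN"}))),
        ("SYN-ACK", Packet(s, 22, c, eport, frozenset({"SYN", "ACK"}))),
        ("ACK", Packet(c, eport, s, 22, frozenset({"ACK"}))),
    ]

def trace(rule_texts: List[str], client: str, server: str) -> List[Tuple[str, str]]:
    """Verdict per handshake segment. Both hosts load the same list, as in the
    original post, so one evaluation stands for both firewalls on the path."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(name, verdict(rules, p)) for name, p in handshake(client, server)]

def stray_ack(rule_texts: List[str]) -> str:
    """Verdict for an ACK-only segment from an unrelated host to A port 25."""
    rules = [parse_rule(t) for t in rule_texts]
    p = Packet("198.51.100.7", 40000, HOSTS["A"], 25, frozenset({"ACK"}))
    return verdict(rules, p)

# Rule texts: the original pair, the source-port variant, and flag-based rules.
ORIGINAL = ["pass tcp from A to B 22", "pass tcp from B to A 22"]
SRC_PORT = ["pass tcp from A to B 22", "pass tcp from B 22 to A"]
WITH_FLAGS = ["pass tcp from any to any established",
              "pass tcp from A to B 22 setup",
              "pass tcp from B to A 22 setup"]

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("source port", SRC_PORT), ("flags", WITH_FLAGS)):
        print(f"{name:12} A->B {trace(rs, 'A', 'B')}  stray ACK: {stray_ack(rs)}")
```

With the original pair the SYN-ACK from port 22 back to the ephemeral port matches neither rule. The flag-based set also accepts the unrelated ACK-only segment, because `established` looks only at TCP flags, while the port-specific rules drop it.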

From owner-freebsd-security Tue Feb 26 3:42: 7 2002
Delivered-To: freebsd-security@freebsd.org Received: from rubicon.soft.lv (ilg01-195-114-52-166.hi.delfi.lv [195.114.52.166]) by hub.freebsd.org (Postfix) with ESMTP id 1B50137B41D for ; Tue, 26 Feb 2002 03:42:01 -0800 (PST) Received: by rubicon.soft.lv (Postfix, from userid 1016) id 6E0952727; Tue, 26 Feb 2002 13:41:57 +0200 (EET) Received: from blacksun (unknown [62.85.35.1]) by rubicon.soft.lv (Postfix) with ESMTP id 55CEF271D; Tue, 26 Feb 2002 13:41:56 +0200 (EET) Message-ID: <01bf01c1beba$cbd0d560$8501a8c0@bis.lv> From: To: "Adam@junik.lv" Cc: References: <003101c1beb8$b196e240$06cdb6d5@junik.lv> Subject: Re: ssh and ipfw Date: Tue, 26 Feb 2002 13:43:22 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

----- Original Message -----
I'm using ipfw on two machines, both running FreeBSD 4.5 RELEASE.
At both machines the following rules apply:
ipfw add pass tcp from A to B 22
ipfw add pass tcp from B to A 22
A and B being the respective IP addresses of the machines!

When you establish a connection from A -> B 22, the first rule allows access; then B 22 answers -> A and ipfw blocks this connection.
/etc/sh.firewall has a good example of how to set up a firewall.
You must add rules:

IP A
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow tcp from A to B 22 setup

IP B
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow tcp from B to A 22 setup

From owner-freebsd-security Tue Feb 26 4:12:27 2002
Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id 12C4437B400 for ; Tue, 26 Feb 2002 04:12:18 -0800 (PST) Received: (qmail 77803 invoked by uid 1000); 26 Feb 2002 12:12:39 -0000 Date: Tue, 26 Feb 2002 14:12:39 +0200 From: Peter Pentchev To: "Ilya V. Serov" Cc: freebsd-security@FreeBSD.org Subject: Re: Question abt NATD Message-ID: <20020226141239.B349@straylight.oblivion.bg> Mail-Followup-To: "Ilya V. Serov" , freebsd-security@FreeBSD.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="l76fUT7nc3MelDdI" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from serov@telecom.lek.ru on Tue, Feb 26, 2002 at 01:24:36PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--l76fUT7nc3MelDdI
Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Feb 26, 2002 at 01:24:36PM +0300, Ilya V. Serov wrote:
>
> How do you do, guys.
>
> Sorry in advance if somebody considers my question stupid.
>
> I have a FreeBSD 4.4-RELEASE box with natd configured to perform IP
> masquerading. It is extremely necessary to be able to view the NAT
> translation table.
For I guess this info is stored somewhere to let
> the kernel know how to translate addresses, so I think it is possible to
> read this info from there. Has anyone done this "manually", or maybe a
> standard routine is present to help to do this? I have studied many
> documentation sources, but found no hint on the topic.
> Can anyone help me?

As Tariq Rashid already explained, natd does not store the information inside the kernel. Several of my machines use NAT via ppp(8)'s built-in interface to libalias (which is functionally pretty much the same as natd(8)), and several months ago I wrote up a quick hack to libalias and ppp(8) to display the list of currently masqueraded connections. However, it turned out to be not all that useful, since there were some issues with timing out connections, so I kind of let it rot.

If there is enough interest, I could resurrect it and post it for review and suggestions for improvement.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.

--l76fUT7nc3MelDdI
Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjx7e7cACgkQ7Ri2jRYZRVMDUQCbBRgXLScmxA7XxJViE1A8OIIk
IvIAn0KtIkShTHusAhU25g49hwBpe/M7
=SLt6
-----END PGP SIGNATURE-----

--l76fUT7nc3MelDdI--

From owner-freebsd-security Tue Feb 26 4:49:57 2002
Delivered-To: freebsd-security@freebsd.org Received: from mail.spc.org (insomnia.spc.org [195.224.94.183]) by hub.freebsd.org (Postfix) with SMTP id 7A5F037B402 for ; Tue, 26 Feb 2002 04:49:51 -0800 (PST) Received: (qmail 26760 invoked by uid 1031); 26 Feb 2002 12:39:09 -0000 Date: Tue, 26 Feb 2002 12:39:09 +0000 From: Bruce M Simpson To: freebsd-security@FreeBSD.ORG Subject: Re: Third /tmp location ? Message-ID: <20020226123909.C26932@spc.org> Mail-Followup-To: Bruce M Simpson , freebsd-security@FreeBSD.ORG References: <20020222152529.A16356@xor.obsecurity.org> <20020222152714.B16356@xor.obsecurity.org> <000501c1bcab$84ff2df0$1efd2fd8@westbend.net> <3C781741.744669C9@abc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3C781741.744669C9@abc.ro>; from andrei@abc.ro on Sun, Feb 24, 2002 at 12:27:13AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I, too, have one on a 4.5-RELEASE production box. Tut tut! Have we decided to patch playpen?

On Sun, Feb 24, 2002 at 12:27:13AM +0200, ANdrei wrote:
> everybody is talking about a world writable /usr/tmp...

From owner-freebsd-security Tue Feb 26 6: 8:37 2002
Date: Thu, 2 Jan 1997 09:43:23 +0700 (WIT)
From: Adiguna M
To: freebsd-security@freebsd.org
Subject: test .... delete
Message-ID: <19970102094302.M1351-100000@aladin.ee.itb.ac.id>

From owner-freebsd-security Tue Feb 26 10:12:12 2002
Date: Tue, 26 Feb 2002 10:12:04 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Third /tmp location ? (and maybe a fourth too)
Message-ID: <20020226095708.Y20347-100000@roble.com>

Bill Vermillion wrote:
> > From: Dag-Erling Smorgrav
>
> > Bill Vermillion writes:
> > > > Is the /usr/tmp really used for something useful ?
> > > I would think man 7 hier will answer that for you in a hurry.
> > > Yes it really is useful.
>
> > Bzzzt. FreeBSD has never had /usr/tmp, and all software that expects
> > /usr/tmp has been changed to use /var/tmp instead.
>
> And I set /usr/tmp for many things because there is no reason that
> I can see to have var so big that it will hold large files I may
> have to edit. I put /usr/tmp in almost all my .exrc files
> as too many times I've gotten 'file system full'.

File system full errors are typically caused by unnecessary
partitioning. You rarely see them on single-partition systems.
Creating symlinks or additional tmp directories to avoid the
inevitable drawback of excess partitions is two bads, which don't
sum to a good. Both also violate the KIS principle.

> As I said "Yes it really is useful". User applications really
> should probably go in /usr/tmp if you have a lot of users.

I do believe you're serious!? A better solution, if you *really*
need a user+shared application space, would be /usr/local/${user}/...
but even that's a hack. How about `mkdir /usr/local/$app ; chown
$user /usr/local/$app ; ln -s /usr/local/$app/bin/$app /usr/local/bin`?

WRT security, shared user application directories, whether /var/tmp
or /cgi-bin, should be avoided where possible. This is what read-only
permissions and root-only access are all about.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Tue Feb 26 12:49:18 2002
From: "Ian Barnes"
Subject: login problem
Date: Tue, 26 Feb 2002 23:06:27 +0200

Hi,

I ssh into my FreeBSD 4.5 box using ssh. I wanted to change my shell from
bash to tcsh, so I ran vipw, edited the file from /usr/local/bin/bash to
/bin/bash (not thinking straight). Saved it, and exited. Now I can't get back
in, because there is no /bin/bash.

Is there any way I can get root on the box?

Thanks

Ian Barnes
--------------------------------------------
BOFH - MOM'S Pharmacies
Email: ian@cerebellum.za.net

From owner-freebsd-security Tue Feb 26 12:55:39 2002
Date: Tue, 26 Feb 2002 21:55:34 +0100
From: Bart Matthaei
To: Ian Barnes
Cc: security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226215534.A62131@heresy.dreamflow.nl>

On Tue, Feb 26, 2002 at 11:06:27PM +0200, Ian Barnes wrote:
> Is there any way I can get root on the box?

1. See if you can pass a shell to ssh. "ssh box.domain.tld
/usr/local/bin/bash" might do the trick. I'm not sure if this works,
so don't sue me for it.

2. Plug in a monitor + keyboard, and log in as root, fix the problem.
No sane person would allow root logins from ssh, or telnet, so unless
you want to / can r00t your own box, you'll need physical access for
this option.

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.

From owner-freebsd-security Tue Feb 26 12:56:58 2002
Date: Tue, 26 Feb 2002 15:56:49 -0500
From: Zvezdan Petkovic
To: security@FreeBSD.ORG
Subject: Re: Third /tmp location ? (and maybe a fourth too)
Message-ID: <20020226155649.A22293@dali.cs.wm.edu>

On Tue, Feb 26, 2002 at 10:12:04AM -0800, Roger Marquis wrote:
> Bill Vermillion wrote:
> > > From: Dag-Erling Smorgrav
> >
> > > Bill Vermillion writes:
> > > > > Is the /usr/tmp really used for something useful ?
> > > > I would think man 7 hier will answer that for you in a hurry.
> > > > Yes it really is useful.
> >
> > > Bzzzt. FreeBSD has never had /usr/tmp, and all software that expects
> > > /usr/tmp has been changed to use /var/tmp instead.
> >
> > And I set /usr/tmp for many things because there is no reason that
> > I can see to have var so big that it will hold large files I may
> > have to edit. I put /usr/tmp in almost all my .exrc files
> > as too many times I've gotten 'file system full'.
>
> File system full errors are typically caused by unnecessary
> partitioning. You rarely see them on single-partition systems.

But on single-partition systems you can't make /usr read-only and
File System Hierarchy Standard is made exactly because of that.
Multiple partitions enable a clear distinction between _shareable_
and _unshareable_ data, as well as between _static_ and _variable_.

Consider this example (from FSH standard):

+---------+--------------------+-----------------+
|         | shareable          | unshareable     |
+---------+--------------------+-----------------+
| static  | /usr               | /etc            |
|         | /opt               | /boot           |
+---------+--------------------+-----------------+
| variable| /var/mail          | /var/run        |
|         | /var/spool/news    | /var/lock       |
+---------+--------------------+-----------------+

In the above example if you use multiple partitions you can:

* share /usr across the network
* mount /usr read-only
* mount /usr from read-only media such as CD-ROM
* have to mount /var and / as read-write but if /var/mail is a
  separate partition you can share it across the network.
* /etc, /boot, /var/run and /var/lock must be local to each machine.

There are obvious security advantages as well as flexibility in the
networked environment that cannot be achieved with a single-partition
system. For the very simple environments though having a single
partition makes a lot of sense. There are two schools of thought
related to partitioning. Both are right for their respective
intentions.

Notice that on a read-only /usr one can't make /usr/tmp either.
:-)

Best regards,
--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Tue Feb 26 12:57:49 2002
Date: Tue, 26 Feb 2002 15:57:11 -0500
From: Chris Faulhaber
To: Ian Barnes
Cc: security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226205711.GB99775@peitho.fxp.org>

On Tue, Feb 26, 2002 at 11:06:27PM +0200, Ian Barnes wrote:
> Hi,
>
> I ssh into my FreeBSD 4.5 box using ssh. I wanted to change my shell from
> bash to tcsh, so I ran vipw, edited the file from /usr/local/bin/bash to
> /bin/bash (not thinking straight). Saved it, and exited. Now I can't get back
> in, because there is no /bin/bash.
>
> Is there any way I can get root on the box?
>

Assuming you can login as a user with su privileges, use
'su -m'.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Tue Feb 26 13: 0: 5 2002
Date: Tue, 26 Feb 2002 21:59:37 +0100
From: "Guy Coste"
Subject: Re: login problem

you may use 'toor' the root bash user

>>> "Ian Barnes" 22:06:27 26-Feb-02 >>>
Hi,

I ssh into my FreeBSD 4.5 box using ssh. I wanted to change my shell from
bash to tcsh, so I ran vipw, edited the file from /usr/local/bin/bash to
/bin/bash (not thinking straight). Saved it, and exited.
Now I can't get back in, because there is no /bin/bash.

Is there any way I can get root on the box?

Thanks

Ian Barnes
--------------------------------------------
BOFH - MOM'S Pharmacies
Email: ian@cerebellum.za.net

From owner-freebsd-security Tue Feb 26 13: 2: 2 2002
Date: Tue, 26 Feb 2002 22:01:58 +0100
From: Bart Matthaei
To: security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226220158.C62131@heresy.dreamflow.nl>

> 1. See if you can pass a shell to ssh. "ssh box.domain.tld
> /usr/local/bin/bash" might do the trick. I'm not sure if this works,
> so don't sue me for it.

Correction:

I checked it out on my box. If the shell is non-existent, pam will deny
access to the user account (correct me if I'm wrong). So I guess this
one won't work unless /bin/bash exists.

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.

From owner-freebsd-security Tue Feb 26 13: 4:38 2002
Date: Tue, 26 Feb 2002 22:04:34 +0100
From: Bart Matthaei
To: Guy Coste
Cc: security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226220434.E62131@heresy.dreamflow.nl>

On Tue, Feb 26, 2002 at 09:59:37PM +0100, Guy Coste wrote:
> you may use 'toor' the root bash user

Correct me if I'm wrong,

but "toor" is password-less out of the box.

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.

From owner-freebsd-security Tue Feb 26 13:12:30 2002
Date: Tue, 26 Feb 2002 22:12:28 +0100
From: Miguel Mendez
To: Bart Matthaei
Cc: Guy Coste, security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226221228.A10897@energyhq.homeip.net>

On Tue, Feb 26, 2002 at 10:04:34PM +0100, Bart Matthaei wrote:
> On Tue, Feb 26, 2002 at 09:59:37PM +0100, Guy Coste wrote:
> > you may use 'toor' the root bash user
>
> Correct me if I'm wrong,
>
> but "toor" is password-less out of the box.

Hello? password-less as in 'please hack me?'

No, it's actually *disabled*. Check your /etc/master.passwd

toor:*:0:0::0:0:Bourne-again Superuser:/root:

Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
FreeBSD - The power to serve!

From owner-freebsd-security Tue Feb 26 13:14:22 2002
Message-ID: <010e01c1bf09$cfd15d20$3800a8c0@DAVE>
From: "Dave Raven"
To: "Chris Faulhaber", "Ian Barnes"
Subject: Re: login problem
Date: Tue, 26 Feb 2002 23:08:49 +0200

you should get an error message like so with su -m:
su: permission denied (shell). ( I tested it ) and I don't think it will
work with a non-existent shell anyway...

Or is there another reason for that?

Dave.

----- Original Message -----
From: "Chris Faulhaber"
To: "Ian Barnes"
Cc:
Sent: Tuesday, February 26, 2002 10:57 PM
Subject: Re: login problem

> On Tue, Feb 26, 2002 at 11:06:27PM +0200, Ian Barnes wrote:
> > Hi,
> >
> > I ssh into my FreeBSD 4.5 box using ssh. I wanted to change my shell from
> > bash to tcsh, so I ran vipw, edited the file from /usr/local/bin/bash to
> > /bin/bash (not thinking straight). Saved it, and exited. Now I can't get back
> > in, because there is no /bin/bash.
> >
> > Is there any way I can get root on the box?
> >
>
> Assuming you can login as a user with su privileges, use
> 'su -m'.
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Tue Feb 26 13:15:19 2002
Date: Tue, 26 Feb 2002 22:15:12 +0100
From: Bart Matthaei
To: Miguel Mendez
Cc: security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226221512.F62131@heresy.dreamflow.nl>

On Tue, Feb 26, 2002 at 10:12:28PM +0100, Miguel Mendez wrote:
> Hello? password-less as in 'please hack me?'
>
> No, it's actually *disabled*. Check your /etc/master.passwd
>
> toor:*:0:0::0:0:Bourne-again Superuser:/root:

That's what I meant.

"It hasn't got a password" isn't "It has an empty password".

But sorry if it came out wrong.

Anyway, "It hasn't got a password", so you can't log in with it.

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.

From owner-freebsd-security Tue Feb 26 13:22:24 2002
Message-ID: <3C7BFBFF.6398655F@centtech.com>
Date: Tue, 26 Feb 2002 15:19:59 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
To: Bart Matthaei
Cc: Miguel Mendez, security@freebsd.org
Subject: Re: login problem

Well, "technically" it HAS a password, it is just not possible to encrypt a
password and have it end up "*". If it was, that would be REALLY scary. :)

But, I'm no stickler, I knew what you meant either way.

Eric

Bart Matthaei wrote:
>
> On Tue, Feb 26, 2002 at 10:12:28PM +0100, Miguel Mendez wrote:
> > Hello? password-less as in 'please hack me?'
> >
> > No, it's actually *disabled*. Check your /etc/master.passwd
> >
> > toor:*:0:0::0:0:Bourne-again Superuser:/root:
>
> That's what I meant.
>
> "It hasn't got a password" isn't "It has an empty password".
>
> But sorry if it came out wrong.
>
> Anyway, "It hasn't got a password", so you can't log in with it.
>
> Regards,
>
> Bart
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> Kiss me twice. I'm schizophrenic.

--
------------------------------------------------------------------
Eric Anderson    Systems Administrator    Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Tue Feb 26 13:25:32 2002
Date: Tue, 26 Feb 2002 22:25:23 +0100
From: Bart Matthaei
To: Eric Anderson
Cc: security@freebsd.org
Subject: Re: login problem
Message-ID: <20020226222523.G62131@heresy.dreamflow.nl>

On Tue, Feb 26, 2002 at 03:19:59PM -0600, Eric Anderson wrote:
> Well, "technically" it HAS a password, it is just not possible to encrypt a
> password and have it end up "*". If it was, that would be REALLY scary. :)
>
> But, I'm no stickler, I knew what you meant either way.

Argh ;)

Ok, you're right. I'm sorry for the miscommunication, and I hope we can
live happily ever after ;)

Love,

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.
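
The two conditions argued over in the "login problem" messages above, a password field of "*" versus an empty one and a login shell that does not exist, can be checked mechanically. This is an added example, not code posted by anyone on the list; the function names, the optional ROOT prefix argument and every sample account except the quoted toor line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify master.passwd(5)-format entries.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell

# pw_state FIELD -> EMPTY | LOCKED | HASH
pw_state() {
    case "$1" in
        '')   echo EMPTY ;;   # "It has an empty password"
        '*'*) echo LOCKED ;;  # disabled: per the thread, no hash can equal it
        *)    echo HASH ;;
    esac
}

# shell_state SHELL ROOT -> OK if ROOT+SHELL is an executable regular file.
# An empty shell field means /bin/sh, per passwd(5).
shell_state() {
    sh_path=${1:-/bin/sh}
    if [ -f "$2$sh_path" ] && [ -x "$2$sh_path" ]; then
        echo OK
    else
        echo MISSING
    fi
}

# audit_passwd FILE [ROOT]: print name:uid:pwstate:shellstate:verdict.
# ROOT (hypothetical) lets a mounted disk or a test tree be checked.
audit_passwd() {
    while IFS=: read -r name pw uid gid class change expire gecos home shell \
          || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        ps=$(pw_state "$pw")
        ss=$(shell_state "$shell" "${2:-}")
        if [ "$ps" = EMPTY ]; then
            verdict=no-password   # logs in without any password
        elif [ "$ps" = HASH ] && [ "$ss" = MISSING ]; then
            verdict=lockout       # can authenticate, but has no shell to run
        else
            verdict=ok
        fi
        printf '%s:%s:%s:%s:%s\n' "$name" "$uid" "$ps" "$ss" "$verdict"
    done < "$1"
}

# Constructed sample, not from a real host: only the toor line is the one
# quoted in the thread; the other accounts and the temporary tree are made up.
demo() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/bin" "$tree/usr/local/bin"
    for f in bin/sh bin/csh usr/local/bin/bash; do
        : > "$tree/$f" && chmod 755 "$tree/$f"
    done
    cat > "$tree/master.passwd" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
ian:$1$constructed$hash:1001:1001::0:0:Constructed user:/home/ian:/bin/bash
guest::1002:1002::0:0:Constructed user:/home/guest:/bin/sh
EOF
    audit_passwd "$tree/master.passwd" "$tree"
    rm -rf "$tree"
}

demo
```

On a live FreeBSD host, `audit_passwd /etc/master.passwd` run as root with no ROOT argument checks the real file against the real filesystem.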

From owner-freebsd-security Tue Feb 26 13:31:36 2002
Message-ID: <3C7BFE01.845A76BC@centtech.com>
Date: Tue, 26 Feb 2002 15:28:33 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
To: Bart Matthaei
Cc: security@freebsd.org
Subject: Re: login problem

"Oh, the tears of unfathomable sadness."
-Eric Cartman (Scott Tenorman Must Die)

Bart Matthaei wrote: > > On Tue, Feb 26, 2002 at 03:19:59PM -0600, Eric Anderson wrote: > > Well, "technically" it HAS a password, it is just not possible to encrypt a > > password and have it end up "*". If it was, that would be REALLY scary. :) > > > > But, I'm no stickler, I knew what you meant either way. > > Argh ;) > > Ok, you're right. I'm sorry for the miscommunication, and I hope we can > live happily ever after ;) > > Love, > > Bart > -- > Bart Matthaei bart@dreamflow.nl > > Kiss me twice. I'm schizophrenic.

-- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. ------------------------------------------------------------------

From owner-freebsd-security Tue Feb 26 15:25:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 8148037B402 for ; Tue, 26 Feb 2002 15:25:29 -0800 (PST) Received: (qmail 46062 invoked by uid 1001); 26 Feb 2002 23:24:34 -0000 Date: Tue, 26 Feb 2002 18:24:34 -0500 From: "Peter C. Lai" To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: Third /tmp location ?
(and maybe a fourth too) Message-ID: <20020226182434.B45921@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20020226095708.Y20347-100000@roble.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020226095708.Y20347-100000@roble.com>; from marquis@roble.com on Tue, Feb 26, 2002 at 10:12:04AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Feb 26, 2002 at 10:12:04AM -0800, Roger Marquis wrote: > Bill Vermillion wrote: > > > From: Dag-Erling Smorgrav > > > > > Bill Vermillion writes: > > > > > Is the /usr/tmp really used for something useful ? > > > > I would think man 7 hier will answer that for you in a hurry. > > > > Yes it really is useful. > > > > > Bzzzt. FreeBSD has never had /usr/tmp, and all software that expects > > > /usr/tmp has been changed to use /var/tmp instead. > > > > And I set /usr/tmp for many things because there is no reason that > > I can see to have var so big that it will hold large files I may > > have to edit. I put /usr/tmp in almost all my .exrc files > > as too many times I've gotten 'file system full'. > > File system full errors are typically caused by unnecessary > partitioning. You rarely see them on single-partition systems. > Creating symlinks or additional tmp directories to avoid the > inevitable drawback of excess partitions is two bads, which don't > sum to a good. Both also violate the KIS principle. >

Unfortunately, as demonstrated in another reply, the optimal partition scheme (/, /usr, /var) is preferred over single partition schemes. However, it is unable to avoid this problem. Unless you are running a news server or heavy mail server, /var doesn't need to be very big (and you are wasting space by making it so).
I have a 50mb /var partition, but I wouldn't be able to say, pkg_add StarOffice or something and have it fit like that. Perhaps use of growfs(8) should be discussed? (off this list of course :)

> > As I said "Yes it really is useful". User applications really > > should probably go in /usr/tmp if you have a lot of users. > > I do believe you're serious!? A better solution, if you *really* > need a user+shared application space, would be /usr/local/${user}/... > but even that's a hack. How about `mkdir /usr/local/$app ; chown > $user /usr/local/$app ; ln -s /usr/local/$app/bin/$app /usr/local/bin`? >

Aren't ./tmp directories usually set sticky so that Thus, everyone can create or write to their own file, but they can not touch (in the literal sense) other people's files in that directory. To me, to replicate your scheme, one merely needs to chmod 0770 (or 0660 only) stuff that gets put in there...

> WRT security, shared user application directories, whether /var/tmp > or /cgi-bin, should be avoided where possible. This is what > read-only permissions and root-only access are all about.

Read above...

> > -- > Roger Marquis > Roble Systems Consulting > http://www.roble.com/

-- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept.
of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)

From owner-freebsd-security Tue Feb 26 15:39:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id 559FD37B43D for ; Tue, 26 Feb 2002 15:39:06 -0800 (PST) Received: from localhost (marquis@localhost) by roble.com with ESMTP id g1QNd5R26215 for ; Tue, 26 Feb 2002 15:39:05 -0800 (PST) Date: Tue, 26 Feb 2002 15:39:05 -0800 (PST) From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: Third /tmp location ? (and maybe a fourth too) In-Reply-To: <20020226182434.B45921@cowbert.2y.net> Message-ID: <20020226152847.L25859-100000@roble.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> > File system full errors are typically caused by unnecessary > > partitioning. You rarely see them on single-partition systems. > > Creating symlinks or additional tmp directories to avoid the > > inevitable drawback of excess partitions is two bads, which don't > > sum to a good. Both also violate the KIS principle. > > Unfortunately, as demonstrated in another reply, > the optimal partition scheme (/, /usr, /var) is > preferred over single partition schemes.

Preferred by who? Not by the majority of admins I've worked with over the past couple of decades. Neither is there any real gain afforded by a read-only /usr. /usr had to be partitioned years ago because it wouldn't fit on the root disk.
With the introduction of 1GB disks there is no longer a good reason to partition /usr though some still rationalize the practice citing unsubstantiated benefits of read-only mounts vs read-only permissions. Creating a partition for /var is also rarely necessary unless your applications require partitioning for performance, pseudo-quotas, or they need more disk than the root volume provides.

-- Roger Marquis Roble Systems Consulting http://www.roble.com/

From owner-freebsd-security Tue Feb 26 16: 4:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id 6053B37B417 for ; Tue, 26 Feb 2002 16:04:23 -0800 (PST) Received: from kpi.com.au (localhost.kpi.com.au [127.0.0.1]) by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id LAA54931; Wed, 27 Feb 2002 11:16:58 +1100 (EST) (envelope-from johnsa@kpi.com.au) Message-ID: <3C7C227B.9020100@kpi.com.au> Date: Wed, 27 Feb 2002 11:04:11 +1100 From: Andrew Johns User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1 X-Accept-Language: en-gb MIME-Version: 1.0 To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: Third /tmp location ? (and maybe a fourth too) References: <20020226152847.L25859-100000@roble.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Roger Marquis wrote: >>> File system full errors are typically caused by >>> unnecessary partitioning. You rarely see them on >>> single-partition systems.
Creating symlinks or >>> additional tmp directories to avoid the inevitable >>> drawback of excess partitions is two bads, which don't sum >>> to a good. Both also violate the KIS principle. >>> >> Unfortunately, as demonstrated in another reply, the >> optimal partition scheme (/, /usr, /var) is preferred over >> single partition schemes. >> > > Preferred by who? Not by the majority of admins I've worked > with over the past couple of decades. Neither is there any > real gain afforded by a read-only /usr. /usr had to be > partitioned years ago because it wouldn't fit on the root > disk. With the introduction of 1GB disks there is no longer > a good reason to partition /usr though some still > rationalize the practice citing unsubstantiated benefits of > read-only mounts vs read-only permissions.

It's called Defense in Depth, IIRC. Rather than "r/o mounts vs r/o permissions", it should be "r/o mounts AND r/o perms" to afford the greatest depth, although neither of these methods stop anything once someone has root - it will just take them that little bit longer to get around it (even if only seconds - note: I'm in agreement that it's basically unsubstantiated, however see below).

> > Creating a partition for /var is also rarely necessary unless > your applications require partitioning for performance, > pseudo-quotas, or they need more disk than the root volume > provides. >

I remember once seeing a system fill /var with a runaway process that crashed overnight. Unfortunately all on one partition. System emailed support, they dialled in to fix. Their dial-up password had expired, they were prompted for new one, system removed passwd file to update, runaway process saw the free space and immediately filled it:
=> nowhere to write new passwd files!
=> passwd files empty
=> no users could log in.
=> no terminals logged in as root (policy), but there were 600 users already in...

I had to pull the plug to reboot it.
This was for a bank and they ran for a whole day (bank terminals stay logged into unix account but with PICK application f/end) without any new logins. Having something fill a separately mounted /var would never cause this problem... Just a few cents worth... Cheers AJ

From owner-freebsd-security Tue Feb 26 16:15:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id D9B0537B400 for ; Tue, 26 Feb 2002 16:15:53 -0800 (PST) Received: (qmail 70671 invoked by uid 1000); 27 Feb 2002 00:15:48 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Feb 2002 00:15:48 -0000 Date: Tue, 26 Feb 2002 16:15:44 -0800 (PST) From: Jason Stone X-X-Sender: To: Subject: Re: Third /tmp location ? (and maybe a fourth too) In-Reply-To: <20020226152847.L25859-100000@roble.com> Message-ID: <20020226160701.V52647-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> > Unfortunately, as demonstrated in another reply, > > the optimal partition scheme (/, /usr, /var) is > > preferred over single partition schemes. > > Preferred by who? Not by the majority of admins I've worked with over > the past couple of decades. [..] Creating a partition for /var is > also rarely necessary

All partitions that can be written by users should be mounted "nosuid,nodev" and possibly even "noexec" if you can get away with it.
/usr obviously can't be mounted "noexec" and most people can't even mount it "nosuid" - therefore, it is wholly unacceptable from a security standpoint to have a user-writable directory in /usr.

I think that the ideal solution is for pkg_add to honour TMPDIR and, if it can't get enough space in /tmp, die with a message like, "Not enough space in /tmp, consider setting TMPDIR." pkg_add should never create directories without my consent, even if it deletes them immediately afterwards (even if there weren't concerns about race conditions), and it should clearly never, ever leave world-writable directories on un-restricted mount points lying around.

-Jason

----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Tue Feb 26 16:21:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by hub.freebsd.org (Postfix) with ESMTP id E459337B417 for ; Tue, 26 Feb 2002 16:21:48 -0800 (PST) Received: from dali.cs.wm.edu (dali [128.239.26.26]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g1R0LZ824075 for ; Tue, 26 Feb 2002 19:21:36 -0500 (EST) Received: (from zvezdan@localhost) by dali.cs.wm.edu (8.11.6/8.9.1) id g1R0LbE22746 for security@FreeBSD.ORG; Tue, 26 Feb 2002 19:21:37 -0500 Date: Tue, 26 Feb 2002 19:21:37 -0500 From: Zvezdan Petkovic To: security@FreeBSD.ORG Subject: Re: Third /tmp location ? (and maybe a fourth too) Message-ID: <20020226192137.A22734@dali.cs.wm.edu> Mail-Followup-To: security@FreeBSD.ORG References: <20020226152847.L25859-100000@roble.com> <3C7C227B.9020100@kpi.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3C7C227B.9020100@kpi.com.au>; from johnsa@kpi.com.au on Wed, Feb 27, 2002 at 11:04:11AM +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Feb 27, 2002 at 11:04:11AM +1100, Andrew Johns wrote: > Roger Marquis wrote: > > >>> File system full errors are typically caused by > >>> unnecessary partitioning. You rarely see them on > >>> single-partition systems.
Creating symlinks or > >>> additional tmp directories to avoid the inevitable > >>> drawback of excess partitions is two bads, which don't sum > >>> to a good. Both also violate the KIS principle. > >>> > >> Unfortunately, as demonstrated in another reply, the > >> optimal partition scheme (/, /usr, /var) is preferred over > >> single partition schemes. > >> > > > > Preferred by who? Not by the majority of admins I've worked > > with over the past couple of decades. Neither is there any > > real gain afforded by a read-only /usr. /usr had to be > > partitioned years ago because it wouldn't fit on the root > > disk. With the introduction of 1GB disks there is no longer > > a good reason to partition /usr though some still > > rationalize the practice citing unsubstantiated benefits of > > read-only mounts vs read-only permissions. > > It's called Defense in Depth, IIRC. Rather than "r/o mounts vs > r/o permissions", it should be "r/o mounts AND r/o perms" to > afford the greatest depth, although neither of these methods stop > anything once someone has root - it will just take them that > little bit longer to get around it (even if only seconds - > note: I'm in agreement that it's basically unsubstantiated, > however see below). >

system running from CDROM would do the job. A hacker cannot change /usr/bin/passwd running from CDROM.

> > > > > Creating a partition for /var is also rarely necessary unless > > your applications require partitioning for performance, > > pseudo-quotas, or they need more disk than the root volume > > provides. > > > > I remember once seeing a system fill /var with a runaway process > that crashed overnight. Unfortunately all on one partition. > System emailed support, they dialled in to fix. Their dial-up > password had expired, they were prompted for new one, system > removed passwd file to update, runaway process saw the free space > and immediately filled it: > => nowhere to write new passwd files!
> => passwd files empty > => no users could log in. > => no terminals logged in as root (policy), but there were 600 > users already in... > > I had to pull the plug to reboot it. This was for a bank and > they ran for a whole day (bank terminals stay logged into unix > account but with PICK application f/end) without any new logins. > > Having something fill a separately mounted /var would never cause > this problem... > > Just a few cents worth... >

Excellent example. But as I said before, there are two irreconcilable schools of thought on this. I tend to be more practical and flexible than dogmatic. Depending on circumstances and requirements, both choices can be good.

-- Zvezdan Petkovic http://www.cs.wm.edu/~zvezdan/
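
The two checks argued for in this thread, written out as an added example that is not part of the original messages: Jason Stone's rule that user-writable filesystems be mounted "nosuid,nodev", and Peter C. Lai's point about the sticky bit on shared tmp directories. The fstab contents, device names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit temp-directory placement against the advice in this thread.
# FSTAB is constructed sample data. On a real host: FSTAB=$(cat /etc/fstab)
FSTAB='# Device      Mountpoint  FStype  Options                 Dump  Pass#
/dev/ad0s1a   /           ufs     rw                      1     1
/dev/ad0s1b   none        swap    sw                      0     0
/dev/ad0s1f   /usr        ufs     rw                      2     2
/dev/ad0s1e   /var        ufs     rw,nosuid               2     2
/dev/ad0s1g   /tmp        ufs     rw,nosuid,nodev,noexec  2     2'

# mount_for PATH
# Print "mountpoint options" for the fstab entry that PATH lives on, i.e. the
# longest mount point that is a prefix of PATH on a path-component boundary
# (so /usrlocal belongs to /, not to /usr).
mount_for() {
    printf '%s\n' "$FSTAB" | awk -v p="$1" '
        /^[ \t]*#/ || NF < 4 || $2 !~ /^\// { next }   # comments, swap, junk
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp)
                    best = mp " " $4
                }
            }
        }
        END { if (best != "") print best }'
}

# missing_opts PATH
# Print the mount options required for a user-writable filesystem
# ("nosuid" and "nodev", per the thread) that PATH's filesystem lacks.
missing_opts() {
    mo_opts=$(mount_for "$1" | awk '{ print $2 }')
    mo_missing=""
    for mo_want in nosuid nodev; do
        case ",$mo_opts," in
            *",$mo_want,"*) ;;
            *) mo_missing="${mo_missing:+$mo_missing }$mo_want" ;;
        esac
    done
    printf '%s' "$mo_missing"
}

# unsticky_dirs ROOT
# List world-writable directories under ROOT that do NOT have the sticky bit,
# i.e. directories where any user can rename or delete another user's files.
unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Report on the three tmp locations discussed in the thread.
for tmp_path in /tmp /var/tmp /usr/tmp; do
    lacking=$(missing_opts "$tmp_path")
    if [ -n "$lacking" ]; then
        echo "$tmp_path: filesystem $(mount_for "$tmp_path" | awk '{ print $1 }') lacks: $lacking"
    else
        echo "$tmp_path: mount options ok"
    fi
done
```

With the sample table, /usr/tmp is reported as lacking both options because it inherits the plain "rw" mount of /usr, which is the situation the thread warns about. Run `unsticky_dirs /var/tmp` (or any other shared directory) to find world-writable directories missing the sticky bit.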
AAUc/Zc+DXjPxFPDa/FHxH43v/iJ4l8MaHZaAv2TSvg748gSx0LTVc22nWdtb6NZaVpelQA22j6P pdjaW8Edtp7LF8GeJvFviH4ieM/EWoCKwtNb1rxrq+vaodKtxcw+FxcarcNdAK3l3Egg+1FLkeWk si6bIfstsp2H7R/YT8N+OLH9sn9mbw98Cpdbk+PfiHW/iGPBviTQLq30fXrG4k+DfxKtLu5s7ud0 htIoF1G/ja7kQPFIYH83ckElfMN/rXw70i/8Qw/DpLPSvA/iDxdfeKNDuLW0ltNJtbbUdQvr6xQR kRtDmKa48i1Ijkhie3FwqpHAG/TPY8ub1Yz5YwjSgkobKCnU92ySUX2S6ardo/N513LLqbi26jqV G295T5afvNtu+ml9LKyaa1aaN4esPClmtrp4u7vXNT02XTtQuEvLS81q7tl067h1O5S2ma3gvrTT rmziuluGUS2sMk6QF3lS0n5jxz4/EtxZX9nFpUt94Pu5vH1jfJFb+JtM+FV7o+p6N4zTXvAur3dn bX9q5l8H2dvfalfgNLYazfIos45ZDJROpeIviDMlhYJJb6FEbPxRc3JsVuNOVoLuOc3jREIty9vc jUY5jbRJHbmeR5IYN7mb9eP+CM37E/7NX7SX7XOp/D/4/eHZ/HXhj4IfBQftFnS28aXWneHP+Ei8 I+MfBVhpk+rrE8CazpfkwTyy2WoWzWqoFEitKTJNrmOMlh8DUr06S9nTTl2Tey1e7d1fdLR6mOBw yq4unh6tRqpUnFJ68ytbRLeySbv12atdryz/AIJcf8E9f2mf2p/Hdt8TfBPgy50z4MeHNM0zxto3 7QHxOv8AxF4A+GnxHu/B93pF3Y2vhzWoNOni16Y6rZ6k19cwvFY3EMIh+13bLfRQer/Fn4R+DP2i dHSz8WXPi7S4rTXtZ16zHh68GnXtvNrlxJJdxPazQS+YZFu1R7NgrssXk7EZPso/Qj9un/gvrrfh rw/qHwd/4Ji/AbxL4M0VNPvdMP7UHxT/AGdtf8D+CfCZ1W3Z3n8D/Dq5sLV9RuVknjnN/rwtNPhb ym/s7UAWEf8AOj4X/a8+NHhWK20Q+KfA/iW6soIdPvI/Gfg22TXpfJKM7TCylsXWchEIYxqEVVUR On7sfj+OzjGYvHvFylaVnFW7Xbtrvq3fS3S1j9cwWU4TA4VYWUbxum0+6Su+ttVfvfW9tvRNX/4J jaT583/CKfGjXEsIJLfUYtK8a+GIb66024guYxay2t9p13BDHEGFuUjWyM0zS3IYJGqW8fgviT/g nV+0bpxupNM1H4efFCNtKudKudLstcm8MiaxkmheaCLSry2Mdxd7I1gkd5Y4JFjSILbedcPN9RaV +3h4rSUR+JPhF4d1HT1jErXXh3xteW1y05hMTxRWN1ZyrHGyJEhaW7cyKIxiPyxJJ6vpn7cvwkvY n/4SPwz8StDlWVlnmn0az8XJPHJE8TSyG1neUuu3a8iI77WKIh27xx/WXJqVSEX8rb+UHH9fwu+z 2La5YVZRaenvX10/mT9Ntd99vyD8X/sv/G7w5f215r/wN+I4urCXUL7wx4ltNFufiBaeHzNCwZ3u bK4llW2L6jcRRTPPDDK9oI45EeKwkk8W1yCfUPDPi7wVrFtqWk+I7WK6tvDjajcC5i0fU5LQPb6O b+7EDSBtQinuNPAdzayGGRzaI8VvH/Rfpf7WP7OWoRtczfFfQfDAaZIri88fW198N4bd5zFbOtxd X8UMLRySGIIvyJJlgzptgdPUo9d+HHxDsY7sar8PvHWnz2uEuLjUdK8WJOs1vbwvAhfzH3NcsjeR E6SufJTejvCia0cTQhNupB2as0nZJd7NX31WujSfdEVKVapBRUlz7ptO6fR6SS7JqzTV1re5+Z3/ 
AAUF0q48V+Df2dobGKz1C2HjLxLqj3D+W2mQC3tNQe2ur3UNkkdpY70QPdeTIqiRLeSB45pI6/L2 61O1/sIaHa2eo61b67DFpvjfUz9plu9ZuY52eOeKyaWWey0s3EktrJaTwyvIjrHc20VvpzWy/wBI 3xA/Z0+EfxD8PeHvA/jjwLdQeF/B2kS6Vovh7w94k1LwFZ6PbJbRTGC1i0+4tojbRxWVqsUcvmW8 awqI0jjeeB/lzxL/AMExfgxfXCTeFfiT8YfBMtp5UVvZLqWj+KbOBYUlhgtUF3Y27tG7xRxlpnZo /KuBFJbi4uhN1Y/HYeu26MnCfvXck9E5SaScVK7d7ybS/lTsve5cLhsVRjKFZ3iuW1re8+WKcpJp bNWSTaWjd3ZR/ECa6vNKvfEmtaXqgttf0iJdR1WeSO4s9Dhu5bGaSGeC2zNEYZbuBY7i1EjSRRxy CB4nuZvt2v8AEHRr9tC13VtCtl0jSrnRLp9IsrHT2F/4c8QO9/IZor2GZFjjn+0o0kzoEe11ScTx u80yQ/o543/4JcfFQWWsw+CfjN4G8YwXFjLb22i/EbQLrwfaC2fT7WxvP7YvrW0umnEDQ2120S21 qY5pW8xJIxDND474l/Yf/ao0tPFGjXXwevPGvh3xXoN5p2p3/wAOfEukazqeofaZFjQ22mLcxXGL aO8t4kv7kbp4LaYFm82O7mxoU1WX1fnhyPWMnJLla62bTtJaSstrNaxs98RX9jy4mMHzLRrlb5o6 dUmrq75XdK6adk7v0D/gpdNYt4k+Akl/aanqFk/wl8WxXVhpSxtLqkMniDTALSO4MgkUK0ENxH5I AP2B5JDaWq3ufjKxh1HQLu58ZTyyXlzJqemw2XhO9urrTNI8SWkk0mmSX0+EnuYrJIJreCQoyLe3 Vqzwwo8U01feX/BQKzElt8F/iJ4j03WrDw5ofwj1NJdLvNHvNP1ubUNV1lL630vUL6S2mi0y2kt4 LmPVJJTHLCl3GDjc8kX533us6rrM+s+JpbnwzrWoNqNhoNhpFtqFvodrPJEbi/hs7OweWaOC2az0 m2ubPY6KsWoNLjTBcXFwnfmSjSx1TGvV3TgkrppJO7k9HqmorR3V3ZK0uXLLVcDDD3SaT509G9Ze 6lvazTbeqTaSd7qx4kk186u2tTFLuz8RahbeJLO+muXsYtN8PLp0NvqS3RRHszdacryLBCBFCtrZ sLVsLJGn7Sfs0aJo+pfsXfs3v4jk+EGn6jqGs6Z4e8K6F8QYjeaR4t8Q6zoNk2g2b6FabU1fTJ77 R7CyuNMtzDFfL4pitTeWcciQah+K2jafayvY+GWs57cp4mtdQ8HeILkXqzX2q2+mwwR6prN7bmCW Jrlzc6ZfTPGT5nkvIUgkgtp/1M8Ea15P7Fv7OxsrfxfZQaD4gbxzD4Tj02XRfGMeqaHJoItbOwe8 WOCxu7OUwTWBkjjjthZ2s8d6LcQSv3ZJK+KqYim/ijJptu8ZLeL62bkmm29LO97nBm6UsLHCTV1G SWqilKOqv1V2laUbbra2/wCg3xd/aM+DniLT/wBp34f2EPxB8Z/Db9pf9q/R/wBj3WrjxZb2PwZ/ 4Ra4uv8AhFvEnxp8YyWl1FJrN7fa8ms67PNqdiulRz2OjvbWtjpMFvH/AGj438V/2qfi78U/An7T OreC4bL4deONf+P0P7P/AIh8R/Dz4ex+ItA174X6b4d8SeF/DTza9rx1HWIotQvLbR4bmDRb2wUW VrZva2MGmxz6refD/jb4y+BdNn+Jvh4694Di1u7+LKeKdD8u5Xx5qGl+MNTurvV3sVk8qWUxaHHL dbI9S+z3FxPZi4u8yxqDx/iH9qdotS+IHjDRNO8a+KL/AFLx5cfDrV9Nvv8Aim5J9Z1HS5LvxD4m 
W0unkN7cXMWlyXBmSC4ult729htXhSa5ml3hWpc8W6rk246J6Nc1Oyuls0rXd9Y3SurLmqUpqEkq SjDXVp6PlqK9m0rrS9nqpau1mv63f+CV/hDx6f28f21PjrquqXUnhv4l6XpHhx9B8Z/FHW/ihr3h KyvvEXizWfD2geHL+W6udNhs9FlsNc0rUNMtrj7JaXmn/ZrISC2TPsP/AAXFU/8ACAfsptz8vxe8 Thj8xwG8Lw9xx1A68V8L/wDBFn4v/ELxN+1/8dfhlJpnh+H4RfCH4Q+Efh18P9fsda8ReJdS1I6L quvoI9f1zU7+5iub1ZbnVbr9wkCk6vfFvNnd7uT7m/4LhGGb4dfssShcMvxg8ToFkkRJI5P+Eaii ljb76sy5ZNvbZ9/jnKSlGCbVtu38i107rVvu/kc1aK9uuR3Vnr296WnonpbyP4RP269NEn7UOpXU K3Pn3Hw28ORMr3NxbaKwiuQkEl2qP5jPG9yH/wBHRWh2LumH22JD8QWun3pQLYrBoniC50+W+8Hv 5On6T4vhlW2s7KU/YElNnFIsmmtHcWkwhgs0SBEnSaLZB9rft6tYRftJ65cznTs2vww8K6jc/a4F Z0igv3IeOdnaMOfOlWK2ngS3urhreOSacb7V/hbSvEuj+KNFu9P0W/uNVN5pk9vFpeqPNqCX1zCY Lo2tzO8Y1GUQhwYL9ZhsupXlMNqiWFm/yuIm1XqWTvdrTX7Wnp2fyPs8HKKwtNReqS+buna/bppr 6F3xbPaPoPiu0s1uViHhDVG0uxudQmjvbGyeNrlbi4kjjKNEwgSN45mLi8uYQ7uLm3mm/wBIf4N2 D3Hwg+EMsxaKOX4U+GpGRSplz/Ytgw3N/wACPZ/u/hX+br4nWK907x/aJPJNawW2savfSfv7Szul lW4tYb+W3kuSJ545neSWWB5mSOGeCXT7Wex0+Jf7xf8AgmJ+1D8V/wBr34G6T8QNb+Ak/wAGfg/o mhab4F+E2q+IPEE2r+LfiSmjWdrp99rMieSkEFvJJa3kaxAlw1srqZUlVh7GQ16X1mtC+rSslskr 3em2jW/X5HmZ7G8I1IpJJu+ve35W6dr2Vz6Y/af+Keo/Af4EePvH3hj4QeNPj54ntNJlsvC3wl8D wwahr/i/ULmGSGBY4JlZWjhzJcymGK4mEUMrRQTPtjb/ADMvB95K2nQ6Rp+o2V5BHayWtxNLps8k aGYyPJFMLfySUZSDFJeTOwAZY0hYyxr/AKtv9mK1vepIY7mSayngS3dnit3kkjkEaO3Of3vk7WPy q6K/VP3f+aV8E/8Agnr+0n8VPGXiX4Mwp4S8D6l4T8PSa3rOteJbuW08O2WqGK4kTRJdShjJubiV JLfzrvS2u7W2iaBJZQZWjMcTRnUnScJa62Vtmrbau/e2l2t1qceUPnjU1+Fxate90pWa131021d7 2un8laHZHUm8yyawttWto18QLYa3pk0986zg3FtPG8Mj3ADfaLUvIUMk8dpGZJWWWOGThPHv9vxX UEOqR2p07ONIurJzfWNykKJExgumAY4GxZAgRGdNxTcdx+wtY+Cnxe+EnijUbDxB+zn4h+KFz4M0 Sfwv4pXTbPUvEOlabMLc6Ta6va3lnBHcWDKuj6bc2sroHEdzIjPHKVKfLbeO4bjT9V8MeINGilRb uVbZ7mJ9PubNxPLLLNc7mkkaYKkcBVy8zDIFxG+95flqcqqqySjemle7a87pWbbatF2aWjSi27pe xHnhKU4SvTTkuV3vHVX1Su0uiavZaXbV/IKKKK7TsCv6PdJ1HTPB3h7TrRc3+q3OmWC6ncur/atR kuYIGSIIXf8AdIFWP7OVZ8szb5H8vZ/OFX9JPh6xsfCmlWWtX959s1s+GrOe4vrxZJ7XTmjso4Ib 
W3jKb5D87HzC4JaNfub5FT9C4BuqmKta9oavp8W3mfB8cKPs8NKV7Jz0XX4T6/8A+CcvjHUPgX+3 j+zH8d/GNtqOsTaRp3xQ8M23gWyt1e51W21H4TePdRjM00kmLaWFLO1PmiC5ldHkVYR9ozXxXYfC 3UNPvtT03xjPNMnhnxPqnh5bNzFczeJHsLy4gW+vER0lJngtIZwsbxDzJ4GaY73iP6B/8EtdJ8Ef Fv8A4KM/s/6D8VdAtdY+D8nhH4m69eDxNJNF4T1fX9F8G6g+kpql6uyKSCJhfXcaXDR2zXMUbeYL qGKKT83JPife2+kjUfEkqyXum6fMnifU9cM+nmW+08ol7c6rFMkElu3mxl5Y3ij8qSPcTCWkig+y qSw6zSo6l+RUob395+0qa9lHdNLTvfW3xyjL+zKUaStU9pO7TTtaNO+93ty69dXpdHs10sOm6asY uI/D+j3d01lHqMM1vZwW817pWuadb3EYAEkpuZINNigihtnW4uZYYZbyxZ5Lm2+8f+CY37TmseB/ 2xPDlx8LtG0Wex+IPw/1r4Ba7Y6zPqX/AAiNhpXj7xF4R8S6hqmheGYrqRdNu4rPwfpMkSfaZlDa rdSyPIUiYfK37MP/AAT8/br/AG8r63vPgJ8ItYufCM1jLKP2g/i7dP8ACr4E6U1iNakFwviGW2mu NRT+0vDdtClr4f07ULeN9RtjczaZBd29y/8AS58Iv+CQH7FP/BMv4d65+0V+2l+1XpOp+JNO8O3O paD4m8Q+NZ/2XPgd4Z1a0utIvdDGiaT/AGj/AGxq0xk0vTrZoNd1HV45gm20trX7Y1m/z3Euf4Se DqYBSTlZpRjsnZbrbTz0TTSS1PoOG8hxaxcMx5XFJrWWt0m37t9k7t7aprXe388X7V/7TXxN/Zw8 dfCXwf4D0fwjrGneLvAmqavrEfiW5vn1A3Wg6xpmmqy3drIgWJ0vrjDNbpKXij8vy9kaNwfin9rY p+zj8EvjH48+BHgjxDe/GTxr4i+HmpeE28Sx6XoXhxvD9/4h0yK7iu7ywuUuYZ7rQtphngL7roRI JC8cQ+wPGWg/shfH7S9Dk+LenfBL4jX+hWrR6TL4kuIDq3htLx2vpooQwjmtoNss5mW4Pyy2ztsf 7Od9XW/2Sf2cfE3w38C/CfTrQ6Z4G+Fmp6vr/gXT/DnxPvrq+0O71e71D+1JJL57u6nuzK+s3m0X DXD5vbpRJGscCr+XJNrmitP6sfpzcW2m9f69P60Z8RWfxb/ZL8Q/B3VPjR4m+BesfD/wvonxZg+E mqaVZaRpr+INK1C40rTtUtbkRaXcxW8trINW0+JbjzUPmTFHjRGjmgxda0D4A+MvhP4u+KPwZm8U Snwr4s0vwfqlpqt1rWlW+lXl7f6dJcWM1lqEQYNFZapDKzspVTIsbtH5crQ/W97+wR4GtPg/qXwY 8OeM/jH4Y0LWfipN8VYtb1a707x1rui6idJsNIW0t5bixED2WLZ0jTbJIrx3BjmnV0eDynWf2aB+ zr+zf8UfCum+JvEnj2XxP8TNF8Xvqup+GYoNSTZrPha3khex08FWMSo7TSQRqizQySyI/wC8eSva U9XJ+7bf+tu33ehKi0k1e3b/AC/Dc+FFv7A39zpaXkZv7KI3c+mxzomoWUcqutu8kLK2BuUAf3k/ iXejiKXSNJkkgvpdNtTdvb3CG5ks4RdGSMkbo5vLLlMTrvT5G3u43fvCI0uYNOsr43l7pumafq+w WT313o8Ola6sW22c273TxrIcpBaPIpwT5FvnpHVq5V57Xw3c2WsWFkItR1GbVoJPDcXiSXxFbeXa pDAt1JcRi1aNySjxxSb0yGDHzd+MbPZ/11BJXaTsv16nR+FvEHjTRNQ0m08M/EX4j+GFaa3trS20 
bxvrFrpFtLLL8gOmi7W0aNHkLp5kfzvDbnyVMEHleo6N+1N+0doqz3Fv8X7vXCQWs7Dx34J0nXLK zxBESv8AokNrcEM0TbkkunKhmKNGyQPD5HoTSLrOk3EIERsNTgvpboyxBLaOGeJzMzNhSqB1xv5w 3Q8g1LPyJY1bUJoY7pNQtxcLfTXVm4tRFMl2ls8cEsavCyRfupduECrDuAeNk0p2c1rr/X/B6D55 yirvW+n59f8ALU+0Lb9uf4sadZWMuseBfhh4qg1FriaGa11TWvA9z5MV9HYsSg+1iF4ZbCWSD5Ea RGjBMWUuK9M0n9vjQryCSbxH8HPF8N0sjS31r4J8V6F4os7cy3cayXRivzo4MbzT2rsifvEWPgSe dcB/zsD2Fr4e0EXFimoG98P6va28kupT6f8A2Pdv4k1phdRoIyrlXIZo5d4YJ8ksKO8ZXR4bq5sv Es1rbPdq3hiVjLBGEt223unbkedsr/En8e8b12n50y04w0vp/wAP/X9MLqLUY7f8P/W5+wXh39sr 4GahKkMfjDXtBudRkiK22seB9UImme4txGqyRRTQ5c3MchZYt5mvJURJpGkFeHfEXVf2O/iJ8bfC rfELX/gTD8NdS+BfjO08VeK9Y1bw94K0a21+w8X+C4dAW8v7oQxrqltFeeJpbG3umNzA1xqzrGWk lcfn3qPhu60bU9HS5TfDqWp2UumXF4lsLW+Q2mh3zTxyRSPuT7Rqk9k6yLHIj6dK+CHBXC+IyWFr 4wabwxMgd9X1rS5IPs1/bQWsvyTXEk4uJJ5GlE9nqIglt5oLfyLvHkq4ijTaeIqUoOVNNSW1m09N V/W33mU4wcX7SF9Oiv8AJLv8/V2OP+N58EeAJ7i71H4MeBfHHwvi+ImnjVP2r/2Ufj9cfEnwRofh +bX5o1ude8PW5uoLfWjbO8kbXUtvE2olpIkaXyjb85+0d8etE1n4ffDv9nzwf8Wbq/8Aht4eg0rx lq3x11tLjxB4k1S6vJLG9s9E0Ox023jsribSv7FsEub9mVjNBeoyRSW80Zm+J/hzXfD2neI/E+nX /ijWvGWi+F0gj8V6QX0a6tXvPD1rfpCiWeA+Va0VrbHl3P2NA8OAmzxjwfoHj3wv8P5vt3hXWtW8 XXur3fiWTRvHmt3+jXmnRaraLqCMLu1vleRbhrxZo5JY5p0uS4Jt2keSLnhmea0cO1RSipNJpt3a ae8km1a9nrbv0Z5NeOIrKDp4dKava7tZbt6c0U7pWspLS0nF8nN0fwqu/gdZ6Vpfgvwb4jvZZNG1 +fxrYW19Z3mi6zqsslk8Ecru1uqzyGGZHfexS3Kw/wASQsPorTE8BeE7+z/4ShNA0fTIfFr6rANV vbVAmuX66ncixtmlZmW4l8zUUcFQ9wZJ0SJEmdj534P8FeHXh8N634+8LfEbTr2xum1bU/BOh/Fb TNRgstW0+O90m9tw32W5tVCS214HtLktd23lmOR4cIkfra/C/wDZ78N38XhPWtX+KfhHTfF3xg0T 4k3M2r2/gzxDa3MutFtHtoZ7aO5sriLT1u/7SR5Wit72ZtImkimjkjQ17uAzH2dKDxKUZq20W1pK Lvdav4Xs77pK92m8vrYmnyzT57O6ck021KLV2lfdPa+qvpc/qy/4Iz/FfwbrX7QnxK+GFnfz6r8S PCHw/wDAuofGWY6JrGnadp+q6a/im1sbS2W8tLe2ktki1e3sLSKznmihg0dt8rPcSIPrz/gtvLn4 b/subJzPCPjH4mgSSOWW7gLxeGIzsWZ0csrLCrffd1mUp5svz7Pye/4JIfE79lTWP2hX8Q/DLWfi vrnxc8d+HpL/AMSeJ/G3hLxX4Q+GviXS3MMlydPkmtV0c20dzcRSackN1cvEZbmZBOHmuH/VH/gs 
7d/afhH+yncmbe8vxY8Qi5EcUlv5byeF1RIvJb5XRVWBQy/dWOJt7pcb39ajUpV8O69J6Xs76aqC va99tk9Lq2ibseNi4VaWJVOa1t07czt0vqtXvZ9Xu/4bv23Dc/8ADTetPFdXMH2b4Z+DER7ayWSK 3D6yzhbibhVaXyHS3eQSR2+y/kfyI2IuPzv8UfDOea3s/EehXa+H9Rmu4V02O50i90TS7iT7LaXQ ltrYqJbIsHcurtLbwC1EKSRrawmv0X/bdRT+01qMhtLiQN8KtCv98QEb30On3Ukk9pBOpaaQ7Zwl zbRKdy31puaKK4uTL8bws+oQ6Pc+ItLufENlZ2K2wsdOsli0W/EiaeVbSzD5YubdCboPM8sVpMIZ 5LaGaKe2gj+RzGeIhVlOhFSSbb67X0UXpd9btKy+76OnHFTw9CNBxSsrt7eSS0vf87XTbaPn3WdN HiGHxn4g13V4rmew0a4tW06aEa3f6bc2ljcquZMyPHEbhoQAsUDRSXO547SMSh/9PL9mvTNL0f8A Zz/Z70zRdG0zw/pll8CfB9vY6PpWnJpVnpkR8O6cYoIrcKvlxqqKqLsDkRgY4r/Mx8R6Ha6L4Tvd Q8OfZL+Cfw/fWWpJf2smi2OofZZblFv3sb2AKuqN9kjcBUDywWd9/qjLBn/Sm/Y48G6X4I/Zb/Z4 8L6Bq3irVtCi+Dug6vpcvi7xhe+PdTtE1LT7XUri1j1a9llu3treW7lisoZZHS3tUghjYQpbovrc O06lOtVWnK1pa2lm7ddNLdFffW55WdxqRo041Wm+Z6r0V9Ou+jerT1s9X9HT3VhY2811qWpaXpNk sM0Ju9X1C20yxQ/Z5QqtJK6x5wxyu7olfxJ/s0fDvx34c8WP8QNY8dPDoPh39m7xpaePfDFjqd2N IuPGMFtfW2s+JntonNo91cT3c8guIAs8Fu8aSBEnghj/ALSPih8I/hb8dPAmt/Cz4x+APCvxM+Hn iKMf2v4P8Y6Ums6LcyWxee1naKTlZYpQksU6ukkbKCJEKg1/nC/DT4RXfhj4iWml/sq+MPjRe/Fb TPBmraP4lHwuht28O/b9Gttd07W9a1C7v5I7U6ZJHHLut2LKoacW011uDRducYiOGq0Kk4pu7t1b dtlHr02ersnvrxZfKkqVX2lRwk0lrFd+6u+jutHa7V2tO+8HftyftSfBzVvDr+GNdv8A4r+MfH6+ GPDcfhDxuYPHWtapb6hFu0/T1v4li1Vb6G5hvLS1nknujPHdRySGWSO1MH0JP8Tvgr+0f8RdH+B3 7TH7J9v4l+OHiHxHa+ArX4k/CbSbS3m17Uzb3KRGSe0uYdRgito4XWYGW8tLSW0uI5AFtXmb8tPh TD4m134t/C6/8DXU9h8ZNM8c+C7v4cQ6no9tD4WtrqDVdIs/C15Nkk2tjcXGq6VLIoYqo85QpAjU fYfww1XXNE/aP+GXiS80l4/F+q/tU2nhCXUZZrO5gstMvfiVpUvjGzt5FBecx6xdSWsE0OyBbTXb rO6WUPXl5f8AV8TFSxcXdzXM4xkotNtyWzUW72TnJpOylqz0qmKq0adJRac3BrZ6ztZSb5mnFLVr V2vq2nfi/jZ+xR+zQbD4ra38Cf2ibO38R/CrSvEureJvg54vlt9U8QQ3Hhye9OoWdpPm2u0ijFo8 ETPbXXmN5LG4KSl1/KCv12i0rw5pvxt/aN8Zsq3+vX0P7Rnw605dUjYJY6jp3gz4k6tf6tC3lhFu I7SXwlawHfER59wFhby1aP8AImjHYSlhmnRk3FuSV9bJWcdbLVxkm1bTS+rsvUwmIq101VjaSSv5 vVOyaWia0fW/azZX7ffs4ePvDvif4OeC/iB8VdXtYdQtopPhxMmqvbWdn4yu7DWdX1S1u5YYEiku 
riSHVdM0wW43zvFokYSRsokH4g1+pX/BL/8A4Ki+Mf8AgmL8RPiF8U/DHwb8A/HnxTq/wvvPBvwo 0n4v3k934E+EmuXmq6Vfy+JodOijFxLM9vp1xYyJY3enTPFqDn7WpRAOzIM3hk+LniakHOLi0op2 TlpZvfbXo9/mcOe5VLN8JGhTkozUk1Jq9lqnbVP5XV7bo/p7/YO/4Jv/ALcfx58VeFvjpY/Ax/gp 8A/h1pmueKYvH37ScN98JJvF6ah4V8Q6Kx0DwabGTWblT/aF5GLvVINOt1FzDNCdUjQxv67+wv8A Dr/gnH+zXY/Ev9pn4+fs5+Nv2qPjdq/xFXxR+zn8M9N8Dj4kXPgnT9a0fSL6+K2GoX0HhmGefXl1 KS2vtUkiuraK7lsYQlrC5n/nL/aB/wCC6vx9/bCur64/av8AiB8d/iho+pq4m+FGh+MNN+G37P2n xTyyzz6dH4N0q2trbULJWeKJF8RyatcvDawia6mkUyNp/szfHXxl+2H8UdH+B37K37NXxh+K3xw8 S6fcXGheDfDmp6Rp2nqltEFlutV1ua4gtNM06EC1WbUb3y4IQ8e9jtjRsc04hxuOnPF4iooR5bOz 5YqMW5K+quk2223ddddqy3IsBg6UKVCm5STbTkk3zOKi2k07NpK9kvK12f0l/tI/8FoP+CnXxRiH hv4L/BiT9i/wJfXEWheF7PwH8L7/APae/aWumaS1WwtdJ1F9NfQLS9lhNvZCz0vQ9VdWkk8m+lnW G6t/xT8ZeHvFHiX4h3vxH+MFn8UvF/xmSQ22oeNP2g5PE/i74w+HmSLyH097rxB5up6YkK3Dxtpy i1ig86RPITJAoeIP2xfjj+wH+3Z8efgV8EfFv7PfxNuPAvh61+GHij4/aZda94n1mG6udBW81+Lw Hq8l6h0N4LvWLjSLnUrNLK7vV0ls3cKKkdp5xqX7a/j/AEpPsFv8GPg7PHFYXE8it46+Il34kvy0 8ciS315qes3bJPFFNGLie4inlu7i4e5KxMFt2+bjXxtdxxGEjB0JRi4ycpJyUkndR5drNW1d9XZW Z9HCnh4QnDESkqibTSSaSW6b5ruV0r9EnfU9Vjsry+lWG0sb7U5wTNHb2Wnz31xsVcSOkUau/wDG N5Xn5vxPo2hfAH4iax50kHguDSUQTeY+p/ZLO9kFvHOHU20ZecbHDQ7ZVVw8yptfzE3/AA54T/4K X/Fzwxd/abb4MfCjUItYhkuItI1nxt4ludPuYVESSsS1r8+7zo5ynmFo01C3WdA42j9KP2CPjN+2 d/wUdt9S8QeAvhT4m03wD8OPiz4P8HeMNL+HXh7TNM8EsNU0L4x6vry32qNFE11b2+/4cWM9mLh7 iBY9OmlAae6a47KMpygpVUlPrZ3W+mtl+KX6mEvZu/s5XW+unrpd/hfX7j0DwL+yN4lvDBLd+Lta s1lZIFPh64n8JaTMWCvDF9uuSsrJO0DMuyOJ3W3Rlf5xLD9ZeEPCf7Ntr8A/iN4c8L/FXQ/ih8aZ PAfh74uaPb2nxS1n4tyr4RvfGlhoMPiHSbwTzaQYJ7uSa18yzZHy8sQhWN960P2e/wDgkd+254k1 /wDZ/wDEvxmsfDekaj4E1L4GeNvFln46+LEfjbxJcXXhL4YfE3RvGMgtLP7cE1G11rxTokjXUz/6 Q6XMwleO1iL/AEDqf/BJn4l/sR/sZa98W/iT8SfCkviGw/Yi+Ev7Feq+DvBWg6lLb6dq+jfFWx8R 3fiax1u9MExhabUZlWzubC3k862VmMRWSCLPFWeFqQbtFRd/LR/f/XQvDNxrwaWt127/ANa/M/Me Hwq93c6kZrK50sprd/bQ291qsd39rtbS9ltrO+je3eSHy7uOKC7hiISSOO8hSWKKUSKvmXiDwv4a 
lGni+8N+HtSnghklMd3oVjqV5YtdJaSCPdJGzr5q+W+FK70iif58Jj0vw54a8Q+GdFs9H1Lxz4h8 f6hDfXEkniTxUYoNdm+1TPc21pJHECmy2QpFFLglGjy7kkvXK+LUd20+GN7LT7+4srqCK+uNNN+l vcw280dnLdRoY5riKAxqpjMkbmGIosiHBH517T97UUJ6dGrpdN72drd9T6mcF7OPNFp63Ttf70rX 220PK38P/CnwtcWninxPa+DfBFhpF5ajU/FV5qcXg3StLju7iKFYXvmktoAksluoWNiPMeNPk+f5 /n3446d8OPgp8Jdb+Jd14X1K/HhqaztW0nTvEt7aQahHeXqWUbIxyrYWYT+Zs2OiO6RrvQJ9ZyeH PDXi+7i8L+JPDujeLPC2raraG40bxTpFnrFtemG7RbW4uopUMYkiJTa0SBN8kfzJwieS/F7xt4b8 CfDK98a+JpfJ0KyurGSVY9Ha6vJmuZ7e1tYo7FGcu5uJjsWJFRVEPCbHc+vlter9Yop1ZfErrm0a 7Jbrzv0+ZxYmjG1Ryprlto7a3v1008rfhueD6F4nOu+KPh34Z0nwX4a0rQ5h8R9K1TXL8XerXFhd +FvFuoQaaIb7KxW73sk15K1tKVYBgYnUhPM+vLnwh4R1u2128uPDehajLdeGm867m01Zbm5RrzSJ JBLdQtGGO5Y3/vv5fyONjivmtviNZ6t4ittA/tTXtVsfF9x4nTwPpc3grTdAt/AFj4KvZPD/AIjt Lu/ivHl1H7ZqKPfQSvA5AvHXZbq0ka/WX9sWmmxeIJbjUbTTrmfw9FaSLqd1bRvPHNe6akodd4jd k2xjG/YmQibN5ST2c+k6VClOE2tXqvRvTbr+XzPNy9RlOo5K+n6r+vzPmrxf4L+HPg2yHiT7HaeH La08VabDc6vbaldWunRtPfwiATgkKS8stvGjYfMtyYXQ5Ofl7x/4q8C3Hjq00/Rr2TWr6y+LXjDS 9dltrCa+XRrnS9B8R6hqEFpEY96TpJJaxtIrFhBdTACYF1g+m/iN4t+DvifSh4P8R/Er4Z263vi/ TZnsNY+JtppEszabqdpfwxpILoTeYJ4rQoijCqsZdNquieafFvxT8AH8XeHNY1X4n/ADXYdK+Jsc /iHRtU8b6V4rgkj1PS5PDeoRyackjqIR9pgW4M6SQhbW7eSGOJkuFjJsfTeEftqnNPmbV7yfLorp av0037XKxuFkq0eWPutLVaLZ2v0f3nyd8Vvj/wCJ9N8X3mn+EY7e98B+JND8DeLdOuNQi1KS61KO +8NaW0N/qelRTpbhrf7KESebb5EMfyTySptPj/iT4xfEHXZfC0Vpr7+GT/wgdhpXiG20Xwxa2sk1 3btfJE6vcQSP5LRG4EhMaQLOpS3uLpP3jfQXxv8AAHw7sfHnxU1HxNpelfEfw5p/hPwpoOheHPh1 4qfU9T8IPo/h3R7K5Oq6RHrGnnLNDbPEbcX8ZjXItIZJJJD8keJ76TW/Fnwui1Px/wCGNIuNR+Ds UOo+LfEsdxY6Pd3lhd6wWSdCVd2mvJZoHllVJYpIHyY9k1mPapVqGIT9hOLXl960Wqfe6V93ucFS EqclKUGm9L620v19b/1a0/jn4q/Ea5itL/VPil4yn1DxN+zdZaXrUF74qbWJfFltqdlePq8V0t55 5eSdbWAySxgSLhWLBsNWvY3Vxf8AxZ8LWWs+OL3UNP8AAvjvwCngv4d63e6nr0fiO61f+yf7Zu9A hne9tra5Rms7udZY70TOyBjdRM8M3L+MtQ+FfiDwZ8HfDfhKHWP+FnTfDrR9D8ZXWn66tlomtS3c GoWNhprXN3fy2qziS9015UNnarBBBduJGYeY30Ra2vh74R/HT4Uas+lP8RvGl34q8HP400vxDfWi 
2fwp1iSTw5aXZt7KzhdDdwlza2rXE808JhFwrXm9rl9ZRqRU5QjzPs0tLLpfRK+t731snsZpxld3 /N/hfz/4Nj+gH/gllr/xMh+NXgLwfqHwxm8A+EvBvwvi0/w5rdr4haaG4W9stPuZ7O0cRQRP5Erp C0lrAsJaJkVULrs/ej/grN9of9nr9kQTyLKf+Fp+Ik8yHZ5LRp4XhCeWuWKpIjMWjYIARnZIiLM/ 8yn/AASc/aL+InxI/bN8FeFNR0bwrpHwn1z4b+Ldc+HXk6RNaeM30rR9Y0+y0+bUZheyKGltpsmK SFIiqRlRIXMj/wBNn/BWpUl/Z3/ZAuJY7cyw/FrXFeKVVR7KdfCslu8UAPzBlEkkbmUNIouSi7I3 mSvoclhP+y5+00lzXaXnHbX+lsfM52nHMYXW0bapXXvPfzX9a6n8Tv7cqWg/aV3SPpsU9z8P/CsY a6iknvJZDrNollJEoKNFLEJ9Q+yPG4mnluZ9u37EGHxTBcaXYw2jX3/CM6aiMDeOEj0U3k9rZaBc Wtzb2QUROltJb2qRWsimPzJrVdomjewr7Y/bq8deBdF/aIu9A8QfD7xT4h1mD4c6BrtvrWjfERvD kEaJPfNAG057iK3PlXEduHmCtI4lljJRSpk+IdY8U/BPxFe6n5WlftCWupR+FoWTTtRg8Oahd2en Ld21oktuZRHeS30EzeZBJcySyRySzPGx3CSTx6qbxNTll7zbWzvve2mt+y21vq739/DSf1anzJX5 V5dFrf8ABXeltDyYa7/ZXhnxn4dNxfXi6L4evrW/MNjDcWdjPq0N2JFZAv75J2CzNeW8jBZIbR42 NoWit/8ARY/ZP1vx1rvwN/Z41rWFuvDfg6P4H+EJtD0RoHGrS2a6FYRW0eoPMzlpEV5SdhMoVCjz O7rMv+dnqui+Btb07W9W0G6+KN9c3nhPU9Vi/wCEx1jRZrICLRL/AFNVuIbSNniWNGEsUJKIGubc jY8mxf8AR5/Zq1m18P8AwP8AgJomsaBrWrSaT8FPC+lzahb2LDR5ltNDsIhcW1sxLbH2MyBScY6v 98exkEeatUd3ey79290391lbtseTnmtKkra3aXfaP66f8HRfbFpPBdwxTW00U1vcWz+VIGJiZWid SWOcfxEN67a/h9+BHwt8KeFviXa6vqH7TPw8trNfht40+Dt/oX9v3XhmHxBrWsx63He6xcRXbQIL 6SO5ctN9nmaNYJpHmkt1hEH9u2k6tYaqJDbMwaJHE8EsTRtEDE2AwX5NuQfut/BX8BeofE/4dae/ jrxDb/EO28R3PhnW9V+INvbQ/C3UpklsLi/8TeGoo7qAXAW+e1vJJ4iJYiDFZwfOVR726ee3hKi4 xXN73ROS0Wze3n33s7I5cipRl7WU0rq2/bX+nrtbRlrQ/wBkTwV8NdR+Ffxn+GHxqu7nWfAPjDSr V/AvjPTLDWLCx07S/EtjBpmqJeafdW0kqT28aagwkjeOUwxzbAsVukfY+M/2KP2ltA/aa0P476En wv8AFXgDSPiroPilPCGmeKbzTdQj0Oy8TW3it9K3T2htHnkniub83YmUPPqF1II2D2uzemtvh1rm keMPDuk2PjfxZr3h7w9Hpej6bbaZbXV/qOqt4MfxFpVqLmKWVUuZLSzgtZ57j7PHJO1rGCwuQsnx P8a/2h/iL8HvAHw/8b/C+4+IHhBNe1KXR7vRPiDrOr7LuI6fa3cE+mW0ctqsdupluEmidJF89lzt khLHyqGZYnDQhTpyXLzqdrJe8lZXVnzK17p3TS12R7NXLcNVqSrSj7zi43b6X6J6LWN1ZaX03Z2n xH+Hnxp0L9pH4oXh8BePdA+Euqab8WLTwj8QJ7CTUtAsJ/EXhv4jx6Xqt3cWE10umwT33je4ZzKv 
mJHHacxsXVPw5r7i8Sf8FE/2pvE2jap4fu/GmnWmk6zpV/o2pR2egW8mozQ6jZvZStHqM3mXkMka yNJHJBMjLL8xLZYH4dqcVjJYvWcUpc0paPT3raJWSSjay62snsjTDYWOGXLB3XLGOq1fLfVu7bbv dt21u+oUV+69/wD8Exv2c7O4kWT4h/Gi0t4pC0zX0ek281nEHUKZleyTnBkDhd3lmJz852I/0R+z p/wRU/Zb8ai/+NH7R37TXiP4B/sg/DuRD478aax4t8IR/GP4sanMsFtZ+DPh14TX7RfTahPdTqG1 XULVLaMTW8UFrfs9xJZ+VisZh8HSlWxErJeTu32S3bfRL8jqp2rTVOm02+z6d2+y/wCBuflV/wAE 9f8Agm18ev8Agoh8RtY0XwD/AGT8Nvgh8M9Ll8Y/tG/tUfExzoHwJ/Z48N2cZub/AFTXdYlaO3a5 8hJnttMSVZ7jypHPk20F3d239bngzTv2fv2Rvg34g/ZT/wCCfei694J+DPi2CGL9on9o7xba3Glf tEftoX1napbg6jcNtuNB8KIXvlt/D9skZnF3M7rCLq8XUud8cftF/DHxh8Nfh5+z58J/BHgL9nD9 jn4VTWuo/CL9lbw14n0rXYILyzla8s/FfjrU0mlfXPE88qW1zJcS3F1BbXcSvDPdTrJqNx5fP468 PuZEh17w8zm4WGC3Gr2zXBZ5Noby/M3s5Af+HPC7Fd0+f82zTMcZnc4xnCVOhd2hf4ldWc2tHe2k b2S3u2z7HBYPC4BOTkpVbPW6aXTT0119LXsmfgf+0OmlWH7dvx/t4XttMTRtZ8OppFhH9nisfk8N aStpbWlqYSsYX7MF3RPFJuW0WN/laKfh/iC0awW4kkWbTl1NNHuLFIEhf7HK87pHLJv3+YSrmCaK a0kgS6Uo8ggljvOl/aZuTL+2f8evEENxamxXxdot5BqdmkMsEUa6DoFtePG4JllWW01CeEqTsj+0 5WGZXmWLzvxje3Qu4IUvLS3u7e9e8UWVzHGLIK/k6TeyysAyQbLi0827bzltpNTi2RPiGR/07BRc cDRhb7EP/SUu79fLR21s/l675sVUk7Nc0vXd9fvtp3XXTiCLoagFfyZbuDTbGC8tmMiG2kFzNLMJ JyJGfbG6CKMt5UaQrHF5MbHH9lv/AAaXftPfszfDv9kP9pD4T/FLVtUu/H3iz9tka3o+hab4D17W NPv7HW/hrq2q6PdSXkaPaxxTW/wy+IBCTzK8c2jxRyM01xZpJ/GNZqfPWWxSG2tGvdkFnZx29ja2 NpGrqtrHBCHidY3kceapjaYqZ2CM7xH91v8AggX+0Z/wTs/Zv+D3xm179qj4vfG/4efEjV/j5ovi TwNo3hT4feMvG/g240Dw94J8a+HtNuZ59A0S+j+0u/xS8Ym5tbq52LcWumzRQW8lsJHa9nzKSWq6 /Oz++1/NWZxQknOTejVlt10um3brdv5fL+9XQv8Agqh+x9bL8Lovh94T+Ld9a/Fnxh4Y8C+FZLP4 Xv4KtoX8W/DHxZ8V9HvbuPVJrSVIH0bwXqENwUjkuYr17W3lh/dzNbflb+35/wAFaPhp+0r8PfAv 7Mmi/CTxn8PtO/aF/Z/8C/tP+F/HXxM8X+HtO1lNV1DxJpWtaD4Bg8NWVzdyXGqXek6P4u1Cef7T DbQ/2AscUl19oMlv8YaR/wAFG/8Agh34evfB+o2Hxx/aK8STfDLxFoPifw/5nwP+KEVnHqXhPwH4 m+FdhK8cfhiBN0Wh+IPEdpLEUiiNwobbH5GxfxQ/aq/b6/Yhm/bc+A1t8AfE3jOb9mH4bfAPwD4a 0nxL4y0Txna+I/Aus+C7LxjpVhoM2nalZDVNXFxbPp8xvkjX7S1/NDP9qOxIfEz6vnNHD0I5Jh4V 
pSqwjUUnZKi21Ule6u4qzsr3V7J9PSwccG51Xiqji1FuFtW58ysno9NXr5LbU+7JdKhfWNOtEXXb y71LxLpmias1gumsujQXs0Udzqginkg3wWEQF1MiTLPcRWsn2VbhsQxdBcfs8+A9Z1G2sNW+KPiK 3NhrMWjX6aX4S01ZUF0GureQNPcSBVaOQSKyR7Nls/zjZNn4Z+HP7en7IOrf8Ib8PfBnxL1zxDfa xLa+BtB/t3wx401i71u6vJpLC3N5rF3apJJJNda5DFLc3VyjRiaMzTXZllVfqDSPHltF4ma+vJYH uJTZ6J4kSXyne6jDRS2LXMWxBLKVhiaJj914kSF4URIY+v8AsrKoy5o0knptf5demn4i+vY5t803 bs1+tj9KvgN/wTg/Zm8Ra7Nq/iL4wftE+JLvw/fwQzeHhr/hTwvo8kluVnW5CWugJfbpQzgpHeEq HPAKF6+79G/4IR/8Em/Gfhqy0b4nfC742/Erw/rItzrdp4u/a6+KU+mu1sF+ytJp1hrdtZNsaKCX iAPJJKZE2+Wwk+C/gr8d9PsLTULiZTMx1K2a68ppbyTzgqsroqpuXy8r5beVEv7qRcJs2J+jfgP9 qbTraSztdU07U76wuVCpNZxKdRsGVmlDpLu2t5YndFh38Kfvpvd62oZdgsPK9OklO+7vdW7NvZtK 667mTxVerFxnNtddV56Pz6X67ntVl/wR0/4IteFEKw/sF/BDxRdxi6Z9Q8e6dffES9upLq+jupw9 9qd3dO8ktxdXOx2Y4dJQGVJFMnv3hX9mD/gnF4HuI4/CX7D37KOjCaFLQ3dt8EfC76k0LyQzlRI+ msTHmCKQgyrvktYiodTBI3CaL8S/APiKzW+0zxNp80aQq8ttch7XUbANuRkmtZF3IRhlxjbz0er1 t8RfCMN1EG1NMqGmyGCRjYyrKrurMybdy5dl2/P9/wCXfXZOlTny+0jdb6xvZ+X9LoZc04t2k/6/ q592+Evhd+zm9rGnhX4RfCLSY7Vm22th8O9D037MUkSPYiJbqqnDw5T5XVLiAsq+bHu8d+OevfDf w1c/2RZeFvBb2SWsserSReD9NubSK9S4QrGkrQhWeMw/vhvQRtFGu7fuSqX/AAt3wXofgvVtbvtW jWHSLd7uyhuLSO4WS6YxPpkVvGgLeeZ0ll/eLOkjQPvJ34X4r8W/GWw8T2MEF3ClnPBCBysU0at5 cZeN1Zn/AHbebJI275t1u6O6PsdJajBXSByuuVvQ8B+Oet+CJ9dgkTwr4MZ7i2llmNx4WsLkWLNK bW3SRjDmRvLtpUVfm2+Xs3vvCV+Mv7RHhv4dal4x0rTJvh34Als4rC81Cxt7rwLpM2nW8jTLH57R rCm5lkRk2q8SqLmVePJSF/vHxt490vU9T1a0hngktdOuZLa0ugzmWWOCKQny22srb5IJvK2h9+x9 nXZX5r/GbxAlxqGh3KtuubvRbqRoNuGUvfpHIplbMm1WhbYrb1d4VeL+N6cIxbvZW/r7xSbSb5te n9afmv8APw3xB8Gf2efH1xat4z+Cnwn8RDR4Y9L0aTVvh5pd6dNsre4jaS3tleFZUCqrqkFvEkTe a+yJGSZk5k/srfsqNrsWqH9nn4RW2raHJZwaVqcHhq5MWnzWgRrMiW3mjJERtYkjbcv7iMkFRGsM /oK65DPFJLMUhfyV3bi8rTPCshiRSVY/vNyx7EKRJst92zyvOot9Ys5FUy7beWKORnSSSRDOzlne MT/MUbLr5fyqpdvmfIfZqowjflX9df63M2+bljJ/10/r7yH4OfBn4Mfs9+P9J+IXwY8B6b4A8X6B oWoeFdK1LTr/AFLVrDTLbV5Ir+9hj06aWW0jNx9ltpQ7wRMUineJtjwvN9e/F39oH4kfHbSvBXgH 
4v8AiJPFHh34b6/ca94RsE0Wz8M3mlX97p0sVxD9rhKSSf6JKjOkssaMhba7yp9qr5RstZt7gDcY wyxbvs8kccMWDI0wXdsChS7yu21Sibo22J5KPTrXXLSeEu7fY4xEVcw4+2skIaSKQxhk3MpQFdrJ sdYmREdJjLrSrzjFwhVaT3Sdtdr29Opz1aMJtOdOMn0b1dvW39dNTxP4t/sU/s9fGjxq/jvxZdfE 7TfFltpun6Xc614L+IN54cuFg0plSK2+zNbSxo6te7pmkidohLIzJbBVEvz7p/8AwSb/AGZrO/vL vTvit+0NZzTXd5bPHb+MvCslkA081zcJDZS6E3AuLGK48ssdq2DnzCoNzF96xa3aTW5u1RIZLNDJ bxrdPvgRI2ESOuxmYpJPJMjLsRmVz+5d97yPrts0JumnkdXZrOVBc3CXHlOsSqgkL/6v5m+WRpWb 7HbrlId7vlJqblzS16/Pf7zaM5QioRh7q7bfL+v0Pzrm/wCCSnwYOn3Mdj8e/i5badLpktlaW+ua N4Y1qBbe5tW0yV4z9ntxGqxXFvtSNg0czRttaV0r+i3wT+2Nqngrwb4E8IN8PtJ1mPwb4VsPBlvq 8XjGXRrnUDolnHp7y3ULadJFDLKbOeTyfPYHy2fKKiMPzoOr2sMkSs0ZS5AkunLOILp0VJHkdjGr OyyoZNzq27aqb3TLvKmqWjXEcMl1I0tvkfaVuWcsGijZolLfvWj8tWRf+Wp3bGfa7od6GJq4STdG pZu19E7790/M56+Ho14xjWp+6r236aPZrokfrBpf7e+m2rSx3nwku45YUaW4TSPG8Bly6kQyBHso m2sob5n2Mhi+4n3z+KupfA3XbuN7O3l8BRi/8RNrJMuo69cEHTNRfUrFTAlvJ5l693eRW93cKy3F 0heTYjzNbx+jxeIY1tPtIvbpWuUjjnMl0xSeaRYElMiqqbVbyG3ypKsqJLsRxs3vImrwRyJElxKH tbJHhQokQkYM08lsreUwbzJEd/O2Mnyq+y3+RLesTiquKS+sTule2iW++1uwYWjh8JNzoQaendrT ve/fY+c/FXwe/arvtO+I2m6J8S/g1G2t/C240Twvf6J4Z1TwNr3h/wAWF1W11F7mSS7iFsUkjQtu Lu5Vo4iQS/5WfFP/AIJlft8fEzTtD0rxd8Sfgx4n0nwXpj3nh7T7zx0iXNjPdxQy6lHZyLots2Jp lkPlEFIktEjaVxbLJX7srrELQwIl0k1tdsxaAwxxqEErsIFSRWX5mmmDSFZZebd3leZHUzS+IEka 8d76d7m5vPsjCGVgJPMmMjOC3miNcxbUQIXi2RMjP9yHzcLhoYKiqEakpLXWcryet9Xa73Vrt6W1 7+5nWczzrMqmZVcPTpSm1eFGlGlTjZJaQiowjteySTd2vL+dzTv+CNXx8i+GPxu1/wAU+I9G0z4t +BpPDEnwY+FXh1dN8UaL8eLfVLm+i8TSf8JK+p20ejSaLFHpUkUN1azHU21VlgZFtbiVPBIv+CVX 7eks8VuPgVHHJPIIoTcfFTwVawyOz+WiiR9XVMsfujPzL8y5Xmv6mW1u3Pn/AOkJGXmisGRY5Izs EsFzGIRuynlyQQ7o2chtju8tzM/mRW7LxHarqNltu542fVY7eSRWcz7YZ5Ps8rLu8tXVZolLfeRw jpKnlfPvaOvva/gvw/U811YuCUYu99+9+jV9La206q52OqfFPxoNS1RT8H7UudUnNtbn4pWI3rvZ UWNvs2zaWT5G+4vmLvdB0xJfiBqd1cWuoX3wd+HM95EjRfab74hafNdqkrwsscbS2PnPv3JuBxve MNs/fJv/AJntR8E+CLu9vLq88I+E7ia91a4+3XOpaNBOGnnuZLpo1JVmdyjTzRnlpbaXz0nwXJqp 
4H8GW805PgTwrZybLuGRpfCWm2H2SCWe/RJ2X7OkkhlVrWMrCksO26RY8wo9ybblUTuvd7X/AK1R w/2Yr2jU963bX89tu2rsf0mah4k8P3iKmu/B39ne8cg/aINd8b6FqdkjqYyyF5NPG9CYERHVEWQE u6RnckfI6ivwVltbltS+D/7EEObaZxe6pqHhG7jRlV5UmZ20xUEQkVS5TO6QZ/jfZ/PPF4M8Du89 mngvwk0RW1Lw/wDCNWMMAN3dLE0TzmJIC+61iyQpWISW5eCPz4EtjS/DHhrT0trmw8JeGrWe6liB m0bw5Y288kpjjitpI0l8sxs6vOHEnk+Q97Pbs8yJPcQ4unQcW5wXTeKt3+Xf73ddbjgZxXu1Xb+t NG/8vzP0W8SfsYfsw6z4/wDFPxI1H47/ALPfg268Rz29zP4d8E/EzQPh34B0mOyso9NijsNKtvMt 7eCBEgn8sicSzzPgpmNo+Rvv2TP2FbiW7a9/a3+DtxqckrSvHa/tw6J4MtdNu1t47eS6NudJu4Gu mdkkcvFIrtA2/wA7fI6/HKJpjb9Qk07TGuDZme7a2h3B0tXknaOQYN1JGCb+4EeyZ3S6RNjpcTRT 6EYlQW0J8yWaX/j3KW8d+Lt0kjkAR0mjDzFpYYXit5ZpfPnjxJJBakyaprZx0+a18/Te76adNemn CStBT09Ft/Xft1sfX+l/sgf8E0opbSTxN+1xb20MTJJdLoH/AAUX8G+IVl2/ZlKGM+F4HZCYpSxV 4nYXchXy8RrD9efAzQv+CTvwA8H6roHh749+C/iBqOs+Ip9etG+IPxy0Dxdq893cxWsY0y11K2sb eNbVPKt5GVomlEshcmR1RJPyBW6iZpZRNmdbMSmyjZ/KnRkure2LRKEhP2si7xO6RiRrKF5o0+zP bQSmYyQzSpqSPb2q3TTX2+GSO2SJmsb2OeJ1xgzQyJKLx1QLHI8iwSMl1FE+Vpxa0/r+l92mxVSl 7Sm4zd43WjVr9u/yv6n7RTftFf8ABOqOBpI1/Z3MccgLXEHx/ikBlEJWITTW+jz7GC2sqgur/u1W T5/JTyPJ/EesfsIa58S9J+IkeqeDLTWtA1fQpF0LR/jFrbaBLLoNh4rs7S1kjTwVNcbLyPxtqEt4 guIyW03Ttjwjz/M/Llo7+RIrGG5W21K3immskF0l4Ybx7WeGKzleXZNMiSOklx+8ikkezZpJGjmK T5zLDcwEWskUWmym785NSWKeadob4GWOVJHWPZ9onmgntWEM8dtfeUjafJBNayNUqV/divWy/wAv 872b0sYRy+gm3CyWq0S2d9L9N1pZu6e+h+umr/tGfsVz6fLa6Lq/gzTNXvdMW48O+IdA8Q/EDW7z TJGtJXtdW0+ebwfPYSPalopY/OhngRri0jlgfz4IrniLf4q/sbW1xc6xN+2X+0Ld3eu2FvPqGmJ8 BbTULPTJLeTzQ8Uf/CE2s6hZ450826jYSyGONo8r5b/mnP8A2jLEFiQm+t0czSzxvd6kim6liZQ4 eNmKSmRid8Tr9of95B50t/aSPJm2h8oXckUssEwit/NDPM7NZxoJGEbMqm4sxFMohieO58x2EKGe MhRhG7UV56fl+He9uhNPAUYNQhKShvaOl9b6PZeenXe10fsBof7c/wCzP4bjW20X45/E3U3RRcyy ax+yJ4ruo50ZHdROIfsyrHK8iriFVctevsCNL5ieyWX/AAVf+GOiw+XYePJb1dl0Um1P9jTxp9sc WEayzM0qeKIo2K4VVZUCu8TrEJZS6P8AgXevLHHe3T3l7a/aGvbS2jWGJg92Zbm3sp8SAoknnRRG BJGws19DbvHcZs1tJdShM7TQRSeW3mpGjRTtFcPBDJYR3KxzqHuQT58MYkUGSOO7WaBYZYYFanCL 
------=_NextPart_000_0020_01C198F3.29CF2240 Content-Type: application/octet-stream; name="logocw_em" Content-Transfer-Encoding: base64 Content-ID: <001a01c19903$e16db6e0$e8cacfc8@mshome.net>
------=_NextPart_000_0020_01C198F3.29CF2240 Content-Type: application/octet-stream; name="fig002" Content-Transfer-Encoding: base64 Content-ID: <001b01c19903$e16db6e0$e8cacfc8@mshome.net>
W1nqWnwQmWLU9OlkmjBjSSN9CuwzgOiJ8s+J/h9r2ixzkSarNYQgPa6mhS61mySBWOZmwpulBM08 kI3Ltn+QqVQyfav7Blhofxn+BvjD4P8AiC81uOfQvF2m+LPDt5pWo21n4i0W7snmiM2mS3EU8OZY NXuLSSKWLa9vPOq4PzD9D/Dn/BMWDx54dTXPDX7QPxT8Manb3kp1PTfF3wQ0n4jaBcABiqJNpE+m 3MbhnYF98gQROCpJAXysbnWX4GosHmDahZNe45pJtPSUYySd4pN2s7Wfu3vVSNZVHOnJKKa6tX+T WiS67q7a1ufzl+B/HnxC+C3jvSPH/wAONT/4RLxHHbzrcxGRbXRNXt/PKXFvNa3G1ZbO4EcbG1nG 9TGHCR7YXH9Cv7M37RFp+0h4Hu9dvPD0vhXxj4bvLbRvG3h4f6Tokdxd25ubW5024OSYLhA7+RKf NgZTG5kxHcTYXij/AIJtfGqzuAmhfGn9m/xXp7ktI/jrTfFXwW1CzAICyiOax1VXPK4JkQIRysmR t43wL8H/ANp79l/Wdeh0j4dfDH4meG9W1uzl8Y6L8OPitpks6yQFbWDUbDUNQTTjHJFDO8Zt5IJ4 ZUWEBrYIz1WB4kyT2kVTxcVTenLK6d+/vcrurfy3fc48VQliYXUP3i0TWumn3rzf36s+y/FvxA0H 4SeHLr4heItYn0Ow8LTW93Bd2VtJqGpT6i0yJYWtlaJ+8nnuZ3WJIOC4Z1JEYeSvVP2bP+Cn/wAE /i38R/D3w603R/i58Ovij4u1uDw/4I8K+IdD0NrDxg9xlrlptTfU1061t7aFZ57q3upHujGiJaWt 9cSxW0nw/wD8FKP2W/jz4r8D6D4d8DLpes678NPHFx4ll0nwvrUWraV49MdultDcaBqShI5bix3X ZFnN5Vw63ThI/MWKKb8MbfxppHiW5uvBnxP8NyaNrVpriaDPbXdtcf2tZXMUlxFLHdwOFnhmTyYb WR1/eiQkvsUbV+rlj6lGovq7XK+yvdaK6avr+VrtPZebQy2hiaLlXT5r69GtVZpX1XVxaV+jW5/o F6td6D4e8VXfgr4g3OnaZd+LfDN1H4UhsdRh1v4feMLbbJAk9tayr59vdLcKqeRfKVG2UWr/ACSL X89fxauvElz+138VPizremadZaPrvwT074YeCL9NZtNS+3R2Guy3l7bWMMbM6WsMIssmXaHzbvli 7Knxd8Hf28/ix8OxZeHP2gLnXPjV4EazstM034lmY6r8Q/COm2tobSJLlcs+qWcEgDbLhhdwRXe4 XF0Q1un0bqXxJ0b4kWkPjXwxq1v4h8Na3CI9Bv8AT5c20sSs25JFKqYpGYp5sMwSaEhUdI33pWmK xSxUYx5ndO/5797X23Wz10MMLl6wbcqNnCStzLbvp2bsr3XYz/EGp3viHWZL/VJxqeqCysrG912+ tbe68SXlvZLdDTrW51N0+0ypEbq4wk0jgF1OBtUp1ngfwdc+NvEWmeGLdpobeUPc6zfQfLJpdhEV NzPG2co8geOGMYwJrhOBseuIs4hbQyXE8gjIWWeWdwoWMkBpJCmAQFwuSfQ5Ar7x+DHgVvCPhcXu p2og8R+KBDqOpwSR7ZtMtQrNYaex/h8tS8sq8/vbhumxMc8IOrNJvTeX5W/pnTiJqEFDq/z/AOAe s29tbWVrbWNjbx2VjZQR2FlZ26lILWGGNY4o41PRERF+gGPp4l4y1bTfH3xd+Gn7O1z4U+Kfivwv 4g8Q6NrPxruPhx8MNV+IWiaZpl3fSr4W8MeKLq1hlg02w8T6lptxDdvNu36Xpd/EUSK7WeL0/wAX +KrLwV4d1LxJf2F9q32H7Na6Z4f0eAS654p1K/uYbDSNG02Pcoe8v726s7OBCyqXuk3Mqqz10kuv 
az+xn+zxe69qeq6ZqP7QHxB1Oe91+/0qQ3Wi+LfHWuWkcd3FDHKVNxoGiWVrb2kFvOrZ0zw/bI0c kkrb/O4jzSOAwyoQV6k7pJOzS6u9nbstO3kZ4Oi6k/aNaL8/+Bv6vbt4N+098RtV/aL+P/hz9kD4 SXlr4h8QeGtUTX/iRpNtu86y1RLT+0Pt2sQKyPBpuhWTtcTtOvlyahqFtBEwu4YYpfyG/bU+GWre J/2jPB37Gvw8vZ9R8TprUK/EXVJUUDS5EsTqbxyZlSOQadp32jU7uCPARri3jB82PaP2duP+Cp/x F/Zc/Yvg8RfFn4n2/wAZP2nPjlZ3PiD9nHw/4j8MaBZp8IPAQjh0qw8deJm0+0iV9Ov57aXWbCzd FfUZdRsLOCDaly0f0t/wSA/4JBeMLLw/qvxP+KK63qH7Rv7QmmJ4z+Js3jLT3uvGXwX8Jz3TakLL WLi5zdy+J9duJ1uNRiuZBILyO3txCn2C7ZvMy7B4TLsFLE13ZNKc5O3upq6Wi+KWm9m9FbdLtlXl Sm5ySUU3GKf2pdZLRWS9LXW/U/H/AE/4PWfw48N3BjsJbbS7DTILXSLS5aWGSDTdNi+zW0SyMRva Rw6s4OWDKTIf4/mH4waPPqvgCLwo+g2GvWd6we+fVYWGmpNCqk+RMMNHM8rLmSBlaNBKN6CTen7K ft/fAXwD4H/apP7FXwR+OHxZ0T4r+PPHGk3/AI08O+LdOsvjb8Ffhvfa7Jca7eafa6rczx67omsW WhW1zr8ejFbjSI4LazhuLa1e+WevVv8Agoj4I/ZC/Zg/ZX8NX+iqtv4hGmwfCn4D+B765fVvEnj/ AFa3tV87UNVuhuk8i0RpNV1jUp8qpdgJmnu4IpMcsw081r1s4qN+xTbjdWu7e6mn2Vn1TdmjWeNj h40qMItylrt5b+l7/Lrbf+Z34S/CjTdT1Hwn8PYND0vQl8balFcfEX7NcXM1lpujafAb/wASzS3E rPciJNPt7+CHMhVLi9t41Ied5T8qftZfEaP4pfHXxv4pgWJbZ9RksrQRuJPLijkkZIiQAP3W8xAA kBYl6cgfa/ibxanwQ+At/wCLbu+W7+JXxz8Oxaf4SN9DFFqOl+EpUF9FfyqAvlz6/cWyX0sW5F+x WenIIhJI8Z/JuWSSaSSaV3klldpJJHYu7sxJZmY5JJJJJJyc16eIqPSEXZWtbyv+jVt76ep34dS5 XKerb89/R+Wl9mn5XGUUUVyHQFFFFABRRRQAUUUUAFFFFABU1vcTWsqzQSGORQVyMEMrAqysp4ZW BIZSCGBIIIJFQ0Ud1/WoHuXgX9pD40fDmMxeFfH/AIj06HyyvkR6g3lzMWUqZ25kcKAQoDqVwvO1 dh1fFf7Vfx88ZoItc+JHiK5gEYj8h715owACo2hy20bTtwuBgdOAa+eKK1VaaTjpayWy6K29rp+a 1b1eorLe39f0ia4uJruaS4uJDLPKQ0srAeZK2AC7nuxxlmOSxJJJJJMNFFZDPXvhH8ZfE3we1wa3 oBM7MEjubSW4aOC6iRndYWOCVAeR2DR7WBduSCQf1D+Gn/BW7xF4It1gi034h6E9yqR3kfh74lav Loys3lrJL9gurqez4AdvltQW9ASWr8XqKmcKVSKjVgpLzV/zJcU7X/rqf0feGf8AgszZ2hkW+8e+ PlEkbKbfXPCPhzxRYqVKkktDpNhcHIZ1GJyxCc9QDxfxF/4Ka+B4rGbUdDl0LW9cn882mow+BDp0 +mXNxBLGkxK3l5EAfMZlVgjgRttUYIr+fWisXgcv3hRSle6a79NLbr+kSqVNOLtqj9Zf2d/+Ck3j DQPGmoWfxOuLi78H+K72M6pCb2SW2iK3IkhlkLKxEkWVImGB8rAhUZhX6WfGv9mT9nj9uHwdB440 
jV4tB8b2sKDT/ib4YtoJdctMxPHDZeI7DK/bLdT5O12kWZTCvk3Sxs0L/wAt1fTv7PX7VPxK/Z+8 RWF/oWr3d1oKzhNS0W4lNzDLbsuyWJI3JjKMApaJwVcJjK7i1evRxMXF06iTT3T2fo/sv716Ws8K mFTl7WEmprVNdPLzT+9emh1Pj3wr8V/2V/GV54G+K2n299p2sSz6lDrelXMmseGvFEasnmyaZMyx hW3L5ckckcUsfmpvjjyjH1r9mPxN4f8ACd/LrOqahII/GksenRaL4eAj8L+CIBczxi/v4VdFuXea FLVblIneKGzupGkaENI36C+OPHHwf+KfwutPiXe3Hh698AeMLyHT/FHhLxUUu18Paktuk9tBa7ir Sw3CRyfZWTFxDcGaIuzNG4/ETX9X8Q+CvGmrpqPhrUvB1tqN419ounXtk9tNDpsXnWWnxRPJ5iz2 0cURiWYGZXeAOzXG1kk09oqMVBSfs+l1dqzWj0elrpbu2i02whGU3Ubjars9dG0209VdNtu/Vdnd 3/avSPjP8LtP8VaN9m1TQvHUWlalFe6tpOkavDqemwpbudkd3cxuykl448wfMzlcONr/AD/qL4G+ Inhb4kacNV8Oagt3IwEl5YTMo1O2LglxJDjDKSp+Zfk5r+TGLxPqmoprXjc6j/YNlp8C6daajo+l Ri+16aNDbrd3UcgPnCQyrGiyFmjyVE0eJXl+xfh38YPiZ4Lv7Czkl1XwH4j1OEWvh7xXYSxavpWk ztaJI0sxEaqtxat50nkzx+TKbQrGZYypXpw+NtKV3eK9UtEurWtr9L6p9Uc+Jy/ngm3qu+vy9f01 P6K/hF4Y/wCFr/FxvHl7CD8Pv2ffEV74f8EG6RfsHi7x/JYtY6zr0M+/a9r4bstQ1DR4ySwOq6nr G9I5dMhdvzs/aV/aQ8OfGr47nQtF17QtXGlXcXw2+CngJ9btLDUfGFxqFzbwy3URneGCOfXL82kc bT3AjisrexkkaEtcLTf2jP26NL+Df7G3h34SfDPSofDmqeKJLT4X2ninSrtpZ9E8OXUV3ca7rDxy ebJcareZm8y4dnaWbU7q4lYyMEl/B34jfETQzokvhXwo8Wp22qhLzUdRuI3uRGJCJ2y8wMkl1LIx llmf5kYgZMm4x/Hxof2viqmZ4yTUU7QitNE9G32/zfkb4fDzo8sLevVfLtrr5rS2p/W5/wAE7/8A glnqvgz4haT8c/2k9UsPjV+0po2rweJLa3M11rHw1+FWqWkYttN1rUb64BOp6xp9ssMdhGI47LSz GWsbZ5Ujvk/ar9qz/gpRZ/8ABOz4St4U+F8em+LP2rfi1aXFx8MfDupqbyG2y32O98d+MbJNyf2J o4lZrOFnie9vY4bKKQefc3Uf87vwo/4Ki/tE/s6fsYfDX4S6F4W8M2/jP4c/DKWXxl8cvjD4p1D4 qa3pbh7nU5pIvC8cFvDeT20c4sLf7XqJWJbOAbLsKIm/B/40/HvUviPr3iT44ePvHvjDxn408c3o 1G28Sah4ruG8beI7iJSIJJb63eIwR23mMi20CQWdihMFtawII7caYp4nPqkqGlLC022kndzfRyaS vrqlayWmisznjhZqsquIfPJ6JLVW7Lsu/Vn11d/F/wAfeEPjLpHxV8H+KX1n4leEvH2tfEbX/GXj W0Pit/iN4t8TRatD4n1XXoo5YXuZ7v8AtrVN7RT2winu5SjCKKJBn+JvFvin4u6/q/7TX7UXjK68 a+ENJ87T7ez1OKLSNC8cvZEiPwb4W0yNhb2Ph+zuUim1WaIv9pmhNrLNd3E13La+WeANG8PeE/gJ 4O+Nf7SHi9NZj8YwX+peFvhHpGm3Og614m0+2unsrS98S6wcMtvdzQXRitdNhE1zDHDK14BK8bfD 
vxy/aB8WfGjVIkvPsejeEdIgh07wx4U0W1XS9F0Sxto1is7OG1TEUUUCKFjgiURx843nMjezTlDC 4WOGw8ny66dG+ra7vfXvpsehClJ13UqwV1onq3btstPne90tFd5Hxy+NHiX42+PdZ8Y67dTN9umk S2gyIkSAyKyJ5a4VVAihCxj5UWGNRwi48YoorCUuaTlY69Oi+7QKKKKkAooooAKKKKACiiigAooo oAKKKKACiiigAooooAKKKKACiiigAooooA9y+E3x28SfC2DU9H+xaV4s8HaxF5er+CfE9hHq/h/V lMiu0ckUu5EGQJA3luVkiUqEYmQfTf8AwvX9kX4j2P8AZvxT+B/iLTLu20M+HvD/AIi8P/EvxMX8 F25LtF/ZGn3F9e2UMVuzySJZi2FuWO0RAOWj/PKitVVlyqD+Ht/XXt2IlBPVaPv/AF6v72feXgq1 /Yl8L2Oh3uu/FD4+a74l0y6e9sr3RtD0PRtCs/OQoTFpN3a6j5UsbqzNM0zMCqPHESqSH1Kf4r/s gEEN8Tv2lJVAVgv2bwm4LKwcHB8ODoVXGcYPfrX5d0Vo68IwUKSkkv71159Ov3+YnTUneW/ofpn4 qtf2LvjH4Om0HRviZ8VvC/xE0x5G8E+KviHqek3Pg8ySrEX02+0Ow0uzMcczxjdqFr5s6vJudLpI 0iXN+C3wY/Z1+EmrHxj8ffjPp+reI9KvI7zwN4a+F62+saIJEBIv9UudSjg3+W+PLtoI8q6RySSb cRP+bwODkcEcgjqKKwtRcWnFtO99e63ukurbffZW3Lak9n/X5/joft/4z8Q/s3/HXwV4i+HGg/tG ar4Q1XX7VDbX+r+CLTVdPnMFyk8dte/ZL9ZooZpYYhLNDFKyq6nyZDmN/gfwx+yxc+GPE76x8bvE vg7Qvhd4YvxfapfaF4xsdev/AIhWsEkhFpoi2826M3flJH596bY26XauY3kUW7/HFSCaZcBZZFAD KMORw6lXH4gkH1BxSoU8NRi0o2/G713d1b8demoRXLG3+f8AwT3j9oX403Hxl8ZnULO2TRvCGh2k OheD/DVkn2XSdF0+zhS1s4La3HEccUEUMMa9QkQJAZnz4HRRTlJzfNLf/L+v8wSS0S0CiiipGFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUU AFFFFABRRRQAUUUUAf/Z ------=_NextPart_000_0020_01C198F3.29CF2240-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 26 19:56:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from ness.plymouth.edu (ness.plymouth.edu [158.136.1.140]) by hub.freebsd.org (Postfix) with ESMTP id 2335537B417; Tue, 26 Feb 2002 19:56:11 -0800 (PST) Received: (from ted@localhost) by ness.plymouth.edu (8.11.6/8.10.0) id g1R3u5u25254; Tue, 26 Feb 2002 22:56:05 -0500 (EST) From: Ted Wisniewski Message-Id: <200202270356.g1R3u5u25254@ness.plymouth.edu> Subject: PAM & LDAP - Pointer anyone? 
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Date: Tue, 26 Feb 2002 22:56:05 -0500 (EST) X-Mailer: ELM [version 2.4ME+ PL88 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I was wondering... Has anyone done this successfully?

I have FreeBSD 4.5, OpenLdap 2.0.23 & pam_ldap-137

I have LDAP running, and configured where I can successfully Authenticate FTP sessions. However, when I try to authenticate any other service - no go.

I am specifically interested in: ssh, telnet, pop3, imap

Since I have been able to do "ftp" I must be doing something correctly.

pam.conf entry (for telnetd):

# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd auth required pam_ldap.so try_first_pass

I also have ftpd:

ftpd auth sufficient pam_skey.so
ftpd auth requisite pam_cleartext_pass_ok.so
ftpd auth sufficient pam_ldap.so try_first_pass

Perhaps I am missing something obvious? If someone has done this and can point me in the right direction, it would be much appreciated.
Thanks,
Ted
--
| Ted Wisniewski INET: ted@mail.plymouth.edu |
| Information Technology Services ted@wiz.plymouth.edu |
| Plymouth State College tedw@tigger.plymouth.edu |
| Plymouth NH, 03264 HTTP: http://oz.plymouth.edu/~ted/ |
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Feb 26 21: 7:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from kryptos.mud.pl (201-moc-7.acn.waw.pl [212.76.58.201]) by hub.freebsd.org (Postfix) with ESMTP id 3AD9E37B400; Tue, 26 Feb 2002 21:07:31 -0800 (PST) Received: from localhost (wtp@localhost) by kryptos.mud.pl (8.11.6/8.11.6) with ESMTP id g1R57QW00806; Wed, 27 Feb 2002 06:07:26 +0100 (CET) (envelope-from wtp@mud.pl) X-Authentication-Warning: kryptos.mud.pl: wtp owned process doing -bs Date: Wed, 27 Feb 2002 06:07:25 +0100 (CET) From: Krzysztof Stryjek Reply-To: wtp@mud.pl To: Ted Wisniewski Cc: freebsd-questions@FreeBSD.ORG, Subject: Re: PAM & LDAP - Pointer anyone? In-Reply-To: <200202270356.g1R3u5u25254@ness.plymouth.edu> Message-ID: <20020227060530.O501-100000@kryptos.mud.pl> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello,

On Tue, 26 Feb 2002, Ted Wisniewski wrote:
> I have LDAP running, and configured where I can successfully Authenticate
> FTP sessions. However, when I try to authenticate any other
> service - no go.
>
> I am specifically interested in:
>
> ssh, telnet, pop3, imap
>

So you have to edit pam.conf and enable pam_ldap.so for sshd, imapd, pop3d, etc.

Greetings
--
/~\ The ASCII Krzysztof Stryjek \ / Ribbon Campaign X Against HTML wtp@mud.pl / \ Email!
ICQ: 124986907 http://mud.pl/~wtp/ The meta-Turing test counts a thing as intelligent if it seeks to devise and apply Turing tests to objects of its own creation. -- Lew Mammel, Jr. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 26 22:54:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from pivsbh1.ms.com (pivsbh1-x0.ms.com [199.89.64.101]) by hub.freebsd.org (Postfix) with ESMTP id 6A44037B400 for ; Tue, 26 Feb 2002 22:54:48 -0800 (PST) Received: from pivsbh1-idmz.ms.com (localhost [127.0.0.1]) by pivsbh1.ms.com (Postfix) with SMTP id 9ECF220E99 for ; Wed, 27 Feb 2002 01:54:47 -0500 (EST) Received: from morganstanley.com (unknown [172.19.97.161]) by pivsbh1-idmz.ms.com (Postfix) with ESMTP id 7521720DAE for ; Wed, 27 Feb 2002 01:54:46 -0500 (EST) Message-ID: <3C7C82B4.A2190AB@morganstanley.com> Date: Wed, 27 Feb 2002 14:54:44 +0800 From: Victor Tayer Reply-To: Victor.Tayer@morganstanley.com Organization: Morgan Stanley X-Mailer: Mozilla 4.76 [en]C-CCK-MCD MS4.76 V20001206.2 (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Mbuf cluster allocation failed Error Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org yup i agree. had that error also when i was still working for an isp. that server was used as a transparent proxy with a more than thousand subs. all i did was recompiled the kernel to support NMBCLUSTERS=65536 (max) at first then trimmed it down so i would not be raping my box very hard. 
:P

victor "jett" tayer

Mipam wrote:
> On Mon, Feb 25, 2002 at 04:19:43PM +0100, Alberto Manzoni wrote:
> > This is the output of "netstat -m"
> >
> > 502/1088/34816 mbufs in use (current/peak/max):
> > 326 mbufs allocated to data
> > 176 mbufs allocated to packet headers
> > 324/756/8704 mbuf clusters in use (current/peak/max)
> > 1784 Kbytes allocated to network (6% of mb_map in use)
> > 0 requests for memory denied
> > 0 requests for memory delayed
> > 0 calls to protocol drain routines
>
> Hmm you could recompile your kernel and add
> options NMBCLUSTERS=[high value] in it to cope with this
> problem.
> Bye,
>
> Mipam.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Feb 26 23: 0:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from pivsbh1.ms.com (pivsbh1-x0.ms.com [199.89.64.101]) by hub.freebsd.org (Postfix) with ESMTP id 11EBE37B400 for ; Tue, 26 Feb 2002 23:00:48 -0800 (PST) Received: from pivsbh1-idmz.ms.com (localhost [127.0.0.1]) by pivsbh1.ms.com (Postfix) with SMTP id 9BB5C2112D; Wed, 27 Feb 2002 02:00:47 -0500 (EST) Received: from morganstanley.com (unknown [172.19.97.161]) by pivsbh1-idmz.ms.com (Postfix) with ESMTP id 08D3420FD6; Wed, 27 Feb 2002 02:00:46 -0500 (EST) Message-ID: <3C7C841B.62C4A004@morganstanley.com> Date: Wed, 27 Feb 2002 15:00:44 +0800 From: Victor Tayer Reply-To: Victor.Tayer@morganstanley.com Organization: Morgan Stanley X-Mailer: Mozilla 4.76 [en]C-CCK-MCD MS4.76 V20001206.2 (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: Bart Matthaei Cc: Miguel Mendez , security@freebsd.org Subject: Re: login problem References: <20020226220434.E62131@heresy.dreamflow.nl>
<20020226221228.A10897@energyhq.homeip.net> <20020226221512.F62131@heresy.dreamflow.nl> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

i think booting the server in single-user mode will do the job

jett tayer

Bart Matthaei wrote:
> On Tue, Feb 26, 2002 at 10:12:28PM +0100, Miguel Mendez wrote:
> > Hello? password-less as in 'please hack me?'
> >
> > No, it's actually *disabled*. Check your /etc/master.passwd
> >
> > toor:*:0:0::0:0:Bourne-again Superuser:/root:
>
> That's what I meant.
>
> "It hasn't got a password" isn't "It has an empty password".
>
> But sorry if it came out wrong.
>
> Anyway, "It hasn't got a password" , so you can't log in with it.
>
> Regards,
>
> Bart
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> Kiss me twice. I'm schizophrenic.
>
> ------------------------------------------------------------------------
> Part 1.2Type: application/pgp-signature

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Wed Feb 27 0:25:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id 62F8D37B405 for ; Wed, 27 Feb 2002 00:25:48 -0800 (PST) Received: (from anthony@localhost) by slc.edu (8.11.1/8.11.1) id g1R8UtL34753; Wed, 27 Feb 2002 03:30:55 -0500 (EST) (envelope-from anthony) Date: Wed, 27 Feb 2002 03:30:55 -0500 From: Anthony Schneider To: Victor Tayer Cc: Bart Matthaei , Miguel Mendez , security@FreeBSD.ORG Subject: Re: login problem Message-ID: <20020227033055.A34699@mail.slc.edu> References: <20020226220434.E62131@heresy.dreamflow.nl> <20020226221228.A10897@energyhq.homeip.net> <20020226221512.F62131@heresy.dreamflow.nl> <3C7C841B.62C4A004@morganstanley.com>
Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="VbJkn9YxBvnuCH5J" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3C7C841B.62C4A004@morganstanley.com>; from Victor.Tayer@morganstanley.com on Wed, Feb 27, 2002 at 03:00:44PM +0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
--VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

...assuming you have console set to secure in /etc/ttys...

-Anthony.

On Wed, Feb 27, 2002 at 03:00:44PM +0800, Victor Tayer wrote:
> i think booting the server in single-user mode will do the job
>
> jett tayer
>
> Bart Matthaei wrote:
>
> > On Tue, Feb 26, 2002 at 10:12:28PM +0100, Miguel Mendez wrote:
> > > Hello? password-less as in 'please hack me?'
> > >
> > > No, it's actually *disabled*. Check your /etc/master.passwd
> > >
> > > toor:*:0:0::0:0:Bourne-again Superuser:/root:
> >
> > That's what I meant.
> >
> > "It hasn't got a password" isn't "It has an empty password".
> >
> > But sorry if it came out wrong.
> >
> > Anyway, "It hasn't got a password" , so you can't log in with it.
> >
> > Regards,
> >
> > Bart
> >
> > --
> > Bart Matthaei bart@dreamflow.nl
> >
> > Kiss me twice. I'm schizophrenic.
> >
> > ------------------------------------------------------------------------
> > Part 1.2Type: application/pgp-signature
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--VbJkn9YxBvnuCH5J Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjx8mT4ACgkQ+rDjkNht5F2TxgCeMXeIFj2BBses8MyVtMvV7rIX ddIAnRPHAbpDxdhlBzwk4qmHpY+pB8Kd =hRix -----END PGP SIGNATURE----- --VbJkn9YxBvnuCH5J--
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Wed Feb 27 2:14: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from amsfep12-int.chello.nl (amsfep12-int.chello.nl [213.46.243.17]) by hub.freebsd.org (Postfix) with ESMTP id 1526C37B400 for ; Wed, 27 Feb 2002 02:13:57 -0800 (PST) Received: from hict.nl ([213.46.122.205]) by amsfep12-int.chello.nl (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with ESMTP id <20020227101356.JHGZ2595.amsfep12-int.chello.nl@hict.nl> for ; Wed, 27 Feb 2002 11:13:56 +0100 Message-ID: <3C7CB173.5F5A9837@hict.nl> Date: Wed, 27 Feb 2002 11:14:11 +0100 From: Geert Houben X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: best firewall option for FreeBSD Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi all,

I have to build a firewall for our University with 2 NIC's. One connected to internet and the second connected to the network. The e-mail is running on M$ Exchange, but these servers are placed outside of the network.
With the firewall we would like to increase the security, but also make it impossible for internal users to use anything else but http, https, ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use Morpheus, Kazaa, Napster etc.

What firewall software (Opensource) would you advise? Or do I have to choose another OS?

Best regards,
Geert Houben
--
http://www.hict.nl
e-mail: g.houben@hict.nl
tel: +31(0)26 321 4177
fax: +31(0)26 321 4267
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Wed Feb 27 2:28:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from kumquat.mail.uk.easynet.net (kumquat.mail.uk.easynet.net [195.40.1.42]) by hub.freebsd.org (Postfix) with ESMTP id D9E5337B41A for ; Wed, 27 Feb 2002 02:28:25 -0800 (PST) Received: from magrat.office.easynet.net ([195.40.3.130]) by kumquat.mail.uk.easynet.net with esmtp (Exim 3.33 #1) id 16g1Ji-0007XW-00; Wed, 27 Feb 2002 10:28:10 +0000 Received: by MAGRAT with Internet Mail Service (5.5.2653.19) id <16H95AZ5>; Wed, 27 Feb 2002 10:28:10 -0000 Message-ID: <7052044C7D7AD511A20200508B5A9C58516C2E@MAGRAT> From: Lee Brotherston To: 'Geert Houben' , freebsd-security@freebsd.org Subject: RE: best firewall option for FreeBSD Date: Wed, 27 Feb 2002 10:28:09 -0000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

| What firewall software (Opensource) would you advise? Or do I have to
| choose another OS?

Personally I would favour using either ipf (ipfilters) or ipfw. Both are compiled into the kernel or can be loaded as modules.
ipfw is probably easier to use for a newcomer, as the rule ordering is easier to understand, however ipf has some really good features, especially if you are using nat (it can do nat in the kernel using ipnat afaik). The homepage for ipf is http://coombs.anu.edu.au/~avalon/ip-filter.html and there is a really good tutorial at http://www.obfuscation.org/ipf/ipf-howto.txt ipfw doesn't require quite as much explanation, there is a page on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html which covers it. Although 'man ipfw' will probably provide most of what you want. Hope it helps Lee -- Lee Brotherston - IP Security Manager, Easynet Ltd http://www.easynet.net/ Phone: +44 20 7900 4444 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 2:29:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from hqvsbh2.ms.com (hqvsbh2.ms.com [205.228.12.104]) by hub.freebsd.org (Postfix) with ESMTP id 8C81E37B41A for ; Wed, 27 Feb 2002 02:29:19 -0800 (PST) Received: from hqvsbh2-idmz.ms.com (localhost [127.0.0.1]) by hqvsbh2.ms.com (Postfix) with SMTP id 2F6B3AE67; Wed, 27 Feb 2002 05:29:19 -0500 (EST) Received: from morganstanley.com (unknown [172.19.97.161]) by hqvsbh2-idmz.ms.com (Postfix) with ESMTP id A5A7AAE8E; Wed, 27 Feb 2002 05:29:17 -0500 (EST) Message-ID: <3C7CB4F8.5ABB1DDB@morganstanley.com> Date: Wed, 27 Feb 2002 18:29:13 +0800 From: Victor Tayer Reply-To: Victor.Tayer@morganstanley.com Organization: Morgan Stanley X-Mailer: Mozilla 4.76 [en]C-CCK-MCD MS4.76 V20001206.2 (WinNT; U) X-Accept-Language: en,ja MIME-Version: 1.0 To: Geert Houben Cc: freebsd-security@freebsd.org Subject: Re: best firewall option for FreeBSD References: <3C7CB173.5F5A9837@hict.nl> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: 
(List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

you would want to use freebsd for the OS and qmail or postfix for the mta and ipfw/ipfilter for the firewall package

jett tayer

Geert Houben wrote:
> Hi all,
>
> I have to build a firewall for our University with 2 NIC's. One
> connected to internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but these servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make
> it impossible for internal users to use anything else but http, https,
> ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use
> Morpheus, Kazaa, Napster etc.
>
> What firewall software (Opensource) would you advise? Or do I have to
> choose another OS?
>
> Best regards,
> Geert Houben
>
> --
> http://www.hict.nl
> e-mail: g.houben@hict.nl
> tel: +31(0)26 321 4177
> fax: +31(0)26 321 4267
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Wed Feb 27 2:35: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from heresy.dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 512F537B405 for ; Wed, 27 Feb 2002 02:34:58 -0800 (PST) Received: (qmail 78943 invoked by uid 1000); 27 Feb 2002 10:34:56 -0000 Date: Wed, 27 Feb 2002 11:34:56 +0100 From: Bart Matthaei To: Geert Houben Cc: security@freebsd.org Subject: Re: best firewall option for FreeBSD Message-ID: <20020227113456.L62131@heresy.dreamflow.nl> References: <3C7CB173.5F5A9837@hict.nl> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IbVRjBtIbJdbeK1C" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3C7CB173.5F5A9837@hict.nl>; from sec@hict.nl on
Wed, Feb 27, 2002 at 11:14:11AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
--IbVRjBtIbJdbeK1C Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
[snip]

Correct me if I'm wrong.

The easiest way of achieving this is to deny everything coming from your internal net by default, and set up rules to allow certain services, like ssh.

Example:

# allow established connections ( remote host -> source port on client )
ipfw add pass all from any to any established

ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp

ipfw add deny all from any to any recv $internal_nic

You'll get a pretty long set of firewall rules, but that doesn't matter.

You should also decide if you want your internal net to have public or private ipspace (and if private, using ipnat or natd:

natd runs in userland, so that's no option for large networks (imho).
ipnat runs in la kernel, so it performs better for large nets.

).

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl

Kiss me twice. I'm schizophrenic.
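
The default-deny policy for the internal interface that Bart describes above, written out as one script; this is an added example, not part of the original post and not the stock rc.firewall. The interface names, port list, rule numbers, the DNS rule and the RST reply on port 113 (the point raised in the follow-up from Baldur Gislason) are assumptions, and the internal net is assumed to be routed without a NAT rule.

```shell
#!/bin/sh
# Added example: default-deny egress rules for a two-NIC ipfw gateway.
# Assumed, not from the thread: interface names, port list, rule numbers,
# the DNS rule, and a routed internal net (no divert/NAT rule).

# Dry run by default: the commands are printed, not executed.
# Run with IPFW=/sbin/ipfw on the gateway to load them.
IPFW="${IPFW:-echo ipfw}"
internal_nic="${internal_nic:-fxp1}"
external_nic="${external_nic:-fxp0}"
# ftp (control channel only), ssh, http, pop3, https
allowed_tcp="${allowed_tcp:-21 22 80 110 443}"

emit_rules() {
    # Never filter loopback.
    $IPFW add 100 pass all from any to any via lo0
    # Packets of TCP sessions whose SYN was already accepted below.
    $IPFW add 200 pass tcp from any to any established
    # Replies to UDP queries recorded by the keep-state rule (2000).
    $IPFW add 300 check-state
    # Ident probes from outside get a TCP RST, so the remote daemon
    # does not sit waiting for a timeout as it would on a silent deny.
    $IPFW add 400 reset tcp from any to any 113 in recv "$external_nic"

    # One rule per permitted client service; only the opening SYN
    # has to match here, the rest of the session hits rule 200.
    n=1000
    for port in $allowed_tcp; do
        $IPFW add "$n" pass tcp from any to any "$port" recv "$internal_nic" setup
        n=$((n + 10))
    done

    # Name lookups, without which the permitted services fail.
    $IPFW add 2000 pass udp from any to any 53 recv "$internal_nic" keep-state

    # Everything else from the inside is dropped and logged, which
    # also shows which hosts are trying disallowed services.
    $IPFW add 9000 deny log all from any to any recv "$internal_nic"
}

emit_rules
```

The port 21 rule covers only the FTP control channel, so FTP data connections need a rule of their own.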
--IbVRjBtIbJdbeK1C Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8fLZQgcc6pR+tCegRAluyAJ9GDTKQDsuibrY/g+EHYpsXQMhbSACgx4pZ YII51AaObwFKUNnOjZ2H148= =t2DO -----END PGP SIGNATURE----- --IbVRjBtIbJdbeK1C--
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Wed Feb 27 3:52:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from tesla.foo.is (tesla.reverse-bias.org [217.151.166.96]) by hub.freebsd.org (Postfix) with ESMTP id 031AD37B400; Wed, 27 Feb 2002 03:52:37 -0800 (PST) Received: from germanium (germanium.reverse-bias.org [192.168.1.1]) by tesla.foo.is (Postfix) with SMTP id 5C8BB2739; Wed, 27 Feb 2002 11:52:30 +0000 (GMT) Content-Type: text/plain; charset="iso-8859-1" From: Baldur Gislason To: Bart Matthaei Subject: Re: best firewall option for FreeBSD Date: Wed, 27 Feb 2002 11:52:22 +0000 X-Mailer: KMail [version 1.2] References: <3C7CB173.5F5A9837@hict.nl> <20020227113456.L62131@heresy.dreamflow.nl> In-Reply-To: <20020227113456.L62131@heresy.dreamflow.nl> Cc: freebsd-security@freebsd.org, freebsd-ipfw@freebsd.org MIME-Version: 1.0 Message-Id: <02022711522201.07860@germanium> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It's never a good idea to silently deny incoming connections on port 113 (RFC1413 ident) as remote daemons you connect to often try establishing a connection to your host on that port and you won't be served until they've timed out on the ident connection. Also, never trust your local users too much, especially if you have a wireless network.
The most practical design is a DMZ (De-Militarized Zone) for the servers, external net and partially trusted user network, if you have a wireless network it may even be a good idea to isolate that from the rest of the user network, as you must not trust the wireless users at all unless they're authenticated somehow. On the DMZ you'd allow in certain ports on each server and range 49152 through 65535 (dynamic port range) may be a good idea if you run an ftpd and want users to be able to use passive transfers (That applies to most users that are behind a firewall). Baldur On Wednesday 27 February 2002 10:34, you wrote: > On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote: > [snip] > > Correct me if im wrong. > > The easiest way of achieving this is to deny everything coming > from your internal net by default, and set up rules to allow certain > services, like ssh. > > Example: > > # allow established connections ( remote host -> source port on client ) > ipfw add pass all from any to any established > > ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh > ipfw add pass tcp from any to any 80 recv $internal_nic # allow http > ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp > > > > ipfw add deny all from any to any recv $internal_nic > > You'll get a pretty long set of firewallrules, but that doesn't > matter. > > You should also decide if you want your internal net to have public or > private ipspace (and if private, using ipnat or natd: > > natd runs in userland, so thats no option for large networks (imho). > ipnat runs in la kernel, so it performs better for large nets. > > ). 
>
> Regards,
>
> Bart

From owner-freebsd-security Wed Feb 27 3:58:45 2002
Date: Wed, 27 Feb 2002 12:58:36 +0100
From: Bart Matthaei
To: Baldur Gislason
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD
Message-ID: <20020227125836.O62131@heresy.dreamflow.nl>
References: <3C7CB173.5F5A9837@hict.nl> <20020227113456.L62131@heresy.dreamflow.nl> <02022711522201.07860@germanium>
In-Reply-To: <02022711522201.07860@germanium>; from baldur@foo.is on Wed, Feb 27, 2002 at 11:52:22AM +0000

On Wed, Feb 27, 2002 at 11:52:22AM +0000, Baldur Gislason wrote:
> It's never a good idea to silently deny incoming connections on port 113 (RFC1413 ident)
> as remote daemons you connect to often try establishing a connection to your host on that
> port and you won't be served until they've timed out on the ident connection.
These were just some example firewall rules, not a complete setup. Also, it's better to reset connections to 113 than to deny them (reset won't cause a timeout interval, but will just refuse the connection).

But I see no obvious reason why you would want to disable ident. It's pretty trivial.

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.

From owner-freebsd-security Wed Feb 27 5:28:52 2002
Message-ID: <20020227132846.28405.qmail@web13305.mail.yahoo.com>
Date: Wed, 27 Feb 2002 14:28:46 +0100 (CET)
From: m p
Subject: Re: best firewall option for FreeBSD
To: sec@hict.nl
Cc: freebsd-security@freebsd.org

> Hi all,
>
> I have to build a firewall for our University with 2 NIC's. One
> connected to internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but this servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make > it impossible for internal users to use anything else but http, https, > ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use > Morpheus, Kazaa, Napster etc. > > What firewall software (Opensource) would you advice? Or do I have to > choose another OS? > > Best regards, > Geert Houben Hi Geert, you can use either ipfw (the firewall I prefer) or ipfilter. For your case I would you ipfilter. Why? To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant with outlook)) you can choose both. But ftp is a braindead (from a firewaller sight) protocol. You can not simple make a rule "allow tcp from internal network to external ftp-server" - because it will use more than one port. So you should use ipfilter which "inspects" the pakets flowing through to get the new ftp port which have to be open - or use a ftp-proxy (there are some in the ports, look for one fitting your purpose). Another thought: Should this firewall be "visible" to the user? Should he/she know about it? If not you can only add a transparent proxy and/or building a bridging rather than a routing firewall. If yes, well, why not considering a new infrastructure for your servers in the net and your users too? An Exchange server in the internet without firewall (and securing Windows behorehand - but of course you have done that, haven't you?) is not nearly secure - for example. You can work on that detail and a lot more with a new concept which have to include security concerns, usefulness, managebility (if there is this word), TOC .... Hope that helps Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Ihre E-Mail noch individueller? 
- http://domains.yahoo.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 5:41:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from stargate.compuware.com (stargate.compuware.com [166.90.248.158]) by hub.freebsd.org (Postfix) with SMTP id 08EA837B400 for ; Wed, 27 Feb 2002 05:41:34 -0800 (PST) Received: from [199.186.16.12] by stargate.compuware.com via smtpd (for hub.FreeBSD.org [216.136.204.18]) with SMTP; 27 Feb 2002 13:41:34 UT Received: from bh1.compuware.com (compuware.com [172.22.1.239]) by cwus-dtw-mr02.compuware.com (Postfix) with ESMTP id 4600174F17; Wed, 27 Feb 2002 08:41:33 -0500 (EST) Received: by bh1.compuware.com with Internet Mail Service (5.5.2653.19) id ; Wed, 27 Feb 2002 08:41:32 -0500 Message-ID: From: "Barkell, Bill" To: 'm p' , sec@hict.nl Cc: freebsd-security@freebsd.org Subject: RE: best firewall option for FreeBSD Date: Wed, 27 Feb 2002 08:41:28 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org How about spending a few more $ and add a third NIC? This will give you the ability to add a DMZ for that pesky mail server at a later date. Bill Barkell -----Original Message----- From: m p [mailto:sumirati@yahoo.de] Sent: Wednesday, February 27, 2002 8:29 AM To: sec@hict.nl Cc: freebsd-security@freebsd.org Subject: Re: best firewall option for FreeBSD > Hi all, > > I have to build a firewall for our University with 2 NIC's. One > connected to internet and the second connected to the network. > The e-mail is running on M$ Exchange, but this servers are placed > outside of the network. 
> With the firewall we would like to increase the security, but also make > it impossible for internal users to use anything else but http, https, > ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use > Morpheus, Kazaa, Napster etc. > > What firewall software (Opensource) would you advice? Or do I have to > choose another OS? > > Best regards, > Geert Houben Hi Geert, you can use either ipfw (the firewall I prefer) or ipfilter. For your case I would you ipfilter. Why? To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant with outlook)) you can choose both. But ftp is a braindead (from a firewaller sight) protocol. You can not simple make a rule "allow tcp from internal network to external ftp-server" - because it will use more than one port. So you should use ipfilter which "inspects" the pakets flowing through to get the new ftp port which have to be open - or use a ftp-proxy (there are some in the ports, look for one fitting your purpose). Another thought: Should this firewall be "visible" to the user? Should he/she know about it? If not you can only add a transparent proxy and/or building a bridging rather than a routing firewall. If yes, well, why not considering a new infrastructure for your servers in the net and your users too? An Exchange server in the internet without firewall (and securing Windows behorehand - but of course you have done that, haven't you?) is not nearly secure - for example. You can work on that detail and a lot more with a new concept which have to include security concerns, usefulness, managebility (if there is this word), TOC .... Hope that helps Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Ihre E-Mail noch individueller? 
- http://domains.yahoo.de

From owner-freebsd-security Wed Feb 27 5:47:42 2002
Message-ID: <3C7CE2F7.B188503D@centtech.com>
Date: Wed, 27 Feb 2002 07:45:27 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: "Barkell, Bill"
Cc: freebsd-security@freebsd.org
Subject: Re: best firewall option for FreeBSD

Speaking of this, what is the appropriate way to add a DMZ? I have a setup kind of like this (3 nics - 1 to the net, 1 to the "internal" net, and 1 not used). I would like to use the 3rd NIC to be a DMZ, but I would like to let nearly everything thru - like stuff for games, internet phone stuff, etc. How can I implement this and still keep the security of the box uncompromised? Anyone know of a good FAQ or HOWTO on this?
I use ipfilter, and ipnat, so I just started looking at the map and redir functions to ipnat. Eric "Barkell, Bill" wrote: > > How about spending a few more $ and add a third NIC? This will give you the > ability to add a DMZ for that pesky mail server at a later date. > > Bill Barkell > > -----Original Message----- > From: m p [mailto:sumirati@yahoo.de] > Sent: Wednesday, February 27, 2002 8:29 AM > To: sec@hict.nl > Cc: freebsd-security@freebsd.org > Subject: Re: best firewall option for FreeBSD > > > Hi all, > > > > I have to build a firewall for our University with 2 NIC's. One > > connected to internet and the second connected to the network. > > The e-mail is running on M$ Exchange, but this servers are placed > > outside of the network. > > With the firewall we would like to increase the security, but also make > > it impossible for internal users to use anything else but http, https, > > ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use > > Morpheus, Kazaa, Napster etc. > > > > What firewall software (Opensource) would you advice? Or do I have to > > choose another OS? > > > > Best regards, > > Geert Houben > > Hi Geert, > > you can use either ipfw (the firewall I prefer) or ipfilter. > > For your case I would you ipfilter. Why? > > To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant > with outlook)) you can choose both. But ftp is a braindead (from a > firewaller > sight) protocol. You can not simple make a rule "allow tcp from internal > network to external ftp-server" - because it will use more than one port. > > So you should use ipfilter which "inspects" the pakets flowing through to > get > the new ftp port which have to be open - or use a ftp-proxy (there are some > in > the ports, look for one fitting your purpose). > > Another thought: > > Should this firewall be "visible" to the user? Should he/she know about it? 
> If > not you can only add a transparent proxy and/or building a bridging rather > than > a routing firewall. > If yes, well, why not considering a new infrastructure for your servers in > the > net and your users too? > An Exchange server in the internet without firewall (and securing Windows > behorehand - but of course you have done that, haven't you?) is not nearly > secure - for example. > You can work on that detail and a lot more with a new concept which have to > include security concerns, usefulness, managebility (if there is this word), > TOC .... > > Hope that helps > > Marc > > __________________________________________________________________ > > Gesendet von Yahoo! Mail - http://mail.yahoo.de > Ihre E-Mail noch individueller? - http://domains.yahoo.de > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. 
------------------------------------------------------------------

From owner-freebsd-security Wed Feb 27 5:48:48 2002
Date: Wed, 27 Feb 2002 14:48:06 +0100
From: Bart Matthaei
To: m p
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD
Message-ID: <20020227144806.W62131@heresy.dreamflow.nl>
References: <20020227132846.28405.qmail@web13305.mail.yahoo.com>
In-Reply-To: <20020227132846.28405.qmail@web13305.mail.yahoo.com>; from sumirati@yahoo.de on Wed, Feb 27, 2002 at 02:28:46PM +0100

On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote:
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a firewaller
> sight) protocol. You can not simple make a rule "allow tcp from internal
> network to external ftp-server" - because it will use more than one port.

Agreed. I know that linux has a fix for this issue. There's FTP masquerading support in the kernel. BSD hasn't got such a thing as far as I know. You can try to direct all the ftp traffic to natd, or ipnat.
(ipfw divert natd tcp from any to any 21).
No idea if this will actually work.

> So you should use ipfilter which "inspects" the pakets flowing through to get
> the new ftp port which have to be open - or use a ftp-proxy (there are some in
> the ports, look for one fitting your purpose).

Agreed.

No comments on your other advice ;)

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.

From owner-freebsd-security Wed Feb 27 6: 2:13 2002
From: "Barkell, Bill"
To: security@freebsd.org
Subject: RE: best firewall option for FreeBSD
Date: Wed, 27 Feb 2002 09:02:00 -0500

FTP can
be handled by IPfilter. Refer to the IPfilter HOW-TO documentation. It is done with a trick in IPNAT, which redirects the ftp return traffic to a source port 21. As I understand it, if only an inbound rule exists, IPfilter will treat the return (outbound) traffic as an established session, since the source IP and port now match the established connection ... so it works quite nicely. Bill Barkell -----Original Message----- From: Bart Matthaei [mailto:bart@dreamflow.nl] Sent: Wednesday, February 27, 2002 8:48 AM To: m p Cc: security@freebsd.org Subject: Re: best firewall option for FreeBSD On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote: > To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant > with outlook)) you can choose both. But ftp is a braindead (from a firewaller > sight) protocol. You can not simple make a rule "allow tcp from internal > network to external ftp-server" - because it will use more than one port. Agreed. I know that linux has a fix for this issue. There's FTP masquerading support in the kernel. BSD hasn't got such a thing as far as i know. You can try to direct all the ftp traffic to natd, or ipnat. (ipfw divert natd tcp from any to any 21). No idea if this will actually work. > So you should use ipfilter which "inspects" the pakets flowing through to get > the new ftp port which have to be open - or use a ftp-proxy (there are some in > the ports, look for one fitting your purpose). Agreed. No comments on your other advice ;) Regards, Bart -- Bart Matthaei bart@dreamflow.nl Kiss me twice. I'm schizophrenic. 
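The FTP problem discussed in this thread, as an added example that is not part of any poster's message: a toy first-match model of the five ipfw rules quoted above shows the passive-mode data connection being denied, and a small inspection step that reads the server's 227 reply opens a single-use pinhole for it. The interface name, the addresses, the sample reply and the `InspectingFilter` class are assumptions made for illustration; this is not ipfw, ipfilter or ipnat code.

```python
# Added illustration: a toy first-match filter, not ipfw or ipfilter code.
import re
from collections import namedtuple

INTERNAL_NIC = "int0"  # assumed name standing in for $internal_nic

# established=True models a TCP segment of an already-open connection.
Packet = namedtuple("Packet", "proto dst_ip dst_port established recv_if",
                    defaults=(False, INTERNAL_NIC))


def _tcp_to(port):
    """Match new or existing TCP traffic to `port` arriving on the inside NIC."""
    return lambda p: (p.proto == "tcp" and p.dst_port == port
                      and p.recv_if == INTERNAL_NIC)


# The five rules quoted in the thread, in order; the first match wins.
STATIC_RULES = [
    ("pass", lambda p: p.established),              # pass all ... established
    ("pass", _tcp_to(22)),                          # allow ssh
    ("pass", _tcp_to(80)),                          # allow http
    ("pass", _tcp_to(21)),                          # allow ftp (control channel only)
    ("deny", lambda p: p.recv_if == INTERNAL_NIC),  # deny everything else from inside
]


def static_decide(pkt):
    """Return the action of the first matching static rule."""
    for action, matches in STATIC_RULES:
        if matches(pkt):
            return action
    return "deny"  # assumption: kernel built default-to-deny


# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2.
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply_line):
    """Return (ip, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply_line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class InspectingFilter:
    """Static rules plus single-use pinholes learned from FTP control traffic."""

    def __init__(self):
        self.pinholes = set()

    def observe_control(self, server_ip, reply_line):
        """Feed one server reply seen on a permitted port-21 connection."""
        endpoint = parse_pasv(reply_line)
        # Only open a hole toward the server the client is already talking to;
        # a reply that names a different host is ignored.
        if endpoint is None or endpoint[0] != server_ip:
            return False
        self.pinholes.add(endpoint)
        return True

    def decide(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port)
        if pkt.proto == "tcp" and not pkt.established and key in self.pinholes:
            self.pinholes.discard(key)  # one data connection per 227 reply
            return "pass"               # later segments match "established"
        return static_decide(pkt)


def demo():
    server = "192.0.2.10"                                    # constructed address
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)"  # constructed reply
    data_syn = Packet("tcp", server, 50000)  # 195*256 + 80 = 50000
    fw = InspectingFilter()
    before = static_decide(data_syn)   # static rules alone
    fw.observe_control(server, reply)  # inspection learns the data port
    after = fw.decide(data_syn)        # pinhole admits the data connection
    reuse = fw.decide(data_syn)        # pinhole is gone after one use
    return before, after, reuse


if __name__ == "__main__":
    print(demo())
```

The static rules pass the control connection to port 21 but deny the data connection to the port the server picked, which is why the posters point to packet inspection or an ftp-proxy.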
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 6:15: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from spmler3.mail.eds.com (spmler3.mail.eds.com [194.128.225.186]) by hub.freebsd.org (Postfix) with ESMTP id 2A99437B402; Wed, 27 Feb 2002 06:14:45 -0800 (PST) Received: from spmlir1.mail.eds.com (spmlir1-2.mail.eds.com [192.168.1.6]) by spmler3.mail.eds.com (8.11.6/8.11.3) with ESMTP id g1REEVb15186; Wed, 27 Feb 2002 14:14:39 GMT Received: from nnse.eds.com (localhost [127.0.0.1]) by spmlir1.mail.eds.com (8.11.6/8.11.3) with ESMTP id g1REEUt19402; Wed, 27 Feb 2002 14:14:31 GMT Received: from gbspm002.exemhub.exch.eds.com ([207.37.51.200]) by nnse.eds.com (8.11.6/8.11.3) with ESMTP id g1REEUO17136; Wed, 27 Feb 2002 14:14:30 GMT Received: by GBSPM002 with Internet Mail Service (5.5.2653.19) id ; Wed, 27 Feb 2002 14:14:29 -0000 Message-ID: From: "Van Beerschoten, Stephan" To: "'security@freebsd.org'" , "'isp@freebsd.org'" , "'ports@freebsd.org'" Subject: FW: HEADS UP: Security Alert For Apache / PHP Webservers Date: Wed, 27 Feb 2002 14:14:24 -0000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I usually don't mail from my corporate account, but this needs some fast fixing on almost all FreeBSD/apache/php servers. 
-Stephan

> -----Original Message-----
> From: Bandell, Yaron
> Sent: Wednesday 27 February 2002 15:12
> To: Van Beerschoten, Stephan
> Subject: FW: HEADS UP: Security Alert For Apache / PHP Webservers
>
>
> Damn, no IIS buffer overflow exploit this time :(
>
> -----Original Message-----
> From: Boyce, Nick
> Sent: Wednesday 27 February 2002 14:40
> To: EMEA WebMaster
> Subject: HEADS UP: Security Alert For Apache / PHP Webservers
>
> Security Alert - Apache/PHP - Release Date 27.Feb.2002 - Severe
>
> A security alert has been released relating to a remotely exploitable
> security hole in PHP, and information is circulating on public mailing
> lists about methods & tools for exploiting the hole. The problem is not
> in Apache itself, but in the optional PHP scripting module. This module
> is widely used by Apache sites (it's the equivalent of IIS/ASP for Apache
> sites), but is not always installed.
>
> The hole (holes actually - there are multiple problems) is/are serious and
> allow(s) remote compromise (of the user running the webserver - maybe of
> root - it's not immediately clear to me). A fixed version of PHP has been
> produced and is available from http://www.php.net.
>
> Full details are at http://security.e-matters.de/advisories/012002.html,
> but here's an extract :
>
> Overview
>
> We found several flaws in the way PHP handles multipart/form-data
> POST requests. Each of the flaws could allow an attacker to execute
> arbitrary code on the victim's system.
>
>
> Details
>
> PHP supports multipart/form-data POST requests (as described in
> RFC1867) known as POST fileuploads. Unfortunately there are several flaws
> in the php_mime_split function that could be used by an attacker to
> execute arbitrary code. During our research we found out that not only
> PHP4 but also older versions from the PHP3 tree are vulnerable.
> [snip]
> Finally I want to mention that most of these vulnerabilities are
> exploitable only on linux or solaris.
But the heap off by one is only > exploitable on x86 architecture and the arbitrary heap overflow in PHP3 is > exploitable on most OS and architectures. (This includes *BSD) > > > Nick > EDS Southwest Solution Centre, Bristol, UK > Internet email: nick.boyce@eds.com | tel: +44 117 989 2941 > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 7:50:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from skip-ext.ab.videon.ca (skip-ext.ab.videon.ca [206.75.216.36]) by hub.freebsd.org (Postfix) with SMTP id 49AD837B405 for ; Wed, 27 Feb 2002 07:50:08 -0800 (PST) Received: (qmail 12074 invoked from network); 27 Feb 2002 15:50:07 -0000 Received: from unknown (HELO e6943cy62k081) ([204.209.209.205]) (envelope-sender ) by skip-ext.ab.videon.ca (qmail-ldap-1.03) with SMTP for ; 27 Feb 2002 15:50:07 -0000 Message-ID: <07cb01c1bfa6$d1c99550$3531000a@shaw.ca> From: "Laurence Brockman" To: , , References: Subject: Re: HEADS UP: Security Alert For Apache / PHP Webservers Date: Wed, 27 Feb 2002 08:52:54 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Just another heads up as well. Lately on a lot of security lists there is a lot of dis-information being posted. On Security Focus lists there have even been "exploits" posted that in reality are trojans that will open up a root shell on unsuspecting users. So far I have seen these so called advisories (Or really rumours of vulnerabilities) for Apache, SSH2 (Later versions), BIND and SNMPD (UCD-SNMP ver 4.2.2 I think, or ver 4.2.1). 
Now the SNMPD advisory is real, but the exploits that have been released aren't. So again, be careful with what you believe and run from these lists (As you should always be)... See the following from Blue Boar of the Vuln-Dev list http://online.securityfocus.com/archive/82/258445 Thanks, Laurence ----- Original Message ----- From: "Van Beerschoten, Stephan" To: ; ; Sent: Wednesday, February 27, 2002 7:14 AM Subject: FW: HEADS UP: Security Alert For Apache / PHP Webservers > I usually don't mail from my corporate account, but this needs some fast > fixing on almost all FreeBSD/apache/php servers. > > -Stephan > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 7:57:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.linuxcare.com (mail.linuxcare.com [216.88.157.164]) by hub.freebsd.org (Postfix) with ESMTP id 2529E37B417 for ; Wed, 27 Feb 2002 07:57:24 -0800 (PST) Received: from linuxcare.com (wiliweld.i.linuxcare.com [10.1.0.139]) by mail.linuxcare.com (Postfix) with ESMTP id 4238B1572 for ; Wed, 27 Feb 2002 07:57:23 -0800 (PST) Message-ID: <3C7D01E4.8F8BA807@linuxcare.com> Date: Wed, 27 Feb 2002 07:57:24 -0800 From: Bill Organization: "Linux, A Way of Life !!!" X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: Third /tmp location ? 
(and maybe a fourth too) References: <20020226152847.L25859-100000@roble.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Roger Marquis wrote: > > > Creating a partition for /var is also rarely necessary unless your > applications require partitioning for performance , pseudo-quotas, > or they need more disk than the root volume provides. > [humbly_snipped] I've been pinched before by error files in a overflowed /var/log/ where /var is inside / and filled up the whole parition to where I was barely able to log in to start freeing up space and will never do that again. I keep a "water_dike" around /var per-se' in the form of it's own partiton. My $0.02 -- Bill Schoolcraft Linux/Unix System Engineer 650 Townsend Street San Francisco, CA 94103 SF (415) 354-4878 http://www.linuxcare.com "Linux/Unix, A Way Of Life." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 8:44:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 6A5CD37B402; Wed, 27 Feb 2002 08:44:18 -0800 (PST) Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.22 #1) id 16g784-00045J-00; Wed, 27 Feb 2002 18:40:32 +0200 Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Wed, 27 Feb 2002 18:44:09 +0200 Message-ID: From: Yonatan Bokovza To: 'Laurence Brockman' , security@freebsd.org, ports@freebsd.org Subject: RE: HEADS UP: Security Alert For Apache / PHP Webservers Date: Wed, 27 Feb 2002 18:44:07 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > -----Original Message----- > From: Laurence Brockman [mailto:laurence@fluxinc.com] > Sent: Wednesday, February 27, 2002 17:53 > To: security@freebsd.org; isp@freebsd.org; ports@freebsd.org > Subject: Re: HEADS UP: Security Alert For Apache / PHP Webservers > > > Just another heads up as well. > > Lately on a lot of security lists there is a lot of > dis-information being > posted. On Security Focus lists there have even been > "exploits" posted that > in reality are trojans that will open up a root shell on > unsuspecting users. 
Only this seems real, as PHP released version 4.1.2 today, "Due to a security issue found in in all versions of PHP" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 9:19:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm25-53-085.ec.rr.com [24.25.53.85]) by hub.freebsd.org (Postfix) with ESMTP id DA6AF37B438 for ; Wed, 27 Feb 2002 09:18:42 -0800 (PST) Received: by probsd.ws (8.11.6/8.11.6) id g1RHK0M08880 for security@FreeBSD.ORG; Wed, 27 Feb 2002 12:20:00 -0500 (EST) (envelope-from freebsd) Message-Id: <200202271720.g1RHK0M08880@probsd.ws> Content-Type: text/plain; charset="iso-8859-1" From: Michael Sharp To: security@FreeBSD.ORG Subject: apache/PHP4.1.1 Date: Wed, 27 Feb 2002 12:20:00 -0500 X-Mailer: KMail [version 1.3.2] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I dont see this exploit on the 4.5-RELEASE Errata site or is it so new that its not up yet? 
I guess I should CVSup my ports michael To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 9:29:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from C-Tower.Area51.DK (c-tower.area51.dk [212.242.89.130]) by hub.freebsd.org (Postfix) with SMTP id 183CA37B402 for ; Wed, 27 Feb 2002 09:29:15 -0800 (PST) Received: (qmail 54621 invoked by uid 1007); 27 Feb 2002 17:29:13 -0000 Date: Wed, 27 Feb 2002 17:29:13 +0000 From: Alex Holst To: security@FreeBSD.ORG Subject: Re: apache/PHP4.1.1 Message-ID: <20020227172913.GA54158@area51.dk> References: <200202271720.g1RHK0M08880@probsd.ws> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <200202271720.g1RHK0M08880@probsd.ws> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Quoting Michael Sharp (mds@ec.rr.com): > I dont see this exploit on the 4.5-RELEASE Errata site or is it so new that > its not up yet? I guess I should CVSup my ports Why would there be an *exploit* on the errata page? There will eventually be an advisory pointing to a fix, I'm sure, but there will probably never an exploit posted to the errata page. -- I prefer the dark of the night, after midnight and before four-thirty, when it's more bare, more hollow. 
http://a.area51.dk/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 9:30:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id BABE237B405 for ; Wed, 27 Feb 2002 09:30:38 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 832BF1E38; Wed, 27 Feb 2002 16:16:18 +0000 (GMT) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id g1RGFZp16472; Wed, 27 Feb 2002 17:15:35 +0100 Date: Wed, 27 Feb 2002 17:15:35 +0100 From: Krzysztof Zaraska To: "Bart Matthaei" Cc: sumirati@yahoo.de, security@freebsd.org Subject: Re: best firewall option for FreeBSD Message-Id: <20020227171535.5a55cee3.kzaraska@student.uci.agh.edu.pl> In-Reply-To: <20020227144806.W62131@heresy.dreamflow.nl> References: <20020227132846.28405.qmail@web13305.mail.yahoo.com> <20020227144806.W62131@heresy.dreamflow.nl> Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 27 Feb 2002 14:48:06 +0100 Bart Matthaei wrote: > On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote: > > To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant > > with outlook)) you can choose both. But ftp is a braindead (from a firewaller > > sight) protocol. 
You can not simple make a rule "allow tcp from internal > > network to external ftp-server" - because it will use more than one port. > > Agreed. > I know that linux has a fix for this issue. There's FTP > masquerading support in the kernel. BSD hasn't got such a thing as far > as i know. This can be done with IPFilter (ipf) using ipnat. I have a working firewall with that :) -- // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl // Prelude IDS: http://www.prelude-ids.org/ // A dream will always triumph over reality, once it is given the chance. // -- Stanislaw Lem To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 10:11:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from ariel.dreamlabs.com (ariel.dreamlabs.com [216.129.214.43]) by hub.freebsd.org (Postfix) with ESMTP id 1185437B41A; Wed, 27 Feb 2002 10:11:31 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by ariel.dreamlabs.com (Postfix) with ESMTP id 37F2121468; Wed, 27 Feb 2002 13:11:30 -0500 (EST) Received: from shadow (shadow.dreamlabs.com [216.129.214.38]) by ariel.dreamlabs.com (Postfix) with ESMTP id 657AD21302; Wed, 27 Feb 2002 13:11:24 -0500 (EST) From: "Mit Rowe" To: , Subject: PHP 4.1.1 security bug Date: Wed, 27 Feb 2002 13:11:23 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Virus-Scanned: by AMaViS snapshot-20010714 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ref: http://www.php.net http://security.e-matters.de/advisories/012002.html 
___________________________________________________________ Mit Rowe DreamLabs mit@dreamlabs.com __________________________________________________________ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 10:16:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id CE6D337B402 for ; Wed, 27 Feb 2002 10:16:26 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id g1RIG8h02875; Wed, 27 Feb 2002 13:16:08 -0500 (EST) Date: Wed, 27 Feb 2002 13:16:08 -0500 (EST) From: Ralph Huntington To: Krzysztof Zaraska Cc: Bart Matthaei , , Subject: Re: best firewall option for FreeBSD In-Reply-To: <20020227171535.5a55cee3.kzaraska@student.uci.agh.edu.pl> Message-ID: <20020227130641.Y62593-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > I know that linux has a fix for this issue. There's FTP > > masquerading support in the kernel. BSD hasn't got such a thing as far > > as i know. > > This can be done with IPFilter (ipf) using ipnat. I have a working > firewall with that :) So do I. This works fine with ipf. In fact, here it is. (Change de0 to match your public interface and, of course, change the ip addresses to suit your situation. These are fake addresses. You may also wish to be more restrictive; this is merely a working example.) 
from /etc/ipf.rules right after the first two in and out rules:

# Allow traffic originating from inside to receive replies
#
pass out quick proto tcp/udp from any to any keep state
pass in quick on de0 proto tcp from any port = ftp-data to any
#

and all three lines of /etc/ipnat.rules:

map de0 10.0.0.0/8 -> 12.34.56.78/32
map de0 10.0.0.0/8 -> 12.34.56.78/32 proxy port 21 ftp/tcp
map de0 10.0.0.0/8 -> 12.34.56.78/32 portmap tcp/udp 1025:65000

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 12:27:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from pi.yip.org (pi.yip.org [199.45.111.121]) by hub.freebsd.org (Postfix) with ESMTP id B227837B41D for ; Wed, 27 Feb 2002 12:27:24 -0800 (PST) Received: (from melange@localhost) by pi.yip.org (8.11.3/8.11.3) id g1RKRLP80588 for freebsd-security@FreeBSD.ORG; Wed, 27 Feb 2002 15:27:21 -0500 (EST) (envelope-from melange@yip.org) Date: Wed, 27 Feb 2002 15:27:20 -0500 From: Bob K To: freebsd-security@FreeBSD.ORG Subject: Re: PHP 4.1.1 security bug Message-ID: <20020227152720.G40253@yip.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mitayai@dreamlabs.com on Wed, Feb 27, 2002 at 01:11:23PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 27, 2002 at 01:11:23PM -0500, Mit Rowe wrote: > Ref: > http://www.php.net > http://security.e-matters.de/advisories/012002.html The advisory mentions a workaround (Recommendation) for php4 (file_uploads in php.ini), but nothing for php3 - does anyone know if there is something that can be done for that besides disabling it? (until it's finished recompiling, I mean) -- Bob | There's more to life than e-mail, supposedly.
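Going back to the FTP exchange earlier in this digest (the "more than one port" complaint and the `proxy port 21 ftp/tcp` line in the ipnat rules): the sketch below is an added example, not code from any poster or from IPFilter, showing what an FTP-aware NAT helper has to do with an active-mode PORT command and how narrow the resulting inbound permission can be. The function names, the 10.0.0.5 client, the mapped port 40000 and the sanity checks are assumptions for illustration; 12.34.56.78 is the fake public address used in the posted rules.

```python
import re
from typing import NamedTuple, Tuple

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# connection (port 21) and the server connects back from port 20 (ftp-data).
PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


class PortRewriteError(ValueError):
    """The PORT command is malformed or fails this sketch's sanity checks."""


class DataChannel(NamedTuple):
    inside: Tuple[str, int]   # where the internal client really listens
    outside: Tuple[str, int]  # what the external server is told to connect to


def parse_port(line: bytes) -> Tuple[str, int]:
    """Return (ip, port) carried inside a PORT command."""
    m = PORT_RE.fullmatch(line)
    if m is None:
        raise PortRewriteError("not a well-formed PORT command")
    fields = [int(f) for f in m.groups()]
    if max(fields) > 255:
        raise PortRewriteError("field out of range 0-255")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def rewrite_port(line: bytes, client_ip: str, public_ip: str,
                 mapped_port: int) -> Tuple[bytes, DataChannel]:
    """Rewrite an inside client's PORT command for the outside world.

    client_ip is the source address of the control connection; refusing a
    PORT that names any other host or a privileged port is a check assumed
    for this sketch, not a statement about what ipnat does.
    """
    ip, port = parse_port(line)
    if ip != client_ip:
        raise PortRewriteError("PORT address is not the control connection's source")
    if port < 1024:
        raise PortRewriteError("PORT names a privileged port")
    if not 1024 <= mapped_port <= 65535:
        raise PortRewriteError("mapped port out of range")
    # The rewritten command usually differs in length from the original, so a
    # real in-kernel helper must also adjust TCP sequence numbers.
    rewritten = "PORT {},{},{}\r\n".format(
        public_ip.replace(".", ","), mapped_port >> 8, mapped_port & 0xFF
    ).encode("ascii")
    return rewritten, DataChannel((ip, port), (public_ip, mapped_port))


def inbound_allowed(expected: DataChannel, src_port: int,
                    dst_ip: str, dst_port: int) -> bool:
    """Accept only the one data connection the PORT command announced."""
    return src_port == 20 and (dst_ip, dst_port) == expected.outside


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 listening on port 19*256+137.
    cmd, chan = rewrite_port(b"PORT 10,0,0,5,19,137\r\n",
                             "10.0.0.5", "12.34.56.78", 40000)
    print(cmd, chan)
```

Compared with a static "pass in ... from any port = ftp-data to any" rule, the per-session check in `inbound_allowed` admits a single destination address and port for each announced transfer.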
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 13:11:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 0363F37B405 for ; Wed, 27 Feb 2002 13:11:18 -0800 (PST) Received: from peony.ezo.net (peony.ezo.net [206.102.130.11]) by lily.ezo.net (8.11.6/8.11.6) with ESMTP id g1RLBNo47848 for ; Wed, 27 Feb 2002 16:11:23 -0500 (EST) (envelope-from jflowers@ezo.net) From: "Jim Flowers" To: freebsd-security@FreeBSD.ORG Subject: Re: PHP 4.1.1 security bug Mod_php4 Date: Wed, 27 Feb 2002 16:12:02 -0500 Message-Id: <20020227161202.M37412@ezo.net> In-Reply-To: <20020227152720.G40253@yip.org> References: <20020227152720.G40253@yip.org> X-Mailer: Open WebMail 1.60 20020130 X-OriginatingIP: 24.93.230.119 (jflowers) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Any reason why I can't just compile the new version telling it about apxs and then copy the resulting .so file atop the old one rather than wait for mod_php4? Oh yeah, probably check the php.ini file against the new php.ini.dist for any changes. -- Jim Flowers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 14: 9:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 1FB8837B400 for ; Wed, 27 Feb 2002 14:09:40 -0800 (PST) Received: (qmail 54757 invoked by uid 1001); 27 Feb 2002 22:09:28 -0000 Date: Wed, 27 Feb 2002 17:09:28 -0500 From: "Peter C. 
Lai" To: freebsd-security@freebsd.org Subject: allowing icmp still doesn't allow traceroute Message-ID: <20020227170928.A54682@cowbert.2y.net> Reply-To: peter.lai@uconn.edu Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have: 00600 allow icmp from any to any for ipfw, and i still get sendto Permission denied when I try to traceroute. I later also explicitly defined icmptypes 0,3,8,11,13 and this does not solve the problem. any suggestions? -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 14:22:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from pi.yip.org (pi.yip.org [199.45.111.121]) by hub.freebsd.org (Postfix) with ESMTP id B92A337B402 for ; Wed, 27 Feb 2002 14:22:40 -0800 (PST) Received: (from melange@localhost) by pi.yip.org (8.11.3/8.11.3) id g1RMMdH28715 for freebsd-security@FreeBSD.ORG; Wed, 27 Feb 2002 17:22:39 -0500 (EST) (envelope-from melange@yip.org) Date: Wed, 27 Feb 2002 17:22:39 -0500 From: Bob K To: freebsd-security@FreeBSD.ORG Subject: Re: allowing icmp still doesn't allow traceroute Message-ID: <20020227172238.K40253@yip.org> References: <20020227170928.A54682@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020227170928.A54682@cowbert.2y.net>; from sirmoo@cowbert.2y.net on Wed, Feb 27, 2002 at 05:09:28PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG 
Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 27, 2002 at 05:09:28PM -0500, Peter C. Lai wrote: > I have: > 00600 allow icmp from any to any > > for ipfw, and i still get sendto Permission denied when > I try to traceroute. > > I later also explicitly defined icmptypes 0,3,8,11,13 > and this does not solve the problem. > > any suggestions? Add a rule such as this one: add unreach port udp from any to any 33434-33524 in recv -- Bob | It's pretty good, if you don't think about it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 14:24: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from moutng1.kundenserver.de (moutng1.kundenserver.de [212.227.126.171]) by hub.freebsd.org (Postfix) with ESMTP id 6425D37B400 for ; Wed, 27 Feb 2002 14:23:55 -0800 (PST) Received: from [195.20.224.148] (helo=mxintern.kundenserver.de) by moutng1.kundenserver.de with esmtp (Exim 3.22 #2) id 16gCUM-0006Us-00 for freebsd-security@freebsd.org; Wed, 27 Feb 2002 23:23:54 +0100 Received: from [172.17.29.6] (helo=alex.i.schlund.de) by mxintern.kundenserver.de with smtp (Exim 2.12 #3) id 16gCUM-0002wE-00 for freebsd-security@freebsd.org; Wed, 27 Feb 2002 23:23:54 +0100 Received: (qmail 36943 invoked by uid 519); 27 Feb 2002 22:23:54 -0000 Date: Wed, 27 Feb 2002 23:23:54 +0100 From: Alex Kiesel To: "Peter C. 
Lai" Cc: freebsd-security@freebsd.org Subject: Re: allowing icmp still doesn't allow traceroute Message-ID: <20020227222354.GC36724@schlund.de> References: <20020227170928.A54682@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020227170928.A54682@cowbert.2y.net> User-Agent: Mutt/1.3.27i X-Binford: 6100 (more power) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Feb 27, 2002, Peter C. Lai wrote: > I have: > 00600 allow icmp from any to any > > for ipfw, and i still get sendto Permission denied when > I try to traceroute. > > I later also explicitly defined icmptypes 0,3,8,11,13 > and this does not solve the problem. > > any suggestions? Hi Peter, use this: 03900 allow udp from any to any 33434-33523 Alex -- Alex Kiesel PGP Key: 0x09F4FA11 Todays excuse: ATM cell has no roaming feature turned on, notebooks can't connect To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 14:27:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from pi.yip.org (pi.yip.org [199.45.111.121]) by hub.freebsd.org (Postfix) with ESMTP id B9C1837B400 for ; Wed, 27 Feb 2002 14:27:45 -0800 (PST) Received: (from melange@localhost) by pi.yip.org (8.11.3/8.11.3) id g1RMRjW28818 for freebsd-security@FreeBSD.ORG; Wed, 27 Feb 2002 17:27:45 -0500 (EST) (envelope-from melange@yip.org) Date: Wed, 27 Feb 2002 17:27:45 -0500 From: Bob K To: freebsd-security@FreeBSD.ORG Subject: Re: allowing icmp still doesn't allow traceroute Message-ID: <20020227172744.L40253@yip.org> References: <20020227170928.A54682@cowbert.2y.net> <20020227172238.K40253@yip.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: 
<20020227172238.K40253@yip.org>; from melange@yip.org on Wed, Feb 27, 2002 at 05:22:39PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 27, 2002 at 05:22:39PM -0500, Bob K wrote: > On Wed, Feb 27, 2002 at 05:09:28PM -0500, Peter C. Lai wrote: > > I have: > > 00600 allow icmp from any to any > > > > for ipfw, and i still get sendto Permission denied when > > I try to traceroute. > > > > I later also explicitly defined icmptypes 0,3,8,11,13 > > and this does not solve the problem. > > > > any suggestions? > > Add a rule such as this one: > > add unreach port udp from any to any 33434-33524 in recv Sigh, didn't read closely enough, sorry. That'll allow other people to traceroute to you. You want to allow UDP packets in that above range leaving your machine - this should do it: allow udp from any to any 33434-33524 out xmit (the "out xmit " part is optional, depending on the rest of your rules) -- Bob | It's pretty good, if you don't think about it. 
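Why `allow icmp from any to any` on its own still ends in "sendto: Permission denied", and why the outbound UDP rule fixes it, as an added sketch that is not from the thread: a small first-match evaluator in Python that models only protocol, direction, destination port and ICMP type, with a final deny rule as on a kernel built without the default-to-accept option. The rule number 700, the one-probe-per-hop simplification and all helper names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp" or "icmp"
    direction: str                   # "out" (leaving this host) or "in"
    dst_port: Optional[int] = None   # UDP only
    icmp_type: Optional[int] = None  # ICMP only


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                  # "allow", "deny", "unreach port"
    proto: str                                   # "ip" matches every protocol
    direction: Optional[str] = None              # None matches both directions
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range
    icmp_types: Optional[FrozenSet[int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
                return False
        if self.icmp_types is not None and pkt.icmp_type not in self.icmp_types:
            return False
        return True


# Last rule of a default-to-deny kernel: everything not allowed earlier is dropped.
DEFAULT_DENY = Rule(65535, "deny", "ip")


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches pkt."""
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.matches(pkt):
            return rule.action, rule.number
    raise AssertionError("unreachable: the default rule matches everything")


def traceroute(rules: List[Rule], hops: int = 3, base_port: int = 33434) -> List[str]:
    """Model traceroute's default UDP probes, simplified to one probe per hop."""
    results = []
    for ttl in range(1, hops + 1):
        probe = Packet("udp", "out", dst_port=base_port + ttl - 1)
        action, number = evaluate(rules, probe)
        if action != "allow":
            # The firewall refuses the outgoing probe, so the send call fails.
            results.append(f"sendto: Permission denied (rule {number})")
            break
        # Routers answer with time exceeded (type 11); the target answers with
        # destination unreachable (type 3) because nothing listens on the port.
        reply = Packet("icmp", "in", icmp_type=3 if ttl == hops else 11)
        action, number = evaluate(rules, reply)
        results.append(f"hop {ttl}: reply" if action == "allow"
                       else f"hop {ttl}: * (reply dropped by rule {number})")
    return results


# Rule sets from the thread; 700 is a constructed rule number.
ICMP_ONLY = [Rule(600, "allow", "icmp")]
ICMP_TYPES = [Rule(600, "allow", "icmp", icmp_types=frozenset({0, 3, 8, 11, 13}))]
RETRACTED = ICMP_ONLY + [Rule(700, "unreach port", "udp", "in", (33434, 33524))]
FIXED = ICMP_ONLY + [Rule(700, "allow", "udp", "out", (33434, 33524))]
# Variant not in the thread: probes may leave, but only echo types are allowed.
ECHO_ONLY = [Rule(600, "allow", "icmp", icmp_types=frozenset({0, 8})),
             Rule(700, "allow", "udp", "out", (33434, 33524))]

if __name__ == "__main__":
    for name, rules in [("icmp only", ICMP_ONLY), ("retracted", RETRACTED),
                        ("fixed", FIXED), ("echo only", ECHO_ONLY)]:
        print(name, traceroute(rules))
```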
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 14:50:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm25-53-085.ec.rr.com [24.25.53.85]) by hub.freebsd.org (Postfix) with ESMTP id 9617F37B41C for ; Wed, 27 Feb 2002 14:50:37 -0800 (PST) Received: by probsd.ws (8.11.6/8.11.6) id g1RMpor35924 for security@FreeBSD.ORG; Wed, 27 Feb 2002 17:51:50 -0500 (EST) (envelope-from freebsd) Message-Id: <200202272251.g1RMpor35924@probsd.ws> Content-Type: text/plain; charset="iso-8859-1" From: Michael Sharp To: security@FreeBSD.ORG Subject: cvsup Date: Wed, 27 Feb 2002 17:51:50 -0500 X-Mailer: KMail [version 1.3.2] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I ran cvsup on ports 20 minutes ago and noticed that new Makefiles were pulled down for mod_php3 and mod_php4. I then ran portsdb -U to update the INDEX file, but portversion shows that the new Makefiles didnt change the version number. So my question is this... was this the fix for the PHP issue, and all I need to do new is cd to the mod_php4 directory and run 'make deinstall distclean', then do a 'make install' in mod_php4 to rebuild with the new changes? 
michael To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 15: 4:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 87D4237B432 for ; Wed, 27 Feb 2002 15:03:33 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id 2222C1366A; Wed, 27 Feb 2002 18:03:33 -0500 (EST) Date: Wed, 27 Feb 2002 18:03:33 -0500 From: Chris Faulhaber To: Michael Sharp Cc: security@FreeBSD.ORG Subject: Re: cvsup Message-ID: <20020227230332.GA42263@peitho.fxp.org> References: <200202272251.g1RMpor35924@probsd.ws> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qMm9M+Fa2AknHoGS" Content-Disposition: inline In-Reply-To: <200202272251.g1RMpor35924@probsd.ws> User-Agent: Mutt/1.3.24i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable This is actually more of a -ports question... On Wed, Feb 27, 2002 at 05:51:50PM -0500, Michael Sharp wrote: > I ran cvsup on ports 20 minutes ago and noticed that new Makefiles were > pulled down for mod_php3 and mod_php4. I then ran portsdb -U to update the > INDEX file, but portversion shows that the new Makefiles didnt change the > version number. > > So my question is this... was this the fix for the PHP issue, and all I need > to do new is cd to the mod_php4 directory and run 'make deinstall distclean', > then do a 'make install' in mod_php4 to rebuild with the new changes? >
I committed an update earlier marking the ports as FORBIDDEN due to the security issue until the maintainer update the ports. The maintainer updated the ports to the non-vulnerable versions about 1/2 hour ago. Chances are you only received the FORBIDDEN update and may have to way up to another 1/2 hour until the newer changes have propagated. To check, see if the ports are marked with a FORBIDDEN line. You may also use cvsweb: http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_php3/ http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_php4/ to see if the Makefile in your ports tree matches the newest version in the repository. -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --qMm9M+Fa2AknHoGS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: FreeBSD: The Power To Serve iEYEARECAAYFAjx9ZcQACgkQObaG4P6BelDN4QCfXr0WuiGsL1TPmXS19X0Y7QJV Le8An1I/Gg3+GjM5NvOnZd/mblpWGrkg =z6rI -----END PGP SIGNATURE----- --qMm9M+Fa2AknHoGS-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 15:17: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm25-53-085.ec.rr.com [24.25.53.85]) by hub.freebsd.org (Postfix) with ESMTP id 46BF137B429 for ; Wed, 27 Feb 2002 15:16:45 -0800 (PST) Received: by probsd.ws (8.11.6/8.11.6) id g1RNI2135979 for security@FreeBSD.ORG; Wed, 27 Feb 2002 18:18:02 -0500 (EST) (envelope-from freebsd) Message-Id: <200202272318.g1RNI2135979@probsd.ws> Content-Type: text/plain; charset="iso-8859-1" From: Michael Sharp To: security@FreeBSD.ORG Subject: Re: cvsup Date: Wed, 27 Feb 2002 18:18:02 -0500 X-Mailer: KMail [version 1.3.2] References: <200202272251.g1RMpor35924@probsd.ws> <20020227230332.GA42263@peitho.fxp.org>
In-Reply-To: <20020227230332.GA42263@peitho.fxp.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org God forbide, I sent to the wrong list. ppl are more concerned about a posting to a list than putting out something via announcements, ports, errata, smoke signals or something. I'll figure it out myself On Wednesday 27 February 2002 06:03 pm, you wrote: > This is actually more of a -ports question... > > On Wed, Feb 27, 2002 at 05:51:50PM -0500, Michael Sharp wrote: > > I ran cvsup on ports 20 minutes ago and noticed that new Makefiles were > > pulled down for mod_php3 and mod_php4. I then ran portsdb -U to update > > the INDEX file, but portversion shows that the new Makefiles didnt change > > the version number. > > > > So my question is this... was this the fix for the PHP issue, and all I > > need to do new is cd to the mod_php4 directory and run 'make deinstall > > distclean', then do a 'make install' in mod_php4 to rebuild with the new > > changes? > > I committed an update earlier marking the ports as FORBIDDEN due to > the security issue until the maintainer update the ports. The > maintainer updated the ports to the non-vulnerable versions about > 1/2 hour ago. Chances are you only received the FORBIDDEN update > and may have to way up to another 1/2 hour until the newer changes > have propagated. > > To check, see if the ports are marked with a FORBIDDEN line. You may > also use cvsweb: > > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_php3/ > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_php4/ > > to see if the Makefile in your ports tree matches the newest version > in the repository. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 15:52:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.68.158.4]) by hub.freebsd.org (Postfix) with ESMTP id 38F2137B405 for ; Wed, 27 Feb 2002 15:52:19 -0800 (PST) Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [192.168.18.91]) by mafalda.univalle.edu.co (8.12.1/4.3.4) with ESMTP id g1PE87kv003658 for ; Mon, 25 Feb 2002 09:08:07 -0500 (GMT) Received: from libertad.univalle.edu.co (buliwyf@localhost.univalle.edu.co [127.0.0.1]) by libertad.univalle.edu.co (8.12.2/8.12.1) with ESMTP id g1PE885r032572 for ; Mon, 25 Feb 2002 09:08:08 -0500 (COT) Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.12.2/8.12.2/Submit) with ESMTP id g1PE88RX032569 for ; Mon, 25 Feb 2002 09:08:08 -0500 (COT) Date: Mon, 25 Feb 2002 09:08:08 -0500 (COT) From: Buliwyf McGraw To: freebsd-security@FreeBSD.ORG Subject: Changing Passwords through the web (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello friends... I was using webmin to create users by the web... but i need to do an interface for users can change them passwords by the web too. I can not use webmin, because the webmin user need a password... i need an open interface, for everyone who wants change his own password, can do it by the web... I was thinking on suexec apache service... but in the web site i found that suexec doesn't support root scripts anymore... so, i get lost... Any question or sugestion is welcome. 
Thank you ======================================================================= Buliwyf McGraw Administrador del Servidor Libertad Centro de Servicios de Informacion Universidad del Valle ======================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 15:57:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.68.158.4]) by hub.freebsd.org (Postfix) with ESMTP id 35AE337B402 for ; Wed, 27 Feb 2002 15:57:33 -0800 (PST) Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [192.168.18.91]) by mafalda.univalle.edu.co (8.12.1/4.3.4) with ESMTP id g1OEchkv001063 for ; Sun, 24 Feb 2002 09:38:43 -0500 (GMT) Received: from libertad.univalle.edu.co (buliwyf@localhost.univalle.edu.co [127.0.0.1]) by libertad.univalle.edu.co (8.12.2/8.12.1) with ESMTP id g1OEcj5r090328 for ; Sun, 24 Feb 2002 09:38:45 -0500 (COT) Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.12.2/8.12.2/Submit) with ESMTP id g1OEcieI090325 for ; Sun, 24 Feb 2002 09:38:45 -0500 (COT) Date: Sun, 24 Feb 2002 09:38:44 -0500 (COT) From: Buliwyf McGraw To: freebsd-security@FreeBSD.ORG Subject: Changing Passwords through the web Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello friends... I was using webmin to create users by the web... but i need to do an interface for users can change them passwords by the web too. I can not use webmin, because the webmin user need a password... i need an open interface, for everyone who wants change his own password, can do it by the web... I was thinking on suexec apache service... 
but in the web site i found that suexec doesn't support root scripts anymore... so, i get lost... Any question or sugestion is welcome. Thank you ======================================================================= Buliwyf McGraw Administrador del Servidor Libertad Centro de Servicios de Informacion Universidad del Valle ======================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 17:15:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from ariel.dreamlabs.com (ariel.dreamlabs.com [216.129.214.43]) by hub.freebsd.org (Postfix) with ESMTP id E31CB37B41A for ; Wed, 27 Feb 2002 17:15:22 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by ariel.dreamlabs.com (Postfix) with ESMTP id 4AFF7213AF; Wed, 27 Feb 2002 20:15:18 -0500 (EST) Received: from shadow (unknown [24.103.70.130]) by ariel.dreamlabs.com (Postfix) with ESMTP id 868A32138B; Wed, 27 Feb 2002 20:15:11 -0500 (EST) From: "Mit Rowe" To: "Buliwyf McGraw" , Subject: RE: Changing Passwords through the web Date: Wed, 27 Feb 2002 20:15:08 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Virus-Scanned: by AMaViS snapshot-20010714 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org a poppasswd interface is pretty easy... the IMP port uses one for an example implementation. 
> -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Buliwyf McGraw > Sent: February 24, 2002 09:39 > To: freebsd-security@FreeBSD.ORG > Subject: Changing Passwords through the web > > > > Hello friends... > I was using webmin to create users by the web... but i need > to do an interface for users can change them passwords by the > web too. > I can not use webmin, because the webmin user need a password... > i need an open interface, for everyone who wants change his own > password, can do it by the web... > I was thinking on suexec apache service... but in the web site > i found that suexec doesn't support root scripts anymore... > so, i get lost... > > Any question or sugestion is welcome. > Thank you > > ======================================================================= > Buliwyf McGraw > Administrador del Servidor Libertad > Centro de Servicios de Informacion > Universidad del Valle > ======================================================================= > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 17:19:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.68.158.4]) by hub.freebsd.org (Postfix) with ESMTP id 4CF5837B41B for ; Wed, 27 Feb 2002 17:19:17 -0800 (PST) Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [192.168.18.91]) by mafalda.univalle.edu.co (8.12.1/4.3.4) with ESMTP id g1NFaCkv018779 for ; Sat, 23 Feb 2002 10:36:12 -0500 (GMT) Received: from libertad.univalle.edu.co (buliwyf@localhost.univalle.edu.co [127.0.0.1]) by libertad.univalle.edu.co (8.12.2/8.12.1) with ESMTP id g1NFaB5r050439 for ; Sat, 23 Feb 2002 10:36:11 -0500 (COT) Received: from localhost 
(buliwyf@localhost) by libertad.univalle.edu.co (8.12.2/8.12.2/Submit) with ESMTP id g1NFaA4B050436 for ; Sat, 23 Feb 2002 10:36:11 -0500 (COT) Date: Sat, 23 Feb 2002 10:36:10 -0500 (COT) From: Buliwyf McGraw To: freebsd-security@FreeBSD.ORG Subject: Changing Passwords through the web Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello friends... I was using webmin to create users by the web... but i need to do an interface for users can change them passwords by the web too. I can not use webmin, because the webmin user need a password... i need an open interface, for everyone who wants change his own password, can do it... I was thinking on suexec apache service... but in the web site i found that suexec doesn't support root scripts anymore... so, i get lost... Any question or sugestion is welcome. 
Thank you ======================================================================= Buliwyf McGraw Administrador del Servidor Libertad Centro de Servicios de Informacion Universidad del Valle ======================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 27 20:50:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by hub.freebsd.org (Postfix) with ESMTP id A28D037B400; Wed, 27 Feb 2002 20:50:28 -0800 (PST) Received: by mail1.zer0.org (Postfix, from userid 1001) id 404E4239A0D; Wed, 27 Feb 2002 20:50:28 -0800 (PST) Date: Wed, 27 Feb 2002 20:50:28 -0800 From: Gregory Sutter To: Mit Rowe Cc: Buliwyf McGraw , freebsd-security@FreeBSD.ORG, freebsd-chat@freebsd.org Subject: Re: Changing Passwords through the web Message-ID: <20020228045028.GC55856@klapaucius.zer0.org> Reply-To: freebsd-chat@freebsd.org, gsutter@zer0.org Mail-Followup-To: freebsd-chat@freebsd.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="/e2eDi0V/xtL+Mc8" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.27i Organization: Zer0 X-Purpose: For great justice! 
Mail-Copies-To: poster Followup-To: freebsd-chat@freebsd.org X-Followup-To: freebsd-chat@freebsd.org X-Please-Followup-To: freebsd-chat@freebsd.org X-For-The-Love-of-Peace-Please-Followup-To: freebsd-chat@freebsd.org X-Screw-You-If-You-Don't-Followup-To: freebsd-chat@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --/e2eDi0V/xtL+Mc8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

[ moving to -chat; please followup there ]

On 2002-02-27 20:15 -0500, Mit Rowe wrote:
> a poppasswd interface is pretty easy... the IMP port uses one for an example
> implementation.

Are there any general-purpose web-based password management systems? I'm looking for one that can take a user-input password (over https) and keep it in an encrypted file/database, so the administrator can at any time export:
- DES crypted version of password
- MD5 crypted version of password
- SHA crypted version of password
- unencrypted password (optional)
- etc.

Greg
--
Gregory S. Sutter Good judgement comes from experience. mailto:gsutter@zer0.org Experience comes from bad judgement.
http://www.zer0.org/~gsutter/ hkp://wwwkeys.pgp.net/0x845DFEDD --/e2eDi0V/xtL+Mc8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: '' iD8DBQE8fbcUIBUx1YRd/t0RAt4fAJ4iKE30KprkowDAWDwjLtdptA7t/ACfdN4+ zk6CXLL4L0276adIC7bK5HY= =ozOg -----END PGP SIGNATURE----- --/e2eDi0V/xtL+Mc8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 2:47:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (support.nanolink.com [217.75.134.33]) by hub.freebsd.org (Postfix) with SMTP id 30BBE37B400 for ; Thu, 28 Feb 2002 02:47:13 -0800 (PST) Received: (qmail 5479 invoked by uid 1000); 28 Feb 2002 10:47:30 -0000 Date: Thu, 28 Feb 2002 12:47:29 +0200 From: Peter Pentchev To: Michael Sharp Cc: security@FreeBSD.ORG Subject: Re: cvsup Message-ID: <20020228124729.B456@straylight.oblivion.bg> Mail-Followup-To: Michael Sharp , security@FreeBSD.ORG References: <200202272251.g1RMpor35924@probsd.ws> <20020227230332.GA42263@peitho.fxp.org> <200202272318.g1RNI2135979@probsd.ws> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SkvwRMAIpAhPCcCJ" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200202272318.g1RNI2135979@probsd.ws>; from mds@ec.rr.com on Wed, Feb 27, 2002 at 06:18:02PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --SkvwRMAIpAhPCcCJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Feb 27, 2002 at 06:18:02PM -0500, Michael Sharp wrote: > On Wednesday 27 February 2002 06:03 pm, you wrote: > > This is actually more of a -ports question... 
> >
> > On Wed, Feb 27, 2002 at 05:51:50PM -0500, Michael Sharp wrote:
> > > I ran cvsup on ports 20 minutes ago and noticed that new Makefiles were
> > > pulled down for mod_php3 and mod_php4. I then ran portsdb -U to update
> > > the INDEX file, but portversion shows that the new Makefiles didn't change
> > > the version number.
> > >
> > > So my question is this... was this the fix for the PHP issue, and all I
> > > need to do now is cd to the mod_php4 directory and run 'make deinstall
> > > distclean', then do a 'make install' in mod_php4 to rebuild with the new
> > > changes?
> >
> > I committed an update earlier marking the ports as FORBIDDEN due to
> > the security issue until the maintainer updates the ports. The
> > maintainer updated the ports to the non-vulnerable versions about
> > 1/2 hour ago. Chances are you only received the FORBIDDEN update
> > and may have to wait up to another 1/2 hour until the newer changes
> > have propagated.
> >
> > To check, see if the ports are marked with a FORBIDDEN line. You may
> > also use cvsweb:
> >
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_php3/
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/mod_php4/
> >
> > to see if the Makefile in your ports tree matches the newest version
> > in the repository.
>
> God forbid, I sent to the wrong list. ppl are more concerned about a posting
> to a list than putting out something via announcements, ports, errata, smoke
> signals or something. I'll figure it out myself

Erm, you did notice, did you not, that Chris actually replied to your question with a nice explanation of the FORBIDDEN tag and the updated versions?

As for the advisories, I expect one would go out shortly - drafting and issuing a security advisory is not too simple, it is definitely not just a matter of sitting down for five minutes and spewing out a couple of pages of text..
G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence would be seven words long if it were six words shorter. --SkvwRMAIpAhPCcCJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjx+CsAACgkQ7Ri2jRYZRVOiUwCgs4gXY/tak4Ut4flW3G1rusZV PjcAmgIfM/Rym6UK16qa2TySeN8tqKSJ =2U9f -----END PGP SIGNATURE----- --SkvwRMAIpAhPCcCJ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 2:55:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.unibe.ch (mailhub.unibe.ch [130.92.9.52]) by hub.freebsd.org (Postfix) with ESMTP id B3C8C37B402 for ; Thu, 28 Feb 2002 02:55:14 -0800 (PST) Received: from CONVERSION-DAEMON.mailhub.unibe.ch by mailhub.unibe.ch (PMDF V6.1 #40086) id <0GS800001P01Z2@mailhub.unibe.ch> for freebsd-security@freebsd.org; Thu, 28 Feb 2002 11:55:13 +0100 (MET) Received: from iamexwi.unibe.ch (haegar.unibe.ch [130.92.63.4]) by mailhub.unibe.ch (PMDF V6.1 #40086) with ESMTP id <0GS800EEGP01BJ@mailhub.unibe.ch> for freebsd-security@freebsd.org; Thu, 28 Feb 2002 11:55:13 +0100 (MET) Received: from klee.unibe.ch (klee [130.92.63.36]) by iamexwi.unibe.ch (8.9.3+Sun/8.8.8) with ESMTP id LAA24680 for ; Thu, 28 Feb 2002 11:55:13 +0100 (MET) Received: (from roth@localhost) by klee.unibe.ch (8.10.2+Sun/8.10.2) id g1SAtAA21796 for freebsd-security@freebsd.org; Thu, 28 Feb 2002 11:55:10 +0100 (MET) Date: Thu, 28 Feb 2002 11:55:10 +0100 From: Tobias Roth Subject: Re: PHP 4.1.1 security bug In-reply-to: <"from melange"@yip.org> To: freebsd-security@freebsd.org Message-id: <20020228115510.A21754@klee.unibe.ch> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.2.5.1i References: <"from mitayai"@dreamlabs.com> <20020227152720.G40253@yip.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Wed, Feb 27, 2002 at 01:11:23PM -0500, Mit Rowe wrote: > > Ref: > > http://www.php.net > > http://security.e-matters.de/advisories/012002.html > > The advisory mentions a workaround (Recommendation) for php4 > (file_uploads in php.ini), but nothing for php3 - does anyone know if > there is something that can be done for that besides disabling it? > (until it's finished recompiling, I mean) I tried this workaround, but I don't know if everything is ok: with file_uploads = On, phpinfo() shows file_uploads = 1 with file_uploads = Off, phpinfo() shows file_uploads = no value so is 'no value' OK? I'd rather see a 'Off' instead cheers, T. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 4:44:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id BA66837B417 for ; Thu, 28 Feb 2002 04:44:45 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g1SCidK27952; Thu, 28 Feb 2002 06:44:39 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id GAA23444; Thu, 28 Feb 2002 06:44:38 -0600 (CST) Message-ID: <3C7E2634.87A8D746@centtech.com> Date: Thu, 28 Feb 2002 06:44:36 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Buliwyf McGraw Cc: 
freebsd-security@freebsd.org Subject: Re: Changing Passwords through the web References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

The way I have done this type of thing in the past, is I have a web/cgi script that takes the user's old password, checks it against the password file, takes the new passwords, checks it against a "bad password" list, then I store it, and have a cron job run a separate script (as root) to do the password changing. I feel it protects you against suid web stuff (which I am totally against). If you can write programs well and know how to look for holes of that sort, you should be fine.

Eric

Buliwyf McGraw wrote:
>
> Hello friends...
> I was using webmin to create users by the web... but i need
> to do an interface for users can change them passwords by the
> web too.
> I can not use webmin, because the webmin user need a password...
> i need an open interface, for everyone who wants change his own
> password, can do it...
> I was thinking on suexec apache service... but in the web site
> i found that suexec doesn't support root scripts anymore...
> so, i get lost...
>
> Any question or suggestion is welcome.
> Thank you
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
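The two-stage design described in the message above (an unprivileged CGI that validates and queues, and a root cron job that applies the change), as an added example that is not code from the thread or from any poster. The spool layout, the function names, the `verify_old` and `apply_change` callbacks and the protected-account list are assumptions made for the example.

```python
import json
import os
import re
import secrets
import stat

# Assumed policy values for this example (not from the thread).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
PROTECTED = {"root", "toor", "daemon", "operator", "bin"}
MAX_REQUEST_BYTES = 4096


class Rejected(Exception):
    """Request refused by the web-facing stage."""


def queue_request(spool, user, old_pw, new_pw, verify_old, bad_passwords):
    """Stage 1, run as the unprivileged web user: validate, then queue.

    verify_old(user, old_pw) is a hypothetical callback standing in for the
    check against the password file. Returns the path of the queued request.
    """
    if not USERNAME_RE.fullmatch(user):
        raise Rejected("invalid user name")
    if not verify_old(user, old_pw):
        raise Rejected("old password does not match")
    if len(new_pw) < 8 or "\n" in new_pw or new_pw.lower() in bad_passwords:
        raise Rejected("new password not acceptable")
    name = secrets.token_hex(8)
    tmp = os.path.join(spool, "." + name + ".tmp")
    final = os.path.join(spool, name + ".req")
    # O_EXCL never reuses an existing path; mode 0600 keeps the queued
    # password away from other local users until the root job consumes it.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"user": user, "new": new_pw}, fh)
    os.rename(tmp, final)  # atomic, so stage 2 never reads a partial file
    return final


def _load_request(path, web_uid):
    """Return the parsed request, or None if the file is not trustworthy."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    except OSError:
        return None
    with os.fdopen(fd) as fh:
        st = os.fstat(fh.fileno())
        if not (stat.S_ISREG(st.st_mode) and st.st_uid == web_uid
                and stat.S_IMODE(st.st_mode) == 0o600
                and st.st_size <= MAX_REQUEST_BYTES):
            return None
        try:
            req = json.load(fh)
        except ValueError:
            return None
    return req if isinstance(req, dict) else None


def process_spool(spool, web_uid, apply_change):
    """Stage 2, run from cron as root: re-validate everything, then apply.

    apply_change(user, new_pw) is a hypothetical callback; on FreeBSD it
    could feed the password to `pw usermod <user> -h 0` on stdin.
    Returns the list of accounts that were changed.
    """
    changed = []
    for entry in sorted(os.listdir(spool)):
        if not entry.endswith(".req"):
            continue
        path = os.path.join(spool, entry)
        req = _load_request(path, web_uid)
        if req is None:
            continue  # leave suspicious files in place for the admin
        os.unlink(path)  # each request gets exactly one attempt
        user, new_pw = req.get("user"), req.get("new")
        if not isinstance(user, str) or not isinstance(new_pw, str):
            continue
        # From root's point of view the web tier is untrusted: repeat checks.
        if not USERNAME_RE.fullmatch(user) or user in PROTECTED:
            continue
        if "\n" in new_pw:
            continue
        apply_change(user, new_pw)
        changed.append(user)
    return changed
```

The root stage repeats the user-name check and refuses system accounts because a compromised web process can write anything it likes into the spool.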
------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 6:47:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from post.webmailer.de (natwar.webmailer.de [192.67.198.70]) by hub.freebsd.org (Postfix) with ESMTP id 2FF2E37B405 for ; Thu, 28 Feb 2002 06:47:42 -0800 (PST) Received: from pinguin.rompcik (dial-195-14-254-71.netcologne.de [195.14.254.71]) by post.webmailer.de (8.9.3/8.8.7) with SMTP id PAA22250 for ; Thu, 28 Feb 2002 15:47:38 +0100 (MET) Content-Type: text/plain; charset="iso-8859-1" From: Oliver Rompcik To: freebsd-security@FreeBSD.ORG Subject: Multiple Vulnerabilities in PHP fileupload Date: Thu, 28 Feb 2002 15:55:49 +0100 X-Mailer: KMail [version 1.2] MIME-Version: 1.0 Message-Id: <02022815554902.01017@pinguin.rompcik> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org CERT reported several vulnerabilities in all PHP Versions <= 4.1.1. See advisory at http://www.cert.org/advisories/CA-2002-05.html Fixed version of PHP 4.1.2 is available at http://www.php.net. Until fixed FreeBSD binary package is available, users should build 4.1.2 from source. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 7: 3:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx2.itb.ac.id (mx2.itb.ac.id [202.249.24.69]) by hub.freebsd.org (Postfix) with ESMTP id C7D7037B417 for ; Thu, 28 Feb 2002 07:03:07 -0800 (PST) Received: from tf.itb.ac.id (server.tf.ITB.ac.id [167.205.26.30]) by mx2.itb.ac.id (Postfix) with SMTP id 33C673E365 for ; Thu, 28 Feb 2002 22:02:31 +0700 (JAVT) Received: (qmail 6633 invoked by uid 19773); 28 Feb 2002 15:02:31 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Feb 2002 15:02:31 -0000 Date: Thu, 28 Feb 2002 22:02:31 +0700 (JAVT) From: Heriyadi To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 7:35: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (support.nanolink.com [217.75.134.33]) by hub.freebsd.org (Postfix) with SMTP id 550C337B402 for ; Thu, 28 Feb 2002 07:34:57 -0800 (PST) Received: (qmail 75722 invoked by uid 1000); 28 Feb 2002 15:35:13 -0000 Date: Thu, 28 Feb 2002 17:35:13 +0200 From: Peter Pentchev To: Oliver Rompcik Cc: freebsd-security@FreeBSD.ORG Subject: Re: Multiple Vulnerabilities in PHP fileupload Message-ID: <20020228173513.E456@straylight.oblivion.bg> Mail-Followup-To: Oliver Rompcik , freebsd-security@FreeBSD.ORG References: <02022815554902.01017@pinguin.rompcik> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="KDt/GgjP6HVcx58l" Content-Disposition: inline User-Agent: 
Mutt/1.2.5i In-Reply-To: <02022815554902.01017@pinguin.rompcik>; from rompcik@informatik.uni-bonn.de on Thu, Feb 28, 2002 at 03:55:49PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --KDt/GgjP6HVcx58l Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Feb 28, 2002 at 03:55:49PM +0100, Oliver Rompcik wrote:
> CERT reported several vulnerabilities in all PHP Versions <= 4.1.1.
> See advisory at http://www.cert.org/advisories/CA-2002-05.html
>
> Fixed version of PHP 4.1.2 is available at http://www.php.net.
> Until fixed FreeBSD binary package is available, users should build 4.1.2
> from source.

..or from the www/mod_php port, which was updated to include a fix for this vulnerability 17 hours ago, at Wed Feb 27 22:17:22 2002 UTC.

G'luck, Peter
--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 When you are not looking at it, this sentence is in Spanish.
--KDt/GgjP6HVcx58l Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjx+TjEACgkQ7Ri2jRYZRVO+SACdHj4kw1gqe3NMIr9BqVdfWEMA yskAnjJnL9LoeZs0023NpVPBVtfvvHxB =M5dO -----END PGP SIGNATURE----- --KDt/GgjP6HVcx58l-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 7:35:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mile.nevermind.kiev.ua (freebsddiary.org.ua [213.186.199.26]) by hub.freebsd.org (Postfix) with ESMTP id CAD7037B42A for ; Thu, 28 Feb 2002 07:35:29 -0800 (PST) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.6/8.11.4) id g1SFZNw49223 for security@FreeBSD.Org; Thu, 28 Feb 2002 17:35:23 +0200 (EET) (envelope-from never) Date: Thu, 28 Feb 2002 17:35:12 +0200 From: Nevermind To: security@FreeBSD.Org Subject: mod_ssl Buffer Overflow Message-ID: <20020228153512.GA48368@nevermind.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline User-Agent: Mutt/1.3.26i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org http://marc.theaimsgroup.com/?l=bugtraq&m=101484301309557 SYNOPSIS mod_ssl (www.modssl.org) is a commonly used Apache module that provides strong cryptography for the Apache web server. The module utilizes OpenSSL (formerly SSLeay) for the SSL implementation. modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment, however, for reasons detailed below. 
CAUSE The session caching mechanisms utilizing dbm and shared memory utilize the OpenSSL routine i2d_SSL_SESSION, which "serializes" an SSL session into a format that can be stored in the session cache. The OpenSSL docs inform us: When using i2d_SSL_SESSION(), the memory location pointed to by pp must be large enough to hold the binary representation of the session. There is no known limit on the size of the created ASN1 representation, so the necessary amount of space should be obtained by first calling i2d_SSL_SESSION() with pp=NULL, and obtain the size needed, then allocate the memory and call i2d_SSL_SESSION() again. mod_ssl < the version listed above do not do this, however, and could potentially lead to an overflow of the static buffer used by mod_ssl for holding the contents of the serialized session. .... -- NEVE-RIPE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 18: 9:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from devilhome.gielstrup.dk (cpe.atm0-0-0-129268.0x3ef27dd9.bynxx3.customer.tele.dk [62.242.125.217]) by hub.freebsd.org (Postfix) with ESMTP id 2B61437B41D for ; Thu, 28 Feb 2002 18:09:47 -0800 (PST) Received: from Christian (home [10.0.0.120]) by devilhome.gielstrup.dk (Postfix) with SMTP id 64630145A25 for ; Fri, 1 Mar 2002 03:09:47 +0100 (CET) Message-ID: <004b01c1c0c6$1b413380$7800000a@gielstrup.dk> From: "Christian Gielstrup" To: Subject: resolve ipaddr and ports in logs Date: Fri, 1 Mar 2002 03:09:22 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: 
X-Loop: FreeBSD.org

Greetings from Denmark..

Is it possible to have the ipaddresses and ports resolved on the rules that are logged? I mean similar to the output produced by ipfw -N s

E.g every connection reaching to my last reachable rule (/sbin/ipfw a 999 deny l a f a t a). (Default 65535 rule is missing the log option) It would be nice if ip's and ports could be resolved into names, via DNS, host file and the services file. I realize the extra load this could give a fw under "attack", but who isn`t limiting the log amount.

Best regards, Christian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 28 18:36:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id D476337B405 for ; Thu, 28 Feb 2002 18:36:45 -0800 (PST) Received: from isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.6/8.11.2) with ESMTP id g212aA104411; Fri, 1 Mar 2002 13:36:13 +1100 (EST) (envelope-from marka@isc.org) Message-Id: <200203010236.g212aA104411@drugs.dv.isc.org> To: "Christian Gielstrup" Cc: freebsd-security@freebsd.org From: Mark.Andrews@isc.org Subject: Re: resolve ipaddr and ports in logs In-reply-to: Your message of "Fri, 01 Mar 2002 03:09:22 BST." <004b01c1c0c6$1b413380$7800000a@gielstrup.dk> Date: Fri, 01 Mar 2002 13:36:10 +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Greetings from Denmark..
>
> Is it possible to have the ipaddresses and ports resolved on the rules
> that are logged?
> I mean similar to the output produced by ipfw -N s
>
> E.g every connection reaching to my last reachable rule (/sbin/ipfw a
> 999 deny l a f a t a).
(Default 65535 rule is missing the log option)
> It would be nice if ip's and ports could be resolved into names, via
> DNS, host file and the services file.
> I realize the extra load this could give a fw under "attack", but who
> isn`t limiting the log amount.

You want the kernel to perform DNS lookups for you?

Just post process the logs if you want this information.

Mark
>
> Best regards,
>
> Christian
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 2: 6:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.zrz.tu-berlin.de (mail.zrz.TU-Berlin.DE [130.149.4.15]) by hub.freebsd.org (Postfix) with ESMTP id 67DE137B400 for ; Fri, 1 Mar 2002 02:06:49 -0800 (PST) Received: from p-164-123.zrz.tu-berlin.de ([130.149.164.123] helo=math.tu-berlin.de) by mail.zrz.tu-berlin.de with esmtp (exim-3.35) id 16gjw8-0000vv-00; Fri, 01 Mar 2002 11:06:48 +0100 Received: from localhost (petros@localhost) by math.tu-berlin.de (8.9.3/8.9.3) with ESMTP id LAA09423; Fri, 1 Mar 2002 11:07:07 +0100 (CET) (envelope-from peter.ross@alumni.tu-berlin.de) X-Authentication-Warning: sorchen.zrz.tu-berlin.de: petros owned process doing -bs Date: Fri, 1 Mar 2002 11:07:07 +0100 (CET) From: Peter Ross X-Sender: petros@sorchen.zrz.tu-berlin.de To: Christian Gielstrup Cc: freebsd-security@freebsd.org Subject: Re: resolve ipaddr and ports in logs In-Reply-To: <004b01c1c0c6$1b413380$7800000a@gielstrup.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions)
List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi Christian > Greetings from Denmark.. Hi, greetings from your southern neighbour in Germany:) > Is it possible to have the ipaddresses and ports resolved on the rules > that are logged? I think it isn't a good idea cause it takes too much time and traffic. If there are Disastrous Name Service (DNS) problems the output may stop. And you need the logs if you have problems.. Write a script which takes the log file, performs the DNS lookups, looks in /etc/services and write the resolved addresses and ports to the output. You need the resolved addresses only if you look over. Regards Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 2:10:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from euromedia.pl (trinity.euromedia.pl [62.233.132.2]) by hub.freebsd.org (Postfix) with SMTP id 8789337B417 for ; Fri, 1 Mar 2002 02:10:39 -0800 (PST) Received: (qmail 30894 invoked by uid 85); 1 Mar 2002 10:10:39 -0000 Received: from lw@euromedia.pl by trinity.euromedia.pl by uid 82 with qmail-scanner-1.10 (Antyvir Scan.. Clear:0. 
Processed in 0.618964 secs); 01 Mar 2002 10:10:39 -0000 Received: from unknown (HELO lw.euromedia.pl) (62.233.132.6) by trinity.euromedia.pl with SMTP; 1 Mar 2002 10:10:38 -0000 Date: Fri, 1 Mar 2002 11:14:16 +0100 From: Lukasz Wojtow Cc: lists@gielstrup.dk, freebsd-security@freebsd.org Subject: Re: resolve ipaddr and ports in logs Message-Id: <20020301111416.304a1832.lw@euromedia.pl> In-Reply-To: References: <004b01c1c0c6$1b413380$7800000a@gielstrup.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > Is it possible to have the ipaddresses and ports resolved on the rules > > that are logged? > Write a script which takes the log file, performs the DNS lookups, > looks in /etc/services and write the resolved addresses and ports to the > output. fwlogwatch doing such thing, nice tool best regards (from Poland this time ;) Lukasz -- "... az w jedna krotka chwile, pojmiesz po co zyjesz ..." 
Perfect "Kolysanka dla nieznajomej" Lukasz Wojtow To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 3:59:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.imp.ch (mail.imp.ch [157.161.1.2]) by hub.freebsd.org (Postfix) with ESMTP id 306F337B41D for ; Fri, 1 Mar 2002 03:59:33 -0800 (PST) Received: from levais.imp.ch (levais.imp.ch [157.161.4.66]) by mail.imp.ch (8.11.6/8.11.6) with ESMTP id g21Bxia33477 for ; Fri, 1 Mar 2002 12:59:45 +0100 (CET) Date: Fri, 1 Mar 2002 13:01:13 +0100 (CET) From: Martin Blapp To: Subject: implementing non-executable pages for IA-32 processors Message-ID: <20020301125948.W40806-100000@levais.imp.ch> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Could this adapted to FreeBSD ? 
http://pageexec.virtualave.net/pageexec.txt Martin Martin Blapp, ------------------------------------------------------------------ ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH Phone: +41 061 826 93 00: +41 61 826 93 01 PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 5:55:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP2.MC.VANDERBILT.EDU (mcsmtp2.mc.Vanderbilt.Edu [160.129.50.78]) by hub.freebsd.org (Postfix) with ESMTP id 33FD237B41A for ; Fri, 1 Mar 2002 05:55:08 -0800 (PST) Subject: ipfw and DHCP To: freebsd-security@freebsd.org X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001 Message-ID: From: George.Giles@mcmail.vanderbilt.edu Date: Fri, 1 Mar 2002 07:52:26 -0600 X-MIMETrack: Serialize by Router on MCSMTP2.MC.vanderbilt.edu/VUMC/Vanderbilt(Release 5.0.6a |January 17, 2001) at 03/01/2002 07:44:27 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script ? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 5:58: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122]) by hub.freebsd.org (Postfix) with ESMTP id EBFD337B417 for ; Fri, 1 Mar 2002 05:58:06 -0800 (PST) Received: (from david@localhost) by bunrab.catwhisker.org (8.11.6/8.11.6) id g21Dw6i06900; Fri, 1 Mar 2002 05:58:06 -0800 (PST) (envelope-from david) Date: Fri, 1 Mar 2002 05:58:06 -0800 (PST) From: David Wolfskill Message-Id: <200203011358.g21Dw6i06900@bunrab.catwhisker.org> To: freebsd-security@FreeBSD.ORG, George.Giles@mcmail.vanderbilt.edu Subject: Re: ipfw and DHCP In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >From: George.Giles@mcmail.vanderbilt.edu >Date: Fri, 1 Mar 2002 07:52:26 -0600 >How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script >? From "man ipfw": src and dst: any | me | [not]
[ports]

Specifying any makes the rule match any IP address.

Specifying me makes the rule match any IP address configured on an interface in the system.

Cheers, david (links to my resume at http://www.catwhisker.org/~david)
--
David H. Wolfskill david@catwhisker.org I believe it would be irresponsible (and thus, unethical) for me to advise, recommend, or support the use of any product that is or depends on any Microsoft product for any purpose other than personal amusement.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 6: 0: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from heresy.dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 81AD337B402 for ; Fri, 1 Mar 2002 05:59:51 -0800 (PST) Received: (qmail 52633 invoked by uid 1000); 1 Mar 2002 13:59:50 -0000 Date: Fri, 1 Mar 2002 14:59:50 +0100 From: Bart Matthaei To: George.Giles@mcmail.vanderbilt.edu Cc: security@freebsd.org Subject: Re: ipfw and DHCP Message-ID: <20020301145949.D50583@heresy.dreamflow.nl> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="zYM0uCDKw75PZbzx" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Fri, Mar 01, 2002 at 07:52:26AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --zYM0uCDKw75PZbzx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Fri, Mar 01, 2002 at 07:52:26AM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script
> ?

There are some ways (scripting) to pass the ip from dhclient to rc.firewall.
But in a DHCP setup, I would advise you to use interfaces in your firewall, instead of IPs. Example:

ipfw add deny tcp from any to any 22 recv $external_interface

instead of

ipfw add deny tcp from any to $dhcp_ip 22

HTH. Regards, Bart -- Bart Matthaei bart@dreamflow.nl Kiss me twice. I'm schizophrenic. --zYM0uCDKw75PZbzx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8f4lVgcc6pR+tCegRAuVtAKDDNzRrCAAf0+WKA+eOMiPxwIwvWACeN7b8 9Nu8BmndcZavGvyM7HEWKfM= =0kYX -----END PGP SIGNATURE----- --zYM0uCDKw75PZbzx-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 6: 8:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.terraempresas.com.br (mail.terraempresas.com.br [200.177.96.20]) by hub.freebsd.org (Postfix) with ESMTP id CF5DF37B417 for ; Fri, 1 Mar 2002 06:08:34 -0800 (PST) Received: from [200.177.125.11] (ws1-tic.terraempresas.com.br [200.177.125.9]) by mail.terraempresas.com.br (8.12.2/8.11.2) with SMTP id g21E8W1k002066 for ; Fri, 1 Mar 2002 11:08:32 -0300 From: "Paulo Henrique" To: Received: from no.name.available by [200.177.125.11] via smtpd (for mail.terraempresas.com.br [200.177.96.20]) with SMTP; 1 Mar 2002 14:19:37 UT Subject: unsubscribe Date: Fri, 1 Mar 2002 11:08:51 -0300 Message-ID: <00eb01c1c12a$9dffaa90$0939a8c0@terraempresas.com.br> MIME-Version: 1.0 Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=signed-data Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7m" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List 
Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 10: 2:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6B4AD37B440 for ; Fri, 1 Mar 2002 10:02:29 -0800 (PST) Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id g21I2Kq90478; Fri, 1 Mar 2002 13:02:20 -0500 (EST) (envelope-from arr@FreeBSD.org) X-Authentication-Warning: fledge.watson.org: arr owned process doing -bs Date: Fri, 1 Mar 2002 13:02:19 -0500 (EST) From: "Andrew R. Reiter" X-Sender: arr@fledge.watson.org To: Martin Blapp Cc: freebsd-security@FreeBSD.org Subject: Re: implementing non-executable pages for IA-32 processors In-Reply-To: <20020301125948.W40806-100000@levais.imp.ch> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 1 Mar 2002, Martin Blapp wrote: : :Hi, : :Could this adapted to FreeBSD ? Yes. -- Andrew R. 
Reiter arr@watson.org arr@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 10:40:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from FreeBSD.Happydays.DynDNS.Org (adsl-65-66-152-44.dsl.kscymo.swbell.net [65.66.152.44]) by hub.freebsd.org (Postfix) with ESMTP id 5E60A37B402 for ; Fri, 1 Mar 2002 10:40:30 -0800 (PST) Received: from WinME (winme.happydays.local [10.240.98.11]) by FreeBSD.Happydays.DynDNS.Org (8.11.6/8.11.6) with SMTP id g21IeTn04548 for ; Fri, 1 Mar 2002 12:40:29 -0600 (CST) (envelope-from dweimer@happydays.dyndns.org) Reply-To: From: "Dean E. Weimer" To: "Freebsd-Security (E-mail)" Subject: IPFilter Questions Date: Fri, 1 Mar 2002 12:40:32 -0600 Message-ID: <000401c1c150$92091de0$0b62f00a@Happydays.Local> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I recently set up IPFilter on my FreeBSD 4-5 system, And have most things working one thing that isn't is http downloads, I can browse the web just fine, and even right click on an image and do a save image as, however if I go to Microsoft's download page and try to download something, I receive the first packet, and everything else gets blocked. Here are the relevant rules from my ipf.rules file. 

pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
pass out quick on tun0 proto tcp from any to any port = 80 keep state

block return-rst in log quick on tun0 proto tcp from any to any keep state
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
block in log on tun0 all
block out log on tun0 all

The first Rule seems to work fine allowing me to browse the web pages on my system just fine, it keeps the state open and allows port 80 out after it receives the connection. The second rule works fine forcing my windows clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 running on firewall server), which the third rule then allows to go out, and keeps the state open to allow text and images back in. Now what doesn't happen, is downloads, if I click a link to download a file, I get the first packet, and then it hangs. Looking at the logs gives me this:

First from ipmon:
(date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
(date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN

Then with ipfstat -t:
64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31

64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the IP address of Microsoft's Server.

The questions??
What I want to know is why the download is being blocked, and not being passed in because of the state that should have been saved from the outbound connection? Did I just miss something simple??
Also is this the correct way to handle dynamic IP's? I have an "ipf -y" command in my link.up and link.down scripts.

Thanks, Dean E. 
Weimer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 10:51:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 5AF3F37B405 for ; Fri, 1 Mar 2002 10:51:40 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g21IpdK08126; Fri, 1 Mar 2002 12:51:39 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id MAA02875; Fri, 1 Mar 2002 12:51:39 -0600 (CST) Message-ID: <3C7FCDB6.FD151D09@centtech.com> Date: Fri, 01 Mar 2002 12:51:34 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: dweimer@swbell.net Cc: "Freebsd-Security (E-mail)" Subject: Re: IPFilter Questions References: <000401c1c150$92091de0$0b62f00a@Happydays.Local> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is it using FTP or HTTP to do the transfer? Eric "Dean E. Weimer" wrote: > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most things > working one thing that isn't is http downloads, I can browse the web just > fine, and even right click on an image and do a save image as, however if I > go to Microsoft's download page and try to download something, I receive the > first packet, and everything else gets blocked. Here are the relevant rules > from my ipf.rules file. 
> > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state > keep frags > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 > keep state > pass out quick on tun0 proto tcp from any to any port = 80 keep state > > block return-rst in log quick on tun0 proto tcp from any to any keep state > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any > to any keep state > block in log on tun0 all > block out log on tun0 all > > The first Rule seems to work fine allowing me to browse the web pages on my > system just fine, it keeps the state open and allows port 80 out after it > receives the connection. The second rule works fine forcing my windows > clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 > running on firewall server), which the third rule then allows to go out, and > keeps the state open to allow text and images back in. Now what doesn't > happen, is downloads, if I click a link to download a file, I get the first > packet, and then it hangs. Looking at the logs gives me this: > > First from ipmon: > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 > 1492 -A K-S IN > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len > 20 1492 -A K-S IN > > Then with ipfstat -t: > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 > 0:15 > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 > 1:59:31 > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the > IP address of Microsoft's Server. > > The questions?? > What I want to know is why the download is being blocked, and not being > passed in because of the state that should have been saved from the outbound > connection? Did I just miss something simple?? > Also is this the correct way to handle dynamic IP's? I have an "ipf -y" > command in my link.up and link.down scripts. > > Thanks, > Dean E. 
Weimer > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 10:57:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from FreeBSD.Happydays.DynDNS.Org (adsl-65-66-152-44.dsl.kscymo.swbell.net [65.66.152.44]) by hub.freebsd.org (Postfix) with ESMTP id 3071737B41A for ; Fri, 1 Mar 2002 10:57:43 -0800 (PST) Received: from localhost (dweimer@localhost) by FreeBSD.Happydays.DynDNS.Org (8.11.6/8.11.6) with ESMTP id g21IvcA04795; Fri, 1 Mar 2002 12:57:38 -0600 (CST) (envelope-from dweimer@Happydays.DynDNS.Org) Date: Fri, 1 Mar 2002 12:57:38 -0600 (CST) From: "Dean E. Weimer" To: Eric Anderson Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)" Subject: Re: IPFilter Questions In-Reply-To: <3C7FCDB6.FD151D09@centtech.com> Message-ID: <20020301125603.J4731-100000@FreeBSD.Happydays.DynDNS.Org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I would be assuming that it is http since the port that is in the output from ipmon is 80, however if it were trying passive ftp this would cause the problem. On Fri, 1 Mar 2002, Eric Anderson wrote: > Is it using FTP or HTTP to do the transfer? > > Eric > > > "Dean E. 
Weimer" wrote: > > > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most things > > working one thing that isn't is http downloads, I can browse the web just > > fine, and even right click on an image and do a save image as, however if I > > go to Microsoft's download page and try to download something, I receive the > > first packet, and everything else gets blocked. Here are the relevant rules > > from my ipf.rules file. > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state > > keep frags > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 > > keep state > > pass out quick on tun0 proto tcp from any to any port = 80 keep state > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any > > to any keep state > > block in log on tun0 all > > block out log on tun0 all > > > > The first Rule seems to work fine allowing me to browse the web pages on my > > system just fine, it keeps the state open and allows port 80 out after it > > receives the connection. The second rule works fine forcing my windows > > clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 > > running on firewall server), which the third rule then allows to go out, and > > keeps the state open to allow text and images back in. Now what doesn't > > happen, is downloads, if I click a link to download a file, I get the first > > packet, and then it hangs. 
Looking at the logs gives me this: > > > > First from ipmon: > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 > > 1492 -A K-S IN > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len > > 20 1492 -A K-S IN > > > > Then with ipfstat -t: > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 > > 0:15 > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 > > 1:59:31 > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the > > IP address of Microsoft's Server. > > > > The questions?? > > What I want to know is why the download is being blocked, and not being > > passed in because of the state that should have been saved from the outbound > > connection? Did I just miss something simple?? > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y" > > command in my link.up and link.down scripts. > > > > Thanks, > > Dean E. Weimer > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > ------------------------------------------------------------------ > Eric Anderson Systems Administrator Centaur Technology > If at first you don't succeed, sky diving is probably not for you. 
> ------------------------------------------------------------------ > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 11: 3:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id D102337B400 for ; Fri, 1 Mar 2002 11:03:14 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g21J3DK08404; Fri, 1 Mar 2002 13:03:13 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id NAA03212; Fri, 1 Mar 2002 13:03:13 -0600 (CST) Message-ID: <3C7FD06D.A449F035@centtech.com> Date: Fri, 01 Mar 2002 13:03:09 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: "Dean E. Weimer" Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)" Subject: Re: IPFilter Questions References: <20020301125603.J4731-100000@FreeBSD.Happydays.DynDNS.Org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm assuming nothing. I would try an ftp, and an http download from NON-MS sites.. I've had troubles in the past with them if I don't use IE5.x or "better".. Eric "Dean E. Weimer" wrote: > > I would be assuming that it is http since the port that is in the output > from ipmon is 80, however if it were trying passive ftp this would cause > the problem. > > On Fri, 1 Mar 2002, Eric Anderson wrote: > > > Is it using FTP or HTTP to do the transfer? > > > > Eric > > > > > > "Dean E. 
Weimer" wrote: > > > > > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most things > > > working one thing that isn't is http downloads, I can browse the web just > > > fine, and even right click on an image and do a save image as, however if I > > > go to Microsoft's download page and try to download something, I receive the > > > first packet, and everything else gets blocked. Here are the relevant rules > > > from my ipf.rules file. > > > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state > > > keep frags > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 > > > keep state > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state > > > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any > > > to any keep state > > > block in log on tun0 all > > > block out log on tun0 all > > > > > > The first Rule seems to work fine allowing me to browse the web pages on my > > > system just fine, it keeps the state open and allows port 80 out after it > > > receives the connection. The second rule works fine forcing my windows > > > clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 > > > running on firewall server), which the third rule then allows to go out, and > > > keeps the state open to allow text and images back in. Now what doesn't > > > happen, is downloads, if I click a link to download a file, I get the first > > > packet, and then it hangs. 
Looking at the logs gives me this: > > > > > > First from ipmon: > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 > > > 1492 -A K-S IN > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len > > > 20 1492 -A K-S IN > > > > > > Then with ipfstat -t: > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 > > > 0:15 > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 > > > 1:59:31 > > > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the > > > IP address of Microsoft's Server. > > > > > > The questions?? > > > What I want to know is why the download is being blocked, and not being > > > passed in because of the state that should have been saved from the outbound > > > connection? Did I just miss something simple?? > > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y" > > > command in my link.up and link.down scripts. > > > > > > Thanks, > > > Dean E. Weimer > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > > ------------------------------------------------------------------ > > Eric Anderson Systems Administrator Centaur Technology > > If at first you don't succeed, sky diving is probably not for you. > > ------------------------------------------------------------------ > > -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. 
------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 11:40:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from FreeBSD.Happydays.DynDNS.Org (adsl-65-66-152-44.dsl.kscymo.swbell.net [65.66.152.44]) by hub.freebsd.org (Postfix) with ESMTP id 5751A37B405 for ; Fri, 1 Mar 2002 11:40:46 -0800 (PST) Received: from localhost (dweimer@localhost) by FreeBSD.Happydays.DynDNS.Org (8.11.6/8.11.6) with ESMTP id g21Jeg305445; Fri, 1 Mar 2002 13:40:42 -0600 (CST) (envelope-from dweimer@Happydays.DynDNS.Org) Date: Fri, 1 Mar 2002 13:40:42 -0600 (CST) From: "Dean E. Weimer" To: Eric Anderson Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)" Subject: Re: IPFilter Questions In-Reply-To: <3C7FD06D.A449F035@centtech.com> Message-ID: <20020301133247.O5310-100000@FreeBSD.Happydays.DynDNS.Org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Opening port 20 works, however, is there some error here, why wouldn't ipmon report a block from 207.46.106.150,20 instead of 207.46.106.150,80. I knew perfectly well that ftp didn't work with my config, I hadn't got to that one yet. I did try other sites too, Microsoft was just the first one I tried, and the only one that I noted the exact log messages from, I was using IE6.0, and then tried lynx locally on the firewall to verify that it wasn't some internal routing issue. I am remotely connected now, so lynx is all I can test at the moment, but that works with port 20 open. On Fri, 1 Mar 2002, Eric Anderson wrote: > I'm assuming nothing. I would try an ftp, and an http download from NON-MS > sites.. I've had troubles in the past with them if I don't use IE5.x or > "better".. 
> > Eric > > > "Dean E. Weimer" wrote: > > > > I would be assuming that it is http since the port that is in the output > > from ipmon is 80, however if it were trying passive ftp this would cause > > the problem. > > > > On Fri, 1 Mar 2002, Eric Anderson wrote: > > > > > Is it using FTP or HTTP to do the transfer? > > > > > > Eric > > > > > > > > > "Dean E. Weimer" wrote: > > > > > > > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most things > > > > working one thing that isn't is http downloads, I can browse the web just > > > > fine, and even right click on an image and do a save image as, however if I > > > > go to Microsoft's download page and try to download something, I receive the > > > > first packet, and everything else gets blocked. Here are the relevant rules > > > > from my ipf.rules file. > > > > > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state > > > > keep frags > > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 > > > > keep state > > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state > > > > > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state > > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any > > > > to any keep state > > > > block in log on tun0 all > > > > block out log on tun0 all > > > > > > > > The first Rule seems to work fine allowing me to browse the web pages on my > > > > system just fine, it keeps the state open and allows port 80 out after it > > > > receives the connection. The second rule works fine forcing my windows > > > > clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 > > > > running on firewall server), which the third rule then allows to go out, and > > > > keeps the state open to allow text and images back in. 
Now what doesn't > > > > happen, is downloads, if I click a link to download a file, I get the first > > > > packet, and then it hangs. Looking at the logs gives me this: > > > > > > > > First from ipmon: > > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 > > > > 1492 -A K-S IN > > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len > > > > 20 1492 -A K-S IN > > > > > > > > Then with ipfstat -t: > > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 > > > > 0:15 > > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 > > > > 1:59:31 > > > > > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the > > > > IP address of Microsoft's Server. > > > > > > > > The questions?? > > > > What I want to know is why the download is being blocked, and not being > > > > passed in because of the state that should have been saved from the outbound > > > > connection? Did I just miss something simple?? > > > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y" > > > > command in my link.up and link.down scripts. > > > > > > > > Thanks, > > > > Dean E. Weimer > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > -- > > > ------------------------------------------------------------------ > > > Eric Anderson Systems Administrator Centaur Technology > > > If at first you don't succeed, sky diving is probably not for you. > > > ------------------------------------------------------------------ > > > > > -- > ------------------------------------------------------------------ > Eric Anderson Systems Administrator Centaur Technology > If at first you don't succeed, sky diving is probably not for you. 
> ------------------------------------------------------------------ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 1 12: 9:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from FreeBSD.Happydays.DynDNS.Org (adsl-65-66-152-44.dsl.kscymo.swbell.net [65.66.152.44]) by hub.freebsd.org (Postfix) with ESMTP id 5B46837B405 for ; Fri, 1 Mar 2002 12:09:06 -0800 (PST) Received: from localhost (dweimer@localhost) by FreeBSD.Happydays.DynDNS.Org (8.11.6/8.11.6) with ESMTP id g21K8x405833; Fri, 1 Mar 2002 14:08:59 -0600 (CST) (envelope-from dweimer@Happydays.DynDNS.Org) Date: Fri, 1 Mar 2002 14:08:59 -0600 (CST) From: "Dean E. Weimer" To: Eric Anderson Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)" Subject: Re: IPFilter Questions In-Reply-To: <3C7FD06D.A449F035@centtech.com> Message-ID: <20020301135312.U5593-100000@FreeBSD.Happydays.DynDNS.Org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org OK, I realize that I made a mistake in my last reply, I understand that port 80 on their end means nothing, because you can use any outgoing port you want such as 2124 that my proxy used in this example, but the inbound port that ipmon reported blocked was the same as my outbound port that I initiated the download with. If opening port 20 allows the data in, why wasn't the connection reported blocked on port 20 instead of 2124 that this example used. On Fri, 1 Mar 2002, Eric Anderson wrote: > I'm assuming nothing. I would try an ftp, and an http download from NON-MS > sites.. I've had troubles in the past with them if I don't use IE5.x or > "better".. 
> > Eric > > > "Dean E. Weimer" wrote: > > > > I would be assuming that it is http since the port that is in the output > > from ipmon is 80, however if it were trying passive ftp this would cause > > the problem. > > > > On Fri, 1 Mar 2002, Eric Anderson wrote: > > > > > Is it using FTP or HTTP to do the transfer? > > > > > > Eric > > > > > > > > > "Dean E. Weimer" wrote: > > > > > > > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most things > > > > working one thing that isn't is http downloads, I can browse the web just > > > > fine, and even right click on an image and do a save image as, however if I > > > > go to Microsoft's download page and try to download something, I receive the > > > > first packet, and everything else gets blocked. Here are the relevant rules > > > > from my ipf.rules file. > > > > > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state > > > > keep frags > > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 > > > > keep state > > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state > > > > > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state > > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any > > > > to any keep state > > > > block in log on tun0 all > > > > block out log on tun0 all > > > > > > > > The first Rule seems to work fine allowing me to browse the web pages on my > > > > system just fine, it keeps the state open and allows port 80 out after it > > > > receives the connection. The second rule works fine forcing my windows > > > > clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 > > > > running on firewall server), which the third rule then allows to go out, and > > > > keeps the state open to allow text and images back in. 
Now what doesn't > > > > happen, is downloads, if I click a link to download a file, I get the first > > > > packet, and then it hangs. Looking at the logs gives me this: > > > > > > > > First from ipmon: > > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 > > > > 1492 -A K-S IN > > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len > > > > 20 1492 -A K-S IN > > > > > > > > Then with ipfstat -t: > > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 > > > > 0:15 > > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 > > > > 1:59:31 > > > > > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the > > > > IP address of Microsoft's Server. > > > > > > > > The questions?? > > > > What I want to know is why the download is being blocked, and not being > > > > passed in because of the state that should have been saved from the outbound > > > > connection? Did I just miss something simple?? > > > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y" > > > > command in my link.up and link.down scripts. > > > > > > > > Thanks, > > > > Dean E. Weimer > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > -- > > > ------------------------------------------------------------------ > > > Eric Anderson Systems Administrator Centaur Technology > > > If at first you don't succeed, sky diving is probably not for you. > > > ------------------------------------------------------------------ > > > > > -- > ------------------------------------------------------------------ > Eric Anderson Systems Administrator Centaur Technology > If at first you don't succeed, sky diving is probably not for you. 
> ------------------------------------------------------------------ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 1 12:16: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id E5A5937B400 for ; Fri, 1 Mar 2002 12:15:49 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g21KFnK10030; Fri, 1 Mar 2002 14:15:49 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id OAA04899; Fri, 1 Mar 2002 14:15:48 -0600 (CST) Message-ID: <3C7FE170.F0A26778@centtech.com> Date: Fri, 01 Mar 2002 14:15:44 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: "Dean E. Weimer" Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)" Subject: Re: IPFilter Questions References: <20020301135312.U5593-100000@FreeBSD.Happydays.DynDNS.Org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Port 20 is the ftp-data port, so opening that allowed the ftp-data to come back thru, so it sounds like it was an ftp transfer. Ftp is a strange and old beast, so don't try to make perfect sense of it.. I'm not the expert on this list, that's for sure, so you may want to wait until someone describes the "real" cause. :D

Eric

"Dean E.
Weimer" wrote: > > OK, I realize that I made a mistake in my last reply, I understand that > port 80 on their end means nothing, because you can use any outgoing port > you want such as 2124 that my proxy used in this example, but the inbound > port that ipmon reported blocked was the same as my outbound port that I > initiated the download with. If opening port 20 allows the data in, why > wasn't the connection reported blocked on port 20 instead of 2124 that > this example used? > > On Fri, 1 Mar 2002, Eric Anderson wrote: > > > I'm assuming nothing. I would try an ftp, and an http download from NON-MS > > sites.. I've had troubles in the past with them if I don't use IE5.x or > > "better".. > > > > Eric > > > > > > "Dean E. Weimer" wrote: > > > > > > I would be assuming that it is http since the port that is in the output > > > from ipmon is 80, however if it were trying passive ftp this would cause > > > the problem. > > > > > > On Fri, 1 Mar 2002, Eric Anderson wrote: > > > > > > > Is it using FTP or HTTP to do the transfer? > > > > > > > > Eric > > > > > > > > > > > > "Dean E. Weimer" wrote: > > > > > > > > > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most things > > > > > working one thing that isn't is http downloads, I can browse the web just > > > > > fine, and even right click on an image and do a save image as, however if I > > > > > go to Microsoft's download page and try to download something, I receive the > > > > > first packet, and everything else gets blocked. Here are the relevant rules > > > > > from my ipf.rules file.
> > > > > > > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state > > > > > keep frags > > > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 > > > > > keep state > > > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state > > > > > > > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state > > > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any > > > > > to any keep state > > > > > block in log on tun0 all > > > > > block out log on tun0 all > > > > > > > > > > The first Rule seems to work fine allowing me to browse the web pages on my > > > > > system just fine, it keeps the state open and allows port 80 out after it > > > > > receives the connection. The second rule works fine forcing my windows > > > > > clients to not use NAT and instead use the proxy server, (SQUID 2.4-STABLE4 > > > > > running on firewall server), which the third rule then allows to go out, and > > > > > keeps the state open to allow text and images back in. Now what doesn't > > > > > happen, is downloads, if I click a link to download a file, I get the first > > > > > packet, and then it hangs. Looking at the logs gives me this: > > > > > > > > > > First from ipmon: > > > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 > > > > > 1492 -A K-S IN > > > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len > > > > > 20 1492 -A K-S IN > > > > > > > > > > Then with ipfstat -t: > > > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 > > > > > 0:15 > > > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 > > > > > 1:59:31 > > > > > > > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the > > > > > IP address of Microsoft's Server. > > > > > > > > > > The questions?? 
> > > > > What I want to know is why the download is being blocked, and not being > > > > > passed in because of the state that should have been saved from the outbound > > > > > connection? Did I just miss something simple?? > > > > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y" > > > > > command in my link.up and link.down scripts. > > > > > > > > > > Thanks, > > > > > Dean E. Weimer > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > -- > > > > ------------------------------------------------------------------ > > > > Eric Anderson Systems Administrator Centaur Technology > > > > If at first you don't succeed, sky diving is probably not for you. > > > > ------------------------------------------------------------------ > > > > > > > > -- > > ------------------------------------------------------------------ > > Eric Anderson Systems Administrator Centaur Technology > > If at first you don't succeed, sky diving is probably not for you. > > ------------------------------------------------------------------ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. 
------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 1 13:17:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id E05D437B41D for ; Fri, 1 Mar 2002 13:17:10 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g21LH9K11534; Fri, 1 Mar 2002 15:17:09 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id PAA06504; Fri, 1 Mar 2002 15:17:09 -0600 (CST) Message-ID: <3C7FEFD0.36A532EC@centtech.com> Date: Fri, 01 Mar 2002 15:17:04 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: pfak@telus.net Cc: dweimer@swbell.net, freebsd-security@freebsd.org Subject: Re: IPFilter Questions References: <3c7fef42.5465.0@telus.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Look in /etc/services:

ftp-data         20/tcp    #File Transfer [Default Data]
ftp-data         20/udp    #File Transfer [Default Data]
ftp              21/tcp    #File Transfer [Control]
ftp              21/udp    #File Transfer [Control]

port 20 is for ftp data..

Eric

Peter Kieser wrote: > > Hmm. I always thought FTP was port 21.. Someone prove me wrong here. Also, why > are you blocking port 80 going out? And the flags you're using may have something > to do with it.
> > --Peter > > >Port 20 is the ftp-data port, so opening that allowed the ftp-data to come > back > >thru, so it sounds like it was an ftp transfer. Ftp is a strange and old > beast, > >so don't try to make perfect sense of it.. I'm not the expert on this list, > > >that's for sure, so you may want to wait until someone describes the "real" > > >cause. :D > > > >Eric > > > > > > > >"Dean E. Weimer" wrote: > >> > >> OK, I realize that I made a mistake in my last reply, I understand that > > >> port 80 on their end means nothing, because you can use any outgoing port > > >> you want such as 2124 that my proxy used in this example, but the inbound > > >> port that ipmon reported blocked was the same as my outbound port that I > > >> initiated the download with. If opening port 20 allows the data in, why > > >> wasn't the connection reported blocked on port 20 instead of 2124 that > >> this example used? > >> > >> On Fri, 1 Mar 2002, Eric Anderson wrote: > >> > >> > I'm assuming nothing. I would try an ftp, and an http download from NON-MS > > >> > sites.. I've had troubles in the past with them if I don't use IE5.x or > > >> > "better".. > >> > > >> > Eric > >> > > >> > > >> > "Dean E. Weimer" wrote: > >> > > > >> > > I would be assuming that it is http since the port that is in the output > > >> > > from ipmon is 80, however if it were trying passive ftp this would cause > > >> > > the problem. > >> > > > >> > > On Fri, 1 Mar 2002, Eric Anderson wrote: > >> > > > >> > > > Is it using FTP or HTTP to do the transfer? > >> > > > > >> > > > Eric > >> > > > > >> > > > > >> > > > "Dean E.
Weimer" wrote: > >> > > > > > >> > > > > I recently set up IPFilter on my FreeBSD 4-5 system, And have most > things > >> > > > > working one thing that isn't is http downloads, I can browse the > web just > >> > > > > fine, and even right click on an image and do a save image as, however > if I > >> > > > > go to Microsoft's download page and try to download something, I > receive the > >> > > > > first packet, and everything else gets blocked. Here are the relevant > rules > >> > > > > from my ipf.rules file. > >> > > > > > >> > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags > S keep state > >> > > > > keep frags > >> > > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any > port = 80 > >> > > > > keep state > >> > > > > pass out quick on tun0 proto tcp from any to any port = 80 keep > state > >> > > > > > >> > > > > block return-rst in log quick on tun0 proto tcp from any to any > keep state > >> > > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp > from any > >> > > > > to any keep state > >> > > > > block in log on tun0 all > >> > > > > block out log on tun0 all > >> > > > > > >> > > > > The first Rule seems to work fine allowing me to browse the web > pages on my > >> > > > > system just fine, it keeps the state open and allows port 80 out > after it > >> > > > > receives the connection. The second rule works fine forcing my windows > > >> > > > > clients to not use NAT and instead use the proxy server, (SQUID > 2.4-STABLE4 > >> > > > > running on firewall server), which the third rule then allows to > go out, and > >> > > > > keeps the state open to allow text and images back in. Now what > doesn't > >> > > > > happen, is downloads, if I click a link to download a file, I get > the first > >> > > > > packet, and then it hangs. 
Looking at the logs gives me this: > >> > > > > > >> > > > > First from ipmon: > >> > > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR > tcp len 20 > >> > > > > 1492 -A K-S IN > >> > > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 > PR tcp len > >> > > > > 20 1492 -A K-S IN > >> > > > > > >> > > > > Then with ipfstat -t: > >> > > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 > 12927 > >> > > > > 0:15 > >> > > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 > 1700 > >> > > > > 1:59:31 > >> > > > > > >> > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 > is the > >> > > > > IP address of Microsoft's Server. > >> > > > > > >> > > > > The questions?? > >> > > > > What I want to know is why the download is being blocked, and not > being > >> > > > > passed in because of the state that should have been saved from > the outbound > >> > > > > connection? Did I just miss something simple?? > >> > > > > Also is this the correct way to handle dynamic IP's? I have an > "ipf -y" > >> > > > > command in my link.up and link.down scripts. > >> > > > > > >> > > > > Thanks, > >> > > > > Dean E. Weimer > >> > > > > > >> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > >> > > > > with "unsubscribe freebsd-security" in the body of the message > >> > > > > >> > > > -- > >> > > > ------------------------------------------------------------------ > > >> > > > Eric Anderson Systems Administrator Centaur Technology > >> > > > If at first you don't succeed, sky diving is probably not for you. > > >> > > > ------------------------------------------------------------------ > > >> > > > > >> > > >> > -- > >> > ------------------------------------------------------------------ > >> > Eric Anderson Systems Administrator Centaur Technology > >> > If at first you don't succeed, sky diving is probably not for you. 
> >> > ------------------------------------------------------------------ > >> > > >> > To Unsubscribe: send mail to majordomo@FreeBSD.org > >> > with "unsubscribe freebsd-security" in the body of the message > >> > > > > >-- > >------------------------------------------------------------------ > >Eric Anderson Systems Administrator Centaur Technology > >If at first you don't succeed, sky diving is probably not for you. > >------------------------------------------------------------------ > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > Internet service provided by telus.net http://www.telus.net/ -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 2 6:33:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from laika.martini.nu (12-224-18-46.client.attbi.com [12.224.18.46]) by hub.freebsd.org (Postfix) with SMTP id 6FA7A37B400 for ; Sat, 2 Mar 2002 06:33:13 -0800 (PST) Received: (qmail 19642 invoked by uid 1001); 2 Mar 2002 14:33:12 -0000 Date: Sat, 2 Mar 2002 06:33:10 -0800 To: Buliwyf McGraw Cc: freebsd-security@FreeBSD.ORG Subject: Re: Changing Passwords through the web Message-ID: <20020302063310.C77232@martini.nu> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from "buliwyf@libertad.univalle.edu.co" on Sat, Feb 23, 2002 at 10:36:10AM X-Sysinfo: FreeBSD 4.5-RELEASE, up 6 days From: Mahlon X-Delivery-Agent: TMDA/0.44 (Python 2.2; freebsd-4.5-RELEASE-i386) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: 
List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, Feb 23, 2002, Buliwyf McGraw wrote: > > Hello friends... > I was using webmin to create users by the web... but I need > to do an interface so users can change their passwords by the > web too. > I can not use webmin, because the webmin user needs a password... > I need an open interface, so everyone who wants to change his own > password can do it...

Fool around with webmin some more. Since you are already using it to create users, you might as well use its built-in features to implement what you want to do. Have it automatically create 'webmin users' along with your system users. Make them part of a webmin group that only has access to the change password module, and you are set.

Mahlon E. Smith jabber id: mahlon@chat.martini.nu http://www.martini.nu/ get pgp key: mahlon-pgp@martini.nu .......................................................................... Today is an excellent day to become a missing person. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 2 13:57:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from postfix3-2.free.fr (postfix3-2.free.fr [213.228.0.169]) by hub.freebsd.org (Postfix) with ESMTP id B6D6937B405; Sat, 2 Mar 2002 13:56:55 -0800 (PST) Received: from smtp.free.fr (nas-cbv-4-141-102.dial.proxad.net [62.147.141.102]) by postfix3-2.free.fr (Postfix) with SMTP id 34BB6180AD; Sat, 2 Mar 2002 22:56:29 +0100 (CET) From: isabelle boinot SUBJECT: GALAS, J.L. MERY et O. LE GUISQUET).
X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Outlook Express 5.00.2615.200 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_001D_01B1A2C7.1AA2C7D0" Content-Transfer-Encoding: 7bit Message-Id: <20020302215629.34BB6180AD@postfix3-2.free.fr> Date: Sat, 2 Mar 2002 22:56:29 +0100 (CET) To: undisclosed-recipients: ; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_001D_01B1A2C7.1AA2C7D0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit

BERAS (UNPF), J.M. YZERMANN and P. OSSENT (FNSPF). The opportunity to present a draft "Agreement on Good Commercial Practices", announced by President BERAS at the DGCCRF meeting of 12 January, was confirmed, and the CSRP was tasked with working on a preliminary draft.

------=_NextPart_000_001D_01B1A2C7.1AA2C7D0 Content-Type: application/octet-stream; name="délégation.pif" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="délégation.pif"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiDAAAJGhOTf/////VDEAANgwAAB8MAAA laE5N/////+EMQAAzDAAAFAwAACzwh83/////zwyAACgMAAAAAAAAABQQAAAAAAAAAAAAAAAAACm MQAAkDEAACIyAAAQMgAAAjIAALoxAACuMQAA3DEAAO4xAADOMQAAAAAAAHAxAABgMQAAAAAAAEQx AAAoMQAAFDEAAAAxAADwMAAAAAAAAAgt+b+9yPe/TeX4v9rF+L9sXfm/Fnf3v48r+b9XDfq/R2P5 v23g978AAAAAO1uVfxF0lX8AAAAADVj1v0ta9b9pV/W/M0f1vwhX9b8AAAAAzgFQb3N0TWVzc2Fn ZUEAAJIARGlzcGF0Y2hNZXNzYWdlQQAAXQJUcmFuc2xhdGVNZXNzYWdlAAC5AU1zZ1dhaXRGb3JN dWx0aXBsZU9iamVjdHMAywFQZWVrTWVzc2FnZUEAAFVTRVIzMi5kbGwAALMAbGluZVNodXRkb3du AABzAGxpbmVJbml0aWFsaXplRXhBAFRBUEkzMi5kbGwAAK4CV2FpdEZvclNpbmdsZU9iamVjdAB9 AlNsZWVwAFECU2V0RXZlbnQAABQBR2V0TW9kdWxlSGFuZGxlQQAAJwBDbG9zZUhhbmRsZQBlAER1 cGxpY2F0ZUhhbmRsZQDhAEdldEN1cnJlbnRQcm9jZXNzAOABT3BlblByb2Nlc3MA0ABHZXRDb21t YW5kTGluZUEACQJSZWdpc3RlclNlcnZpY2VQcm9jZXNzAABLRVJORUwzMi5kbGwAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACseEY1AAAAAAAAAQAQAAAAGAAAgAAAAACseEY1 AAAAAAAAAQABAAAAMAAAgAAAAACseEY1AAAAAAAAAQAJBAAASAAAAGBAAABoAwAAAAAAAAAAAAAA AAAAAAAAAGh5NAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAoA BADOBwAACgAEAM4HAAA/AAAAAAAAAAQABAABAAAAAAAAAAAAAAAAAAAAyAIAAAEAUwB0AHIAaQBu AGcARgBpAGwAZQBJAG4AZgBvAAAApAIAAAEAMAA0ADAAOQAwADQARQA0AAAATAAWAAEAQwBvAG0A cABhAG4AeQBOAGEAbQBlAAAAAABNAGkAYwByAG8AcwBvAGYAdAAgAEMAbwByAHAAbwByAGEAdABp AG8AbgAAAIIALQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABNAGkAYwByAG8A cwBvAGYAdACuACAAVwBpAG4AZABvAHcAcwAoAFQATQApACAAVABBAFAASQAgADEANgBiAGkAdAAg AGEAcABwACAAaABlAGwAcABlAHIAAAAAADQACgABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAA NAAuADEAMAAuADEAOQA5ADgAAAAuAAcAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAHQAYQBw AGkAMQA2AAAAAABqACMAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIA aQBnAGgAdAAgACgAQwApACAATQBpAGMAcgBvAHMAbwBmAHQAIABDAG8AcgBwAC4AIAAxADkAOQA4 AAAAAAA+AAsAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVABBAFAASQAxADYA LgBFAFgARQAAAAAAcgApAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABNAGkAYwByAG8AcwBv AGYAdAAoAFIAKQAgAFcAaQBuAGQAbwB3AHMAKABSACkAIABPAHAAZQByAGEAdABpAG4AZwAgAFMA eQBzAHQAZQBtAAAAAAA4AAoAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAA0AC4AMQAw AC4AMQA5ADkAOAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEA bgBzAGwAYQB0AGkAbwBuAAAAAAAJBOQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAA9DWZmAegKAAAAwdhH6QkAAAAxOYPYPMOD6D3o9P///+gEcgAA8kqz 
sSgRMXiGvCFSVJyFywLqwBM9H6UYNft/4/QsGQmWf4B/59JWUn07e6paGJElNIkJHrq28CvNyZqi 6b5now2q1m1eJrWRAWjDR15jwLpNKuQoA4B1tcjjJ55U61KO4uj7qav4KaNEvLZYcfWV//tftBgQ fi4STFt2BfPilzKANEJzdrqe1SwXcKVCu+zw0Nj13LOHPps7/qX8GyL8iEeKIn2d0ogQRapS3iGy EStjm1MWYC0luNs+MR3KkE0uf8OgwsnGl3xSgAvwNeksGvNLoJvr7sm9ZksMvcGcedL3dR1AjL4T Mh6IcsJci5Ty0U2djFoXLfvm+oyYdfG51FkGQ1mAk+RTi2tjlHeV2+Y92cuHluAyGaI5bGMIRnAM WyGxf+fuDh4oFhaumxmUm/peYgEqZWWUcZdFam9O7Y/oGSqtYmd+ePBpUM7kSelXTc5KZrpk9Dfh hRO9v/CsuE+Irql+1lgIBfz8b3pkJU+E7YsNHnYqkBwKhCvnvY0w5bBDCeUGbt4ZfZIMGtUEYRS5 CWQyjie0eUhjpu2QC5qspBoFcXh5ap+qYFt0jQYKzn5Hx5ImslfLnmt0Q88cstrPS2pGTRdqkQ69 J8X+YgdlI8RU8xd74iRxdnGYe0wsFMjV0GSTOcOsvOKFnN0wcSFfneAyZXBI9q8e4bAVkvm/sgsY kZETwThuohKAz1ZfkhI5E72Rq11ej6w8Byd+JMq1q+93fFOCzjhOb0eGwER6ywvm8YsXEzSqT/fp HkJTWqHbo5jrccAy8dVOPz77U00CNkKmBxjdEmHn63ajzAuykExBUn/mKO5Ages2nVCXIIAL9h6z bMJclBgeM4ksVKP/GX2bCUwH77l5+CpU7IQrLYptKyjX/Hqhvp010Y5uyrqalWxSspV3JwaXMZot jt8+x3lOKra4y3Bmj9Mlt92gdhqRCkooM4GB+Wf2e1J0D6QqDmPBAKfayP0BnLvChw3OFUHm3L+S 4RFbgpzeT0h1FiWsvFBpQra/lkeX2JY4zXym5TU11cIfKtvX0GrdTuuVCuLYvWyS24JElMtqXPfn hZFsKC+ee8LR2sMeYA6odp5Zoew5ECcNgSVxqIjG6Jw9Gus08HVxCg7mD09K32lJj+ieukooBgI3 QLt6k7l9jVHtUzi9Km3+pWoDhDX8bAfRVAlAKoyH7cGZR9nt9Rj9bPww0FDr4se7PDZOBZ6nI7Zn yg/7V49fpuMvoCpVKtZ2bVlpKCXEv11Au++kCwb3jf8yATzt9NjU2aGe5FvHBczmeNroy+qxO8H0 +TblynEwFsczZCJ3CQH6EuD0e9skW0kQ0EAuf5ajbGYe4P+4YHfu7fxqRcRFM/nuq4xK4QhrHiiG GJZ+u0r8yaQWM5mjGzlhCd8t4/+QSfoPP6qRtd9fqjwB8EN6cWZRgrYa+7omEy1TijDZZOsRmNu7 1S1M8kJN0ZTj73YJV+ZbKMdb33d1CmQHTs5cjuWSClsKLgLAfa+kRTv0dixFbyvf2BKolwiHZMce hN2B5bvq6cXYXJkwUrwjsWMDiIKQStVebJ0lywZYRpprWA67Gcq1uY7t/fhpPickMAiXNV8sNABt tbWHcohT0DCIFNjQYgJrBwSTy3zb6lE136n+bzZMYM0QCBgagvVCN44rfy3Pvg6lBv6zV1KdDl0z EjzklS0Exd1H8rR43fUZ4VABVaSQKrIjVtu3SaWg1HGVBf7yzktaIjVNRD0ccui29S5ev2DWuspl NUM8BoaaInVbw4BLdnwbLQrrJlo0mSKIz26r67Xm0kbSu3rjs3yK0ZgGnSmaCPIuTDfRpYxHgjOJ 6Uo+bHv4AbAhwu2NeaJVsxPPycy8zOXP1+EHpXdI6ue6r/t7awZ0tU+P9CWzfvFEe0rcq4Ydxdev 
1bnXBFzoUNF5pt8qUCRqOdrg2DSIacH4A7BA4jRJlUOMv0v2htFBmSor8JI2MZuQa/8BQvYq/CZl maUxyH+jq1bOxj2jzH4TQMAL5KpSJ7QVQj51D+xSJNiYvd3jS7f26/vpciy41qxvMLFHTfzaQI/e xdKy1e1dhSjNrbfW+Ak+IPtUwRQuD3JKJfsfck7AQAqDHmJa3Juwi7fMEPq5UP2uMZ0jTaFKjC25 fNDUsFo4yTkE/Th2gNydnxjGegY93Ukg1Qq4kh3+vi1NA7LGn293roO2bCoIMqOTGskyJdPeo2Fc hV0j0G43S47H50Cf3CB59Ri71vCHzNY6UmuzpFgo4iqc53SwqWlgDUrcAAo7bxK24ZmtxgFx4oC9 lCDpJrfLGoKSI+Wo1yam9Tfrrm0apLyX95Igxv0qMlhwZq0TCMrHpZ94ZKqhkFawhxQhveqI7DTj t3zz8G1NfXPRDY+viwY9ln3k/1D11vHm5rYjrt/v9mAKwAkJ6OkEKrXMcG/57eYWo8OQNxc5eYe1 Oqe/KChns+dC4MyIXldl9WfpiPKw6JBsxy/7W0BSWjG0ebkbgKHvF4ln7molZ1EWDA+2VtkFMHLd X55H6hl8KRxYVf3RnNanzThZknu5OyUIZAT1+e//J7QwYcq/6BysM7Sdyd7GOAFM0A6QeWTkGCsm rB6BHObPckRVVdZ0tXTZXiLg41GMe3Ea9K9yYBCALLLRxEBGTRHb9VZKyWancp2ndFS/1zfPcDYW Qhua209cmaB20Bcl/NBwNJ5RfEwPA79tyRTB4EEhPaVewhPz0I+Jbc7W6dbBHcNzdwa5NKNI08AS 2y4Wt11mKSyP0+fNcunGT0v2S6fAde08V486PvA2SnpUwA9sE2hZCX2bZj30eUbwArFXgCwWbc7c Mzq373r/X/aOU6YYMStOX3ImGyWiiS/XPKcyC58enTVoKi4K3wv1ml96J+ahJMU7x3eG1WQFmuF7 Pee3gVn7m+JJ/NMPO4kRTLCJEKlpNcZuiSVcoO5r7xGE5UnvrRl+bbDY0TbJPigGo1ZMrrSwa4C4 VR7TMljSzCdWi9VogIcYd4O7cMlEvwwyFLVlFCEivuhiifwBpVlb0y+QENZ6p4jPy921SNoWSFF5 7JaiM9YxKM/FC+sSpTVG+YvLeyszoBfIjJ+sdrF2ml+vGxDN9ztcKqUllkXzf1Yv03D8DPjkjkJt yb0Ygqx2LFmSXelpomLeajo+tIwVEfaFwx3KrzdFJrD188+xybSm6nRRMdtyKip8LSNxvAPENM5v bfD8RErlzG8Fsg5tzmegNQbay8YDUKgmlncmL/waIl36JavVzK5qHaxpdJmh9Myf6UTGbdWhUM0N HZOX5il5mSJejyIpTFn+Qu49dd6GZ6lkX/L+ISOY40PMWr47VuYzn1GWoTGwAWgaZD8jcPmKXiaS or2Kz+XJ2Ui11THTrR1mTrsiZJd1bGwvh1EoRRzDAxQjhSSLHZ1TsZ00RDseK8+iQEzjL2U9RQ/6 UgupNQkh0Zu+tH6p7CYOtUBMwza9HctSRYLTsPhU2dQ88yDMEOAseDPXjUNq38yxFK/qmO4D9E3r 94vPz3KrNPUONiZxOi+bsm6ChbHP0owCC9+CbCMARACdv5/8W3LYGxJM9CkL68iF3Dh8p/bXCHIA 6l+Fm2ag4Yxeyq77hgEV2hHQGcbCOVKt2K5aXTILCvX97otCmch4WJoJPy7TKwYC717pUaZ3GH+j q+m9W5oirJysVXsRBGRdRp79TjRDhH3X7gs1uI5rUsx9mzcjtWlnnRtnjA750orVtSlHyipj/MbF bSyWVpCt3wcxCwvE3VofaztDt2E29zAhjc8UX/vzfrxjwGMgAy3gvqqzHOTH/ZMXujK2B6VSIlJE 
u2uW8NJe1ZhRzWNUfLpBpAWBMIitkvay1DdBHw9Lny+3Q3PD4nPkXWwlDr+APFHRIkbrRtzag2xn qJGgOOSLEkopWTUWXSAHsfBs7pOxlPuKSt+MlIoAHc+RZC/s2gt873iYV3CyQKBrkgLjPqUQZAum SyIm7vLAuhSNXVEu0jzKi/jjhVkPvlXx3RqCbHfmxXO+si04o4kGwjnjNP8dwzFHk03cXe4z835l VYEw6rzH31OZ5Vg6ciYByPYNH7DotN6kVQmTCTJeHepwGtv2RWMy+fzG497yEdHKwn9v4qmUR3GI LwoxFsRk3+fR+q5nnugkWAxEWYQpqeL16x78B/+eLBBYgrUeCKe3gOwZUZCiFOEpht9aa/vZSJ0+ foxAD5ufJ3PzhtHRYp1rwrql2upLVQpoP0Mgmxydo17r/RUbvvHjRRhzBOinnfxtyohywpwz9Pmd OpnLKQv7Ko9MIyCsVfdWt4EsiM7kvD16VTkhdRDAzt5mrCJvHGqarxXozVLSOJLr8VNw3Jl/B++6 ZfXDeRy6+wdGuB7Lh0XdCXT6t8aFQbxv1879se2sHRD130TUzZJpSULNbsucnhmA7Pvq3Zai1EXa 3N69qhVY5dHiOzzEZzKeby0dVlLy/9ePzkYxGFEhKeCxv1l0Haeqn430kKjUjnRZiJQhfw2Y6dev jUQpU4IkeRksSXzEjBHQRLXvuaauDwqmEEbyOMbBjbVumBNjExa+cffCjYK1aSmwT61G6CKmwdCg nfOMlk7CG8PxaM9l7yGxkyGUUUbTGhfMooy5wWSVi3swjUYJYSjg+1ymvP0+02xltyitGx3xa0WX Om0rxGOyHBnVqjixQUo7q/l5/cXmcCPZFpFZoTrWF+cFHbhT3QokOuNG11adbv6Wrdx96CByncyP EHsAPO1joyEcwD/i3SAfCqOtU3ykzf/JbT9v1ZHTmDj6JXnFkaPZqOz1+kJ/CMvCkWbRWsp2Ibir /qhEIh6QsQSlnC5JmfYXCNkNCa0lgjepyMOsTlhETCw+KHpV7DGv9rYREDRkPBn2VWxjFPUHDa0F jE3lAatS3eJWQeht/zsUYGobkGpCSthHRxZ13HWwtAMpGtK9hl02owPhoGQAoeOvkZwUjP2MJx6V oUaXBW4amb8N36sYki0zwSwXYwySPcwUXmVS5PXG3lLDjtiJXwSQh5EaEiN6OSgSUOsgUJGGsTdv DekeE8XjQ0y3tMLGJziLNqmDKSn5vAPX38EkiX7HBBVrydPwMQYuNO5CNImhlmOsdGwujj3T3Z8o ZO2qdlyZAAVxCM4RY9qWJpxqv0n/Zt0IW8aZO4gq8k6VBLEE8TYj2st/myzFlAudvFY/agx+zUUd L03Ut0bkhXzu1ET4xxC9HWKxQ9WqDTLIx4Fra2hLNpGt5ylE/WR8YNIzN8741yW4r05d70NkhNyd I0qSJcOb05uYS92mWhUD7ZabpzxbAs3LZLFAlcnD4gK8MJnMHT252KLf7rVDCwttK7RIpMShNQ1C kF7/e4K+KB5xtmIbWhIPczQdu8FrI1hVz2YaahczXhM9x03cJ2V7LpL0r3e594ZdFlhFdslaqaFt W6i+iyDUMXLOP2qBAjQJLabCBEVZW5LFUw4f17tGso/g4JUFCt3uY2fvVqVlllWE6yEmiWWMiMPI K4cBGgSxBNMqiBDLOiT4PdtqebpehfcQfpgQIK5JWQI5ysV88lKlf1GSwN98POD26eYjCVYl7O7E HuaJabdqxtY1K1HSXBK/1+JRxz4AatlzEFXfINLmuyiuotDwONmMWiV8Ya1fn8a/e2mks2SR5fIu zUoSQ56dFE4ibdjydelEHk7r/brVGidD4f4y9wh+bw9QGjxd1voXV2IkoOTyF0fsr2NsEp6+PsEY 
Pl6YReH8uyFJDSjoWdRZ0vdPaA96L9cG9fkxFwS8t8xgXaEmirDKO1akmbbqBWnbztCgrAjBP0pB qbwdKD+FlL7ZTspOXHtmzX4hkZAztAVjqji7liuGWKVRpL6d2+J64z47K8UfiamhczJlHd/brx7X A6dthpxAU7dByRfRbZt5t7kvZ7l2sCAmScSuwdN8brhzIwUWIMe5R0lLg6cNtVe/v8U/M/R0Ncpc dODBYGDJ+bG/+6EsIHfB7Fs4AkSSVSZWQIGWoaqdAjxTmUmOrFk8Cr+lxCzzyC/fwtFUwcNzb3zn Hl8TZhKn/zfOF8fPqASl8gWfdcSGMJiKLoOqGH9Rl/upQUz/hJAXwxT18EZvgP1QUupLJ/qo7Ziy 20esr1Zmewkawa7NyogdLobsNGAUZ6mzDRlRlwglu19mWoeSTc5HwVU7RszS4pGQMM1l4rGoXRFt 2jpImSKbuVMre0sB4RdkRH0OQ+1kQfjv/dIZjFDdJ7xqyhpRp5C9ERDZqDI4pTA9VDGhBBn4fh5P XfNUAPotLNGY8RhfRNDKLiphvXXiZXAc3LUOM1wFAhyHrZWO1d34cDtJ5/g7oOxr7bQ3A8hTWa7C 8uOI+XKkDijQ2K+ztYIs/wOyljkkdVJR8lu6qGLqxBGQiFE+H+I1ilKz515IV9CNJ3DZpv8Gw4mQ kSjY5rUVKoGlQhT0dkldrpRtxL9zXUfE4XRpcgolj+Ci0E+KulbLhL3ZxP3Qu/A0QPS++oSvv5Yi i9fTZJXT9wij0dsQEOl80OKBwelk4JJmPn+uxB/w8t0jHjkntj79sSBCXlO1g7KW1VKp9JwTohnP 7/K8rE40WDNNGVJQz7KvKkZawKfi+Q5WvevPpJjdkWf8Xed6jgeK3o/iTe5USo4f8o9GPvki0v+6 4jzChelzEeXpujAy90wuOV3Jv0i05k6gFRran/ToyuOs2qcMNOpXvoOEYHPPN9+a7SJBkkqLVfpn d8ojREnPuFBnyF2CBs0PEjnKE3zmiXXvzHKXfpFwp6AgFp6At+4ZeuVJm2osx2jClKmkwQqBig9i H4Jes8lX4bFd0jzMZCZnVjBuQkVXq4LlXfxdIsQf02UuI47KGhfvhdGeMaQvp6ogCZ+YdvcT+ZyG orOdIwXCOEcTI6d0Q+7uDPpwWa5SUtMDLnv/OpOxhuc08eI3HhnOjhC6kBhGbqms+XcNKUJx97yS FW3jLvo3GQxPIOl4qZs9Lo2eI/9YSumvoDaZpWI9ytiwCt8jHIDXL7tP7glQJ03AuLdVkCWsqbX2 Kfr5SY7ObYCVIDmU0WK6UtOoszVW69Af+pK9u/aeJ1NgRDrlFBOD9AJT85FvB4K0c1n0EShpm4JS gCBNrgwSEYxwIju24nekxDNt1Nw6IJlhNd+nBe9P3k5NZ/7Jx5WAmYV4jZKw+acIiuYrsPIUrquB FO0dk/NvPJ4Xg+cAOizCQJ981Qjg6u+0ojAaI2Bnl2QCe4QBDol6PhizkQSwK8C7GTR8gYcAYeh6 8dT8L37+08VYieRwCYk/wzLS+71LpvcN409K+4OqZo06VDjOkMb/53l7dwhMrWBAe4xIfGpwGAzj 6FAntjxDXtUDPQ4OyWeezvU57oT8vAAiTdKSx7p6D/sCnoE6BaoD9pqD+pB536Wl1voIP2hTzjw9 G6MlHKxuc8yvSkLearM+M0iH+H+aQmaao8gVC+87XFvnFUEkayo79vl7KCboj5ojXCX/5M+fj4No X07FAWn5lAz1JBAAUBFbPuJ/HqDLAAY4aT2yIkvxwDfDFm2/nQXkc0FU+un49iVk3oF/J4uBEJXh 644Ziz51vzUZkaw1Up3X3eSve0JGE9B7uczCWCEIhCoPzmTgsuDIf8G2lNqwYsR3woMN4+UE0pXJ 
62Y5H9qdsfCBhHkunKhz1Cy74KLqzT2+ce7cFbGUSdmuSpAciJ8nGlm+iiseiv6sYFe90lnzp2aP Uc8AG47Sgc0hzluhWGoEncd8dVo0WY872k40yAiI7iS6DOxbs8Prm8vrVzePx+zWmQR2XVE0IQ+P VEWP5hYRWZCTunbJxHy8TyQ1YSLZuf9raw3R303WdQbxiVzBQ8iEke0P7G2yt+ipFsOUM20hshQ2 cXps5sLNDleEEonC/JAfTGNm9OobekucYavt5fHfWoz93dQpBKSvEAQU1z2GO29S10VLSSRlj7ly /CUiZ38zaxGhfU0B9v/DAZOIAHjLdC9r7A7Vjxs0LGUW2BhOtFUITXlms9WBShYIg2wje26bDYOy rL6+UpCaHChJ7h/Jbhe3MLEJHMEnAKns/qsp8DZgzsvnkHCWZ57FQZ2oNBuBJWU9+NIvCzVK/3Xw HiK41sq8usz2wMRtGZYlDxyzXYmT6DNv/mRPoyC0qKDRUecgyrY2VXjvyoxMYCNkWsf+Ka08sujh TiU5Sar7olNeQoNKHckvc61StvfxzB4KDiLERtm0h3MCG+ZXn35WobbJQmrL8mCoJ6ouaWl4+zOl KpAYdqgHud3ilPjfJYIy34H9UkMBoSJOa2KorjNusy1gn9lRGhUmOTYJQx+yaW0oXXyiMMi7MzbB PbSNjUcLnyiZGQJ0slrFaAXvby/72CzqMY74NQ95jQvfk2q7+QzAOK2ydUJtXsD84v39ujEWja4n YWIwvOIKmY4CBcFTwdc7BLak8/uCtEtiwjqr+WQFVJJ5It2Ai7Rc5wShf4oFCra5tHSEdAtRB2no 6GU3ncI8IPpKnaNrqGwK7CpMJz8PwmwvyhegTdAtgdTpJU5d1pGxl5HIhl1f5jXvfClFYhWnRGbr kVWJP8tj7lMVYG4Cdob6wfCf0o37oXcr4NnUOk7bpFBnvXKMLuzJdIAQyPEP11HGc8HCulGNs420 ub/w0WOwhoPLKvPT2UKhXWaYdxZBB5+NZODrXgOt0He/87A7ytu/kQjzLqfCza+AbG8X1jQRsWfF V41bx0KdxOXUVGiuy8F48P2JstR51rCKA2MpJcU32gUqO1sS1j0kbfdbbEK6IozfX/XlgSU4wizC 9ZzM6LaC94cUqxpCi1UEnsOWczltvGn28XHYoLx35TTJ0FLKdVc5addsFftTk3U5nJKwYX24NyVA lTEUWydWLvutglDyENbnb+d1QQWZZgDXIkQ7E2KVA4HKTtLnp3v7LKsarPRKK4WqYubi6IaYgjcn zQWud/ZjxfKcD95glvn6eWYtFUKMbxtXsAa7qBqeE2IxFapSDuYBX3tp08xvfLjjdr5ncVSKf4wn aml1CSzBzAS7nE723ko/eIULtU1VatYBRrWHAkpfjG/KTuh2DoTBvoA6iktaduO8CXqtrGPvbszI p4oTu7p7VhrTITj4bCRffyTN5hoh5xvNXrWdLcvBnLj6nO9fEfLOkgzX4Z6Ls1wzC7j6KPpMozDN COn/Es5vuSlDW57qx0FgDW/WhmeVTC9sym4e8SWYNo9ux/odedv09ZxVhtdKasLHyWkeR7MUac8f wXICN1tbG8tuwNd78ilF4TSxTR7sL/TQPAS8rRZelhGyNlea4PgbXYwLJOk3j4GblDjGNx1ydnW+ 5BKfrzVMmWDCD9dbizZ15hepxMTMciXoo/S8mM/neH1NwR9bOC8mxIgSNZQzGFg+k4rokJ67tHlu TcihLmbpXbDhm26ZyrO+Mr5E3WoSR3wKlHQrC0dRklI3IBAXuymbBQ1gBL2A1SPjhX+f00F3Wbj6 iNyI8aa/rayTeOdiJTHvIhepHvpNzbw+YKgVLHdb5UUOP1hTOnoCjiXFBXd9/einDw+CdRilJkgU 
6iZvIuw5oz2LtLBjdBVDvWvDu2qgR9dgfDiw57W9WkiUXBzIK6uKtrrOEWHQ3T8SgCtt0RwCvrV/ FYtvydirlGFE4n2z6qWdY7+xS6Lg29CZuH63tpK2EFBcetKwxnmMdzHbdlmfLhONmP09d+8niYps EPzLI6s9qrotMCDfqUOMIVnogwXfSOK9c079KXbMRTc66ZBb/sKaxDl3UJGkIrcZgiIEbCbZWJXD sfZcIwyZrjd7DJmK2OvtlUdeHKnud+DpZPLQ/scZpBrhSN0IqbxJudPx5nYgOL6bShMgE3QJnxnX Y2Td3abenPrCLNDiHgN4ZpAiklRfZw473uVInYOni9ipHVH4HFXunKOS2M/8BCQYI3I+OfhSCt+x NFXk9fjbYwXpaGepBBBYjAKCtiJ844CkkwHbHjYrLqoDNu4m83uVLUNdp8qHhGC1Tza8EpCfrJQN xYmSVBRCvYz1tVvYyucJ/tUaG/mk9Rh85+eYelFNpJe1poW+aEjMEDpqZ4iqsGgIa+y3jDbscKCJ qXteY1QBJf7OfeL/hHItK3rr4rFITL7PzgPrVEhOVwGVhwP2ZA7zkQtORgs6tvu3Aebd3f5TjD/f YecZEYxneDAIBd3eKld50dgtG1M8SHf9pDwc3jNJndmIOmBUeUYWmS6QGTReCWIK3lNn4GKqph/5 ZpPzTnsplqTjMSxbqr9T3BZdHp/NL/RLSUnts5RYKEYvr69NohMfJ3oXoG7YLv+tq2b4jl950p+r Pd5VSMHRXGpavnKhQ+qm0ce+u+Xa1tiHJydE33VrKix4KgZ/HcfB9sWfO3Fzo+74SUw1aNphvEUQ XpOC/UNax7jRXMlJ5JXl9wku4c/vJ096ZuZYl13nG96HkdeJbWNxPxQHrBPsrOKxrzEIMB6TarI5 SlfL7aeGMf1mnLfgjU3T77dvRAKj5TZyk4t+aAxjYVQgTECRQQ/qUXyC1b09HgSDrG23fJudyy3X Gk6wT7pydaXWiokDL1q4OmOS3b+R7zvVvk7GIwyW3QeqRNchEsg55hVrw9UptXybncJ7sFrRfC7c zKzb2Zd8Uuo4+IPJF9AwkSkTajPT68lclnIprG2XsY31S1oqaEY9KqYnq/4Hi56B2U5/vT47Snow navBAE1hMjH7OlBcV03lVCjjuMb1H8/zwFRpkJcg78FmWELnQjMgAzd3rVq5AN8P/rsvIzE9VVLQ w7ChJWerpnYfRpszyRHPNXVy79SwD9cD+qG1KeYNbpXUQlUWSnMr5gE69Ly707fidImVWJPP4BiO /REgX4x4swm90gfHiUUg6lR7KxjfSW8lXRoq4/9yjV8f7zW3uKrt5nafb7K3vyMAAcW7QlFZYtyY V2+3KCQK33AVnYk+34bC1Er2XkIF32ODNJYvNF/AwsxAriLFUjzirOg/07xcw539M8LkNI9B1FPU 4k1JEYlz9Ietduxbd4zxSPyjdbIiuFlnO/7WTMmCBa6sHoML+7/0oJSNEWN2HZ/GbtfsR4hP+LIH olRoYtpaCLkfuW2jYLgwsaj/EW4rDOjlqxMmQEdU3rQmIxpxic/QfAhp2U1uKSW/THKrkfDhcW2J Pq+Ok8AQqkmj+7ZWj+qPJ4qy3nPWu/WVivgJJkfrCca1h9MMh0MWHdNGm6oHOT9qifIx4J1pDIff TcyFHbVgk5HRQcoYEm2rctGZBCVX5+l6LSkIvXwSkp48L6qXzZRI0lvtdyuJzxqnu4f7szt+W0ft 6vzGzl5yb0iS7B29wPCE7XcCr5lK4pxk5vGqDUvEqjt08Um9+UJ9ZzfVMXTLAlWFAZZXlbbZ/N+z clxfmF5IQ3+npIVAWNgZxRgjdvbBGyI7/0u4kKFHPUYCbrn1OZ3+tXPYO3aoY1X0eOYEtKWBuJXh 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security"
in the body of the message

From owner-freebsd-security Sat Mar 2 17:14:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe49.law8.hotmail.com [216.33.240.21]) by hub.freebsd.org (Postfix) with ESMTP id 910B237B405 for ; Sat, 2 Mar 2002 17:13:52 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 2 Mar 2002 17:13:52 -0800
X-Originating-IP: [68.60.230.69]
From: "John Hines"
To:
Subject: trying to set up PGPNet
Date: Sat, 2 Mar 2002 20:13:39 -0500
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 03 Mar 2002 01:13:52.0495 (UTC) FILETIME=[AE904FF0:01C1C250]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello,

I'm looking for help/documentation to set up a remote vpn client (PGPNet) to connect to my internal network behind a FreeBSD fw. I've been able to set up a vpn between two FreeBSD firewalls, but I'm unable to find any docs on how to have a remote PC connect to my internal nets using PGPNet.

I assume the setup for PGPNet would be similar to setting up a vpn between two FreeBSD firewalls. This is my current network topology:

                                 External Interface
                                      X.X.X.X
                                         |
 +--> Remote PC <--> Internet <--> FreeBSD GW
 |                                       |
 Cable Modem  Y.Y.Y.Y              192.168.1.0/24
 Win98 box                         Internal Nets

I'm assuming that I need to add a line to my psk.txt file with the IP Y.Y.Y.Y and a password abc123. I'm also assuming that my racoon.conf file will not need to change. Would this be the correct way to set up my kame-bsd.sh script to run the setkey tool?

#!/bin/sh
#
# IP addresses
#
#    External Interface                     External Interface
#            1.2.3.4                            5.6.7.8
#               |                                  |
#   +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
#   |                                                 |
#   172.16.1.0/24                        192.168.0.0/24
#   FW-1 Protected Nets                  Internal Nets
#
# Flush the existing SPD and SAD entries
setkey -FP
setkey -F
# Configure the Policy
setkey -c << END
spdadd 192.168.1.0/24 Y.Y.Y.Y/32 any -P out ipsec
    esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd Y.Y.Y.Y 192.168.1.0/24 any -P in ipsec
    esp/tunnel/Y.Y.Y.Y-X.X.X.X;
END

Also, would this be the correct way to add the gif tunnel?

ifconfig gif0 create
gifconfig gif0 inet X.X.X.X Y.Y.Y.Y
ifconfig gif0 inet 192.168.1.1 Y.Y.Y.Y 255.255.255.0

Is there anything I missed?

Thanks in advance,
John Hines
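A consistency check for the two spdadd statements in the question, as an added example that is not part of the original post: it pairs each "out" policy with the "in" policy whose selectors are swapped and reports where the tunnel endpoints or the level do not mirror each other. Assumptions: the names Policy, parse and check_pairs are hypothetical, only the `-P in|out ipsec proto/mode/src-dst[/level]` form used in the post is parsed, a bare address is compared as a host prefix, and addresses are treated as opaque text so the post's X.X.X.X / Y.Y.Y.Y placeholders can be used unchanged.

```python
import re
from dataclasses import dataclass

# Constructed input: the two spdadd statements from the post, keeping its
# placeholders (X.X.X.X = FreeBSD gateway, Y.Y.Y.Y = remote PC) as opaque text.
POSTED_POLICY = """\
spdadd 192.168.1.0/24 Y.Y.Y.Y/32 any -P out ipsec
    esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd Y.Y.Y.Y 192.168.1.0/24 any -P in ipsec
    esp/tunnel/Y.Y.Y.Y-X.X.X.X;
"""

# Constructed input: a copy-paste slip where the "in" policy reuses the
# "out" tunnel endpoints instead of reversing them.
UNMIRRORED_POLICY = """\
spdadd 192.168.1.0/24 Y.Y.Y.Y/32 any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd Y.Y.Y.Y/32 192.168.1.0/24 any -P in ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
"""

# Only the form used in the post:
#   spdadd src dst upper -P dir ipsec proto/mode/src-dst[/level];
SPDADD = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<tsrc>[^-/\s;]+)-(?P<tdst>[^/\s;]+))?"
    r"(?:/(?P<level>[a-z]+))?\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str        # traffic selector, source
    dst: str        # traffic selector, destination
    upper: str      # upper-layer protocol ("any" in the post)
    direction: str  # "in" or "out"
    proto: str
    mode: str
    tsrc: str       # tunnel endpoint, source ("" in transport mode)
    tdst: str       # tunnel endpoint, destination
    level: str      # "" when the statement omits it


def host_prefix(selector):
    """Write a bare address as an explicit host prefix so 'Y.Y.Y.Y' and
    'Y.Y.Y.Y/32' compare equal (assumption: no [port] suffix is present)."""
    if "/" in selector:
        return selector
    return selector + ("/128" if ":" in selector else "/32")


def parse(text):
    """Return the Policy objects found in setkey input, skipping # comments."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    return [
        Policy(host_prefix(m["src"]), host_prefix(m["dst"]), m["upper"],
               m["dir"], m["proto"], m["mode"],
               m["tsrc"] or "", m["tdst"] or "", m["level"] or "")
        for m in SPDADD.finditer(body)
    ]


def check_pairs(policies):
    """Compare each 'out' policy with its mirrored 'in' policy."""
    findings = []
    outs = [p for p in policies if p.direction == "out"]
    ins = [p for p in policies if p.direction == "in"]
    for o in outs:
        mates = [i for i in ins
                 if (i.src, i.dst, i.upper) == (o.dst, o.src, o.upper)]
        tag = f"{o.src} <-> {o.dst}"
        if not mates:
            findings.append(f"{tag}: no 'in' policy with swapped selectors")
            continue
        i = mates[0]
        if (i.proto, i.mode) != (o.proto, o.mode):
            findings.append(f"{tag}: protocol/mode differs between directions")
        if (i.tsrc, i.tdst) != (o.tdst, o.tsrc):
            findings.append(
                f"{tag}: tunnel endpoints not mirrored "
                f"(out {o.tsrc}-{o.tdst}, in {i.tsrc}-{i.tdst})")
        if i.level != o.level:
            findings.append(
                f"{tag}: level differs "
                f"(out {o.level or 'omitted'}, in {i.level or 'omitted'})")
    for i in ins:
        if not any((o.src, o.dst, o.upper) == (i.dst, i.src, i.upper)
                   for o in outs):
            findings.append(f"{i.src} <-> {i.dst}: no 'out' policy with swapped selectors")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_POLICY), ("unmirrored", UNMIRRORED_POLICY)):
        for finding in check_pairs(parse(text)) or ["consistent"]:
            print(f"{name}: {finding}")
```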
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 2 19:40:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smnolde.com (att-98-60-141.atl.mediaone.net [24.98.60.141]) by hub.freebsd.org (Postfix) with ESMTP id AA94E37B405 for ; Sat, 2 Mar 2002 19:40:33 -0800 (PST)
Received: from bsd ([192.168.10.7] helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.30 #1) id 16hMrS-00096p-00; Sat, 02 Mar 2002 22:40:34 -0500
Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 16hMrR-000Pmi-00; Sat, 02 Mar 2002 22:40:33 -0500
Date: Sat, 2 Mar 2002 22:40:33 -0500
From: "Scott M. Nolde"
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw and DHCP
Message-ID: <20020302224033.D32060@smnolde.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Fri, Mar 01, 2002 at 07:52:26AM -0600
X-Disclaimer: If you can read this you're looking for too much
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

George.Giles@mcmail.vanderbilt.edu(George.Giles@mcmail.vanderbilt.edu)@2002.03.01 07:52:26 +0000:
> How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script
> ?
>

This is what I do:

onet=`/sbin/ifconfig dc0 | grep -w inet | awk '{print $2}' | awk -F. \
        '{print $1 "." $2 "." $3 ".0"}'`
omask=`grep subnet-mask /var/db/dhclient.leases | tail -1 | sed \
        "s/[,;]//g" | awk '{print $3}'`
oip=`grep fixed-address /var/db/dhclient.leases | tail -1 | sed \
        "s/[,;]//g" | awk '{print $2}'`
dns1=`grep domain-name-servers /var/db/dhclient.leases | tail -1 | sed \
        "s/[,;]/ /g" | awk '{print $3}'`
dns2=`grep domain-name-servers /var/db/dhclient.leases | tail -1 | sed \
        "s/[,;]/ /g" | awk '{print $4}'`
dhcp=`grep dhcp-server /var/db/dhclient.leases | tail -1 | sed "s/;//g" |\
        awk '{print $3}'`

--
Scott Nolde
GPG Key 0xD869AB48

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 2 20:37:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.af-inet.net (ip68-6-186-205.sd.sd.cox.net [68.6.186.205]) by hub.freebsd.org (Postfix) with ESMTP id A527C37B431 for ; Sat, 2 Mar 2002 20:37:21 -0800 (PST)
Received: (from jaron@localhost) by mail.af-inet.net (8.11.6/8.11.6) id g234bB384704; Sat, 2 Mar 2002 20:37:11 -0800 (PST) (envelope-from jaron@af-inet.net)
Date: Sat, 2 Mar 2002 20:37:10 -0800
From: Jaron Omega
To: "Scott M. Nolde"
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw and DHCP
Message-ID: <20020303043710.GC26985@af-inet.net>
References: <20020302224033.D32060@smnolde.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020302224033.D32060@smnolde.com>
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Mar 02, 2002 at 10:40:33PM -0500, Scott M. Nolde wrote:
> George.Giles@mcmail.vanderbilt.edu(George.Giles@mcmail.vanderbilt.edu)@2002.03.01 07:52:26 +0000:
> > How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script
> > ?
> >
>
> This is what I do:
> onet=`/sbin/ifconfig dc0 | grep -w inet | awk '{print $2}' | awk -F. \
>         '{print $1 "." $2 "." $3 ".0"}'`

or so you don't call the same command twice..

onet=`/sbin/ifconfig dc0 | grep inet\ | awk '{split($2, x, /\./); printf("%s.%s.%s.0", x[1], x[2], x[3])}'`

Jaron Omega
jaron@{af-inet.net,sock-stream.net}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 2 21:32:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 1588237B416 for ; Sat, 2 Mar 2002 21:32:50 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020303053244.YXSB1214.rwcrmhc54.attbi.com@blossom.cjclark.org>; Sun, 3 Mar 2002 05:32:44 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g235Wg383676; Sat, 2 Mar 2002 21:32:42 -0800 (PST) (envelope-from cjc)
Date: Sat, 2 Mar 2002 21:32:42 -0800
From: "Crist J. Clark"
To: "Scott M. Nolde"
Cc: George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and DHCP
Message-ID: <20020302213242.Q66092@blossom.cjclark.org>
References: <20020302224033.D32060@smnolde.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020302224033.D32060@smnolde.com>; from scott@smnolde.com on Sat, Mar 02, 2002 at 10:40:33PM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Mar 02, 2002 at 10:40:33PM -0500, Scott M. Nolde wrote:
> George.Giles@mcmail.vanderbilt.edu(George.Giles@mcmail.vanderbilt.edu)@2002.03.01 07:52:26 +0000:
> > How do you get ipfw to pick-up DHCP value for oif in the rc.firewall script
> > ?
> >

Ahhhhhhhhh!!! Are you all _trying_ to hurt me?

> This is what I do:
> onet=`/sbin/ifconfig dc0 | grep -w inet | awk '{print $2}' | awk -F. \
>         '{print $1 "." $2 "." $3 ".0"}'`

onet=`/sbin/ifconfig dc0 | awk '/inet / { split($2, ip, /\./); print ip[1]"."ip[2]"."ip[3]".0"; exit }'`

> omask=`grep subnet-mask /var/db/dhclient.leases | tail -1 | sed \
>         "s/[,;]//g" | awk '{print $3}'`

omask=`awk '/subnet-mask/ { sub(/;/, "", $3); sm = $3; } END { print sm; }' /var/db/dhclient.leases`

Piping grep(1) into awk(1)... *shiver* It just looks so icky. And
piping grep(1) into awk(1) and then into another awk(1) well, I
just... just... *faint* *thunk*
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
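The lease-file extraction discussed in this thread, written as one awk pass, as an added example that is not code from any of the posts: it reads only the newest lease block, rejects any value that is not a plain dotted quad before it can reach an ipfw rule, and derives the network address from the mask instead of assuming /24. The function names and the sample lease contents are constructed for illustration.

```shell
#!/bin/sh
# lease_get FILE KEY: print KEY (oip|omask|dhcp|dns1|dns2) from the LAST lease block.
lease_get() {
    awk -v want="$2" '
        $1 == "lease" { split("", v); next }   # new block: forget older lease
        { gsub(/[;,]/, " ") }                  # drop separators; awk re-splits fields
        $1 == "fixed-address"                            { v["oip"]   = $2 }
        $1 == "option" && $2 == "subnet-mask"            { v["omask"] = $3 }
        $1 == "option" && $2 == "dhcp-server-identifier" { v["dhcp"]  = $3 }
        $1 == "option" && $2 == "domain-name-servers"    { v["dns1"] = $3; v["dns2"] = $4 }
        END { print v[want] }' "$1"
}

# is_ipv4 ADDR: succeed only for one dotted quad, octets 0..255, no leading zeros.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^(0|[1-9][0-9]?[0-9]?)$/ || $i > 255) bad = 1 }
        END { exit (bad || NR != 1) }'
}

# net_addr IP MASK: print IP AND MASK, so masks other than /24 work too.
net_addr() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    _ifs=$IFS; IFS=.; set -- $1 $2; IFS=$_ifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Constructed sample lease file: two leases, only the second one is current.
LEASES=$(mktemp); trap 'rm -f "$LEASES"' EXIT
cat > "$LEASES" <<'EOF'
lease {
  interface "dc0";
  fixed-address 10.9.9.9;
  option subnet-mask 255.255.255.0;
  option dhcp-server-identifier 10.9.9.1;
}
lease {
  interface "dc0";
  fixed-address 192.0.2.77;
  option subnet-mask 255.255.255.192;
  option domain-name-servers 192.0.2.65,198.51.100.53;
  option dhcp-server-identifier 192.0.2.65;
}
EOF

oip=$(lease_get "$LEASES" oip); omask=$(lease_get "$LEASES" omask)
onet=$(net_addr "$oip" "$omask") && echo "oip=$oip omask=$omask onet=$onet"
```

A missing key yields an empty string, which fails is_ipv4, so net_addr returns non-zero and the caller can refuse to load rules built from it.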