From owner-freebsd-security Sun Feb  9 14:07:01 2003
Delivered-To: freebsd-security@freebsd.org
Date: Sun, 9 Feb 2003 23:06:51 +0100
From: Richard Nyberg
To: freebsd-security@freebsd.org
Subject: pam_opieaccess
Message-ID: <20030209220651.GA76848@murmeldjur.it.su.se>
Mail-Followup-To: Richard Nyberg, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Hi there!

The man page for pam_opieaccess(8) states that "To properly use this module, pam_opie(8) should be marked ``sufficient'', and pam_opieaccess should be listed right below it and marked ``requisite''." However, in the PAM configuration files for sshd and telnetd, pam_opieaccess is listed with 'required' instead of 'requisite'. Misconfiguration or not?

---
Happy hacking!
-Richard

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 10 08:39:22 2003
Date: Mon, 10 Feb 2003 08:39:03 -0800
From: Brooks Davis
To: Deepak
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hardware encryption under freebsd
Message-ID: <20030210083903.A453@Odin.AC.HMC.Edu>
In-Reply-To: <20030207202127.CD4D73E5D@xmxpita.excite.com>

On Fri, Feb 07, 2003 at 03:21:27PM -0500, Deepak wrote:
>
>
> Would any one happen to know a source that you can get the Broadcom
> cards
> from? Hi/Fn cards can be had from http://www.soekris.com/, have
> not used any of the cards from Soekris, just came across the site on
> OpenBSD list.

I found a custom hardware manufacturer that produces them:
http://www.interfacemasters.com/products/index.html

I haven't ordered any yet though.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Mon Feb 10 08:43:21 2003
Date: Mon, 10 Feb 2003 11:43:04 -0500 (EST)
From: Andriy Gapon
Subject: ipsec & ipfw: 4.7-release vs -stable
To: freebsd-ipfw@freebsd.org, freebsd-security@freebsd.org
Message-id: <20030210114213.P53494@edge.foundation.invalid>

Is there any remedy expected before 4.8 release for the situation with ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40, MFC: 1.214'?

The reason I am asking this question with such a big crosspost is that it seems that all previous discussions on this topic resulted in nothing. And this change definitely breaks things for those who use ipsec without extra stuff like gif tunnels. It definitely doesn't look like a kind of change welcomed in the -stable branch, not mentioning a potential security vulnaribity for those who can not use gif.

I apologize in case I have missed any latest developments in this area.
--
Andriy Gapon

From owner-freebsd-security Mon Feb 10 09:30:02 2003
Date: Mon, 10 Feb 2003 18:37:57 +0100
From: GiZmen
To: freebsd-security@FreeBSD.ORG
Subject: some problems with login.conf
Message-ID: <20030210173757.GA10346@pals.one.pl>

Hello,

I am trying to set up login.conf under FreeBSD 5.0-R. Resource limits are working OK, but I try to set minpasswordlen to 8 chars and mixpasswordcase to true. Neither of these settings does anything. I can still enter a passwd with 2 chars and the system does not refuse it. Can anybody tell me why I can't do this?

Is it a bug in 5.0 or something?
--
Best Regards:
GiZmen

From owner-freebsd-security Mon Feb 10 11:24:14 2003
Date: Mon, 10 Feb 2003 13:22:07 -0600
From: "Jacques A. Vidrine"
To: Andriy Gapon
Cc: freebsd-security@freebsd.org
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
Message-ID: <20030210192207.GC5292@opus.celabo.org>
In-Reply-To: <20030210114213.P53494@edge.foundation.invalid>

On Mon, Feb 10, 2003 at 11:43:04AM -0500, Andriy Gapon wrote:
>
> Is there any remedy expected before 4.8 release for the situation with
> ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40,
> MFC: 1.214' ?
>
> The reason I am asking this question with such a big crosspost is that it
> seems that all previous discussions on this topic resulted in nothing.
> And this change definitely breaks things for those who use ipsec without extra
> stuff like gif tunnels. It definitely doesn't look like a kind of change
> welcomed in the -stable branch, not mentioning a potential security
> vulnaribity for those who can not use gif.
>
> I apologize in case I have missed any latest developments in this
> area.

Hello Andriy,

What is the problem you are having, exactly? What is the `potential security vulnaribity'?

Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Feb 10 12:16:35 2003
Date: Mon, 10 Feb 2003 15:16:19 -0500 (EST)
From: Andriy Gapon
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
In-reply-to: <20030210192207.GC5292@opus.celabo.org>
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.org
Message-id: <20030210150116.R53750@edge.foundation.invalid>

On Mon, 10 Feb 2003, Jacques A. Vidrine wrote:
> What is the problem you are having, exactly? What is the `potential
> security vulnaribity'?

Jacques,

maybe this is not a 'security vulnaribity' per se; there were several lengthy discussions of this problem in the past, links to mailing list archives follow. In a few words, a packet coming from an ipsec tunnel would go through ipfw twice, before and after decryption; because of that an administrator is quite restricted in filtering of incoming traffic, potentially allowing undesired traffic "masked" as decrypted traffic from an ipsec tunnel.
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=9204+0+archive/2003/freebsd-net/20030105.freebsd-net
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=582949+0+archive/2002/freebsd-stable/20021124.freebsd-stable

--
Andriy Gapon

From owner-freebsd-security Mon Feb 10 12:24:25 2003
Date: Mon, 10 Feb 2003 12:21:58 -0800 (PST)
From: Mike Hoskins
To: freebsd-security@freebsd.org
Subject: Re: The way forward
In-Reply-To: <20030130024520.GJ83557@smnolde.com>
Message-ID: <20030210121510.J23524-100000@fubar.adept.org>

On Wed, 29 Jan 2003, Scott M. Nolde wrote:
> Not to start a flame war either, but I like both and use both ipfw and ipf
> together.

Is it better to eat apples or oranges? Surely the question depends on a lot... Is the target hungry? Do they like red/green/yellow or orange more? What is the current phase of the moon?

So, "ipfw or ipf?" Surely this question also depends on a lot. Read the man pages, and decide for yourself!
I encourage this, because most people I know that have used both walk away saying "there are reasons to use both" and not "I love X and Y sucks." If there was no reason for ipf, I doubt it would have been developed. If there was no reason for ipfw, I doubt it would be maintained and updated (ipfw2). I've also heard some untrue statements here, which once again points to the need to read the man page.

Also, perhaps the authors of the code should refrain from comment so long as it's simply "mine is better." ;)

From owner-freebsd-security Mon Feb 10 12:32:58 2003
Date: Mon, 10 Feb 2003 15:32:47 -0500 (EST)
From: Andriy Gapon
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
In-reply-to: <20030210150116.R53750@edge.foundation.invalid>
To: freebsd-security@FreeBSD.ORG
Message-id: <20030210153043.A53799@edge.foundation.invalid>

On Mon, 10 Feb 2003, Andriy Gapon wrote:
> maybe this is not a 'security vulnaribity' per se,

of course, in all prior posts "vulnaribity" should read as "vulnerability". time to install ispell.

--
Andriy Gapon

From owner-freebsd-security Mon Feb 10 16:32:11 2003
Date: Mon, 10 Feb 2003 18:22:56 -0600
From: Redmond Militante
To: freebsd-security@freebsd.org
Subject: n00b ipf/ipnat questions
Message-ID: <20030211002256.GA824@darkpossum>
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836

hi all

I've been trying to set up an ipf/ipnat gateway machine, to protect an internal network of two machines: a webserver and a mysql server. I've been having some problems.

My gateway machine has two nics - an external and an internal nic. The internal nic is hooked up to a switch.
The switch is hooked up to client machines on the internal network.

/etc/rc.conf on the gateway
-------
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
#aliasing herald's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.255.255.255"
#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
icmp_drop_redirects="YES"
gateway_enable="YES"
-------

kernel on gateway compiled with
-------
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
-------

/etc/ipf.rules on gateway
-------
#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example).
# So, the first line, below, would be
# replaced with:
# pass out quick on xl0 proto tcp from any to any port = 25 keep state
# pass out quick on xl0 proto tcp from any to any port = 110 keep state
# pass out quick on xl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on xl0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any       #loopback
block in log quick on xl0 from 0.0.0.0/8 to any         #loopback
block in log quick on xl0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any           #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state

#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
#the following allows httpd traffic, smtp, sendmail, ftp and webmin traffic
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 21 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 10000 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
pass in quick on xl0 proto tcp from 129.x.x.32/24 to any keep state
pass in quick on xl0 proto udp from 129.x.x.32/24 to any keep state

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
-------

/etc/ipnat.rules on gateway
-------
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (ed0) that have a source address coming
# from your internal network (192.168.1.0), and translate it to whatever
# IP address your external NIC happens to have at that time
#--------------------------------------------------------------------
map xl0 192.168.1.0/24 -> 0/32
map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (xl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need. Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> any port 22 tcp
rdr xl0 0.0.0.0/0 port 25 -> any port 25 tcp
rdr xl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr xl0 0.0.0.0/0 port 10000 -> 192.168.1.50 port 10000 tcp
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp
rdr xl0 0.0.0.0/0 port 3306 -> any port 3306 tcp
rdr xl0 129.x.x.32/24 -> any tcp
rdr xl0 129.x.x.32/24 -> any udp
-------

/etc/sysctl.conf on gateway
-------
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
-------

I've managed to get it NATing one machine so far, the webserver. The public IP of the webserver is aliased to the external NIC on the gateway machine. httpd and ftp work OK behind the gateway box. I have many questions, however, the first being why, despite the firewall rules I have in place on the gateway, when I nmap the public IP of the webserver it shows me all sorts of ports being open. I can't make out from my gateway configuration where this is happening.
Any advice would be appreciated.

thanks
redmond

From owner-freebsd-security Mon Feb 10 17:48:18 2003
Date: Mon, 10 Feb 2003 19:55:26 -0600 (CST)
From: Mike Silbersack
To: Nicholas Esborn
Cc: Marc Spitzer, ""
Subject: Re: The way forward
In-Reply-To: <20030205192433.GB59212@carbon.berkeley.netdot.net>
Message-ID: <20030210195158.P4682-100000@patrocles.silby.com>

On Wed, 5 Feb 2003, Nicholas Esborn wrote:
> Sadly, most of the discussion I've seen here about pf on FreeBSD is
> basically "Why would we need another packet filter?"
>
> -nick

You misheard the question. It's really: "Why should I spend time importing PF for Nick when I have other things to work on?"

If you take the time to create a patchset which allows PF to work on FreeBSD, there's a much greater chance that PF could end up in FreeBSD. (Assuming that the changes are structured in a way such that future imports of PF would not be an overly complicated matter.)

Mike "Silby" Silbersack

From owner-freebsd-security Mon Feb 10 23:11:26 2003
Date: Tue, 11 Feb 2003 18:10:05 +1100 (EST)
From: Kieran Moore
To: GiZmen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: some problems with login.conf
In-Reply-To: <20030210173757.GA10346@pals.one.pl>
Message-ID: <20030211180923.U4613-100000@oasis.uneex.net>

Are you logged in as root?

Rgds,
Kieran Moore

On Mon, 10 Feb 2003, GiZmen wrote:
> Hello,
>
> I am trying to set up login.conf under FreeBSD 5.0-R.
> Resource limits are working OK,
> but I try to set minpasswordlen to 8 chars and mixpasswordcase to the true
> value. None of these settings does anything.
> I can still enter a passwd with 2 chars and the system does not refuse it.
> Can anybody tell me why I can't do this?
>
> Is it a bug in 5.0 or something?
>
> --
> Best Regards:
> GiZmen

From owner-freebsd-security Tue Feb 11 4:10:24 2003
Date: Tue, 11 Feb 2003 09:07:51 -0300 (ART)
From: Fernando Gleiser
To: Redmond Militante
Cc: freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
In-Reply-To: <20030211002256.GA824@darkpossum>
Message-ID: <20030211090154.R30313-100000@cactus.fi.uba.ar>

On Mon, 10 Feb 2003, Redmond Militante wrote:

> I've managed to get it NAT'ing one machine so far, the webserver. The public
> IP of the webserver is aliased to the external NIC on the gateway machine.
> httpd and ftp work OK behind the gateway box. I have many questions,
> however. The first being why, despite the firewall rules I have in place
> on the gateway, when I nmap the public IP of the webserver it shows me all
> sorts of ports being open. I can't make out from my gateway configuration
> where this is happening.

What ports? Is it TCP or UDP? UDP scanning is very prone to false positives.
It would help if you post the nmap flags line you're using and the results;
obfuscate the IP if you don't want us to know it.

Another possibility is some interception/transparent proxy at your ISP.

Fer

> any advice would be appreciated
>
> thanks
> redmond

From owner-freebsd-security Tue Feb 11 4:39: 8 2003
Message-ID: <3E48EEE4.AEFC0B4C@dolaninformation.com>
Date: Tue, 11 Feb 2003 06:39:00 -0600
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
To: freebsd-security@freebsd.org
Cc: Andriy Gapon, freebsd-ipfw@freebsd.org
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
References: <20030210114213.P53494@edge.foundation.invalid>

Andriy Gapon wrote:
>
> Is there any remedy expected before the 4.8 release for the situation with
> ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40,
> MFC: 1.214'?
>
> The reason I am asking this question with such a big crosspost is that it
> seems that all previous discussions on this topic resulted in nothing. And
> this change definitely breaks things for those who use ipsec without extra
> stuff like gif tunnels. It definitely doesn't look like the kind of change
> welcomed in the -stable branch, not to mention a potential security
> vulnerability for those who can not use gif.
>
> I apologize in case I have missed any recent developments in this
> area.
>
> --

Would it be possible to extend the sysctl variable 'net.inet.ip.fw.one_pass'
to include ipsec (esp) traffic? Or maybe create a new similar sysctl variable,
e.g. net.inet.ip.fw.ipsec.one_pass?

When enabled it would allow ipsec gateways to filter decrypted rfc1918
network traffic on their internal interface(s) and have the all-encompassing
block of rfc1918 traffic on their external interface(s). In the case of
non-gateway/single-interface boxes using ipsec, the multiple-passes-thru-ipfw
behavior could still be used to filter decrypted traffic.

Not sure how do-able this is, but it avoids the hassle of gif/ipip tunnels
(thus keeping interoperability with other non-BSD/Linux devices) and also
avoids the possible quagmire of a "dedicated" ipsec/esp interface.

Just my two bits,

greg

From owner-freebsd-security Tue Feb 11 6:28: 5 2003
Date: Tue, 11 Feb 2003 08:18:31 -0600
From: Redmond Militante
To: Fernando Gleiser
Cc: freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211141831.GB824@darkpossum>
References: <20030211002256.GA824@darkpossum>
  <20030211090154.R30313-100000@cactus.fi.uba.ar>
In-Reply-To: <20030211090154.R30313-100000@cactus.fi.uba.ar>

Hi,

Thanks for responding.
I made a few changes last night to my config, but I still see open ports when
I run nmap, despite my ipf.rules. If you like, I can post my updated config,
although it's not that different...

TCP ports seem to be open. I'm using: nmap -sS -v -O my.hostname.org
Here are the results of an nmap run:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host my.hostname.org (129.x.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
Adding open port 32774/tcp
Adding open port 15/tcp
Adding open port 31337/tcp
Adding open port 1524/tcp
Adding open port 111/tcp
Adding open port 1/tcp
Adding open port 32771/tcp
Adding open port 79/tcp
Adding open port 54320/tcp
Adding open port 22/tcp
Adding open port 540/tcp
Adding open port 587/tcp
Adding open port 12346/tcp
Adding open port 1080/tcp
Adding open port 25/tcp
Adding open port 119/tcp
Adding open port 11/tcp
Adding open port 27665/tcp
Adding open port 6667/tcp
Adding open port 80/tcp
Adding open port 635/tcp
Adding open port 21/tcp
Adding open port 32773/tcp
Adding open port 143/tcp
Adding open port 32772/tcp
Adding open port 12345/tcp
Adding open port 2000/tcp
The SYN Stealth Scan took 157 seconds to scan 1601 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
(The 1574 ports scanned but not shown below are in state: filtered)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
587/tcp    open        submission
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k

No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds

Any advice you could give would be appreciated.

Thanks,
Redmond

> > I've managed to get it NAT'ing one machine so far, the webserver. The public
> > IP of the webserver is aliased to the external NIC on the gateway machine.
> > httpd and ftp work OK behind the gateway box. I have many questions,
> > however. The first being why, despite the firewall rules I have in place
> > on the gateway, when I nmap the public IP of the webserver it shows me all
> > sorts of ports being open. I can't make out from my gateway configuration
> > where this is happening.
>
> What ports? Is it TCP or UDP? UDP scanning is very prone to false positives.
> It would help if you post the nmap flags line you're using and the results;
> obfuscate the IP if you don't want us to know it.
>
> Another possibility is some interception/transparent proxy at your ISP.
>
>
> Fer
>
> > any advice would be appreciated
> >
> > thanks
> > redmond
> >
>

From owner-freebsd-security Tue Feb 11 7:12:57 2003
Date: Tue, 11 Feb 2003 15:13:35 +0000
From: Jez Hancock
To: freebsd-security@FreeBSD.ORG
Subject: Re: some problems with login.conf
Message-ID: <20030211151335.GB68575@users.munk.nu>
References: <20030210173757.GA10346@pals.one.pl> <20030211180923.U4613-100000@oasis.uneex.net>
In-Reply-To: <20030211180923.U4613-100000@oasis.uneex.net>
There are stacks of issues regarding login capabilities on FreeBSD 4.x
(not sure about 5.0). David Schultz recently posted to this list about it:

http://marc.theaimsgroup.com/?l=freebsd-security&m=104427971127934&w=2

Regards,

Jez

On Tue, Feb 11, 2003 at 06:10:05PM +1100, Kieran Moore wrote:
> Are you logged in as root?
>
> Rgds,
>
> Kieran Moore
>
> On Mon, 10 Feb 2003, GiZmen wrote:
>
> > Hello,
> >
> > I am trying to set up login.conf under FreeBSD 5.0-R.
> > Resource limits are working OK,
> > but I try to set minpasswordlen to 8 chars and mixpasswordcase to the true
> > value. None of these settings does anything.
> > I can still enter a passwd with 2 chars and the system does not refuse it.
> > Can anybody tell me why I can't do this?
> >
> > Is it a bug in 5.0 or something?
> >
> > --
> > Best Regards:
> > GiZmen
> >
>

From owner-freebsd-security Tue Feb 11 8: 7:57 2003
Date: Tue, 11 Feb 2003 09:58:40 -0600
From: Redmond Militante
To: Stephen Hilton, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211155840.GA2733@darkpossum>
References: <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar> <20030211141831.GB824@darkpossum> <20030211090331.2e16f1c0.nospam@hiltonbsd.com>
In-Reply-To: <20030211090331.2e16f1c0.nospam@hiltonbsd.com>

Hi,

OK.
netstat -na | grep LISTEN on the box I'm nmapping from
-------
tcp4   0  0  *.10000   *.*   LISTEN
tcp4   0  0  *.3306    *.*   LISTEN
tcp4   0  0  *.21      *.*   LISTEN
tcp4   0  0  *.80      *.*   LISTEN
tcp4   0  0  *.587     *.*   LISTEN
tcp4   0  0  *.25      *.*   LISTEN
tcp4   0  0  *.22      *.*   LISTEN
tcp46  0  0  *.22      *.*   LISTEN

netstat -na | grep LISTEN on the gateway box
-------
tcp4   0  0  *.587     *.*   LISTEN
tcp4   0  0  *.25      *.*   LISTEN
tcp4   0  0  *.22      *.*   LISTEN
tcp46  0  0  *.22      *.*   LISTEN
tcp4   0  0  *.54320   *.*   LISTEN
tcp4   0  0  *.49724   *.*   LISTEN
tcp4   0  0  *.40421   *.*   LISTEN
tcp4   0  0  *.32774   *.*   LISTEN
tcp4   0  0  *.32773   *.*   LISTEN
tcp4   0  0  *.32772   *.*   LISTEN
tcp4   0  0  *.32771   *.*   LISTEN
tcp4   0  0  *.31337   *.*   LISTEN
tcp4   0  0  *.27665   *.*   LISTEN
tcp4   0  0  *.20034   *.*   LISTEN
tcp4   0  0  *.12346   *.*   LISTEN
tcp4   0  0  *.12345   *.*   LISTEN
tcp4   0  0  *.6667    *.*   LISTEN
tcp4   0  0  *.5742    *.*   LISTEN
tcp4   0  0  *.2000    *.*   LISTEN
tcp4   0  0  *.1524    *.*   LISTEN
tcp4   0  0  *.1080    *.*   LISTEN
tcp4   0  0  *.635     *.*   LISTEN
tcp4   0  0  *.540     *.*   LISTEN
tcp4   0  0  *.143     *.*   LISTEN
tcp4   0  0  *.119     *.*   LISTEN
tcp4   0  0  *.111     *.*   LISTEN
tcp4   0  0  *.79      *.*   LISTEN
tcp4   0  0  *.15      *.*   LISTEN
tcp4   0  0  *.11      *.*   LISTEN
tcp4   0  0  *.1       *.*   LISTEN

netstat -na | grep LISTEN on the webserver behind the gateway
-------
tcp4   0  0  *.21      *.*   LISTEN
tcp4   0  0  *.80      *.*   LISTEN
tcp4   0  0  *.587     *.*   LISTEN
tcp4   0  0  *.25      *.*   LISTEN
tcp4   0  0  *.22      *.*   LISTEN
tcp46  0  0  *.22      *.*   LISTEN

Thanks,
Redmond

> Redmond Militante wrote:
>
> > Hi,
> >
> > Thanks for responding.
> > I made a few changes last night to my config, but I still see open ports when I run nmap, despite my ipf.rules. If you like, I can post my updated config, although it's not that different...
> >
> > TCP ports seem to be open. I'm using: nmap -sS -v -O my.hostname.org
> > Here are the results of an nmap run:
> >
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host my.hostname.org (129.x.x.x) appears to be up ... good.
> > Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> > Adding open port 32774/tcp
> > Adding open port 15/tcp
> > Adding open port 31337/tcp
> > Adding open port 1524/tcp
> > Adding open port 111/tcp
> > Adding open port 1/tcp
> > Adding open port 32771/tcp
> > Adding open port 79/tcp
> > Adding open port 54320/tcp
> > Adding open port 22/tcp
> > Adding open port 540/tcp
> > Adding open port 587/tcp
> > Adding open port 12346/tcp
> > Adding open port 1080/tcp
> > Adding open port 25/tcp
> > Adding open port 119/tcp
> > Adding open port 11/tcp
> > Adding open port 27665/tcp
> > Adding open port 6667/tcp
> > Adding open port 80/tcp
> > Adding open port 635/tcp
> > Adding open port 21/tcp
> > Adding open port 32773/tcp
> > Adding open port 143/tcp
> > Adding open port 32772/tcp
> > Adding open port 12345/tcp
> > Adding open port 2000/tcp
> > The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> > Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> > For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> > Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> > (The 1574 ports scanned but not shown below are in state: filtered)
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 11/tcp     open        systat
> > 15/tcp     open        netstat
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 79/tcp     open        finger
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 119/tcp    open        nntp
> > 143/tcp    open        imap2
> > 540/tcp    open        uucp
> > 587/tcp    open        submission
> > 635/tcp    open        unknown
> > 1080/tcp   open        socks
> > 1524/tcp   open        ingreslock
> > 2000/tcp   open        callbook
> > 6667/tcp   open        irc
> > 12345/tcp  open        NetBus
> > 12346/tcp  open        NetBus
> > 27665/tcp  open        Trinoo_Master
> > 31337/tcp  open        Elite
> > 32771/tcp  open        sometimes-rpc5
> > 32772/tcp  open        sometimes-rpc7
> > 32773/tcp  open        sometimes-rpc9
> > 32774/tcp  open        sometimes-rpc11
> > 54320/tcp  open        bo2k
> > No exact OS matches for host (test conditions non-ideal).
> > TCP/IP fingerprint:
> > SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> > TSeq(Class=TR%IPID=I%TS=100HZ)
> > T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T2(Resp=N)
> > T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> > T5(Resp=N)
> > T6(Resp=N)
> > T7(Resp=N)
> > PU(Resp=N)
> >
> >
> > Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> > TCP Sequence Prediction: Class=truly random
> >                          Difficulty=9999999 (Good luck!)
> > IPID Sequence Generation: Incremental
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
> >
> >
> > Any advice you could give would be appreciated.
> >
> > Thanks,
> > Redmond
> >
> >
> > > > I've managed to get it NAT'ing one machine so far, the webserver. The public
> > > > IP of the webserver is aliased to the external NIC on the gateway machine.
> > > > httpd and ftp work OK behind the gateway box. I have many questions,
> > > > however. The first being why, despite the firewall rules I have in place
> > > > on the gateway, when I nmap the public IP of the webserver it shows me all
> > > > sorts of ports being open. I can't make out from my gateway configuration
> > > > where this is happening.
> > >
> > > What ports? Is it TCP or UDP? UDP scanning is very prone to false positives.
> > > It would help if you post the nmap flags line you're using and the results;
> > > obfuscate the IP if you don't want us to know it.
> > >
> > > Another possibility is some interception/transparent proxy at your ISP.
>
>
> How about a 'netstat -na | grep LISTEN' output from each box.
> I think this may help the gurus get a better picture.
> Again, sanitize IPs if necessary. ;-)
>
> Regards,
>
> Stephen Hilton
> nospam@hiltonbsd.com
>

From owner-freebsd-security Tue Feb 11 10:47:12 2003
Date: Tue, 11 Feb 2003 12:37:58 -0600
From: Redmond Militante
To: freebsd-security@FreeBSD.ORG
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211183758.GA791@darkpossum>
References:
  <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar> <20030211141831.GB824@darkpossum> <20030211090331.2e16f1c0.nospam@hiltonbsd.com> <20030211155840.GA2733@darkpossum>
In-Reply-To: <20030211155840.GA2733@darkpossum>

Hi,

Any comments? :)

I'm thinking that it's probably a good thing the box behind the gateway is
only listening on a select number of ports, but I don't understand why the
gateway itself seems to be listening on a large number of ports. Is this
normal?

Thanks,
Redmond

> Hi,
>
> OK.
> netstat -na | grep LISTEN on the box I'm nmapping from
> -------
> tcp4   0  0  *.10000   *.*   LISTEN
> tcp4   0  0  *.3306    *.*   LISTEN
> tcp4   0  0  *.21      *.*   LISTEN
> tcp4   0  0  *.80      *.*   LISTEN
> tcp4   0  0  *.587     *.*   LISTEN
> tcp4   0  0  *.25      *.*   LISTEN
> tcp4   0  0  *.22      *.*   LISTEN
> tcp46  0  0  *.22      *.*   LISTEN
>
>
> netstat -na | grep LISTEN on the gateway box
> -------
> tcp4   0  0  *.587     *.*   LISTEN
> tcp4   0  0  *.25      *.*   LISTEN
> tcp4   0  0  *.22      *.*   LISTEN
> tcp46  0  0  *.22      *.*   LISTEN
> tcp4   0  0  *.54320   *.*   LISTEN
> tcp4   0  0  *.49724   *.*   LISTEN
> tcp4   0  0  *.40421   *.*   LISTEN
> tcp4   0  0  *.32774   *.*   LISTEN
> tcp4   0  0  *.32773   *.*   LISTEN
> tcp4   0  0  *.32772   *.*   LISTEN
> tcp4   0  0  *.32771   *.*   LISTEN
> tcp4   0  0  *.31337   *.*   LISTEN
> tcp4   0  0  *.27665   *.*   LISTEN
> tcp4   0  0  *.20034   *.*   LISTEN
> tcp4   0  0  *.12346   *.*   LISTEN
> tcp4   0  0  *.12345   *.*   LISTEN
> tcp4   0  0  *.6667    *.*   LISTEN
> tcp4   0  0  *.5742    *.*   LISTEN
> tcp4   0  0  *.2000    *.*   LISTEN
> tcp4   0  0  *.1524    *.*   LISTEN
> tcp4   0  0  *.1080    *.*   LISTEN
> tcp4   0  0  *.635     *.*   LISTEN
> tcp4   0  0  *.540     *.*   LISTEN
> tcp4   0  0  *.143     *.*   LISTEN
> tcp4   0  0  *.119     *.*   LISTEN
> tcp4   0  0  *.111     *.*   LISTEN
> tcp4   0  0  *.79      *.*   LISTEN
> tcp4   0  0  *.15      *.*   LISTEN
> tcp4   0  0  *.11      *.*   LISTEN
> tcp4   0  0  *.1       *.*   LISTEN
>
> netstat -na | grep LISTEN on the webserver behind the gateway
> -------
> tcp4   0  0  *.21      *.*   LISTEN
> tcp4   0  0  *.80      *.*   LISTEN
> tcp4   0  0  *.587     *.*   LISTEN
> tcp4   0  0  *.25      *.*   LISTEN
> tcp4   0  0  *.22      *.*   LISTEN
> tcp46  0  0  *.22      *.*   LISTEN
>
>
> Thanks,
>
> Redmond

From owner-freebsd-security Tue Feb 11 11: 1:50 2003
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7DFFB37B401 for ; Tue, 11 Feb 2003 11:01:36 -0800 (PST) Received: from darkpossum.medill.northwestern.edu (darkpossum.medill.northwestern.edu [129.105.51.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5BD1143FBD for ; Tue, 11 Feb 2003 11:01:35 -0800 (PST) (envelope-from possum@darkpossum.medill.northwestern.edu) Received: from darkpossum.medill.northwestern.edu (6f4c9ede6e622da6a17737340a562287@localhost.medill.northwestern.edu [127.0.0.1]) by darkpossum.medill.northwestern.edu (8.12.6/8.12.6) with ESMTP id h1BIqR74003419; Tue, 11 Feb 2003 12:52:27 -0600 (CST) (envelope-from possum@darkpossum.medill.northwestern.edu) Received: (from possum@localhost) by darkpossum.medill.northwestern.edu (8.12.6/8.12.6/Submit) id h1BIqR1E003418; Tue, 11 Feb 2003 12:52:27 -0600 (CST) Date: Tue, 11 Feb 2003 12:52:26 -0600 From: Redmond Militante To: John Fulcher , freebsd-security@freebsd.org Subject: Re: n00b ipf/ipnat questions Message-ID: <20030211185226.GA3385@darkpossum> Reply-To: Redmond Militante References: <20030211183758.GA791@darkpossum> <005201c2d1fe$1ff1e4c0$1113020a@uss.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR" Content-Disposition: inline In-Reply-To: <005201c2d1fe$1ff1e4c0$1113020a@uss.net> User-Agent: Mutt/1.4i X-Sender: redmond@darkpossum.medill.northwestern.edu X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1 X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836 X-Favorite-Food: Pizza Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --T4sUOijqQbZv57TR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable ok. 
sockstat on the machine i'm running nmap from
-------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 29207 5 tcp4 129.x.x.20:22 129.x.x.22:49176
root ssh 28858 3 tcp4 129.x.x.20:2641 129.x.x.35:22
root sshd 27242 5 tcp4 129.x.x.20:22 129.x.x.23:1076
www httpd 25325 16 tcp4 *:80 *:*
www httpd 25324 16 tcp4 *:80 *:*
www httpd 6649 16 tcp4 *:80 *:*
www httpd 407 16 tcp4 *:80 *:*
www httpd 378 16 tcp4 *:80 *:*
root perl 182 3 tcp4 *:10000 *:*
root perl 182 4 udp4 *:10000 *:*
mysql mysqld 181 5 tcp4 *:3306 *:*
www httpd 178 16 tcp4 *:80 *:*
www httpd 177 16 tcp4 *:80 *:*
www httpd 176 16 tcp4 *:80 *:*
www httpd 175 16 tcp4 *:80 *:*
www httpd 174 16 tcp4 *:80 *:*
nobody proftpd 168 0 tcp4 *:21 *:*
root httpd 150 16 tcp4 *:80 *:*
root sendmail 96 3 tcp4 *:25 *:*
root sendmail 96 5 tcp4 *:587 *:*
root sshd 91 4 tcp4 *:22 *:*
root syslogd 72 5 udp4 *:514 *:*
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 91 3 tcp46 *:22 *:*
root syslogd 72 4 udp6 *:514 *:*
USER COMMAND PID FD PROTO ADDRESS
www httpd 407 5 stream (none)
www httpd 378 5 stream (none)
root login 186 3 dgram syslogd[72]:3
root login 185 3 dgram syslogd[72]:3
mysql mysqld 181 6 stream /tmp/mysql.sock
www httpd 177 5 stream (none)
www httpd 176 5 stream (none)
www httpd 175 5 stream (none)
nobody proftpd 168 3 dgram syslogd[72]:3
smmsp sendmail 99 3 dgram syslogd[72]:3
root sendmail 96 4 dgram syslogd[72]:3
root syslogd 72 3 dgram /var/run/log

sockstat on the gateway machine
-------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 825 5 tcp4 129.x.x.35:22 129.x.x.20:2666
root ssh 491 3 tcp4 192.168.1.1:1151 192.168.1.50:22
root sshd 482 5 tcp4 129.x.x.35:22 129.x.x.20:2641
root sendmail 105 3 tcp4 *:25 *:*
root sendmail 105 5 tcp4 *:587 *:*
root sshd 100 4 tcp4 *:22 *:*
root portsent 99 0 tcp4 *:1 *:*
root portsent 99 1 tcp4 *:11 *:*
root portsent 99 2 tcp4 *:15 *:*
root portsent 99 3 tcp4 *:79 *:*
root portsent 99 4 tcp4 *:111 *:*
root portsent 99 5 tcp4 *:119 *:*
root portsent 99 6 tcp4 *:143 *:*
root portsent 99 7 tcp4 *:540 *:*
root portsent 99 8 tcp4 *:635 *:*
root portsent 99 9 tcp4 *:1080 *:*
root portsent 99 10 tcp4 *:1524 *:*
root portsent 99 11 tcp4 *:2000 *:*
root portsent 99 12 tcp4 *:5742 *:*
root portsent 99 13 tcp4 *:6667 *:*
root portsent 99 14 tcp4 *:12345 *:*
root portsent 99 15 tcp4 *:12346 *:*
root portsent 99 16 tcp4 *:20034 *:*
root portsent 99 17 tcp4 *:27665 *:*
root portsent 99 18 tcp4 *:31337 *:*
root portsent 99 19 tcp4 *:32771 *:*
root portsent 99 20 tcp4 *:32772 *:*
root portsent 99 21 tcp4 *:32773 *:*
root portsent 99 22 tcp4 *:32774 *:*
root portsent 99 23 tcp4 *:40421 *:*
root portsent 99 24 tcp4 *:49724 *:*
root portsent 99 25 tcp4 *:54320 *:*
root portsent 98 0 udp4 *:1 *:*
root portsent 98 1 udp4 *:7 *:*
root portsent 98 2 udp4 *:9 *:*
root portsent 98 3 udp4 *:69 *:*
root portsent 98 4 udp4 *:161 *:*
root portsent 98 5 udp4 *:162 *:*
root portsent 98 6 udp4 *:513 *:*
root portsent 98 7 udp4 *:635 *:*
root portsent 98 8 udp4 *:640 *:*
root portsent 98 9 udp4 *:641 *:*
root portsent 98 10 udp4 *:700 *:*
root portsent 98 11 udp4 *:37444 *:*
root portsent 98 12 udp4 *:34555 *:*
root portsent 98 13 udp4 *:31335 *:*
root portsent 98 14 udp4 *:32770 *:*
root portsent 98 15 udp4 *:32771 *:*
root portsent 98 16 udp4 *:32772 *:*
root portsent 98 17 udp4 *:32773 *:*
root portsent 98 18 udp4 *:32774 *:*
root portsent 98 19 udp4 *:31337 *:*
root portsent 98 20 udp4 *:54321 *:*
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 100 3 tcp46 *:22 *:*
USER COMMAND PID FD PROTO ADDRESS
smmsp sendmail 108 3 dgram syslogd[81]:3
root sendmail 105 4 dgram syslogd[81]:3
root syslogd 81 3 dgram /var/run/log
root ipmon 53 0 dgram syslogd[81]:3

sockstat on the webserver behind the gateway machine
-------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 2287 5 tcp4 192.168.1.50:22 192.168.1.1:1186
user1 proftpd 2283 0 tcp4 192.168.1.50:21 12.249.95.65:2595
user1 proftpd 2283 1 tcp4 192.168.1.50:21 12.249.95.65:2595
www httpd 2277 16 tcp4 *:80 *:*
www httpd 2276 16 tcp4 *:80 *:*
user2 proftpd 2180 0 tcp4 192.168.1.50:21 129.x.x.115:1845
user2 proftpd 2180 1 tcp4 192.168.1.50:21 129.x.x.115:1845
www httpd 1906 5 tcp4 192.168.1.50:1541 129.x.x.5:3306
www httpd 1906 16 tcp4 *:80 *:*
www httpd 1905 5 tcp4 192.168.1.50:1539 129.x.x.5:3306
www httpd 1905 16 tcp4 *:80 *:*
www httpd 1904 3 tcp4 192.168.1.50:80 65.56.131.11:3601
www httpd 1904 5 tcp4 192.168.1.50:1543 129.x.x.5:3306
www httpd 1904 16 tcp4 *:80 *:*
www httpd 1903 5 tcp4 192.168.1.50:1530 129.x.x.5:3306
www httpd 1903 16 tcp4 *:80 *:*
www httpd 1902 5 tcp4 192.168.1.50:1544 129.x.x.5:3306
www httpd 1902 16 tcp4 *:80 *:*
www httpd 1901 5 tcp4 192.168.1.50:1538 129.x.x.5:3306
www httpd 1901 16 tcp4 *:80 *:*
www httpd 1900 5 tcp4 192.168.1.50:1522 129.x.x.5:3306
www httpd 1900 16 tcp4 *:80 *:*
www httpd 1899 5 tcp4 192.168.1.50:1549 129.x.x.5:3306
www httpd 1899 16 tcp4 *:80 *:*
www httpd 1898 5 tcp4 192.168.1.50:1540 129.x.x.5:3306
www httpd 1898 16 tcp4 *:80 *:*
www httpd 1897 3 tcp4 192.168.1.50:80 65.56.131.11:3603
www httpd 1897 5 tcp4 192.168.1.50:1521 129.x.x.5:3306
www httpd 1897 16 tcp4 *:80 *:*
root sshd 1144 5 tcp4 192.168.1.50:22 192.168.1.1:1151
root snmpd 159 6 udp4 *:161 *:*
nobody proftpd 153 0 tcp4 *:21 *:*
root httpd 146 16 tcp4 *:80 *:*
root sendmail 98 3 tcp4 *:25 *:*
root sendmail 98 5 tcp4 *:587 *:*
root sshd 93 4 tcp4 *:22 *:*
root syslogd 73 5 udp4 *:514 *:*
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 93 3 tcp46 *:22 *:*
root syslogd 73 4 udp6 *:514 *:*
USER COMMAND PID FD PROTO ADDRESS
user1 proftpd 2283 2 dgram syslogd[73]:3
user1 proftpd 2283 3 dgram syslogd[73]:3
user1 proftpd 2283 6 dgram syslogd[73]:3
user1 proftpd 2283 7 dgram syslogd[73]:3
user2 proftpd 2180 2 dgram syslogd[73]:3
user2 proftpd 2180 3 dgram syslogd[73]:3
user2 proftpd 2180 6 dgram syslogd[73]:3
user2 proftpd 2180 7 dgram syslogd[73]:3
smmsp sendmail 101 3 dgram syslogd[73]:3
root sendmail 98 4 dgram syslogd[73]:3
root syslogd 73 3 dgram /var/run/log

thanks for your help
redmond

> Try running a sockstat and see what it says for the programs that are
> running on those ports..
>
> -----Original Message-----
> From: r-militante@northwestern.edu [mailto:r-militante@northwestern.edu]
> Sent: Tuesday, February 11, 2003 1:38 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: n00b ipf/ipnat questions
>
> hi
>
> any comments? :)
> i'm thinking that it's probably a good thing the box behind the gateway
> is only listening on a select number of ports, but i don't understand why
> the gateway itself seems to be listening on a large number of ports.
> is this normal?
>
> thanks
> redmond
>
>
>
> > hi
> >
> > ok.
> > netstat -na | grep LISTEN on the box i'm nmapping from
> > -------
> > tcp4 0 0 *.10000 *.* LISTEN
> > tcp4 0 0 *.3306 *.* LISTEN
> > tcp4 0 0 *.21 *.* LISTEN
> > tcp4 0 0 *.80 *.* LISTEN
> > tcp4 0 0 *.587 *.* LISTEN
> > tcp4 0 0 *.25 *.* LISTEN
> > tcp4 0 0 *.22 *.* LISTEN
> > tcp46 0 0 *.22 *.* LISTEN
> >
> >
> > netstat -na | grep LISTEN on the gateway box
> > -------
> > tcp4 0 0 *.587 *.* LISTEN
> > tcp4 0 0 *.25 *.* LISTEN
> > tcp4 0 0 *.22 *.* LISTEN
> > tcp46 0 0 *.22 *.* LISTEN
> > tcp4 0 0 *.54320 *.* LISTEN
> > tcp4 0 0 *.49724 *.* LISTEN
> > tcp4 0 0 *.40421 *.* LISTEN
> > tcp4 0 0 *.32774 *.* LISTEN
> > tcp4 0 0 *.32773 *.* LISTEN
> > tcp4 0 0 *.32772 *.* LISTEN
> > tcp4 0 0 *.32771 *.* LISTEN
> > tcp4 0 0 *.31337 *.* LISTEN
> > tcp4 0 0 *.27665 *.* LISTEN
> > tcp4 0 0 *.20034 *.* LISTEN
> > tcp4 0 0 *.12346 *.* LISTEN
> > tcp4 0 0 *.12345 *.* LISTEN
> > tcp4 0 0 *.6667 *.* LISTEN
> > tcp4 0 0 *.5742 *.* LISTEN
> > tcp4 0 0 *.2000 *.* LISTEN
> > tcp4 0 0 *.1524 *.* LISTEN
> > tcp4 0 0 *.1080 *.* LISTEN
> > tcp4 0 0 *.635 *.* LISTEN
> > tcp4 0 0 *.540 *.* LISTEN
> > tcp4 0 0 *.143 *.* LISTEN
> > tcp4 0 0 *.119 *.* LISTEN
> > tcp4 0 0 *.111 *.* LISTEN
> > tcp4 0 0 *.79 *.* LISTEN
> > tcp4 0 0 *.15 *.* LISTEN
> > tcp4 0 0 *.11 *.* LISTEN
> > tcp4 0 0 *.1 *.* LISTEN
> >
> > netstat -na | grep LISTEN on the webserver behind gateway
> > -------
> > tcp4 0 0 *.21 *.* LISTEN
> > tcp4 0 0 *.80 *.* LISTEN
> > tcp4 0 0 *.587 *.* LISTEN
> > tcp4 0 0 *.25 *.* LISTEN
> > tcp4 0 0 *.22 *.* LISTEN
> > tcp46 0 0 *.22 *.* LISTEN
> >
> >
> > thanks
> >
> > redmond
>

From owner-freebsd-security Tue Feb 11 11:11:41 2003
Date: 11 Feb 2003 14:11:31 -0500
From: Nigel Houghton
To: Redmond Militante
Cc: freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-Id: <1044990692.294.26.camel@ds9.sourcefire.com>
In-Reply-To: <20030211141831.GB824@darkpossum>

Are you running Portsentry by any chance?

On Tue, 2003-02-11 at 09:18, Redmond Militante wrote:
> hi
>
> thanks for responding
> i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...
>
> tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org
> here's the results of an nmap run
>
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host my.hostname.org (129.x.x.x) appears to be up ... good.
> Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> Adding open port 32774/tcp
> Adding open port 15/tcp
> Adding open port 31337/tcp
> Adding open port 1524/tcp
> Adding open port 111/tcp
> Adding open port 1/tcp
> Adding open port 32771/tcp
> Adding open port 79/tcp
> Adding open port 54320/tcp
> Adding open port 22/tcp
> Adding open port 540/tcp
> Adding open port 587/tcp
> Adding open port 12346/tcp
> Adding open port 1080/tcp
> Adding open port 25/tcp
> Adding open port 119/tcp
> Adding open port 11/tcp
> Adding open port 27665/tcp
> Adding open port 6667/tcp
> Adding open port 80/tcp
> Adding open port 635/tcp
> Adding open port 21/tcp
> Adding open port 32773/tcp
> Adding open port 143/tcp
> Adding open port 32772/tcp
> Adding open port 12345/tcp
> Adding open port 2000/tcp
> The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> (The 1574 ports scanned but not shown below are in state: filtered)
> Port State Service
> 1/tcp open tcpmux
> 11/tcp open systat
> 15/tcp open netstat
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 79/tcp open finger
> 80/tcp open http
> 111/tcp open sunrpc
> 119/tcp open nntp
> 143/tcp open imap2
> 540/tcp open uucp
> 587/tcp open submission
> 635/tcp open unknown
> 1080/tcp open socks
> 1524/tcp open ingreslock
> 2000/tcp open callbook
> 6667/tcp open irc
> 12345/tcp open NetBus
> 12346/tcp open NetBus
> 27665/tcp open Trinoo_Master
> 31337/tcp open Elite
> 32771/tcp open sometimes-rpc5
> 32772/tcp open sometimes-rpc7
> 32773/tcp open sometimes-rpc9
> 32774/tcp open sometimes-rpc11
> 54320/tcp open bo2k
> No exact OS matches for host (test conditions non-ideal).
> TCP/IP fingerprint:
> SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> TSeq(Class=TR%IPID=I%TS=100HZ)
> T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=N)
> T6(Resp=N)
> T7(Resp=N)
> PU(Resp=N)
>
>
> Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> TCP Sequence Prediction: Class=truly random
> Difficulty=9999999 (Good luck!)
> IPID Sequence Generation: Incremental
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
>
>
> any advice you could give would be appreciated.
>
> thanks
> redmond
>
>
> >
> > >
> > > i've managed to get it nat'ing one machine so far, the webserver. the public
> > > ip of the webserver is aliased to the external nic on the gateway machine.
> > > httpd and ftp work ok behind the gateway box. i have many questions,
> > > however. the first being why - despite the firewall rules i have in place
> > > on the gateway, when i nmap the public ip of the webserver it shows me all
> > > sorts of ports being open. i can't make out from my gateway configuration
> > > where this is happening.
> >
> > What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> > It would help if you post the nmap flags line you're using and the results,
> > obfuscate the IP if you don't want us to know it.
> >
> > Another possibility is some interception/transparent proxy on your ISP.
> >
> >
> > Fer
> >
> > > any advice would be appreciated
> > >
> > > thanks
> > > redmond
> > >
> >
--
Nigel Houghton Security Engineer Sourcefire Inc.

Specifications are for the weak and timid!
From owner-freebsd-security Tue Feb 11 11:16:59 2003
Date: Tue, 11 Feb 2003 13:07:38 -0600
From: Redmond Militante
To: Nigel Houghton, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211190738.GB791@darkpossum>
In-Reply-To: <1044990692.294.26.camel@ds9.sourcefire.com>

yeah
the reason i didn't think that portsentry would be causing this type of behavior is that i'm also running it on a couple of standalone workstations that i have firewalled with ipfilter, and when i nmap these machines, it doesn't show a variety of ports being open due to portsentry listening on them.
i'm not sure why nmap would show these ports that portsentry's listening on being open when behind a ipf/ipnat configuration...

thanks
redmond

>
> Are you running Portsentry by any chance?
>
> On Tue, 2003-02-11 at 09:18, Redmond Militante wrote:
> > hi
> >
> > thanks for responding
> > i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...
> >
> > tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org
> > here's the results of an nmap run
> >
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host my.hostname.org (129.x.x.x) appears to be up ... good.
> > Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> > Adding open port 32774/tcp
> > Adding open port 15/tcp
> > Adding open port 31337/tcp
> > Adding open port 1524/tcp
> > Adding open port 111/tcp
> > Adding open port 1/tcp
> > Adding open port 32771/tcp
> > Adding open port 79/tcp
> > Adding open port 54320/tcp
> > Adding open port 22/tcp
> > Adding open port 540/tcp
> > Adding open port 587/tcp
> > Adding open port 12346/tcp
> > Adding open port 1080/tcp
> > Adding open port 25/tcp
> > Adding open port 119/tcp
> > Adding open port 11/tcp
> > Adding open port 27665/tcp
> > Adding open port 6667/tcp
> > Adding open port 80/tcp
> > Adding open port 635/tcp
> > Adding open port 21/tcp
> > Adding open port 32773/tcp
> > Adding open port 143/tcp
> > Adding open port 32772/tcp
> > Adding open port 12345/tcp
> > Adding open port 2000/tcp
> > The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> > Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> > For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> > Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> > (The 1574 ports scanned but not shown below are in state: filtered)
> > Port State Service
> > 1/tcp open tcpmux
> > 11/tcp open systat
> > 15/tcp open netstat
> > 21/tcp open ftp
> > 22/tcp open ssh
> > 25/tcp open smtp
> > 79/tcp open finger
> > 80/tcp open http
> > 111/tcp open sunrpc
> > 119/tcp open nntp
> > 143/tcp open imap2
> > 540/tcp open uucp
> > 587/tcp open submission
> > 635/tcp open unknown
> > 1080/tcp open socks
> > 1524/tcp open ingreslock
> > 2000/tcp open callbook
> > 6667/tcp open irc
> > 12345/tcp open NetBus
> > 12346/tcp open NetBus
> > 27665/tcp open Trinoo_Master
> > 31337/tcp open Elite
> > 32771/tcp open sometimes-rpc5
> > 32772/tcp open sometimes-rpc7
> > 32773/tcp open sometimes-rpc9
> > 32774/tcp open sometimes-rpc11
> > 54320/tcp open bo2k
> > No exact OS matches for host (test conditions non-ideal).
> > TCP/IP fingerprint:
> > SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> > TSeq(Class=TR%IPID=I%TS=100HZ)
> > T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T2(Resp=N)
> > T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> > T5(Resp=N)
> > T6(Resp=N)
> > T7(Resp=N)
> > PU(Resp=N)
> >
> >
> > Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> > TCP Sequence Prediction: Class=truly random
> > Difficulty=9999999 (Good luck!)
> > IPID Sequence Generation: Incremental
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
> >
> >
> > any advice you could give would be appreciated.
> >
> > thanks
> > redmond
> >
> >
> > >
> > > >
> > > > i've managed to get it nat'ing one machine so far, the webserver. the public
> > > > ip of the webserver is aliased to the external nic on the gateway machine.
> > > > httpd and ftp work ok behind the gateway box. i have many questions,
> > > > however. the first being why - despite the firewall rules i have in place
> > > > on the gateway, when i nmap the public ip of the webserver it shows me all
> > > > sorts of ports being open. i can't make out from my gateway configuration
> > > > where this is happening.
> > >
> > > What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> > > It would help if you post the nmap flags line you're using and the results,
> > > obfuscate the IP if you don't want us to know it.
> > >
> > > Another possibility is some interception/transparent proxy on your ISP.
> > >
> > >
> > > Fer
> > >
> > > > any advice would be appreciated
> > > >
> > > > thanks
> > > > redmond
> > > >
> > >
> --
> Nigel Houghton Security Engineer Sourcefire Inc.
>
> Specifications are for the weak and timid!
>

From owner-freebsd-security Tue Feb 11 11:37:21 2003
Date: Tue, 11 Feb 2003 20:37:14 +0100
From: Kirill Ponomarew
To: Redmond Militante
Cc: Fernando Gleiser, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211193714.GA73452@krion>
In-Reply-To: <20030211141831.GB824@darkpossum>

Hi,

On Tue, Feb 11, 2003 at 08:18:31AM -0600, Redmond Militante wrote:
> thanks for responding i made a few changes last night to my
> config, but i still see open ports when i run nmap, despite
> my ipf.rules. if you like, i can post my updated config,
> although it's not that different...
>
> tcp ports seem to be open. i'm using: nmap -sS -v -O
> my.hostname.org here's the results of an nmap run

it's a known issue with ipf/nmap ;-) Try to use "return-rst" in ipf rules.

From owner-freebsd-security Wed Feb 12 00:02:52 2003
Date: Wed, 12 Feb 2003 08:04:13 +0000
From: Adam Laurie
Message-ID: <3E49FFFD.4000104@algroup.co.uk>
To: freebsd-security@freebsd.org, Alan Larson
Subject: Re: encryption export

sorry for very late posting on this, but my earlier post got blocked by a fussy freebsd smtp gateway...

i think what you need to know should be found here:

http://www.bxa.doc.gov/Encryption/Default.htm

cheers,
Adam
--
Adam Laurie              Tel: +44 (20) 8742 0755
A.L. Digital Ltd.        Fax: +44 (20) 8742 5995
The Stores               http://www.thebunker.net
2 Bath Road              http://www.aldigital.co.uk
London W4 1LT            mailto:adam@algroup.co.uk
UNITED KINGDOM           PGP key on keyservers

From owner-freebsd-security Wed Feb 12 08:03:01 2003
Date: Wed, 12 Feb 2003 17:55:58 +0200
From: Giorgos Keramidas
To: Redmond Militante
Cc: freebsd-security@FreeBSD.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030212155558.GB2237@gothmog.gr>
In-Reply-To: <20030211190738.GB791@darkpossum>

On 2003-02-11 13:07, Redmond Militante wrote:
> yeah
> the reason i didn't think that portsentry would be causing this type
> of behavior is that i'm also running it on a couple of standalone
> workstations that i have firewalled with ipfilter, and when i nmap
> these machines, it doesn't show a variety of ports being open due to
> portsentry listening on them.

That depends on what the default policy of the firewall is. If you use a ruleset that blocks all ports and allows only certain incoming packets, portsentry won't ever get a chance of seeing the blocked packets. This will not show anything to an nmap scan.

If, on the other hand, you use a ruleset that allows everything through and only blocks certain ports or port-ranges, then portsentry will receive a lot more packets than before. This will show up as a huge list of open ports in an nmap scan.

> i'm not sure why nmap would show these ports that portsentry's
> listening on being open when behind a ipf/ipnat configuration...

I'm not sure what your exact setup is (I have missed the beginning of this thread) so I can't answer this.
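[Added example, not part of Giorgos's reply or of anything posted in this thread. It models the two default policies Giorgos describes and Kirill's earlier "return-rst" suggestion: given a sockstat listing in the format posted above and a small ipf ruleset, it reports what an nmap -sS probe would see for each listening TCP port. The sockstat rows and the three rulesets are constructed, and only the ipf.rules subset they use (pass/block, return-rst, quick, proto, port =, last match wins) is modelled.]

```python
"""What an nmap -sS scan sees for a host's listening TCP ports under an ipf
ruleset (added example; the sockstat sample and the rulesets are constructed)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the format of the sockstat listings in the thread; the
# portsent rows stand in for the many ports portsentry binds on the gateway.
SOCKSTAT_SAMPLE = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 100 4 tcp4 *:22 *:*
root sendmail 105 3 tcp4 *:25 *:*
root portsent 99 14 tcp4 *:12345 *:*
root portsent 99 18 tcp4 *:31337 *:*
root portsent 98 19 udp4 *:31337 *:*
root sshd 825 5 tcp4 129.x.x.35:22 129.x.x.20:2666
"""
# Policy 1 (Giorgos): block everything, pass only selected ports.
DEFAULT_DENY = """\
block in all
pass in quick proto tcp from any to any port = 22
pass in quick proto tcp from any to any port = 25
"""
# Policy 2 (Giorgos): pass everything, block a few ports.
DEFAULT_ALLOW = """\
pass in all
block in quick proto tcp from any to any port = 12345
"""
# Policy 1 with Kirill's return-rst: blocked ports answer with a TCP RST.
DEFAULT_DENY_RST = DEFAULT_DENY.replace("block in all",
                                        "block return-rst in proto tcp all")

class Rule(NamedTuple):
    action: str           # "pass" or "block"
    return_rst: bool      # block return-rst answers the SYN with a TCP RST
    quick: bool           # stop evaluating further rules on a match
    proto: Optional[str]  # "tcp", "udp" or None for any protocol
    port: Optional[int]   # destination port, None for any

# Only the ipf.rules subset used above is understood (inbound rules).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?P<rst>\s+return-rst)?\s+in(?P<quick>\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?\s+(?:all|from\s+any\s+to\s+any"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)\s*$")

def listening_tcp_ports(sockstat_text: str) -> Dict[int, str]:
    """{port: command} for TCP sockets in LISTEN state (foreign address *:*);
    UDP sockets and established connections are skipped."""
    ports: Dict[int, str] = {}
    for line in sockstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[4].startswith("tcp") or f[6] != "*:*":
            continue
        ports[int(f[5].rsplit(":", 1)[1])] = f[1]
    return ports

def parse_ruleset(text: str) -> List[Rule]:
    """Parse inbound rules; comments and 'out' rules are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or re.match(r"^(pass|block)(\s+return-rst)?\s+out\b", line):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rule(m["action"], bool(m["rst"]), bool(m["quick"]),
                          m["proto"], int(m["port"]) if m["port"] else None))
    return rules

def matching_rule(rules: List[Rule], port: int) -> Optional[Rule]:
    """ipf semantics: the last matching rule wins unless a matching rule is
    marked quick; when nothing matches the packet passes."""
    winner = None
    for r in rules:
        if r.proto in (None, "tcp") and r.port in (None, port):
            winner = r
            if r.quick:
                break
    return winner

def syn_scan_state(port: int, listeners: Dict[int, str], rules: List[Rule]) -> str:
    """filtered: SYN dropped; closed: RST (from ipf, or from the stack when
    nothing listens); open: SYN/ACK from a listener the ruleset let the SYN reach."""
    r = matching_rule(rules, port)
    if r is not None and r.action == "block":
        return "closed" if r.return_rst else "filtered"
    return "open" if port in listeners else "closed"

def scan_view(sockstat_text: str, ruleset_text: str,
              probe_ports: Optional[List[int]] = None) -> Dict[int, str]:
    """Map each probed port (default: every listening port) to its scan state."""
    listeners = listening_tcp_ports(sockstat_text)
    rules = parse_ruleset(ruleset_text)
    ports = sorted(listeners) if probe_ports is None else probe_ports
    return {p: syn_scan_state(p, listeners, rules) for p in ports}

if __name__ == "__main__":
    for name, rs in (("default deny", DEFAULT_DENY), ("default allow", DEFAULT_ALLOW),
                     ("default deny + return-rst", DEFAULT_DENY_RST)):
        print(f"{name:26} {scan_view(SOCKSTAT_SAMPLE, rs)}")
```

Under the default-deny ruleset the portsentry ports come back filtered, under default-allow they come back open, and with return-rst they come back closed, which is the difference between the standalone workstations and the gateway that the thread is circling around.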
- Giorgos

From owner-freebsd-security Wed Feb 12 13:03:14 2003
Date: Wed, 12 Feb 2003 15:03:08 -0600
From: "Kenzo"
Subject: wireless discovery

I was wondering if you guys knew of any good programs or scripts that would be capable of finding cloaked and uncloaked wireless networks. Kismet is great, but doesn't work very well under FBSD. I believe bsd-airtools is the same as netstumbler and will only find uncloaked networks. Thanks.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 15 20:36:41 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 940E137B401; Sat, 15 Feb 2003 20:36:36 -0800 (PST) Received: from HAL9000.homeunix.com (12-233-57-224.client.attbi.com [12.233.57.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 014E743F93; Sat, 15 Feb 2003 20:36:36 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id h1G4aZQb001181; Sat, 15 Feb 2003 20:36:35 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id h1G4aYIS001180; Sat, 15 Feb 2003 20:36:34 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Sat, 15 Feb 2003 20:36:34 -0800 From: David Schultz To: Charles Sprickman Cc: security@FreeBSD.ORG Subject: Re: chrooted non-priv ntpd Message-ID: <20030216043634.GB733@HAL9000.homeunix.com> Mail-Followup-To: Charles Sprickman , security@FreeBSD.ORG References: <20030215025035.F80945@shell.inch.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030215025035.F80945@shell.inch.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [from stable@] Thus spake Charles Sprickman : > I saw this article on DaemonNews: > > http://www.onlamp.com/lpt/a/3221 > > Is there any such clock-setting trickery planned or in progress in -stable > or -current? Pretty nifty idea given ntpd's sordid history. Without volunteering to do anything about it for lack of time, I'd like to profess my support for this idea. 
ntpd has problems. I recommended running the part of ntpd that talks to the network as non-root when I audited it last year. I know of at least three buffer overflows (in the input from the user who starts ntpd, not remotely exploitable), a possible bug in the crypto code that causes one of the session keys used to be predictable, two sloppy off-by-one errors (on the safe side, fortunately), and a failure to null-terminate a string that is passed to printf() when debug mode is used. Rather than actually using those brand new and terribly unportable interfaces like snprintf(3) and strncpy(3), the author tries to precompute maximum possible buffer sizes and occasionally seems to get it wrong.

I have to share the following excerpt from ntpd with you, partly because it's some of the most screwed up non-IOCCC code I have ever seen, and partly because if I had to suffer through it, I figure others might as well, too. It's actually a lot worse than it looks, given that approximately 55% of the text-containing lines in the file are either #ifdef, #elif, #else, #endif, or #if. Audit that!

    285 int
    286 ntpdmain(
    287         int argc,
    288         char *argv[]
    289         )
    290 {
    ...
    345 # ifdef DEBUG
    346         if (!debug && !nofork)
    347 # else /* DEBUG */
    348         if (!nofork)
    349 # endif /* DEBUG */
    350         {
    ...
    439         }
    440 # endif /* NODETACH */
    441 # if defined(SYS_WINNT) && !defined(NODETACH)
    442         else
    443                 service_main(argc, argv);
    444         return 0;       /* must return a value */
    445 }       /* end main */
    446 /*
    447  * If this runs as a service under NT, the main thread will block at
    448  * StartServiceCtrlDispatcher() and another thread will be started by the
    449  * Service Control Dispatcher which will begin execution at the routine
    450  * specified in that call (viz. service_main)
    451  */
    452 void
    453 service_main(
    454         DWORD argc,
    455         LPTSTR *argv
    456         )
    457 {
    ...
    490 # endif /* defined(SYS_WINNT) && !defined(NODETACH) */
    ...
    503 #if !defined(SYS_WINNT) && !defined(VMS)
    ...
    518 #endif /* !SYS_WINNT && !VMS */
    ...
    837 }

(In case you didn't catch that, notice that there are two possible places where main() can end, and they're several hundred lines apart. There's actually a third possibility, which is not shown above. I just noticed that the 'if' I excerpted from line 346 might not be the right one, but it seems to be the only one at the correct indentation. I'd have to run the code through cpp again to be sure.)

P.S. Did I read correctly that Niels Provos is now with NetBSD? Did Theo scare him off?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Feb 15 22:22:30 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D8CE37B401 for ; Sat, 15 Feb 2003 22:22:27 -0800 (PST) Received: from HAL9000.homeunix.com (12-233-57-224.client.attbi.com [12.233.57.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id E9D0043F3F for ; Sat, 15 Feb 2003 22:22:24 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id h1G6MOQb001808; Sat, 15 Feb 2003 22:22:24 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id h1G6MOsg001807; Sat, 15 Feb 2003 22:22:24 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Sat, 15 Feb 2003 22:22:24 -0800 From: David Schultz To: John Hay Cc: Charles Sprickman , security@FreeBSD.ORG Subject: Re: chrooted non-priv ntpd Message-ID: <20030216062224.GA1646@HAL9000.homeunix.com> Mail-Followup-To: John Hay , Charles Sprickman , security@FreeBSD.ORG References: <20030215025035.F80945@shell.inch.com> <20030216043634.GB733@HAL9000.homeunix.com> <20030216052534.GA50026@zibbi.icomtek.csir.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition:
inline In-Reply-To: <20030216052534.GA50026@zibbi.icomtek.csir.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake John Hay : > Well I don't want to comment on the chroot part, but did you also bring > these problems under the attention of the ntp people? I can't remember > having seen anything about it on bugs@ntp.org. Preferably with patches > against the development version. :-))) I sent a note to David Mills back in October, but I didn't get a response. Most of the implementation problems (in my eyes, anyway) are going to be a major pain in the butt to fix, e.g. the hundreds of uses of sprintf() and strcpy(). I assume people know about these, and there's a reason why nobody has bothered to fix them. The crypto problem is probably not known, but simpler to fix. There's basically an off-by-one error where the last key[1] in the session key sequence generated by ntpd isn't based on the shared secret from the Diffie-Hellman exchange; it's just a random value from a PRNG seeded off of the system time. I expect it would be nearly impossible to exploit, but I could be wrong. One of these days I'll see if I still have my notes on ntpd and send off a report to bugs@ntp.org. [1] IIRC, the keys are used in reverse order for the same reason that you use S/Key passwords in reverse order, so it's really the first key in the sequence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
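The session-key problem described in the two messages above (a key sequence consumed in reverse order, S/Key style, whose last generated key is not derived from the Diffie-Hellman secret but from a time-seeded PRNG) is easy to reason about with a small model. The C program below is an added illustration for this archive, not ntpd's code and not David Schultz's audit notes: it builds a hash chain from a stand-in shared secret, reproduces the off-by-one as a hypothetical buggy variant, and runs the consistency check an auditor would write to find a key that is not bound to the secret. The hash function, the chain length NKEYS, the use of rand()/time() for the unlinked key and the "secret" value are all constructed for the example and do not come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define NKEYS 8

/* Toy 64-bit hash (FNV-1a over the eight bytes of x).  It stands in for
 * whatever digest a real implementation would use; it is NOT cryptographic
 * and exists only so the example runs without a crypto library. */
static uint64_t toy_hash(uint64_t x)
{
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < 8; i++) {
        h ^= (x >> (8 * i)) & 0xff;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Intended construction: key[0] is derived from the shared secret and every
 * later key is the hash of the one before it.  The keys are then consumed in
 * reverse (key[NKEYS-1] goes on the wire first), S/Key style, so revealing a
 * key does not disclose the ones still to be used. */
void make_chain_ok(uint64_t keys[NKEYS], uint64_t shared_secret)
{
    keys[0] = toy_hash(shared_secret);
    for (int i = 1; i < NKEYS; i++)
        keys[i] = toy_hash(keys[i - 1]);
}

/* Hypothetical buggy variant modelling the class of bug described in the
 * thread: the loop stops one slot short, and the final slot (the first key
 * actually used) is filled from a PRNG seeded off the clock, so it is not
 * bound to the Diffie-Hellman secret at all and is far more predictable. */
void make_chain_buggy(uint64_t keys[NKEYS], uint64_t shared_secret)
{
    keys[0] = toy_hash(shared_secret);
    for (int i = 1; i < NKEYS - 1; i++)            /* off by one */
        keys[i] = toy_hash(keys[i - 1]);
    srand((unsigned)time(NULL));                   /* constructed, mirrors the description */
    keys[NKEYS - 1] = ((uint64_t)rand() << 32) | (uint64_t)rand();
}

/* Audit check: recompute the chain from the secret and confirm every key is
 * the hash of its predecessor.  Returns -1 when the whole chain is bound to
 * the secret, otherwise the index of the first key that is not. */
int first_unlinked_key(const uint64_t keys[NKEYS], uint64_t shared_secret)
{
    uint64_t expect = toy_hash(shared_secret);
    for (int i = 0; i < NKEYS; i++) {
        if (keys[i] != expect)
            return i;
        expect = toy_hash(keys[i]);
    }
    return -1;
}

int main(void)
{
    uint64_t secret = 0x0123456789abcdefULL;       /* constructed stand-in for the DH result */
    uint64_t good[NKEYS], bad[NKEYS];

    make_chain_ok(good, secret);
    make_chain_buggy(bad, secret);
    printf("correct chain: first unlinked key = %d\n", first_unlinked_key(good, secret));
    printf("buggy chain:   first unlinked key = %d\n", first_unlinked_key(bad, secret));
    return 0;
}
```

The check is deliberately run from the secret forward rather than from the key last used backward: walking backward from key[NKEYS-1] would accept the buggy chain as internally consistent for every step except the very first, which is exactly the step an implementer eyeballing the code is likely to skip. Because keys are used in reverse, the unlinked slot in the buggy chain is the first key exposed on the network, which is why the original message calls it the first key of the sequence even though it is the last one generated.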