From owner-freebsd-security@FreeBSD.ORG Mon May 5 11:02:39 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 22F3F37B401 for ; Mon, 5 May 2003 11:02:39 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1934643FBF for ; Mon, 5 May 2003 11:02:36 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h45I2ZUp081418 for ; Mon, 5 May 2003 11:02:35 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h45I2ZqP081412 for security@freebsd.org; Mon, 5 May 2003 11:02:35 -0700 (PDT)
Date: Mon, 5 May 2003 11:02:35 -0700 (PDT)
Message-Id: <200305051802.h45I2ZqP081412@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 May 2003 18:02:39 -0000

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Tue May 6 02:43:20 2003
From: Danny Carroll
To: Guy Middleton
cc: "freebsd-security@freebsd.org"
Date: Tue, 6 May 2003 11:43:14 +0200
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <1052214194.d45fa9082ef35@www.dannysplace.com>
In-Reply-To: <20030501104614.A29056@chaos.obstruction.com>
References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com>

Quoting Guy Middleton:

> Until now (and as recommended in the Handbook), I have been using ipfw
> and natd. Everybody here who has IPSec client passthrough working seems
> to use ipf/ipnat. Is ipf/ipnat more flexible? And why is there more than
> one firewalling scheme in FreeBSD?

FYI I have done this in ipfw/natd... It's just as easy. I think I only added
one rule to my firewall and nothing to my natd.conf

Now I can vpn from any machine on the internal lan to multiple vpn's.
If you want I can send you the ruleset.

ipfw and ipf are different. I started with ipf but now I like ipfw a lot
more because I feel that it's more flexible (others do not).
I particularly like the QOS stuff provided by dummynet so I think it would be
hard for me to ever go back.

-D

From owner-freebsd-security@FreeBSD.ORG Tue May 6 06:25:28 2003
From: Matt Piechota
To: Danny Carroll
cc: "freebsd-security@freebsd.org"
Date: Tue, 6 May 2003 09:27:03 -0400 (EDT)
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030506092623.I56271@cithaeron.argolis.org>
In-Reply-To: <1052214194.d45fa9082ef35@www.dannysplace.com>
References: <20030430190040.A78C937B407@hub.freebsd.org> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com>

On Tue, 6 May 2003, Danny Carroll wrote:

> FYI I have done this in ipfw/natd... It's just as easy. I think I only added
> one rule to my firewall and nothing to my natd.conf
>
> Now I can vpn from any machine on the internal lan to multiple vpn's.
> If you want I can send you the ruleset.

Please do! I was just working up to converting, but if it works, this'll
be much easier.

--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Tue May 6 15:07:51 2003
From: Danny Carroll
To: Matt Piechota
cc: "freebsd-security@freebsd.org"
Date: Wed, 7 May 2003 00:07:47 +0200
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <1052258867.b640e23b86613@www.dannysplace.com>
In-Reply-To: <20030506092623.I56271@cithaeron.argolis.org>
References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com> <20030506092623.I56271@cithaeron.argolis.org>
> On Tue, 6 May 2003, Danny Carroll wrote:
> > FYI I have done this in ipfw/natd... It's just as easy. I think I only added
> > one rule to my firewall and nothing to my natd.conf
> >
> > Now I can vpn from any machine on the internal lan to multiple vpn's.
> > If you want I can send you the ruleset.
>
> Please do! I was just working up to converting, but if it works, this'll
> be much easier.
> Matt Piechota

Umm I looked at my ruleset and I found nothing...
Then I remembered what I needed to do..

Basically 90% of the rulesets out there work on allowing IP and UDP
But since esp is a different protocol to IP, it gets dropped.

I think those that wanted my ruleset do not really need it...
Just look for the lines that you have saying "allow ip from..." and add
similar ones that say "allow esp from" or change them to "allow tcp from"

That last one is what I have done and it occurs to me now that it might just
be a little too open...

So, here is the ruleset I would write for a standard home gateway with an
internal network of 192.168.100.x and an external IP address of 1.2.3.4
xl0 is the outside interface, xl1 is the inside.

Now, this minute, I have left my laptop at work so I have no way to test the
VPN, but I am pretty sure that normal udp/tcp keep state rules allow esp....

Someone hit me over the head if I have muddled this up... It's a little late.

-D

p.s. Will send my ruleset if you *really* want it. But not to the list.
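An added example, not Danny's ruleset (which his message does not include): the IKE and ESP rules a gateway with the topology he names (192.168.100.0/24 inside on xl1, xl0 outside) needs, written as an ipfw script in the same `${fwcmd}` style used elsewhere in this thread. It assumes IKE on UDP port 500 and ESP (IP protocol 50) for the tunnel itself, and that the gateway only filters this traffic; whether natd can also translate it is the question the thread leaves open. `fwcmd` defaults to `echo ipfw`, so the script only prints the rules and runs anywhere; the function names are chosen here.

```shell
#!/bin/sh
# Added example (not the thread author's ruleset): ipfw rules that let
# hosts on the inside network reach an external IPsec peer.
# Topology from the thread: inside 192.168.100.0/24 on xl1, outside on xl0.
# Assumptions: IKE uses UDP port 500, the tunnel itself is ESP (IP protocol
# 50), and the gateway filters this traffic but is not asked to translate it.
# fwcmd defaults to "echo ipfw" so the script only prints the rules;
# run it with fwcmd=/sbin/ipfw to load them.
fwcmd=${fwcmd:-"echo ipfw"}
inside_net=192.168.100.0/24
oif=xl0

# The quick fix mentioned in the thread: widening an existing rule to "ip"
# does pass ESP, but it also passes every other IP protocol in both directions.
too_open_rule() {
    echo "allow ip from any to any"
}

# The narrow alternative: only IKE and ESP, pinned to the outside interface
# and a direction. Dynamic rules created by TCP or UDP keep-state rules are
# keyed on the protocol and never match ESP, so ESP needs a rule of its own.
ipsec_passthrough_rules() {
    # Match existing dynamic rules (replies to the IKE exchange) first
    $fwcmd add 1000 check-state
    # IKE: inside hosts start the negotiation; keep-state admits only the replies
    $fwcmd add 1100 allow udp from $inside_net to any 500 out via $oif keep-state
    # ESP carries no ports, so it is matched by protocol number alone
    $fwcmd add 1110 allow esp from $inside_net to any out via $oif
    $fwcmd add 1120 allow esp from any to $inside_net in via $oif
}

# Print (or, with fwcmd=/sbin/ipfw, load) the narrow rule set
ipsec_passthrough_rules
```

The two functions are deliberately side by side: the single wide rule is what makes a VPN "just work" after a TCP/UDP-only ruleset drops ESP, while the four narrow rules admit the same tunnel without opening every other IP protocol. Whatever follows these rules in the full ruleset (the usual deny for everything else) stays as it was.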
From owner-freebsd-security@FreeBSD.ORG Tue May 6 15:52:04 2003
From: Lowell Gilbert
To: freebsd-security@freebsd.org
Date: 06 May 2003 18:52:02 -0400
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <44r87bpu25.fsf@be-well.ilk.org>
In-Reply-To: <1052212274.58c5ef8d5376c@www.dannysplace.com>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org> <1052212274.58c5ef8d5376c@www.dannysplace.com>

danny@dannysplace.net writes:

> Ummm.. I do it... I would have to check my config, but I think it's AH esp.

Okay, so how does this work? When NAT munges the TCP header, how do you
manage to confirm the ESP header?

From owner-freebsd-security@FreeBSD.ORG Tue May 6 22:53:02 2003
From: Peter Pentchev
To: Danny Carroll
cc: "freebsd-security@freebsd.org"
Date: Wed, 7 May 2003 08:50:36 +0300
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030507055036.GA665@straylight.oblivion.bg>
In-Reply-To: <1052258867.b640e23b86613@www.dannysplace.com>
References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com> <20030506092623.I56271@cithaeron.argolis.org> <1052258867.b640e23b86613@www.dannysplace.com>

On Wed, May 07, 2003 at 12:07:47AM +0200, Danny Carroll wrote:
> > On Tue, 6 May 2003, Danny Carroll wrote:
> > > FYI I have done this in ipfw/natd... It's just as easy. I think I only
> added
> > > one rule to my firewall and nothing to my natd.conf
> > >
> > > Now I can vpn from any machine on the internal lan to multiple vpn's.
> > > If you want I can send you the ruleset.
> >
> > Please do! I was just working up to converting, but if it works, this'll
> > be much easier.
> > Matt Piechota
>
>
> Umm I looked at my ruleset and I found nothing...
> Then I remembered what I needed to do..
>
> Basically 90% of the rulesets out there work on allowing IP and UDP
> But since esp is a different protocol to IP, it gets dropped.

You have a very good point here, if by 'IP and UDP' you actually meant
to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
ESP packet is an IP packet at the same time. If you meant to say that
most firewalls only allow TCP and UDP packets, then this is absolutely
true: a firewall that only allows TCP and UDP, then denies all the rest
of IP traffic without special provisions for ICMP or ESP, would
certainly not let any IPsec traffic through.

Come to think of it, a firewall that only allows TCP and UDP traffic
and then denies any other IP traffic, including ICMP, is doing a great
disservice to both itself, its internal network, and the Internet at
large.
This has been said many, many times in many forums, but still:
some ICMP messages are not only beneficial, they are essential for
the correct operation of the network. Firewalling all ICMP traffic
is a very bad idea.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+uJ6s7Ri2jRYZRVMRAkWHAJ0ZwTQEKJTL1PMxWa+e+BeAI4vfqACcC6qM
Jiw94KGpLbAq2vUZ0TwUUT4=
=e7Fl
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed May 7 02:27:48 2003
From: Danny Carroll
To: Peter Pentchev
cc: "freebsd-security@freebsd.org"
Date: Wed, 7 May 2003 11:27:43 +0200
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <1052299663.086db7b178457@www.dannysplace.com>
In-Reply-To: <20030507055036.GA665@straylight.oblivion.bg>
References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> <20030501104614.A29056@chaos.obstruction.com> <1052214194.d45fa9082ef35@www.dannysplace.com> <20030506092623.I56271@cithaeron.argolis.org> <1052258867.b640e23b86613@www.dannysplace.com> <20030507055036.GA665@straylight.oblivion.bg>

Quoting Peter Pentchev:

> You have a very good point here, if by 'IP and UDP' you actually meant
> to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> ESP packet is an IP packet at the same time. If you meant to say that
> most firewalls only allow TCP and UDP packets, then this is absolutely
> true: a firewall that only allows TCP and UDP, then denies all the rest
> of IP traffic without special provisions for ICMP or ESP, would
> certainly not let any IPsec traffic through.

You see, I knew I was writing that the wrong way round... Of course I meant tcp and udp.

> Come to think of it, a firewall that only allows TCP and UDP traffic
> and then denies any other IP traffic, including ICMP, is doing a great
> disservice to both itself, its internal network, and the Internet at
> large. This has been said many, many times in many forums, but still:
> some ICMP messages are not only beneficial, they are essential for
> the correct operation of the network. Firewalling all ICMP traffic
> is a very bad idea.

Agreed!

To those that want my rules... I will post them tonight, when I can make sure
that they are actually working. From memory I was adding a "allow esp" rule
temporarily when I needed vpn support.
-D

From owner-freebsd-security@FreeBSD.ORG Wed May 7 06:03:58 2003
From: Chris McGee
To: freebsd-security@freebsd.org
Date: Wed, 7 May 2003 09:03:55 -0400 (EDT)
Subject: IPFW Bandwidth throttling?

I am trying to limit outgoing SMTP traffic to about 14 Mbps and these are
the IPFW rules I am using.

${fwcmd} add pipe 1 tcp from 192.168.0.0/24 to any 25 out via dc0
${fwcmd} pipe 1 config bw 14Mbit/s

I've tried multiple tweaks to the pipe rule and I seem to be missing
something. I only get about half the bandwidth I specify. Is this normal
behavior? Is there something wrong with the rule I'm running?

Thanks,
Chris

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Chris McGee 301-682-9972
Xecunet www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

From owner-freebsd-security@FreeBSD.ORG Wed May 7 06:18:26 2003
From: Jez Hancock
To: Chris McGee
cc: FreeBSD Security List
Date: Wed, 7 May 2003 14:18:25 +0100
Subject: Re: IPFW Bandwidth throttling?
Message-ID: <20030507131825.GE59479@users.munk.nu>

On Wed, May 07, 2003 at 09:03:55AM -0400, Chris McGee wrote:
>
> I am trying to limit outgoing SMTP traffic to about 14 Mbps and these are
> the IPFW rules I am using.
>
> ${fwcmd} add pipe 1 tcp from 192.168.0.0/24 to any 25 out via dc0
> ${fwcmd} pipe 1 config bw 14Mbit/s
>
> I've tried multiple tweaks to the pipe rule and I seem to be missing
> something. I only get about half the bandwidth I specify. Is this normal
> behavior? Is there something wrong with the rule I'm running?

Are you sure you mean Mbit/s and not MByte/s?

From owner-freebsd-security@FreeBSD.ORG Wed May 7 06:32:58 2003
From: "Roger "
To: freebsd-security@freebsd.org
Date: Wed, 7 May 2003 14:32:51 +0100
Subject: Re: IPFW Bandwidth throttling?
Message-ID: <3EB91913.3069.4E3B6B49@localhost>

Date sent: Wed, 7 May 2003 09:03:55 -0400 (EDT)
From: Chris McGee
Subject: IPFW Bandwidth throttling?

> I am trying to limit outgoing SMTP traffic to about 14 Mbps and these are
> the IPFW rules I am using.
>
> ${fwcmd} add pipe 1 tcp from 192.168.0.0/24 to any 25 out via dc0
> ${fwcmd} pipe 1 config bw 14Mbit/s
>
> I've tried multiple tweaks to the pipe rule and I seem to be missing
> something. I only get about half the bandwidth I specify. Is this normal
> behavior? Is there something wrong with the rule I'm running?
>
> Thanks,
> Chris

man ipfw didn't show anything obvious, have you checked your
net.inet.ip.fw.one_pass sysctl var. If it's 0 then the rest of your rules run
on the packet as well (I think).

Have you got a return rule set as well ? Is anything limiting what the
outside world is sending back ?

Roger.

From owner-freebsd-security@FreeBSD.ORG Wed May 7 06:50:32 2003
From: Claus Guttesen
To: Chris McGee , freebsd-security@freebsd.org
Date: Wed, 7 May 2003 15:50:29 +0200 (CEST)
Subject: Re: IPFW Bandwidth throttling?
Message-ID: <20030507135029.50565.qmail@web14102.mail.yahoo.com>

Hi.

> I am trying to limit outgoing SMTP traffic to about
> 14 Mbps and these are
> the IPFW rules I am using.
>
> ${fwcmd} add pipe 1 tcp from 192.168.0.0/24 to any
> 25 out via dc0
> ${fwcmd} pipe 1 config bw 14Mbit/s
>
> something. I only get about half the bandwidth

I had the same problem until I was told to add 'out xmit' to my config.
You may want to change your line to:

${fwcmd} add pipe 1 tcp from 192.168.0.0/24 to any out xmit dc0

This should inform ipfw to parse the rule only once.

> behavior? Is there something wrong with the rule
> I'm running?
>

If the proposed change isn't valid ipfw syntax, you have to upgrade to ipfw2,
which is the default in FreeBSD 5.x, whereas FreeBSD 4.x defaults to ipfw ver.
1. Read the man page for ipfw on how to upgrade. There is probably a different
approach staying with ipfw ver. 1, but I'm unaware of that.

Regards
Claus

From owner-freebsd-security@FreeBSD.ORG Wed May 7 06:55:52 2003
From: Greg Panula
Organization: Dolan Information Center Inc
To: Chris McGee
cc: freebsd-security@freebsd.org
Reply-To: greg.panula@dolaninformation.com
Date: Wed, 07 May 2003 08:55:46 -0500
Subject: Re: IPFW Bandwidth throttling?
Message-ID: <3EB91062.22408FB8@dolaninformation.com>

Chris McGee wrote:
>
> I am trying to limit outgoing SMTP traffic to about 14 Mbps and these are
> the IPFW rules I am using.
>
> ${fwcmd} add pipe 1 tcp from 192.168.0.0/24 to any 25 out via dc0
> ${fwcmd} pipe 1 config bw 14Mbit/s
>
> I've tried multiple tweaks to the pipe rule and I seem to be missing
> something. I only get about half the bandwidth I specify. Is this normal
> behavior? Is there something wrong with the rule I'm running?
>

The pipe config & pipe rule look correct.

Try 'ipfw pipe list' to confirm the pipe is configured for the correct
bandwidth and not dropping excessive amounts of packets.

Is dc0 configured for 100Mbps or 10Mbps? 7Mbps is close to the ceiling
for a 10Mbps link.

Are you sure you have ~2MBps worth of smtp traffic to pass when you're
watching? If you increase the bandwidth on the pipe do you see more
than the ~7Mbps you're currently seeing?
good luck, greg From owner-freebsd-security@FreeBSD.ORG Wed May 7 07:02:49 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9801A37B404 for ; Wed, 7 May 2003 07:02:49 -0700 (PDT) Received: from mx1.dev.itouchnet.net (itouchlabs.com [196.15.188.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB11A43F3F for ; Wed, 7 May 2003 07:02:46 -0700 (PDT) (envelope-from bvi@itouchlabs.com) Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 19DPYu-000F97-00 for freebsd-security@freebsd.org; Wed, 07 May 2003 16:06:24 +0200 X-TLS: TLSv1:RC4-MD5:128 itouchlabs.com -> mx1.dev.itouchnet.net Received: from itouchlabs.com ([196.15.188.2] helo=Beastie) by mx1.dev.itouchnet.net with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 19DPYt-000F8w-00 for freebsd-security@freebsd.org; Wed, 07 May 2003 16:06:23 +0200 Message-ID: <007b01c314a1$174b0af0$4508a8c0@Beastie> From: "Barry Irwin" To: References: <3EB91062.22408FB8@dolaninformation.com> Date: Wed, 7 May 2003 15:57:54 +0200 Organization: iTouch Labs MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Checked: This message has been scanned for any virusses and unauthorized attachments. X-iScan-ID: 58217-1052316383-09603@unconfigured version $Name: REL_2_0_4 $ Subject: Re: IPFW Bandwidth throttling? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 May 2003 14:02:49 -0000 Another thing to maybe try is up the HZ setting in your kernel. Have a look at the dummynet page. 
Barry

--
Barry Irwin                       bvi@itouchlabs.com   Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology
iTouch TAS   http://www.itouchlabs.com   Mobile: +27824457210

----- Original Message -----
From: "Greg Panula"
To: "Chris McGee"
Sent: Wednesday, May 07, 2003 3:55 PM
Subject: Re: IPFW Bandwidth throttling?

> [...]
>
> good luck,
> greg

From: Chris McGee
Date: Wed, 7 May 2003 12:18:58 -0400 (EDT)
To: Barry Irwin
cc: freebsd-security@freebsd.org
Subject: Re: IPFW Bandwidth throttling?

Yes, there is definitely more traffic being sent than what it is limiting.
If I delete the pipe, the bandwidth will peak at the maximum bandwidth that
we have. Nothing is limiting the return traffic which is minimal anyway.

I'm going to change the HZ setting and see if that changes anything.

On Wed, 7 May 2003, Barry Irwin wrote:

> Another thing to maybe try is up the HZ setting in your kernel. Have a look
> at the dummynet page.
>
> Barry
>
> [...]

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Chris McGee              301-682-9972
Xecunet                  www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

From: "Danny Carroll"
To: "Peter Pentchev"
Date: Wed, 7 May 2003 21:33:45 +0200
cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

As promised, my ruleset that works.. I've removed the lines that are
important for me to keep a secret... But they are only things like ftp...
My Natd.conf only has some port redirects for web/ftp etc...

p.s. Sorry for the top-post...

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any

# Spoof protection.
deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
deny log logamount 500 ip from 240.0.0.0/4 to any via xl0

#Disallow smb/nmb
deny log logamount 500 tcp from any to any 137-139 via xl0
deny log logamount 500 tcp from any 137-139 to any via xl0
deny log logamount 500 udp from any to any 137-139 via xl0
deny log logamount 500 udp from any 137-139 to any via xl0

# Now divert, and setup my pipes...
(These are so my web/ftp server leaves me some bandwidth)
pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
divert 8668 ip from any to any via xl0
pipe 2 ip from any to 192.168.10.0/24 in recv xl0

allow tcp from any to any established
allow tcp from any to any 25 setup
allow tcp from any to any 21 setup
allow tcp from any to any 80 setup
allow tcp from any to any 443 setup
allow udp from 192.168.50.0/24 to any keep-state
allow tcp from 192.168.50.0/24 to any setup
deny log logamount 500 tcp from any to any in recv xl0 setup
allow icmp from any to any
deny log logamount 500 ip from any to any 65535
deny ip from any to any

----- Original Message -----
From: "Danny Carroll"
To: "Peter Pentchev"
Sent: Wednesday, May 07, 2003 11:27 AM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

> Quoting Peter Pentchev :
> > You have a very good point here, if by 'IP and UDP' you actually meant
> > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > ESP packet is an IP packet at the same time. If you meant to say that
> > most firewalls only allow TCP and UDP packets, then this is absolutely
> > true: a firewall that only allows TCP and UDP, then denies all the rest
> > of IP traffic without special provisions for ICMP or ESP, would
> > certainly not let any IPsec traffic through.
>
> You see, I knew I was writing that the wrong way round... Of course I meant
> tcp and udp.
>
> > Come to think of it, a firewall that only allows TCP and UDP traffic
> > and then denies any other IP traffic, including ICMP, is doing a great
> > disservice to both itself, its internal network, and the Internet at
> > large. This has been said many, many times in many forums, but still:
> > some ICMP messages are not only beneficial, they are essential for
> > the correct operation of the network. Firewalling all ICMP traffic
> > is a very bad idea.
>
> Agreed!
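An added example, not part of Danny's post and not ipfw code: a small first-match evaluator for a simplified subset of the ipfw rule syntax used in the ruleset above. It shows Peter's point in practice: an ESP packet (IP protocol 50, no ports) matches none of the tcp/udp/icmp rules and is caught by the final deny until an 'allow esp' rule of the kind Danny mentions is inserted ahead of it. The packet addresses are constructed, and the rule grammar is an assumed subset (pipe/divert lines are not modelled).

```python
"""Added example, not from Danny Carroll's post or from ipfw: a first-match
evaluator for a simplified subset of ipfw rule syntax, showing why an IPsec
ESP packet falls through to the final deny unless an 'allow esp' rule exists."""
import ipaddress
from collections import namedtuple

# Words that may follow the destination address; any other token there is a port spec.
OPTION_WORDS = {"in", "out", "via", "recv", "xmit", "setup", "established", "keep-state"}

# direction: "in"/"out"; iface: interface received on (in) or sent out of (out);
# sport/dport are None for protocols without ports (icmp, esp).
Packet = namedtuple("Packet", "proto src dst direction iface sport dport syn ack",
                    defaults=(None, None, False, False))

def _ports(tok):
    lo, _, hi = tok.partition("-")          # "25" or "137-139"
    return int(lo), int(hi or lo)

def parse_rule(line):
    """'<action> [log logamount N] <proto> from <src> [ports] to <dst> [ports] [options]'."""
    t = line.split()
    action = t.pop(0)
    if t[0] == "log":                       # logging does not affect matching
        del t[:3 if t[1] == "logamount" else 1]
    r = {"action": action, "text": line, "proto": t.pop(0),
         "sports": None, "dports": None, "opts": {}}
    assert t.pop(0) == "from"
    r["src"] = t.pop(0)
    if t[0] != "to":
        r["sports"] = _ports(t.pop(0))
    assert t.pop(0) == "to"
    r["dst"] = t.pop(0)
    if t and t[0] not in OPTION_WORDS:
        r["dports"] = _ports(t.pop(0))
    while t:                                # remaining tokens are options
        key = t.pop(0)
        r["opts"][key] = t.pop(0) if key in ("via", "recv", "xmit") else True
    return r

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    # A rule with a port spec can never match a packet that has no ports (esp, icmp).
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def matches(r, p):
    o = r["opts"]
    return all([
        r["proto"] in ("ip", p.proto),
        _addr_ok(r["src"], p.src) and _addr_ok(r["dst"], p.dst),
        _port_ok(r["sports"], p.sport) and _port_ok(r["dports"], p.dport),
        "in" not in o or p.direction == "in",
        "out" not in o or p.direction == "out",
        "via" not in o or o["via"] == p.iface,                             # via: either direction
        "recv" not in o or (p.direction == "in" and p.iface == o["recv"]),
        "xmit" not in o or (p.direction == "out" and p.iface == o["xmit"]),
        "setup" not in o or (p.syn and not p.ack),                         # setup: SYN, no ACK
        "established" not in o or p.ack,                                   # simplified: ACK set
    ])

def decide(rules, p):
    """First matching rule wins; ipfw's implicit last rule denies everything else."""
    for line in rules:
        r = parse_rule(line)
        if matches(r, p):
            return r["action"], r["text"]
    return "deny", "<implicit default deny>"

# Subset of the posted ruleset (pipe/divert lines omitted: they do not decide allow/deny here).
BASE_RULES = [
    "allow ip from any to any via lo0",
    "deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0",
    "deny log logamount 500 tcp from any to any 137-139 via xl0",
    "deny log logamount 500 udp from any to any 137-139 via xl0",
    "allow tcp from any to any established",
    "allow tcp from any to any 25 setup",
    "allow udp from 192.168.50.0/24 to any keep-state",
    "allow tcp from 192.168.50.0/24 to any setup",
    "deny log logamount 500 tcp from any to any in recv xl0 setup",
    "allow icmp from any to any",
    "deny ip from any to any",
]
# The rule Danny mentions adding for VPN support, inserted ahead of the final deny.
RULES_WITH_ESP = BASE_RULES[:-1] + ["allow esp from any to any via xl0", BASE_RULES[-1]]

# Constructed packets arriving on the outside interface xl0 (documentation address ranges).
ESP_IN = Packet("esp", "203.0.113.5", "198.51.100.7", "in", "xl0")
SMTP_SYN = Packet("tcp", "203.0.113.5", "198.51.100.7", "in", "xl0", sport=40000, dport=25, syn=True)
SMB_IN = Packet("udp", "203.0.113.5", "198.51.100.7", "in", "xl0", sport=137, dport=137)
PING_IN = Packet("icmp", "203.0.113.5", "198.51.100.7", "in", "xl0")

if __name__ == "__main__":
    for name, pkt in (("esp", ESP_IN), ("smtp", SMTP_SYN), ("smb", SMB_IN), ("icmp", PING_IN)):
        print(f"{name:5s} base ruleset: {decide(BASE_RULES, pkt)}")
    print(f"esp   with allow esp: {decide(RULES_WITH_ESP, ESP_IN)}")
```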
> To those that want my rules... I will post them tonight, when I can make sure
> that they are actually working. From memory I was adding a "allow esp" rule
> temporarily when I needed vpn support.
> -D

From: Michael Collette
Date: Wed, 7 May 2003 19:21:33 -0700
To: FreeBSD Security
Subject: VPN through BSD for Win2k, totally baffled

Scenario:
FreeBSD box running IPFW acting as a gateway to private network. The private
network is made up of entirely routable IP addresses. External users
running Win2k and XP on DSL connections with dynamic IPs.

Goal:
To have the FreeBSD gateway securely authenticate and encrypt the traffic
between the outside users and the internal network.

I've spent the last 3 days running up and down Google and reading any books
that approach the subject of setting up a VPN. The further down this road
I've travelled the more confused I am.

I assume the following:
 * Need to have a certificate setup with OpenSSL.
 * Racoon needs to deal with a key exchange.
 * Some kind of tunneling gets put into play.
 * Setkey needs appropriate policies.

I happened across the Google cache of a tutorial that seems to cover this
subject. There seems to be a couple of key points missing, as well as some
apparently out of date syntax. I did manage to create a CA and client cert
from a mix of this tutorial and the AbsoluteBSD book.

http://216.239.37.104/search?q=cache:mFG0kB-ghLoC:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-2.html+FreeBSD-WIN2K-IPSEC-HOWTO-2.html&hl=en&lr=lang_en&ie=UTF-8

Managed to get a certificate generated from that process installed on a test
XP box per the following...

http://216.239.33.104/search?q=cache:FFxjH0VQGD0C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-4.html+FreeBSD-WIN2K-IPSEC-HOWTO-4.html&hl=en&lr=lang_en&ie=UTF-8

Where I totally lost it was on the FreeBSD setup. The author is referring to
certificates that he never described how they should be created. I didn't
know what in the heck to do here.

http://216.239.33.104/search?q=cache:oNMJe4EHOu4C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-3.html+FreeBSD-WIN2K-IPSEC-HOWTO-3.html&hl=en&lr=lang_en&ie=UTF-8

Am I even on the right path? Aside from this one tutorial I've been through
several others, as well as looking at a variety of IPSec related pages.
There's obviously a number of different approaches out there to take, but I'm
simply looking for one that works. Just to know that I'm heading in the
correct direction or not would be an incredible help.

Thanks,
--
"Outside of a dog, a book is man's best friend.
Inside of a dog, it's too dark to read."
 - Groucho Marx

From: Brett Glass
Date: Wed, 07 May 2003 22:04:32 -0600
To: Michael Collette, FreeBSD Security
Subject: Re: VPN through BSD for Win2k, totally baffled

I've been using PPTP for this purpose. Microsoft's PPTP implementation
is pretty brain dead, but if you're willing to bend the configuration
of your network a little to accommodate it and configure your clients
carefully, you can set up a VPN that's accessible from most versions
of Windows. Not super-secure, but secure enough for most purposes.

I have been interested in trying L2TP, but am not sure about the
stability of the server software for FreeBSD. And I can't find
a FreeBSD client. (There's an L2TP netgraph node, but there are
no docs on how to use it with mpd and likewise nothing on how to
use it with userland PPP.)

--Brett

At 08:21 PM 5/7/2003, Michael Collette wrote:
>[...]

From: xskoba1@kremilek.gyrec.cz
Date: Thu, 8 May 2003 12:39:11 +0200 (CEST)
To: freebsd-security@freebsd.org
Subject: bridge and firewall

Can
anyone help with this.

Bridge is enabled, even in sysctl. Firewall is enabled and configured.
But my reality is done this way..

Cisco (NATing 192.168.1.0/24) ---- Freebsd Bridge (Public IP) ------ stations (Public IP)
                                                                     (NATing 172.16.0.0/24)
192.168.1.xx or something similar                                    172.16.0.xx

and on one public IP one private, which even one public IP... ok... it looks
horribly, but I am not having time to change it... we are going to change
IPS and so on... so... what are the rules which should be added?

Users are permitted to connect inside.... to public IP through SSH.
named is on FreeBSD and used by inner address (192... 172...) and firewall
then behaves strangely...

thanks for any idea, unless you want me to reconfigure it at all... it is a
school and I am not having time until holiday

cheers
Rene Skoba

From: Greg Panula
Organization: Dolan Information Center Inc
Date: Thu, 08 May 2003 06:39:15 -0500
To: Michael Collette
cc: FreeBSD Security
Subject: Re: VPN through BSD for Win2k, totally baffled

Michael Collette wrote:
> [...]
> I happened across the Google cache of a tutorial that seems to cover this
> subject. There seems to be a couple of key points missing, as well as some
> apparently out of date syntax. I did manage to create a CA and client cert
> from a mix of this tutorial and the AbsoluteBSD book.
> [...]
> Where I totally lost it was on the FreeBSD setup. The author is referring to
> certificates that he never described how they should be created. I didn't
> know what in the heck to do here.
> [...]

Handy links, thanks. Haven't done certs+ipsec, yet... only pre-shared secrets

It looks like you are on the right path. The first link walks one thru
creating the needed certs; CA aka Certificate Authority (_the_ source for
all certs), cert for the gateway (vpn server) and cert for the user.

Second link walks one thru importing two Certs into the windows box; CA and
user cert.

Third link where you get lost talks about where to put the gateway & CA cert.
The gateway certificate is the one you created under section 2.4 on the
first link. Look at the last two openssl lines in section 2.4 on that first
link.
It is creating a certificate for the vpn server (server-signed.pem) signed by
the CA you created and the last line outputs a decrypted private key
(server-key.pem) for racoon to use with the signed certificate.

Hope that helps,
greg

From: Chris BeHanna
Organization: Western Pennsylvania Pizza Disposal Unit
Date: Thu, 8 May 2003 08:20:08 -0400
To: security@freebsd.org
Subject: Fwd: Re: VPN through BSD for Win2k, totally baffled

On Wednesday 07 May 2003 22:21, Michael Collette wrote:
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network. The
> private network is made up of entirely routable IP addresses. External
> users running Win2k and XP on DSL connections with dynamic IPs.
>
> Goal:
> To have the FreeBSD gateway securely authenticate and encrypt the traffic
> between the outside users and the internal network.

You might try mpd, which should let the Windows users get in via PPTP. At
least, if I read the docs right, mpd should be useful for allowing inbound
PPTP connections as well as making output PPTP connections. Then you need
to allow inbound traffic on port 1723, protocol GRE. (Take with salt; I
haven't yet had my morning coffee.)

--
Chris BeHanna                  Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net       Turning coffee into software since 1990.

From: "Jacques A. Vidrine"
Date: Thu, 8 May 2003 07:26:37 -0500
To: Michael Collette
cc: FreeBSD Security
Subject: Re: VPN through BSD for Win2k, totally baffled

On Wed, May 07, 2003 at 07:21:33PM -0700, Michael Collette wrote:
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network. The private
> network is made up of entirely routable IP addresses. External users
> running Win2k and XP on DSL connections with dynamic IPs.
[...]
> Where I totally lost it was on the FreeBSD setup. The author is referring to
> certificates that he never described how they should be created. I didn't
> know what in the heck to do here.
[...]

It's hard to tell from your message where you are getting lost, but I'll
give it a shot.

Assuming you have all your certificates (let's call them client.crt/client.key,
server.crt/server.key, and ca-local.crt):

(1) Add a `path certificate' directive to racoon.conf, e.g.

      path certificate "/usr/local/etc/racoon/cert" ;

(2) Create that directory

(3) Store your CA's certificate in that directory in PEM format, e.g.
    /usr/local/etc/racoon/cert/ca-local.pem.

(4) Create a symlink in that directory based on the CA cert's hash, e.g.

      cd /usr/local/etc/racoon/cert
      ln -s ca-local.pem `openssl x509 -noout -hash -in ca-local.pem`.0

Heh, I found some pages that might be useful to you while I was Google'ing
to double-check my openssl syntax:

Hope this helps,
--
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
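An added example, not from Jacques's post and not racoon's own code: a Python script that carries out steps (2) to (4) above and then checks, with 'openssl verify -CApath', that libcrypto can actually find the CA through the hash link (a mis-named link is the usual reason racoon later reports it cannot verify the peer's certificate). It assumes the openssl binary is on the PATH; the directory layout and the throwaway self-signed CA built in demo() are test fixtures. It also handles the case the one-liner does not: a second CA whose subject hash collides, which gets the next suffix (.1, .2, ...).

```python
"""Added example, not from Jacques Vidrine's post or from racoon: perform the
'path certificate' directory setup in code and verify the hash-link lookup.
Requires the openssl binary; file and directory names are test fixtures."""
import os
import shutil
import subprocess
import tempfile


def subject_hash(pem_path):
    """Same value as `openssl x509 -noout -hash -in FILE`: the subject-name hash
    libcrypto uses to locate CA certificates in a directory. OpenSSL >= 1.0
    prints the new-style hash, which is also what its -CApath lookup expects."""
    out = subprocess.run(["openssl", "x509", "-noout", "-hash", "-in", pem_path],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


def install_ca_cert(pem_path, cert_dir):
    """Copy the CA cert into cert_dir and add the <hash>.N symlink (step 4).
    N starts at 0 and is bumped only when a different CA already owns that
    hash, which is how two CAs with colliding subject hashes coexist."""
    os.makedirs(cert_dir, mode=0o755, exist_ok=True)        # step 2
    name = os.path.basename(pem_path)
    dest = os.path.join(cert_dir, name)
    if os.path.abspath(pem_path) != os.path.abspath(dest):  # step 3
        shutil.copyfile(pem_path, dest)
    h = subject_hash(dest)
    n = 0
    while True:
        link = os.path.join(cert_dir, f"{h}.{n}")
        if not os.path.lexists(link):
            break
        if os.readlink(link) == name:                       # already installed: idempotent
            return link
        n += 1
    os.symlink(name, link)      # relative target, as in `ln -s ca-local.pem <hash>.0`
    return link


def lookup_works(cert_dir, pem_path):
    """Make libcrypto resolve the CA through the hash link: a self-signed CA
    verifies against a -CApath directory only if the link name is right."""
    r = subprocess.run(["openssl", "verify", "-CApath", cert_dir, pem_path],
                       capture_output=True, text=True)
    return r.returncode == 0


def racoon_path_directive(cert_dir):
    """The racoon.conf line from step 1."""
    return f'path certificate "{cert_dir}" ;'


def demo():
    """Constructed fixture: a throwaway self-signed CA, installed and checked."""
    work = tempfile.mkdtemp(prefix="racoon-cert-demo-")
    pem = os.path.join(work, "ca-local.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=ca-local", "-days", "1",
                    "-keyout", os.path.join(work, "ca-local.key"), "-out", pem],
                   check=True, capture_output=True)
    cert_dir = os.path.join(work, "cert")
    link = install_ca_cert(pem, cert_dir)
    return {
        "directive": racoon_path_directive(cert_dir),
        "link": os.path.basename(link),
        "hash": subject_hash(pem),
        "idempotent": install_ca_cert(pem, cert_dir) == link,
        "lookup_ok": lookup_works(cert_dir, pem),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```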
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Thu May 8 07:52:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8931837B405 for ; Thu, 8 May 2003 07:52:02 -0700 (PDT) Received: from mail2.qc.uunet.ca (mail2.qc.uunet.ca [198.168.54.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 728C343FDD for ; Thu, 8 May 2003 07:51:59 -0700 (PDT) (envelope-from anarcat@espresso-com.com) Received: from xtanbul.studio.espresso-com.com ([216.94.147.57]) by mail2.qc.uunet.ca (8.12.9/8.12.9) with ESMTP id h48EpubX021651; Thu, 8 May 2003 10:51:57 -0400 Received: from anarcat by xtanbul.studio.espresso-com.com with local (Exim 3.36 #1 (Debian)) id 19DmkX-000088-00; Thu, 08 May 2003 10:51:57 -0400 Date: Thu, 8 May 2003 10:51:57 -0400 From: The Anarcat To: Brett Glass Message-ID: <20030508145156.GA442@xtanbul> Mail-Followup-To: Brett Glass , Michael Collette , FreeBSD Security References: <200305071921.33596.metrol@metrol.net> <4.3.2.7.2.20030507220032.00bcec10@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030507220032.00bcec10@localhost> User-Agent: Mutt/1.5.4i Sender: The Anarcat cc: FreeBSD Security cc: Michael Collette Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 14:52:03 -0000 On mer mai 07, 2003 at 10:04:32 -0600, Brett Glass wrote: > I've been using PPTP for this purpose. 
> Microsoft's PPTP implementation
> is pretty brain dead, but if you're willing to bend the configuration
> of your network a little to accommodate it and configure your clients
> carefully, you can set up a VPN that's accessible from most versions
> of Windows. Not super-secure, but secure enough for most purposes.
>
> I have been interested in trying L2TP, but am not sure about the
> stability of the server software for FreeBSD. And I can't find
> a FreeBSD client. (There's an L2TP netgraph node, but there are
> no docs on how to use it with mpd and likewise nothing on how to
> use it with userland PPP.)

I found that the mpd client is pretty easy to set up and really
powerful. PPTP has the advantage of working out of the box over NAT or
whatever odd network you can have.

A.

From owner-freebsd-security@FreeBSD.ORG Thu May 8 09:29:47 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E11337B401 for ; Thu, 8 May 2003 09:29:47 -0700 (PDT) Received: from prioris.mini.pw.edu.pl (prioris.mini.pw.edu.pl [194.29.178.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id A586643FAF for ; Thu, 8 May 2003 09:29:44 -0700 (PDT) (envelope-from zaks@prioris.mini.pw.edu.pl) Received: from localhost (localhost.mini.pw.edu.pl [127.0.0.1]) by prioris.mini.pw.edu.pl (Postfix) with ESMTP id 79F48243C8 for ; Thu, 8 May 2003 18:29:43 +0200 (CEST) Received: by prioris.mini.pw.edu.pl (Postfix, from userid 250) id A9E9C243CB; Thu, 8 May 2003 18:29:38 +0200 (CEST) Date: Thu, 8 May 2003 18:29:38 +0200 From: Slawek Zak To: security@freebsd.org Message-ID: <20030508162938.GB460@prioris.mini.pw.edu.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i X-Virus-Scanned: by AMaViS (prioris) Subject: Problem with -c switch for ssh-add in OpenSSH 3.6.1 on CURRENT X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1
Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 16:29:47 -0000

Hi,

I tried to use this new -c switch for ssh-add, which makes ssh-agent ask
every time a particular key is going to be used for the user's permission.
It seems to fail for me. When I add some key to the agent and log on to a
remote host, I get this message when ssh tries to authenticate the user:
"Agent admitted failure to sign using the key". The key added to the agent
without the -c switch works, of course. The SSH_ASKPASS variable is set to
ssh-askpass, which also works for me.

What might be the problem?

/S

From owner-freebsd-security@FreeBSD.ORG Thu May 8 11:50:15 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 965BB37B401 for ; Thu, 8 May 2003 11:50:15 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 42DFC43FA3 for ; Thu, 8 May 2003 11:50:14 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA03282; Thu, 8 May 2003 12:50:02 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030508124919.02d2ed20@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 08 May 2003 12:49:59 -0600 To: The Anarcat From: Brett Glass In-Reply-To: <20030508145156.GA442@xtanbul> References: <4.3.2.7.2.20030507220032.00bcec10@localhost> <200305071921.33596.metrol@metrol.net> <4.3.2.7.2.20030507220032.00bcec10@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: FreeBSD Security cc: Michael Collette Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 18:50:15 -0000

At 08:51 AM 5/8/2003, The Anarcat wrote:
>I found that the mpd client is pretty easy to setup and really
>powerful.

You've found a way to do L2TP with mpd? Please post information.

--Brett

From owner-freebsd-security@FreeBSD.ORG Thu May 8 12:00:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F7F837B401 for ; Thu, 8 May 2003 12:00:09 -0700 (PDT) Received: from mail1.qc.uunet.ca (mail1.qc.uunet.ca [198.168.54.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A13743FB1 for ; Thu, 8 May 2003 12:00:01 -0700 (PDT) (envelope-from anarcat@espresso-com.com) Received: from xtanbul.studio.espresso-com.com ([216.94.147.57]) by mail1.qc.uunet.ca (8.12.9/8.12.9) with ESMTP id h48IxwLn027962; Thu, 8 May 2003 14:59:58 -0400 Received: from anarcat by xtanbul.studio.espresso-com.com with local (Exim 3.36 #1 (Debian)) id 19DqcZ-0000S6-00; Thu, 08 May 2003 14:59:59 -0400 Date: Thu, 8 May 2003 14:59:59 -0400 From: The Anarcat To: Brett Glass Message-ID: <20030508185959.GE442@xtanbul> Mail-Followup-To: Brett Glass , Michael Collette , FreeBSD Security References:
<4.3.2.7.2.20030507220032.00bcec10@localhost> <200305071921.33596.metrol@metrol.net> <4.3.2.7.2.20030507220032.00bcec10@localhost> <4.3.2.7.2.20030508124919.02d2ed20@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030508124919.02d2ed20@localhost> User-Agent: Mutt/1.5.4i Sender: The Anarcat cc: FreeBSD Security cc: Michael Collette Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 19:00:10 -0000

On Thu May 08, 2003 at 12:49:59PM -0600, Brett Glass wrote:
> At 08:51 AM 5/8/2003, The Anarcat wrote:
>
> >I found that the mpd client is pretty easy to setup and really
> >powerful.
>
> You've found a way to do L2TP with mpd? Please post information.

No. I've used mpd to setup a PPTP. Sorry for the confusion.

a.
From owner-freebsd-security@FreeBSD.ORG Thu May 8 12:21:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D7CD237B401 for ; Thu, 8 May 2003 12:21:36 -0700 (PDT) Received: from mail2.qc.uunet.ca (mail2.qc.uunet.ca [198.168.54.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id AA4D443F3F for ; Thu, 8 May 2003 12:21:35 -0700 (PDT) (envelope-from anarcat@espresso-com.com) Received: from xtanbul.studio.espresso-com.com ([216.94.147.57]) by mail2.qc.uunet.ca (8.12.9/8.12.9) with ESMTP id h48JLWbX005742; Thu, 8 May 2003 15:21:33 -0400 Received: from anarcat by xtanbul.studio.espresso-com.com with local (Exim 3.36 #1 (Debian)) id 19DqxS-0000Tt-00; Thu, 08 May 2003 15:21:34 -0400 Date: Thu, 8 May 2003 15:21:34 -0400 From: The Anarcat To: Patrick Muldoon Message-ID: <20030508192133.GF442@xtanbul> Mail-Followup-To: Patrick Muldoon , FreeBSD Security References: <4.3.2.7.2.20030507220032.00bcec10@localhost> <4.3.2.7.2.20030508124919.02d2ed20@localhost> <20030508185959.GE442@xtanbul> <200305081507.43662.doon@inoc.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200305081507.43662.doon@inoc.net> User-Agent: Mutt/1.5.4i Sender: The Anarcat cc: FreeBSD Security Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 19:21:37 -0000

On Thu May 08, 2003 at 03:07:43PM -0400, Patrick Muldoon wrote:
> On Thursday 08 May 2003 02:59 pm, The Anarcat wrote:
> > On Thu May 08, 2003 at 12:49:59PM -0600, Brett Glass wrote:
> > > At 08:51 AM 5/8/2003, The Anarcat wrote:
> > > >I found that the mpd client is pretty easy to setup and really
> > > >powerful.
> > >
> > > You've found a way to do L2TP with mpd? Please post information.
> >
> > No. I've used mpd to setup a PPTP. Sorry for the confusion.
>
> IF you don't mind me asking, what is it connecting to? I have been having a
> heck of a time connecting to a PIX on the far end.

Hehehe.. I got it to connect to.. mpd! :) dynamic ip + nat on one end,
static + nat on the other.

I tried to make it work with MacOS X, but somehow, OSX doesn't respond
to LQR pings or there's some routing problems in there, I don't know.

Haven't tried with Windows VPN either yet.

A.

From owner-freebsd-security@FreeBSD.ORG Thu May 8 13:40:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C039137B401 for ; Thu, 8 May 2003 13:40:14 -0700 (PDT) Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1730F43F85 for ; Thu, 8 May 2003 13:40:14 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h48KeCPg055572 for ; Thu, 8 May 2003 16:40:13 -0400 From: Michael Collette To: FreeBSD Security Date: Thu, 8 May 2003 13:39:43 -0700 User-Agent: KMail/1.5.1 References: <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org> In-Reply-To: <20030508122637.GA97715@madman.celabo.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305081339.43667.metrol@metrol.net> Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 20:40:15 -0000

On Thursday 08 May 2003 05:26 am, Jacques A.
Vidrine wrote:
> It's hard to tell from your message where you are getting lost, but I'll
> give it a shot. Assuming you have all your certificates (let's call
> them client.crt/client.key, server.crt/server.key, and ca-local.crt):

Took me a while to figure out how to even ask the question! After heading
down a bunch of dead ends and all.

A couple of follow up questions to this. If I go the route of handing out
certificates to end users, is there a mechanism for revoking their rights to
enter? Employees do get other jobs, and almost all of them are using laptops
which they travel with. We've had folks get laptops stolen.

Is the cert an all or nothing kinda deal? For instance, I need a different
level of access than a salesperson. We have a programmer who needs access to
different resources than myself or sales. All of these outside folks are on
dynamic IPs.

With these additional needs in play am I still wise to head down the road of
IPSec certificates?

Later on,
--
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too
dark to read."
- Groucho Marx

From owner-freebsd-security@FreeBSD.ORG Thu May 8 13:47:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6288A37B40E for ; Thu, 8 May 2003 13:47:05 -0700 (PDT) Received: from mail.XtremeDev.com (xtremedev.com [216.241.38.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id B208343F3F for ; Thu, 8 May 2003 13:47:02 -0700 (PDT) (envelope-from bsd@xtremedev.com) Received: by mail.XtremeDev.com (Postfix, from userid 1001) id 7B70570601; Thu, 8 May 2003 14:47:01 -0600 (MDT) Date: Thu, 8 May 2003 14:47:01 -0600 From: BSD To: FreeBSD Security Message-ID: <20030508204701.GA32131@Amber.XtremeDev.com> References: <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org> <200305081339.43667.metrol@metrol.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200305081339.43667.metrol@metrol.net> User-Agent: Mutt/1.5.4i Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 20:47:05 -0000

On Thu, May 08, 2003 at 01:39:43PM -0700, Michael Collette wrote:
> A couple of follow up questions to this. If I go the route of handing out
> certificates to end users, is there a mechanism for revoking their rights to
> enter? Employees do get other jobs, and almost all of them are using laptops
> which they travel with. We've had folks get laptops stolen.

You can revoke certificates. This is builtin.

> Is the cert an all or nothing kinda deal. For instance, I need a different
> level of access than a salesperson. We have a programmer who needs access to
> different resources than myself or sales.
> All of these outside folks are on
> dynamic IPs.

Dunno about this one...

Does anyone know how to setup L2TP+IPSec on FreeBSD? Preferably with
either mpd or ng_p2tp(4)? Please share examples if you can, or at least a
broad overview of how the whole thing would fit together on FreeBSD.
Anything would help at this point.

Thanks.

From owner-freebsd-security@FreeBSD.ORG Thu May 8 17:22:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4146A37B404 for ; Thu, 8 May 2003 17:22:03 -0700 (PDT) Received: from PIKES.panasas.com (gw2.panasas.com [65.194.124.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB26443FBF for ; Thu, 8 May 2003 17:22:01 -0700 (PDT) (envelope-from behanna@zbzoom.net) Received: from waumbek.panasas.com ([172.17.2.36]) by PIKES.panasas.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 2AZL3D40; Thu, 8 May 2003 20:22:00 -0400 From: Chris BeHanna Organization: Western Pennsylvania Pizza Disposal Unit To: security@freebsd.org Date: Thu, 8 May 2003 20:22:00 -0400 User-Agent: KMail/1.5.1 References: <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org> <200305081339.43667.metrol@metrol.net> In-Reply-To: <200305081339.43667.metrol@metrol.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305082022.00173.behanna@zbzoom.net> Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: behanna@zbzoom.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2003 00:22:03 -0000

On Thursday 08 May 2003 16:39, Michael Collette wrote:
> On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote:
> > It's hard to tell from your message where you are getting lost, but I'll
> > give it a shot. Assuming you have all your certificates (let's call
> > them client.crt/client.key, server.crt/server.key, and ca-local.crt):
>
> Took me a while to figure out how to even ask the question! After heading
> down a bunch of dead ends and all.
>
> A couple of follow up questions to this. If I go the route of handing out
> certificates to end users, is there a mechanism for revoking their rights
> to enter? Employees do get other jobs, and almost all of them are using
> laptops which they travel with. We've had folks get laptops stolen.
>
> Is the cert an all or nothing kinda deal. For instance, I need a different
> level of access than a salesperson. We have a programmer who needs access
> to different resources than myself or sales. All of these outside folks
> are on dynamic IPs.

Unless I miss my mark, all IPsec gets you is a secure tunnel to the
office network. It does not circumvent the usual user- and group-based
permissions, nor will it circumvent NTFS ACLs. IOW, even after the IPsec
link is established, the user *still* has to log in, in which case you
should be able to provide the kinds of access controls you want via ACLs,
netgroups, permissions masks, etc. Right?

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.
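The certificate-directory layout Jacques describes earlier in this thread (a `path certificate` directive pointing at a directory that holds the CA certificate in PEM form, plus a symlink named after the certificate's OpenSSL subject hash with a `.0` suffix), written out as an added example. It is not part of the thread and not racoon's own tooling; it assumes the `openssl` command-line tool is installed, and the directory path and file names are illustrative. It goes one step beyond the thread by also checking that every hash link in the directory still points at a certificate with that hash, which catches the stale link left behind when a CA certificate is replaced but the old link is not. One caveat a practitioner will hit today: OpenSSL 1.0.0 changed the `-hash` algorithm (the old MD5-based value is now `-subject_hash_old`), so the link name must come from the same OpenSSL build that racoon is linked against.

```shell
#!/bin/sh
# Added example, not from the thread: populate and verify the directory
# named by racoon.conf's
#     path certificate "/usr/local/etc/racoon/cert" ;
# Assumes the openssl(1) CLI is installed.  CERTDIR and file names are
# illustrative placeholders.

set -eu

# Symlink name racoon looks up for a CA certificate: the OpenSSL subject
# hash plus ".0" (".1", ".2", ... are used only when two subjects collide).
ca_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -hash -in "$1")"
}

# Steps (2)-(4) from the thread: create CERTDIR, copy the PEM file in,
# and point a hash-named symlink at it.  Prints the link name created.
# The PEM file must already be in PEM format (as the thread specifies).
install_ca_cert() {
    certdir=$1
    pem=$2
    mkdir -p "$certdir"
    pemname=$(basename "$pem")
    cp "$pem" "$certdir/$pemname"
    linkname=$(ca_link_name "$pem")
    # -f so that re-running after a CA renewal replaces the old link
    ln -sf "$pemname" "$certdir/$linkname"
    echo "$linkname"
}

# Consistency check: every <hash>.N link in CERTDIR must resolve to a
# readable PEM file whose subject hash matches the link's name.  Returns
# non-zero (and reports on stderr) for dangling or mismatched links, which
# is what you get after replacing a CA certificate without relinking.
verify_ca_links() {
    certdir=$1
    status=0
    for link in "$certdir"/*.[0-9]; do
        [ -L "$link" ] || continue
        target="$certdir/$(readlink "$link")"
        if [ ! -r "$target" ]; then
            echo "dangling link: $link" >&2
            status=1
            continue
        fi
        expect=$(openssl x509 -noout -hash -in "$target" 2>/dev/null || true)
        case $(basename "$link") in
            "$expect".[0-9]) ;;
            *) echo "hash mismatch: $link -> $target" >&2; status=1 ;;
        esac
    done
    return $status
}

# Usage: sh racoon-ca.sh install CERTDIR ca-local.pem
#        sh racoon-ca.sh verify  CERTDIR
case "${1:-}" in
    install) install_ca_cert "$2" "$3" ;;
    verify)  verify_ca_links "$2" ;;
esac
```

Run `verify` from the same periodic job that watches the rest of the racoon configuration; a mismatch means racoon will silently fail to find the CA and every client cert will be rejected.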
From owner-freebsd-security@FreeBSD.ORG Thu May 8 22:50:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 685E637B401 for ; Thu, 8 May 2003 22:50:01 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 57C2243F93 for ; Thu, 8 May 2003 22:49:59 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 5304 invoked from network); 9 May 2003 05:44:01 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 9 May 2003 05:44:00 -0000 Received: (qmail 82138 invoked by uid 1000); 9 May 2003 05:47:34 -0000 Date: Fri, 9 May 2003 08:47:34 +0300 From: Peter Pentchev To: Patrick Muldoon Message-ID: <20030509054734.GA13112@straylight.oblivion.bg> Mail-Followup-To: Patrick Muldoon , FreeBSD Security References: <4.3.2.7.2.20030507220032.00bcec10@localhost> <4.3.2.7.2.20030508124919.02d2ed20@localhost> <20030508185959.GE442@xtanbul> <200305081507.43662.doon@inoc.net> <20030508192133.GF442@xtanbul> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sm4nu43k4a2Rpi4c" Content-Disposition: inline In-Reply-To: <20030508192133.GF442@xtanbul> User-Agent: Mutt/1.5.4i cc: FreeBSD Security Subject: Re: VPN through BSD for Win2k, totally baffled X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2003 05:50:01 -0000

--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=windows-1251
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, May 08, 2003 at 03:21:34PM -0400, The Anarcat wrote:
> On Thu May 08, 2003 at 03:07:43PM -0400, Patrick Muldoon wrote:
> > On Thursday 08 May 2003 02:59 pm, The Anarcat wrote:
> > > On Thu May 08, 2003 at 12:49:59PM -0600, Brett Glass wrote:
> > > > At 08:51 AM 5/8/2003, The Anarcat wrote:
> > > > >I found that the mpd client is pretty easy to setup and really
> > > > >powerful.
> > > >
> > > > You've found a way to do L2TP with mpd? Please post information.
> > >
> > > No. I've used mpd to setup a PPTP. Sorry for the confusion.
> >
> > IF you don't mind me asking, what is it connecting to? I have been having a
> > heck of a time connecting to a PIX on the far end.
>
> Hehehe.. I got it to connect to.. mpd! :) dynamic ip + nat on one end,
> static + nat on the other.
>
> I tried to make it work with MacOS X, but somehow, OSX doesn't respond
> to LQR pings or there's some routing problems in there, I don't know.
>
> Haven't tried with Windows VPN either yet.

FWIW, mpd versions 3.7 through 3.13 on FreeBSD 4.7-STABLE, 4.8-RELEASE
and 4.8-STABLE work just fine for both incoming connections from Win2K
clients and outgoing connections to a Win2K RRAS (sorry, I don't have
enough information about the RRAS itself, all they've given us is an IP
address, username and password :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.

--sm4nu43k4a2Rpi4c
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+u0D17Ri2jRYZRVMRAsDpAJ9WktJ6hr8sCIgMo/WAntGee4dShwCff4vP
2ZNbBrNn+h5A0GchlOyZeE8=
=xD6v
-----END PGP SIGNATURE-----

--sm4nu43k4a2Rpi4c--

From owner-freebsd-security@FreeBSD.ORG Fri May 9 03:18:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1645937B404 for ; Fri, 9 May 2003 03:18:05 -0700 (PDT) Received: from mx1.dev.itouchnet.net (itouchlabs.com [196.15.188.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F12343F75 for ; Fri, 9 May 2003 03:18:02 -0700 (PDT) (envelope-from bvi@itouchlabs.com) Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 19E50e-000OWF-00 for freebsd-security@freebsd.org; Fri, 09 May 2003 12:21:48 +0200 X-TLS: TLSv1:RC4-MD5:128 itouchlabs.com -> mx1.dev.itouchnet.net Received: from itouchlabs.com ([196.15.188.2] helo=Beastie) by mx1.dev.itouchnet.net with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 19E50c-000OVo-00; Fri, 09 May 2003 12:21:46 +0200 Message-ID: <03b901c31614$06686dd0$4508a8c0@Beastie> From: "Barry Irwin" To: "Danny Carroll" , "Peter Pentchev" References: <20030430190040.A78C937B407@hub.freebsd.org><1051788543.641.31.camel@thoreau.sohotech.ca><20030501104614.A29056@chaos.obstruction.com><1052214194.d45fa9082ef35@www.dannysplace.com><20030506092623.I56271@cithaeron.argolis.org><1052258867.b640e23b86613@www.dannysplace.com><20030507055036.GA665@straylight.oblivion.bg><1052299663.086db7b178457@www.dannysplace.com> <003101c314cf$930ceef0$e464a8c0@llama> Date: Fri, 9 May 2003 12:16:15 +0200 Organization: iTouch Labs MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By
Microsoft MimeOLE V6.00.2800.1106 X-Checked: This message has been scanned for any virusses and unauthorized attachments. X-iScan-ID: 94249-1052475707-18230@unconfigured version $Name: REL_2_0_4 $ cc: freebsd-security@freebsd.org Subject: Re: how to configure a FreeBSD firewall to pass IPSec? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2003 10:18:05 -0000

You just need to allow esp and ah depending on what you are using. Also
remember port 500 for IKE.

Barry
--
Barry Irwin bvi@itouchlabs.com Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Danny Carroll"
To: "Peter Pentchev"
Cc:
Sent: Wednesday, May 07, 2003 9:33 PM
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

> As promised, my ruleset that works..
> I've removed the lines that are important for me to keep a secret... But
> they are only things like ftp...
> My Natd.conf only has some port redirects for web/ftp etc...
> p.s. Sorry for the top-post...
>
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
>
> # Spoof protection.
> deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0
> deny log logamount 500 ip from any to 10.0.0.0/8 via xl0
> deny log logamount 500 ip from any to 172.16.0.0/12 via xl0
> deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
> deny log logamount 500 ip from 0.0.0.0/8 to any via xl0
> deny log logamount 500 ip from 169.254.0.0/16 to any via xl0
> deny log logamount 500 ip from 192.0.2.0/24 to any via xl0
> deny log logamount 500 ip from 224.0.0.0/4 to any via xl0
> deny log logamount 500 ip from 240.0.0.0/4 to any via xl0
>
> #Disallow smb/nmb
> deny log logamount 500 tcp from any to any 137-139 via xl0
> deny log logamount 500 tcp from any 137-139 to any via xl0
> deny log logamount 500 udp from any to any 137-139 via xl0
> deny log logamount 500 udp from any 137-139 to any via xl0
>
> # Now divert, and setup my pipes... (These are so my web/ftp server leaves
> # me some bandwidth)
> pipe 1 ip from 192.168.10.0/24 to any out xmit xl0
> divert 8668 ip from any to any via xl0
> pipe 2 ip from any to 192.168.10.0/24 in recv xl0
>
> allow tcp from any to any established
> allow tcp from any to any 25 setup
> allow tcp from any to any 21 setup
> allow tcp from any to any 80 setup
> allow tcp from any to any 443 setup
> allow udp from 192.168.50.0/24 to any keep-state
> allow tcp from 192.168.50.0/24 to any setup
> deny log logamount 500 tcp from any to any in recv xl0 setup
> allow icmp from any to any
> deny log logamount 500 ip from any to any
> 65535 deny ip from any to any
>
> ----- Original Message -----
> From: "Danny Carroll"
> To: "Peter Pentchev"
> Cc:
> Sent: Wednesday, May 07, 2003 11:27 AM
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
>
>
> > Quoting Peter Pentchev :
> > > You have a very good point here, if by 'IP and UDP' you actually meant
> > > to say 'TCP and UDP', and 'ESP is a different protocol from TCP'. TCP,
> > > UDP, and ESP are all protocols that are based on IP - any TCP, UDP, or
> > > ESP packet is an IP packet at the same time. If you meant to say that
> > > most firewalls only allow TCP and UDP packets, then this is absolutely
> > > true: a firewall that only allows TCP and UDP, then denies all the rest
> > > of IP traffic without special provisions for ICMP or ESP, would
> > > certainly not let any IPsec traffic through.
> >
> > You see, I knew I was writing that the wrong way round... Of course I
> > meant tcp and udp.
> >
> > > Come to think of it, a firewall that only allows TCP and UDP traffic
> > > and then denies any other IP traffic, including ICMP, is doing a great
> > > disservice to both itself, its internal network, and the Internet at
> > > large. This has been said many, many times in many forums, but still:
> > > some ICMP messages are not only beneficial, they are essential for
> > > the correct operation of the network. Firewalling all ICMP traffic
> > > is a very bad idea.
> >
> > Agreed!
> >
> > To those that want my rules... I will post them tonight, when I can make
> > sure that they are actually working. From memory I was adding a "allow esp"
> > rule temporarily when I needed vpn support.
> > -D
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri May 9 06:40:46 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DB6437B404; Fri, 9 May 2003 06:40:46 -0700 (PDT) Received: from spxgate.servplex.com (ip66-105-58-82.z58-105-66.customer.algx.net [66.105.58.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4956D43F75; Fri, 9 May 2003 06:40:36 -0700 (PDT) (envelope-from peter@servplex.com) Received: from peter.servplex.com ([192.168.0.10]) by spxgate.servplex.com (8.12.8/8.12.6) with ESMTP id h49DpPIM092280; Fri, 9 May 2003 08:51:25 -0500 (CDT) (envelope-from peter@servplex.com) Message-Id: <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com> X-Sender: peter@mail.servplex.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Fri, 09 May 2003 08:40:34 -0500 To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG From: Peter Elsner Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2003 13:40:46 -0000

This morning, I noticed in my security email, that my entire /usr/bin
directory had setuid diffs set on them. I think I've been hacked.

So I installed chkrootkit from ports and ran it. It showed not infected
for everything, except NETSTAT. NETSTAT showed infected...

I ran chkrootkit for another machine (at my office), and it showed not
infected for everything. Both machines are running 4.7-STABLE.

I can re-install and restore my data, that's not a problem, but I am a
little confused... When listing any directories, I see the following:

drwxr-xr-x   3 root  wheel    18944 f 16:35 dev
drwxr-xr-x   2 root  wheel      512 f 2002  dist
drwxr-xr-x  17 root  wheel     4608 f 08:35 etc
lrwxr-xr-x   1 root  wheel        9 f 2002  home -> /usr/home
-r-xr-xr-x   1 root  wheel  2326346 f 06:51 kernel
-r-xr-xr-x   1 root  wheel  3258128 f 2000  kernel.GENERIC
-r-xr-xr-x   1 root  wheel  2301572 f 2002  kernel.old
drwxrwxrwx   2 root  wheel      512 f 2002  lib
drwxrwxrwx   3 root  wheel      512 f 2002  log
lrwxr-xr-x   1 root  wheel       19 f 2002  logfiles -> /usr/local/www/logs
drwxr-xr-x   2 root  wheel      512 f 2000  mnt
drwxr-xr-x   2 root  wheel     4096 f 06:52 modules
drwxr-xr-x   2 root  wheel     4096 f 06:51 modules.old
drwxr-xr-x   2 root  wheel      512 f 2002  old
dr-xr-xr-x   1 root  wheel      512 f 08:37 proc
drwxrwxrwx   2 root  wheel      512 f 18:58 ris_datalogs
drwxr-xr-x   4 root  wheel      512 f 2002  root
drwxr-xr-x   2 root  wheel     2048 f 04:36 sbin
drwxr-xr-x   5 root  wheel     1024 f 2002  stand
lrwxr-xr-x   1 root  wheel       11 f 18:04 sys -> usr/src/sys
drwxrwxrwt   4 root  wheel      512 f 08:36 tmp
drwxr-xr-x  19 root  wheel      512 f 2002  usr
drwxr-xr-x  22 root  wheel      512 f 2002  var
lrwxr-xr-x   1 root  wheel       19 f 2002  www -> /usr/local/www/data

Notice the f in place of the date? What does that mean?

Does it look like I've been hacked? I've already changed all my passwords.
Any insight on the f in the date would be appreciated.

Thanks in advance

Peter

----------------------------------------------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S.
Carrier Parkway Grand Prairie, Texas 75051 (972) 263-2080 - Voice (972) 263-2082 - Fax (972) 489-4838 - Cell Phone (425) 988-8061 - eFax I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin Unix IS user friendly... It's just selective about who its friends are. System Administration - It's a dirty job, but somebody said I had to do it. If you receive something that says 'Send this to everyone you know, pretend you don't know me. Standard $500/message proofreading fee applies for UCE. From owner-freebsd-security@FreeBSD.ORG Fri May 9 06:45:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF29C37B401 for ; Fri, 9 May 2003 06:45:58 -0700 (PDT) Received: from sollube.sarenet.es (sollube.sarenet.es [192.148.167.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0509443FA3 for ; Fri, 9 May 2003 06:45:58 -0700 (PDT) (envelope-from borjamar@sarenet.es) Received: from sarenet.es (zaphod2.sarenet.es [194.30.32.23]) by sollube.sarenet.es (Postfix) with ESMTP id 48F96982C99; Fri, 9 May 2003 15:45:56 +0200 (CEST) Date: Fri, 9 May 2003 15:46:35 +0200 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v552) To: Peter Elsner From: Borja Marcos In-Reply-To: <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com> Message-Id: Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.552) cc: freebsd-security@freebsd.org Subject: Re: Hacked? 
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 13:45:59 -0000

> Notice the f in place of the date? What does that mean?

Perhaps someone has installed a different ls command (and, presumably, others). Try doing "truss ls" to see if it is reading any sort of strange file. Rootkits usually have configuration files hidden in weird places.

Borja.

From owner-freebsd-security@FreeBSD.ORG Fri May 9 07:07:41 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFFE137B401 for ; Fri, 9 May 2003 07:07:41 -0700 (PDT)
Received: from spxgate.servplex.com (ip66-105-58-82.z58-105-66.customer.algx.net [66.105.58.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 770DF43F3F for ; Fri, 9 May 2003 07:07:36 -0700 (PDT) (envelope-from peter@servplex.com)
Received: from peter.servplex.com ([192.168.0.10]) by spxgate.servplex.com (8.12.8/8.12.6) with ESMTP id h49EIQIM092564; Fri, 9 May 2003 09:18:26 -0500 (CDT) (envelope-from peter@servplex.com)
Message-Id: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>
X-Sender: peter@mail.servplex.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 09 May 2003 09:07:35 -0500
To: Borja Marcos
From: Peter Elsner
In-Reply-To:
References: <5.2.0.9.2.20030509083519.01813eb8@mail.servplex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 14:07:42 -0000

Thanks,

Here's the output of truss ls

mmap(0x0,1968,0x3,0x1000,-1,0x0) = 671490048 (0x28062000)
munmap(0x28062000,0x7b0) = 0 (0x0)
__sysctl(0xbfbffab4,0x2,0x280609a8,0xbfbffab0,0x0,0x0) = 0 (0x0)
mmap(0x0,32768,0x3,0x1002,-1,0x0) = 671490048 (0x28062000)
geteuid() = 0 (0x0)
getuid() = 0 (0x0)
getegid() = 0 (0x0)
getgid() = 0 (0x0)
open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
read(0x3,0xbfbffa94,0x80) = 128 (0x80)
lseek(3,0x80,0) = 128 (0x80)
read(0x3,0x28067000,0x53) = 83 (0x53)
close(3) = 0 (0x0)
access("/usr/lib/libncurses.so.5",0) = 0 (0x0)
open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
fstat(3,0xbfbffadc) = 0 (0x0)
read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
mmap(0x0,266240,0x5,0x2,3,0x0) = 671522816 (0x2806a000)
mmap(0x2809f000,36864,0x3,0x12,3,0x34000) = 671739904 (0x2809f000)
mmap(0x280a8000,12288,0x3,0x1012,-1,0x0) = 671776768 (0x280a8000)
close(3) = 0 (0x0)
access("/usr/lib/libc.so.4",0) = 0 (0x0)
open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)
fstat(3,0xbfbffadc) = 0 (0x0)
read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
mmap(0x0,626688,0x5,0x2,3,0x0) = 671789056 (0x280ab000)
mmap(0x2812c000,20480,0x3,0x12,3,0x80000) = 672317440 (0x2812c000)
mmap(0x28131000,77824,0x3,0x1012,-1,0x0) = 672337920 (0x28131000)
close(3) = 0 (0x0)
mmap(0x0,608,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x260) = 0 (0x0)
mmap(0x0,4576,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x11e0) = 0 (0x0)
mmap(0x0,13304,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x33f8) = 0 (0x0)
sigaction(SIGILL,0xbfbffb34,0xbfbffb1c) = 0 (0x0)
sigprocmask(0x1,0x0,0x280608dc) = 0 (0x0)
sigaction(SIGILL,0xbfbffb1c,0x0) = 0 (0x0)
sigprocmask(0x1,0x280608a0,0xbfbffb5c) = 0 (0x0)
sigprocmask(0x3,0x280608b0,0x0) = 0 (0x0)
readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 672415744 (0x28144000)
break(0x804f000) = 0 (0x0)
break(0x8050000) = 0 (0x0)
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
fstat(3,0xbfbff348) = 0 (0x0)
break(0x8054000) = 0 (0x0)
read(0x3,0x8050000,0x4000) = 70 (0x46)
break(0x8055000) = 0 (0x0)
read(0x3,0x8050000,0x4000) = 0 (0x0)
close(3) = 0 (0x0)
ioctl(1,TIOCGETA,0xbfbff54c) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5b0) = 0 (0x0)
getuid() = 0 (0x0)
stat(".",0xbfbff498) = 0 (0x0)
open(".",0x0,00) = 3 (0x3)
fchdir(0x3) = 0 (0x0)
open(".",0x0,00) = 4 (0x4)
stat(".",0xbfbff448) = 0 (0x0)
open(".",0x4,05001215475) = 5 (0x5)
fstat(5,0xbfbff448) = 0 (0x0)
fcntl(0x5,0x2,0x1) = 0 (0x0)
__sysctl(0xbfbff300,0x2,0x28142300,0xbfbff2fc,0x0,0x0) = 0 (0x0)
fstatfs(0x5,0xbfbff348) = 0 (0x0)
getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 1024 (0x400)
break(0x8056000) = 0 (0x0)
getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 0 (0x0)
lseek(5,0x0,0) = 0 (0x0)
close(5) = 0 (0x0)
fchdir(0x4) = 0 (0x0)
close(4) = 0 (0x0)
fstat(1,0xbfbff278) = 0 (0x0)
break(0x8057000) = 0 (0x0)
ioctl(1,TIOCGETA,0xbfbff2ac) = 0 (0x0)
._Lonetar cgi kernel.GENERIC modules.old sys
write(1,0x8056000,46) = 46 (0x2e)
.cshrc compat kernel.old old tmp
write(1,0x8056000,36) = 36 (0x24)
.profile dev lib proc usr
write(1,0x8056000,29) = 29 (0x1d)
COPYRIGHT dist log ris_datalogs var
write(1,0x8056000,38) = 38 (0x26)
bin etc logfiles root www
write(1,0x8056000,29) = 29 (0x1d)
boot home mnt sbin
write(1,0x8056000,22) = 22 (0x16)
cdrom kernel modules stand
write(1,0x8056000,30) = 30 (0x1e)
exit(0x0)
process exit, rval = 0

I'm not exactly sure what I'm looking at... Do you see anything out of the ordinary?

Thanks again...

PS: I also did an md5 /usr/bin/netstat and got back the following:

MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c

Then I went back to my other box (at the office), and did the same thing...

MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145

They are different... I also just noticed that one of our customers got the same security email this morning, with the setuid differences... Also running 4.7-RELEASE...

Peter

At 03:46 PM 5/9/2003 +0200, you wrote:
>>Notice the f in place of the date? What does that mean?
>
> Perhaps someone has installed a different ls command (and,
> presumably, others). Try doing "truss ls" to see if it is reading any
> sort of strange file. Rootkits usually have configuration files hidden in
> weird places.
>
> Borja.

----------------------------------------------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know', pretend you don't know me.

Standard $500/message proofreading fee applies for UCE.
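The truss output above can be triaged mechanically rather than by eye. What follows is an added example, not code posted in this thread: it pulls the path argument out of the file-access syscalls truss prints and flags any path that a stock ls, ps or netstat has no reason to touch (hidden entries under /dev, /tmp or /var/tmp, dotfiles outside a home directory, anything read from a world-writable temp directory). The location rules are this example's own assumptions, tuned for a FreeBSD 4.x userland; the first seven sample lines are copied from the truss output above, the last two are constructed.

```python
"""Triage truss(1) output for signs of a trojaned userland binary.

Added example, not code from the thread. It pulls the path argument out of
file-access syscalls and flags paths that a stock ls/ps/netstat has no
reason to touch. The location rules below are this example's own
assumptions, tuned for a FreeBSD 4.x-era userland; adjust them for yours.
"""
import re
import sys

# truss prints the syscall name and, for these calls, the path as the
# first argument:  open("/path",flags,mode) = 3 (0x3)
PATH_CALLS = ("open", "access", "stat", "lstat", "readlink", "execve")
CALL_RE = re.compile(r'^(?P<call>\w+)\("(?P<path>[^"]*)"')

# Directories in which rootkits like to stash configuration and tools.
STASH_PREFIXES = ("/dev/", "/tmp/", "/var/tmp/")
# Where a user's own dotfiles legitimately live.
HOME_PREFIXES = ("/root/", "/home/", "/usr/home/")
# Paths any dynamically linked FreeBSD 4.x binary is expected to touch.
EXPECTED_PREFIXES = ("/usr/lib/", "/lib/", "/usr/local/lib/",
                     "/var/run/ld-elf.so.hints", "/etc/malloc.conf",
                     "/etc/localtime")


def has_hidden_component(path):
    """True if any component of path is dot-prefixed ('.' and '..' excluded)."""
    return any(p.startswith(".") and p not in (".", "..")
               for p in path.split("/"))


def classify(path):
    """Return a short reason if the path looks rootkit-ish, else None."""
    if path.startswith(EXPECTED_PREFIXES):
        return None
    for prefix in STASH_PREFIXES:
        if path.startswith(prefix) and has_hidden_component(path):
            return "hidden entry under " + prefix.rstrip("/")
    if path.startswith(("/tmp/", "/var/tmp/")):
        return "reads a world-writable temp directory"
    if has_hidden_component(path) and not path.startswith(HOME_PREFIXES):
        return "dotfile outside a home directory"
    return None


def triage(truss_lines):
    """Return (line_no, syscall, path, reason) for each suspicious call."""
    findings = []
    for n, line in enumerate(truss_lines, 1):
        m = CALL_RE.match(line.strip())
        if m is None or m.group("call") not in PATH_CALLS:
            continue
        reason = classify(m.group("path"))
        if reason is not None:
            findings.append((n, m.group("call"), m.group("path"), reason))
    return findings


# Sample input: the first seven lines are copied from the truss ls output
# posted above; the last two are constructed for this example.
SAMPLE_TRUSS = [
    'open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)',
    'access("/usr/lib/libncurses.so.5",0) = 0 (0x0)',
    'open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)',
    "readlink(\"/etc/malloc.conf\",0xbfbff3d8,63) ERR#2 'No such file or directory'",
    'open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)',
    'open(".",0x0,00) = 3 (0x3)',
    'write(1,0x8056000,46) = 46 (0x2e)',
    'stat("/root/.cshrc",0xbfbff498) = 0 (0x0)',   # constructed, benign
    'open("/tmp/.x/cfg",0x0,00) = 4 (0x4)',        # constructed, suspicious
]

if __name__ == "__main__":
    # truss writes its trace to stderr, so pipe it in with:
    #   truss ls 2>&1 | python3 truss_triage.py      (file name is an assumption)
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_TRUSS
    for n, call, path, reason in triage(lines):
        print("line %d: %s(%s): %s" % (n, call, path, reason))
```

Run against the sample it reports only the open() of /dev/fd/.99/.ttyf00 and the constructed /tmp/.x/cfg; the shared-library loads, the malloc.conf probe and the dotfile under /root pass. The obvious caveat: this only tells you what the traced binary opened, and only if truss and the libc it links against are themselves intact, so run it from clean media or on a copy of the disk rather than on the suspect host's own tools.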
From owner-freebsd-security@FreeBSD.ORG Fri May 9 07:21:16 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 54AD737B401 for ; Fri, 9 May 2003 07:21:16 -0700 (PDT)
Received: from sollube.sarenet.es (sollube.sarenet.es [192.148.167.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id B78D543FBF for ; Fri, 9 May 2003 07:21:15 -0700 (PDT) (envelope-from borjamar@sarenet.es)
Received: from sarenet.es (zaphod2.sarenet.es [194.30.32.23]) by sollube.sarenet.es (Postfix) with ESMTP id B6268982DCE; Fri, 9 May 2003 16:21:14 +0200 (CEST)
Date: Fri, 9 May 2003 16:21:54 +0200
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
To: Peter Elsner
From: Borja Marcos
In-Reply-To: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>
Message-Id: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 14:21:16 -0000

On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:

> open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)

Look at this. This is a rootkit. What is this file? :-) Probably the typical rootkit config file.

The "strings" command was good at this, but I have seen lately some rootkits replacing the strings command. Truss seems to be safer, at least for now.

> I'm not exactly sure what I'm looking at... Do you see anything out of
> the ordinary?

Yes, something like that :-)

If you "truss" commands like netstat, ps, etc, I am sure you will find similar operations. Look for open system calls with weird filenames or files in weird places, like above.
Borja.

From owner-freebsd-security@FreeBSD.ORG Fri May 9 07:28:46 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E67C37B401 for ; Fri, 9 May 2003 07:28:46 -0700 (PDT)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 72A0343FB1 for ; Fri, 9 May 2003 07:28:42 -0700 (PDT) (envelope-from bzeeb-lists@zabbadoz.net)
Received: from localhost (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id AB14B1FFBD5; Fri, 9 May 2003 16:28:40 +0200 (CEST)
Received: by transport.cksoft.de (Postfix, from userid 66) id 9EE961FFBCA; Fri, 9 May 2003 16:28:39 +0200 (CEST)
Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id BAE261537D; Fri, 9 May 2003 14:25:48 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id B0B5A15350; Fri, 9 May 2003 14:25:48 +0000 (UTC)
Date: Fri, 9 May 2003 14:25:48 +0000 (UTC)
From: "Bjoern A. Zeeb"
X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net
To: Borja Marcos
In-Reply-To:
Message-ID:
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by AMaViS snapshot-20020300
cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 14:28:46 -0000

On Fri, 9 May 2003, Borja Marcos wrote:

> > Notice the f in place of the date? What does that mean?
>
> Perhaps someone has installed a different ls command (and, presumably,
> others). Try doing "truss ls" to see if it is reading any sort of
> strange file. Rootkits usually have configuration files hidden in weird
> places.

this assumes that truss is ok ;-) perhaps take the truss from your other 4.7 machine ...

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Fri May 9 08:45:43 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FE6D37B401 for ; Fri, 9 May 2003 08:45:43 -0700 (PDT)
Received: from spxgate.servplex.com (ip66-105-58-82.z58-105-66.customer.algx.net [66.105.58.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0A28943F3F for ; Fri, 9 May 2003 08:45:34 -0700 (PDT) (envelope-from peter@servplex.com)
Received: from peter.servplex.com ([192.168.0.10]) by spxgate.servplex.com (8.12.8/8.12.6) with ESMTP id h49FuCIM093639; Fri, 9 May 2003 10:56:12 -0500 (CDT) (envelope-from peter@servplex.com)
Message-Id: <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
X-Sender: peter@mail.servplex.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 09 May 2003 10:45:20 -0500
To: Julian Elischer
From: Peter Elsner
In-Reply-To:
References: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 15:45:43 -0000

here's what's in /dev/fd/.99

# cd /dev/fd/.99
# ll
-rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00

The contents of that file are:

# more .ttyf00
.99
.ttyf00
.ttyp00
in.inetd
sshd
/sbin/sshd
/usr/sbin/in.inetd
.fx

I have already restored my ls and now my dates are back to normal... I have also restored netstat.

I am now going to do a complete re-install of all binaries...
Before I do, let me know if there's anything else you need...

Peter

At 08:40 AM 5/9/2003 -0700, you wrote:
>Back your system up before wiping it (to maintain evidence)
>then run new copies of netstat and ps to look for hidden backdoor
>programs. In particular look for anything that might install
>kernel modules.. There are now malicious kernel modules :-(
>
>the contents of the config file in /dev/fd/99 would be interesting ;-)
>
>On Fri, 9 May 2003, Peter Elsner wrote:
>
> > Thanks,
> >
> > Here's the output of truss ls
> >
> > [...]
----------------------------------------------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know', pretend you don't know me.

Standard $500/message proofreading fee applies for UCE.
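The two checks the thread has so far done by hand, comparing an md5 of netstat across two machines and poking at the hidden directory under /dev/fd, can both be run from a clean host against the compromised disk mounted read-only, so that nothing on the suspect system (its ls, md5, libc or kernel) is trusted. What follows is an added example and not code from the thread: it hashes a list of binaries under a root you trust, compares them under the suspect root, and walks the directories where this rootkit and its relatives keep their droppings. The watched-file list, the stash-directory list, the use of SHA-256 in place of md5 and the two temporary demo trees (one clean, one mimicking what Peter found) are this example's own assumptions and constructions.

```python
"""Inspect a compromised disk offline, from a clean host, without trusting
any binary or library on it.

Added example, not code from the thread. It generalises the by-hand md5
comparison above: hash watched binaries under a known-clean root, compare
them under the suspect root (mounted read-only on the clean host), and walk
the directories where this rootkit and its relatives hide configuration.
The demo trees, the watched-file list and the stash-directory list are this
example's own constructions and assumptions.
"""
import hashlib
import os
import tempfile

# Where rootkit droppings tend to live, relative to the mounted root.
STASH_DIRS = ("dev", "tmp", "var/tmp")
# Binaries a userland rootkit typically replaces (FreeBSD paths); extend to taste.
WATCHED = ("usr/bin/netstat", "bin/ls", "bin/ps")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_root, rel_paths=WATCHED):
    """Hash the watched files under a root you trust; returns {rel: digest}."""
    return {rel: sha256_file(os.path.join(clean_root, rel)) for rel in rel_paths}


def verify_against_baseline(suspect_root, baseline):
    """Compare each watched file under the suspect root: ok / modified / missing."""
    status = {}
    for rel, good in baseline.items():
        full = os.path.join(suspect_root, rel)
        if not os.path.lexists(full):
            status[rel] = "missing"
        elif sha256_file(full) != good:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def find_hidden_entries(suspect_root):
    """Dot-named files and directories under the usual stash directories."""
    found = []
    for sub in STASH_DIRS:
        for dirpath, dirnames, filenames in os.walk(os.path.join(suspect_root, sub)):
            for name in dirnames + filenames:
                if name.startswith("."):
                    found.append(os.path.relpath(os.path.join(dirpath, name), suspect_root))
    return sorted(found)


def build_demo_trees():
    """Constructed stand-ins for a clean root and a compromised root (not real data).

    The compromised tree mimics what the thread found: a replaced netstat and
    a hidden /dev/fd/.99/.ttyf00 holding the names the rootkit hides.
    """
    clean = tempfile.mkdtemp(prefix="clean-")
    suspect = tempfile.mkdtemp(prefix="suspect-")
    for root in (clean, suspect):
        for d in ("usr/bin", "bin", "dev/fd", "tmp"):
            os.makedirs(os.path.join(root, d))
        for rel in WATCHED:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"stock " + os.path.basename(rel).encode() + b" binary")
    with open(os.path.join(suspect, "usr/bin/netstat"), "wb") as f:
        f.write(b"trojaned netstat")
    os.makedirs(os.path.join(suspect, "dev/fd/.99"))
    with open(os.path.join(suspect, "dev/fd/.99/.ttyf00"), "w") as f:
        f.write(".99\n.ttyf00\n.ttyp00\nin.inetd\nsshd\n/sbin/sshd\n/usr/sbin/in.inetd\n.fx\n")
    os.remove(os.path.join(suspect, "bin/ps"))   # a deleted binary shows up as "missing"
    return clean, suspect


def inspect(clean_root, suspect_root):
    """Run both checks; returns (hash status per watched file, hidden entries)."""
    baseline = build_baseline(clean_root)
    return verify_against_baseline(suspect_root, baseline), find_hidden_entries(suspect_root)


if __name__ == "__main__":
    clean, suspect = build_demo_trees()
    status, hidden = inspect(clean, suspect)
    for rel, s in sorted(status.items()):
        print("%-20s %s" % (rel, s))
    for rel in hidden:
        print("hidden: " + rel)
```

Two points worth keeping in mind when using this for real. The baseline has to come from the same build as the victim: two 4.7 boxes built from different world sources on different days will legitimately have different netstat hashes, so a mismatch between two production machines proves less than a mismatch against the install media or a world built from the same sources. And hashing with the clean host's own tools matters as much as the mount: a trojaned ls can hide /dev/fd/.99 from anyone logged into the victim, but it cannot hide it from a directory walk run from a host whose tools were never touched.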
From owner-freebsd-security@FreeBSD.ORG Fri May 9 08:50:35 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1D8D37B401 for ; Fri, 9 May 2003 08:50:35 -0700 (PDT)
Received: from sparky.acsmail.com (acsmail.com [66.73.61.222]) by mx1.FreeBSD.org (Postfix) with ESMTP id B328B43F3F for ; Fri, 9 May 2003 08:50:34 -0700 (PDT) (envelope-from tgeier@acsmail.com)
Received: from phoenix ([192.168.254.17]) by sparky.acsmail.com (8.12.5/8.12.5) with ESMTP id h49FoU2G018229; Fri, 9 May 2003 11:50:31 -0400
From: "Timothy R. Geier"
Organization: Advanced Communications Systems
To: Peter Elsner
Date: Fri, 9 May 2003 11:50:19 -0400
User-Agent: KMail/1.5.1
References: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
In-Reply-To: <955A21A2-8229-11D7-B2CA-000393C94468@sarenet.es>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_G58u+bZCGK47jWt"; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200305091150.30237.tgeier@acsmail.com>
cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 15:50:36 -0000

--Boundary-02=_G58u+bZCGK47jWt
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
>
> Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> Yes, something like that :-)
>
> If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
> Borja.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

To add a few more thoughts to this, the most likely places for rootkit configurations and possibly executables are hidden directories under /tmp, /dev/, and /var/tmp. Of course, these are not the only possible places, but they are the most popular.

Also, the use of nmap or another port scanner from a remote machine can discover if the rootkit has left any backdoor ports open. Since you've restored netstat, though, "netstat -l" should work just as well. After determining if there are any backdoors, I would recommend removing the compromised machine from any network(s) it is on and then performing a detailed analysis, restoration, and hardening. An article on this process can be found at http://www.securityfocus.com/infocus/1692.

--
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier@acsmail.com

--Boundary-02=_G58u+bZCGK47jWt
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQA+u85FBkUJ7Q/wZqgRAqF+AKCLoPvI7rKzEqtI5+44Y+USfjKbTACfXkYF
Kp7/k5nf80vu+3TQilK39/A=
=Ytfy
-----END PGP SIGNATURE-----

--Boundary-02=_G58u+bZCGK47jWt--

From owner-freebsd-security@FreeBSD.ORG Fri May 9 10:01:37 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3125B37B401 for ; Fri, 9 May 2003 10:01:37 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4E5B843FA3 for ; Fri, 9 May 2003 10:01:36 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA14875; Fri, 9 May 2003 11:01:26 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030509110012.03940680@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 09 May 2003 11:01:21 -0600
To: "Bjoern A. Zeeb" , Borja Marcos
From: Brett Glass
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 17:01:37 -0000

At 08:25 AM 5/9/2003, Bjoern A. Zeeb wrote:

>this assumes that truss is ok ;-) perhaps take the truss from your
>other 4.7 machine ...

Yes, you do have to be careful of this. I recently investigated a machine that had been "owned," and when truss was applied to some commands (e.g. netstat) it produced no output.

--Brett

From owner-freebsd-security@FreeBSD.ORG Fri May 9 10:22:30 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFBB237B401 for ; Fri, 9 May 2003 10:22:30 -0700 (PDT)
Received: from PIKES.panasas.com (gw2.panasas.com [65.194.124.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB89343F85 for ; Fri, 9 May 2003 10:22:29 -0700 (PDT) (envelope-from behanna@zbzoom.net)
Received: from waumbek.panasas.com ([172.17.2.36]) by PIKES.panasas.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 2AZL3NVN; Fri, 9 May 2003 13:22:29 -0400
From: Chris BeHanna
Organization: Western Pennsylvania Pizza Disposal Unit
To: security@freebsd.org
Date: Fri, 9 May 2003 13:22:28 -0400
User-Agent: KMail/1.5.1
References: <5.2.0.9.2.20030509090341.01796b58@mail.servplex.com> <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
In-Reply-To: <5.2.0.9.2.20030509104258.017c6b50@mail.servplex.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200305091322.28708.behanna@zbzoom.net>
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: behanna@zbzoom.net
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 17:22:31 -0000

On Friday 09 May 2003 11:45, Peter Elsner wrote:
> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...

*AFTER* you boot from CD-ROM and newfs every partition on the disk, right? That is the *only* way you can be sure you've removed all of the noisome pieces of the rootkit.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.

From owner-freebsd-security@FreeBSD.ORG Fri May 9 13:50:03 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32CE537B401 for ; Fri, 9 May 2003 13:50:03 -0700 (PDT)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id E7C3143F75 for ; Fri, 9 May 2003 13:50:01 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.12.3/8.12.3) with ESMTP id h49KlkQD062827; Fri, 9 May 2003 17:47:46 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar)
Date: Fri, 9 May 2003 17:47:46 -0300 (ART)
From: Fernando Gleiser
To: "Bjoern A. Zeeb"
In-Reply-To:
Message-ID: <20030509173844.O50632-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Status: No, hits=-120.1 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, QUOTE_TWICE_1,REPLY_WITH_QUOTES,USER_IN_WHITELIST version=2.53
X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
cc: freebsd-security@freebsd.org
Subject: Re: Hacked?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 May 2003 20:50:03 -0000

On Fri, 9 May 2003, Bjoern A. Zeeb wrote:

> this assumes that truss is ok ;-) perhaps take the truss from your
> other 4.7 machine ...

Better yet, move the disk to some off-line, clean system and mount the compromised disk there. You don't know if the rootkit messed with the system libraries or if it loaded a KLD. Or boot from CD and use the CD's binaries.

Fer

From owner-freebsd-security@FreeBSD.ORG Fri May 9 17:25:30 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 468C237B401 for ; Fri, 9 May 2003 17:25:30 -0700 (PDT)
Received: from praetor.linc-it.com (hardtime.linuxman.net [66.147.26.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F0BC43FDD for ; Fri, 9 May 2003 17:25:29 -0700 (PDT) (envelope-from fullermd@over-yonder.net)
Received: from mortis.over-yonder.net (adsl-33-236-134.jan.bellsouth.net [67.33.236.134]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by praetor.linc-it.com (Postfix) with ESMTP id 9D3CD1543B; Fri, 9 May 2003 19:25:27 -0500 (CDT)
Received: by mortis.over-yonder.net (Postfix, from userid 100) id DE1A520F03; Fri, 9 May 2003 19:25:25 -0500 (CDT)
Date: Fri, 9 May 2003 19:25:25 -0500
From: "Matthew D. Fuller"
To: Danny Carroll
Message-ID: <20030510002525.GC97056@over-yonder.net>
References: <1052299663.086db7b178457@www.dannysplace.com> <003101c314cf$930ceef0$e464a8c0@llama>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <003101c314cf$930ceef0$e464a8c0@llama>
User-Agent: Mutt/1.4i-fullermd.1
X-Editor: vi
X-OS: FreeBSD
cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 10 May 2003 00:25:30 -0000

On Wed, May 07, 2003 at 09:33:45PM +0200 I heard the voice of
Danny Carroll, and lo! it spake thus:
>
> deny log logamount 500 ip from any to 192.168.0.0/24 via xl0
                                                   ^^

Shouldn't that be /16? Which would also obviate the need for:

> deny log logamount 500 ip from 192.168.50.0/24 to any in recv xl0

--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"

From owner-freebsd-security@FreeBSD.ORG Sat May 10 04:16:28 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 638AF37B401 for ; Sat, 10 May 2003 04:16:28 -0700 (PDT)
Received: from boyes.its.utas.edu.au (boyes.its.utas.edu.au [144.6.1.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id C5B7A43FDF for ; Sat, 10 May 2003 04:16:25 -0700 (PDT) (envelope-from apdewis@postoffice.utas.edu.au)
Received: from boyes.its.utas.edu.au (localhost [127.0.0.1]) h4ABGMH21903 for ; Sat, 10 May 2003 21:16:22 +1000 (EST)
Message-Id: <200305101116.h4ABGMH21903@boyes.its.utas.edu.au>
Content-Type: text/plain
Content-Disposition: inline Content-Transfer-Encoding: binary To: freebsd-security@freebsd.org From: Adam Dewis Organization: University of Tasmania X-Originating-Ip: 144.137.28.205 MIME-Version: 1.0 Date: Sat, 10 May 2003 21:16:18 EAST X-Mailer: EMUmail 5.1 X-Http_host: postoffice.newnham.utas.edu.au X-Webmail-User: apdewis@postoffice.newnham.utas.edu.au Subject: Re: Hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Adam Dewis List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 May 2003 11:16:28 -0000 On Fri, 09 May 2003 10:45:20 -0500 Peter Elsner wrote: > here's what's in /dev/fd/.99 > > # cd /dev/fd/.99 > # ll > -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00 > > The contents of that file are: > > # more .ttyf00 > .99 > .ttyf00 > .ttyp00 > in.inetd > sshd > /sbin/sshd > /usr/sbin/in.inetd > .fx > > I have already restored my ls and now my dates are back to normal... I > have also restored netstat. > > I am now going to do a complete re-install of all binaries... > > Before I do, let me know if there's anything else you need... > > Peter > Doing a complete reeinstall is all good and well, but Installing a rootkit means that the cracker used a hole to gain the required permissions to do so. Whcih in praticality means that you will need to patch the hole as well, unfortunatly I cannot offer any advice on finding the hole, but mayhaps some other security guru on this list may be able to steer you in the right direction? 
Adam

From owner-freebsd-security@FreeBSD.ORG Sat May 10 06:18:04 2003
From: Michael Collette
To: FreeBSD Security
Date: Sat, 10 May 2003 06:17:43 -0700
Subject: Down the MPD road
Message-Id: <200305100617.44245.metrol@metrol.net>

Well, after working through the various options it looked like MPD would
be my best bet here. I've got it sort of working, but there's obviously
some tweaky I'm missing here.

Recap of the scenario:
  Full class C of static IPs segmented into 3 networks. Outside, DMZ,
  Inside. Trying to get remote Windows users through securely to the
  Inside. Remote users have dynamic IPs.

What's working:
  MPD is running, and authenticating my test XP box via PPTP. No
  certificates or any IPSec involved here.
  I can hit boxes on the Inside really solid now.

The probs:
  Apparently PPTP actually puts the remote machine IN the target network.
Sorry, I'm still pretty green on this PPTP stuff. Works a good bit
different than IPSec. Anyhow, once the remote box is connected all the
connections to the rest of the Internet are now coming from behind the
firewall. That'd be cool if it worked reliably.
  While connected, when I attempt to browse around the public Internet some
pages just don't load, where others do. No rhyme or reason, and nothing
showing up in my logging of all denied packets via ipfw. For example, I can
hit CNN without a problem, then when I try news.google it never loads a
page. I can hit the main Yahoo page, but any of their other sites won't go.
Really odd.

I'm not sure if I've got an ipfw or mpd problem at this point. I've tried a
dozen different ways to open up ipfw a LOT while still keeping it
reasonably closed. This thing is in production and all. If it'd help, I'll
post the relevant rule list here.

Here is what I'm running for an mpd.conf file. Both mpd.links and
mpd.secret I'm guessing are okay due to their simplicity.

-----------------------------------------------------------------------------
default:
        load pptp_client0

pptp_client0:
        new -i ng0 pptp0 pptp0
        set ipcp ranges {InsideIF}/32 {AssignedIP}/25
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 3600
        set bundle disable multilink
        set bundle enable compression
        set bundle yes crypt-reqd
        set link mtu 1440
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link yes acfcomp protocomp
        set ipcp dns {InsideDNS}
        set ipcp nbns {NTServer}
        set ipcp yes vjcomp
        set ccp yes mppc
#       set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set ccp enable mpp-compress
-----------------------------------------------------------------------------

I've played with tweaking a number of these settings, but with the same
basic glitchiness. Was hoping one of you folks swearing by mpd might be
able to point out some goofball thing I did here.

BTW, the ng0 interface has permissions to every darn thing in ipfw. That
includes tcp, udp, icmp, and even igmp. I've run out of things to try here.

Later on,
--
"Outside of a dog, a book is man's best friend.
Inside of a dog, it's too dark to read."
- Groucho Marx

From owner-freebsd-security@FreeBSD.ORG Sat May 10 07:18:14 2003
From: Eric Anderson
To: Michael Collette
cc: FreeBSD Security
Date: Sat, 10 May 2003 09:19:45 -0500
Subject: Re: Down the MPD road
Message-ID: <3EBD0A81.50305@centtech.com>
References: <200305100617.44245.metrol@metrol.net>

Michael Collette wrote:
> [..snip good stuff..]
> The probs:
>   Apparently PPTP actually puts the remote machine IN the target network.
> Sorry, I'm still pretty green on this PPTP stuff. Works a good bit
> different than IPSec. Anyhow, once the remote box is connected all the
> connections to the rest of the Internet are now coming from behind the
> firewall. That'd be cool if it worked reliably.
>   While connected, when I attempt to browse around the public Internet
> some pages just don't load, where others do. No rhyme or reason, and
> nothing showing up in my logging of all denied packets via ipfw. For
> example, I can hit CNN without a problem, then when I try news.google it
> never loads a page. I can hit the main Yahoo page, but any of their other
> sites won't go. Really odd.
>
> I'm not sure if I've got an ipfw or mpd problem at this point. I've tried
> a dozen different ways to open up ipfw a LOT while still keeping it
> reasonably closed. This thing is in production and all. If it'd help,
> I'll post the relevant rule list here.
> [..more snipping..]

Ok, I saw these problems too.. Remember that the vpn'd client's data is
coming through the firewall, to the ng0 interface, and then leaving from
there (when "surfing the net"), so you will have to have NAT set up (of
some sort) and make sure your rules are open enough to allow the firewall
to send packets from the ng0 interface on out and have them natted..

Some of your pages are probably loading from a cache, and not others...

Also, you may want to add these lines to mpd.conf:
  set iface enable proxy-arp
  set iface mtu 1440

I found it fixed all my odd problems that I was having with XP clients..
Eric

From owner-freebsd-security@FreeBSD.ORG Sat May 10 07:22:31 2003
From: Chris BeHanna
Reply-To: behanna@zbzoom.net
To: FreeBSD Security
Date: Sat, 10 May 2003 10:22:40 -0400
Subject: Re: Down the MPD road
Message-Id: <200305101022.40307.behanna@zbzoom.net>
In-Reply-To: <200305100617.44245.metrol@metrol.net>

On Saturday 10 May 2003 09:17, Michael Collette wrote:
> Well, after working through the various options it looked like MPD would
> be my best bet here. I've got it sort of working, but there's obviously
> some tweaky I'm missing here.
>
> Recap of the scenario:
>   Full class C of static IPs segmented into 3 networks. Outside, DMZ,
>   Inside. Trying to get remote Windows users through securely to the
>   Inside. Remote users have dynamic IPs.
>
> What's working:
>   MPD is running, and authenticating my test XP box via PPTP. No
>   certificates or any IPSec involved here.
>   I can hit boxes on the Inside really solid now.
>
> The probs:
>   Apparently PPTP actually puts the remote machine IN the target network.
> Sorry, I'm still pretty green on this PPTP stuff. Works a good bit
> different than IPSec. Anyhow, once the remote box is connected all the
> connections to the rest of the Internet are now coming from behind the
> firewall. That'd be cool if it worked reliably.
>   While connected, when I attempt to browse around the public Internet
> some pages just don't load, where others do. No rhyme or reason, and
> nothing showing up in my logging of all denied packets via ipfw. For
> example, I can hit CNN without a problem, then when I try news.google it
> never loads a page. I can hit the main Yahoo page, but any of their other
> sites won't go. Really odd.

     Here is where we descend into Windows-bashing.  For some STUPID
reason, when a Windows box connects to a VPN via PPTP, the Windows box's
default route is adjusted to go through the VPN connection.  This is
fortunately fixable (Windows has a ROUTE command), but it requires your
users to have half a clue:

    route delete 0.0.0.0
    route add 0.0.0.0 mask 0.0.0.0 gateway metric 1
    route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN tunnel] metric 1

> I'm not sure if I've got an ipfw or mpd problem at this point. I've tried
> a dozen different ways to open up ipfw a LOT while still keeping it
> reasonably closed. This thing is in production and all. If it'd help,
> I'll post the relevant rule list here.

     That would help, undoubtedly.  One thing that I did (using my FreeBSD
box as an mpd client to a Windows RAS box) was this:

    ${fwcmd} add check-state
    ${fwcmd} add pass all from any to ${vpnbox} keep-state

     That made it possible for me to VPN in from FreeBSD.  You may need to
add some similar stateful rule for the other direction, so that all packets
destined to the outbound machines are just let through, period (because you
don't know their IP addresses in advance).  That may be too wide open;
someone else can comment.

     Another thing you could try is to explicitly pass all out over ng0.

> [...mpd config...]

     I didn't see anything glaringly obviously wrong there.

--
Chris BeHanna                  Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net       Turning coffee into software since 1990.

From owner-freebsd-security@FreeBSD.ORG Sat May 10 08:01:45 2003
From: Peter Pentchev
To: Chris BeHanna
cc: FreeBSD Security
Date: Sat, 10 May 2003 17:59:15 +0300
Subject: Re: Down the MPD road
Message-ID: <20030510145915.GB79233@straylight.oblivion.bg>
In-Reply-To: <200305101022.40307.behanna@zbzoom.net>
References: <200305100617.44245.metrol@metrol.net> <200305101022.40307.behanna@zbzoom.net>
On Sat, May 10, 2003 at 10:22:40AM -0400, Chris BeHanna wrote:
> On Saturday 10 May 2003 09:17, Michael Collette wrote:
> > Well, after working through the various options it looked like MPD
> > would be my best bet here. I've got it sort of working, but there's
> > obviously some tweaky I'm missing here.
> >
> > Recap of the scenario:
> >   Full class C of static IPs segmented into 3 networks. Outside, DMZ,
> >   Inside. Trying to get remote Windows users through securely to the
> >   Inside. Remote users have dynamic IPs.
> >
> > What's working:
> >   MPD is running, and authenticating my test XP box via PPTP. No
> >   certificates or any IPSec involved here.
> >   I can hit boxes on the Inside really solid now.
> >
> > The probs:
> >   Apparently PPTP actually puts the remote machine IN the target
> >   network. Sorry, I'm still pretty green on this PPTP stuff. Works a
> >   good bit different than IPSec. Anyhow, once the remote box is
> >   connected all the connections to the rest of the Internet are now
> >   coming from behind the firewall. That'd be cool if it worked reliably.
> >   While connected, when I attempt to browse around the public Internet
> >   some pages just don't load, where others do. No rhyme or reason, and
> >   nothing showing up in my logging of all denied packets via ipfw. For
> >   example, I can hit CNN without a problem, then when I try news.google
> >   it never loads a page. I can hit the main Yahoo page, but any of
> >   their other sites won't go. Really odd.
>
> Here is where we descend into Windows-bashing. For some STUPID
> reason, when a Windows box connects to a VPN via PPTP, the Windows
> box's default route is adjusted to go through the VPN connection.
> This is fortunately fixable (Windows has a ROUTE command), but it
> requires your users to have half a clue:
>
> route delete 0.0.0.0
> route add 0.0.0.0 mask 0.0.0.0 gateway metric 1
> route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN
> tunnel] metric 1

I cannot test this right now, so it is quite probable that you are
right, but couldn't this be controlled by the Properties >> Networking >>
Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >> Use
default gateway on remote network?

Granted, that's a hell of a place to bury a little checkbox, but could
this possibly help? :)

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.

From owner-freebsd-security@FreeBSD.ORG Sat May 10 08:05:02 2003
From: Mark Thomas
To: Peter Pentchev
cc: FreeBSD Security
Date: Sat, 10 May 2003 11:04:17 -0400
Subject: Re: Down the MPD road
Message-Id: <5.1.0.14.2.20030510110309.04a451d0@pbegames.com>
In-Reply-To: <20030510145915.GB79233@straylight.oblivion.bg>
References: <200305101022.40307.behanna@zbzoom.net> <200305100617.44245.metrol@metrol.net>

At 05:59 PM 5/10/03 +0300, Peter Pentchev wrote:
> I cannot test this right now, so it is quite probable that you are
> right, but couldn't this be controlled by the Properties >> Networking >>
> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >> Use
> default gateway on remote network?
>
> Granted, that's a hell of a place to bury a little checkbox, but could
> this possibly help? :)

It's available on the VPN dialog page under TCP/IP properties, at least in
W98/2000.
Mark

---
thomas@pbegames.com ----> http://www.pbegames.com/~thomas
Play by Electron Games -> http://www.pbegames.com   Free Trial Games

From owner-freebsd-security@FreeBSD.ORG Sat May 10 11:05:09 2003
From: Tony Meman
Cc: freebsd-security@freebsd.org
Date: Sat, 10 May 2003 15:06:53 -0300
Subject: Re: Hacked?
Message-ID: <3EBD3FBD.2030007@superig.com.br>
References: <200305101116.h4ABGMH21903@boyes.its.utas.edu.au>

You should search the logs for weird exit msgs from the daemons. You could
also look for core dumped files in the file system. If you still can't
find it, a good bet would be in Samba (were you running it? which version?)
and OpenSSL/apache.

--
none

Adam Dewis wrote:
>
> Doing a complete reinstall is all good and well, but installing a
> rootkit means that the cracker used a hole to gain the required
> permissions to do so. Which in practicality means that you will need to
> patch the hole as well. Unfortunately I cannot offer any advice on
> finding the hole, but mayhaps some other security guru on this list may
> be able to steer you in the right direction?
>
> Adam
>

From owner-freebsd-security@FreeBSD.ORG Sat May 10 13:30:06 2003
From: Peter Elsner
To: freebsd-security@FreeBSD.ORG
Date: Sat, 10 May 2003 15:29:58 -0500
Subject: Hacked? (UPDATE)
Message-Id: <5.2.0.9.2.20030510151347.017a2f48@mail.servplex.com>

Update, for those that want to know...

The attacker used a worm or bot that tried hundreds (if not thousands) of
connections through SMBD (Samba). I was running 2.2.7. I noticed the
attempts for a week, but the log file always showed "access denied" so I
wasn't too worried about it. Well, obviously, one of those attempts got
through...

At this time, the worm (or bot) modified the modification date with a
program called systemf (in the /usr/bin directory). This prevented me from
listing last modification dates (all dates in ls were replaced with the
letter f). Then he created an /etc/rc.local file and added an entry to
start inetd and a trojaned sshd (on port 44444). I put everything in
/usr/local/etc/rc.d so I didn't originally have an /etc/rc.local.

netstat (in /usr/bin) was renamed to netstats and a new netstat (much
smaller in size) was placed in the /usr/bin directory. I'm not really sure
what this new netstat did.

I believe only the /usr/bin directory and /usr/sbin directory were affected
(after doing quite a bit of research), plus the 2 hidden directories that
were created and the /etc/rc.local file. The trojaned sshd was stored in
/dev/fd/.99 or in /usr/lib/.fx (not sure which).

I suspect that the passwd and master.passwd files were then emailed or
ftp'd to the hacker for later inspection. This way, even if I close the
Samba hole (which I've done), the trojaned sshd that he/she put in place
would allow the attacker to get back in using any of the passwords in the
passwd/master.passwd list.

Anyway, thanks to all who answered my request for help and more info (both
on this list and privately). I have completely fdisk'ed the drive and
re-installed. I'm now restoring from last week's master backup.

Peter

----------------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's too
young to have logged on yet. Here's what I worry about. I worry that 10 or
15 years from now, she will come to me and say "Daddy, where were you when
they took freedom of the press away from the Internet?" -- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know,'
pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.

From owner-freebsd-security@FreeBSD.ORG Sat May 10 13:52:02 2003
From: Olivier Cherrier
To: 'Peter Pentchev', Chris BeHanna
cc: FreeBSD Security
Date: Sat, 10 May 2003 22:48:58 +0200
Subject: RE: Down the MPD road

> > Here is where we descend into Windows-bashing. For some STUPID
> > reason, when a Windows box connects to a VPN via PPTP, the Windows
> > box's default route is adjusted to go through the VPN connection.
> > This is fortunately fixable (Windows has a ROUTE command), but it > > requires your users to have half a clue: > > > > route delete 0.0.0.0 > > route add 0.0.0.0 mask 0.0.0.0 gateway metric 1 > > route add [InsideNetwork] mask [InsideMask] gateway > [far end of VPN > > tunnel] metric 1 > > I cannot test this right now, so it is quite probable that you are > right, but couldn't this be controlled by the Properties >> Networking > >> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >> > >> Use default gateway on remote network? Yes, this checkbox allows to NOT route all the traffic to the VPN server. No need of 'route delete, route add ...' scripts. oc From owner-freebsd-security@FreeBSD.ORG Sat May 10 15:19:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24B3B37B401 for ; Sat, 10 May 2003 15:19:44 -0700 (PDT) Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id 575F643FAF for ; Sat, 10 May 2003 15:19:43 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4AMJfPg142926 for ; Sat, 10 May 2003 18:19:42 -0400 From: Michael Collette To: FreeBSD Security Date: Sat, 10 May 2003 15:19:22 -0700 User-Agent: KMail/1.5.1 References: <200305100617.44245.metrol@metrol.net> <3EBD0A81.50305@centtech.com> In-Reply-To: <3EBD0A81.50305@centtech.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305101519.22567.metrol@metrol.net> Subject: Re: Down the MPD road X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 May 2003 22:19:44 
-0000 On Saturday 10 May 2003 07:19 am, Eric Anderson wrote: > Ok, I saw these problems too.. Remember that the vpn'd client's data is > coming through the firewall, to the ng0 interface, and then leaving from > there (when "surfing the net"), so you will have to have NAT set up (of > some sort) and make sure your rules are open enough to allow the > firewall to send packets from the ng0 interface on out and have them > natted.. No NAT involved here. I'm dealing with an entirely routeable class C pool of addresses. Came with the T1, so we used 'em. I've considered setting up a NAT for the office, but that is way off in the future. > Some of your pages are probably loading from a cache, and not > others... I considered that, which is why I kept attempting to hit news.google.com. Lots of domains that I know this browser has never seen. The XP load on this box is pretty fresh, as I never did deploy this to an end user. I've also ran through and cleared the cache several times in the browser config. Also, while watching the link's property box I can see when I'm getting actual traffic through or not. > also, you may want to add these lines to mpd.conf: > set iface enable proxy-arp > set iface mtu 1440 I have the proxy line in there already. Tried turning that off, then back on during testing. It really wants it on. Setting the mtu for the iface made things extra unstable. Had problems connecting to the server at all. When it did connect I was getting a lot of the following... [pptp0] LCP: no reply to 1 echo request(s) [pptp0] LCP: no reply to 1 echo request(s) [pptp0] LCP: no reply to 2 echo request(s) [pptp0] LCP: no reply to 3 echo request(s) [pptp0] LCP: no reply to 4 echo request(s) In ipfw I have a rule to specifically log any denied icmp requests. Nothing is showing up there. > I found it fixed all my odd problems that I was having with XP clients.. Is it possible that mpd expects natd to be there to help route packets? 
That'd be fine, except the darn thing isn't totally dead. It is routing some
packets, which is what is totally throwing me here.

Thanks for the reply. I'll keep at it here and if I do stumble across a
solution I'll be sure to post it up.

Later on,
--
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too
dark to read."
- Groucho Marx

From owner-freebsd-security@FreeBSD.ORG Sat May 10 15:21:13 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C98737B401 for ; Sat, 10 May 2003 15:21:13 -0700 (PDT)
Received: from pimout2-ext.prodigy.net (pimout2-ext.prodigy.net [207.115.63.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C95943F85 for ; Sat, 10 May 2003 15:21:12 -0700 (PDT) (envelope-from metrol@metrol.net)
Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4AMLB3T110650 for ; Sat, 10 May 2003 18:21:11 -0400
From: Michael Collette
To: FreeBSD Security
Date: Sat, 10 May 2003 15:20:52 -0700
User-Agent: KMail/1.5.1
References: <200305101022.40307.behanna@zbzoom.net> <5.1.0.14.2.20030510110309.04a451d0@pbegames.com>
In-Reply-To: <5.1.0.14.2.20030510110309.04a451d0@pbegames.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200305101520.52513.metrol@metrol.net>
Subject: Re: Down the MPD road
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 10 May 2003 22:21:13 -0000

On Saturday 10 May 2003 08:04 am, Mark Thomas wrote:
> At 05:59 PM 5/10/03 +0300, Peter Pentchev wrote:
> >I cannot test this right now, so it is quite probable that you are
> >right, but couldn't this be controlled by the Properties >> Networking
> >
> > >> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
> > >> Use default gateway on remote network?
> >
> >Granted, that's a hell of a place to bury a little checkbox, but could
> >this possibly help? :)
>
> It's available on the VPN dialog page under TCP/IP properties, at least in
> W98/2000.

That checkbox is also in XP. The default is checked.

Later on,
--
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too
dark to read."
- Groucho Marx

From owner-freebsd-security@FreeBSD.ORG Sat May 10 22:49:14 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A88CA37B401 for ; Sat, 10 May 2003 22:49:14 -0700 (PDT)
Received: from swisseasy.net (dns1.swisseasy.net [195.134.144.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11F5343FCB for ; Sat, 10 May 2003 22:49:13 -0700 (PDT) (envelope-from arie@gerszt.ch)
Received: (qmail 57470 invoked by uid 85); 11 May 2003 05:01:01 -0000
Received: from arie@gerszt.ch by caramba.gerszt.ch by uid 82 with qmail-scanner-1.16 (sweep: 2.14/3.66 NSV. spamassassin: 2.44. Clear:. Processed in 3.764471 secs); 11 May 2003 05:01:01 -0000
Received: from unknown (HELO DELLARIE) (212.41.85.210) by mail.swisseasy.net with SMTP; 11 May 2003 05:00:57 -0000
From: "Arie J. Gerszt"
To:
Date: Sun, 11 May 2003 07:49:06 +0100
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: md5 hash request:
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 11 May 2003 05:49:14 -0000

Hi

Does anybody have the md5 hash value of /usr/bin/netstat of a FreeBSD 4.4
RELEASE #0 which was securely boxed?

Thank you

Arie
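Editor's note on the request above, with an added example that is mine and not from anyone on the list: a hash of one binary obtained from a stranger's machine proves only that the two boxes match each other, so the reference value has to come from your own install media or from a freshly installed system that has never been on the network, and it has to be taken for the whole set of files an intruder would replace (ls, ps, netstat, login, sshd, ...), not just one of them. MD5 is also no longer collision-resistant, so record SHA-256 beside it. The script below builds such a baseline manifest for a directory tree and re-checks it later, which is the same idea as FreeBSD's mtree(8) with `-K md5digest`. It assumes GNU `md5sum`/`sha256sum` or BSD `md5 -q`/`sha256 -q` on the PATH; the manifest file name and the `/usr/bin` default are choices made for this example.

```shell
#!/bin/sh
# Baseline-and-verify script for system binaries (added example, not from the thread).
# Assumes md5sum/sha256sum (GNU coreutils) or md5/sha256 with -q (BSD) are installed.

# hash_file FILE -> prints "MD5 SHA256" for FILE on one line
hash_file() {
    f="$1"
    if command -v md5sum >/dev/null 2>&1; then
        m=$(md5sum "$f" | cut -d' ' -f1)
    else
        m=$(md5 -q "$f")
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        s=$(sha256sum "$f" | cut -d' ' -f1)
    else
        s=$(sha256 -q "$f")
    fi
    printf '%s %s\n' "$m" "$s"
}

# make_manifest DIR MANIFEST
# Records one line "MD5 SHA256 PATH" per regular file under DIR, in a fixed order.
# Hashes come first so that a PATH containing spaces survives a later read(1).
# Store MANIFEST somewhere the monitored host cannot alter (read-only media, another box).
make_manifest() {
    dir="$1"; out="$2"
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# check_manifest MANIFEST
# Re-hashes every recorded file; prints MISSING/MODIFIED lines and returns 1 on any
# deviation, 0 when everything still matches the baseline.
check_manifest() {
    manifest="$1"
    rc=0
    while IFS=' ' read -r md5 sha path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        now=$(hash_file "$path")
        if [ "$now" != "$md5 $sha" ]; then
            echo "MODIFIED $path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Command-line use (hypothetical defaults chosen for the example):
#   sh baseline.sh baseline /usr/bin baseline.manifest   # on the known-good system
#   sh baseline.sh check baseline.manifest               # later, on the suspect system
case "${1:-}" in
    baseline) make_manifest "${2:-/usr/bin}" "${3:-baseline.manifest}" ;;
    check)    check_manifest "${2:-baseline.manifest}" ;;
esac
```

Run the `check` step from a trusted shell and, ideally, from a trusted copy of the hashing tools as well: a rootkit that has replaced `netstat` can just as easily replace `md5`, `find` or `sh`, which is why the comparison is worth most when the disk is mounted from clean boot media.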
