From owner-freebsd-security@FreeBSD.ORG Sat May 31 21:05:59 2003
Date: Sat, 31 May 2003 22:04:24 -0600 (MDT)
From: Brett Glass
To: duke@irpen.kiev.ua, freebsd-security@freebsd.org
Message-Id: <200306010404.WAA03959@lariat.org>
In-Reply-To: <20030531122028.A16361@irpen.kiev.ua>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

I don't use IPFW and IPFilter together, but IIRC IPFilter steps between everything else (except for bpf) and the interface. Same for IPNAT, which integrates with IPFilter.

Since the advent of pf and altq, OpenBSD has had a better firewall architecture than any of the other BSDs, IMHO. pf can do things which are awkward in other systems because features were kludged in later.

I've always thought that it would be cool to be able to integrate firewall components into FreeBSD via its unique NetGraph system. This would let you filter specific flows of packets very efficiently.

--Brett

From owner-freebsd-security@FreeBSD.ORG Sun Jun 1 03:01:25 2003
Date: Sun, 1 Jun 2003 13:59:08 +0400
From: "Nickolay A. Kritsky"
To: Avleen Vig
cc: security@freebsd.org
Message-ID: <13228662178.20030601135908@internethelp.ru>
In-Reply-To: <20030530222255.GZ294@silverwraith.com>
References: <20030530222255.GZ294@silverwraith.com>
Subject: Re: IPFW logging brokeness?

Hello Avleen,

Saturday, May 31, 2003, 2:22:55 AM, you wrote:

AV> My rule:
AV> add 100 allow log tcp from any to limit src-addr 2
AV> I want connecting parties to be able to form no more than 2 connections.
AV> This works perfectly, just as I'd expect it to.
AV> Except for 'log'.
AV> All I want is to have the first packet of a connection match, like
AV> IPF's "log first" capability.

Try this:

    90 pass tcp from any to any established
    100 allow log tcp from any to limit src-addr 2

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Sun Jun 1 06:28:30 2003
Date: Sun, 1 Jun 2003 09:27:06 -0400 (EDT)
From: Alwyn Goodloe
To: Nielsen
cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20030530195629.2282B3FF312@mail.npubs.com>
Subject: Re: IP SEC filtering issue

Thanks for your advice.

Alwyn

On Fri, 30 May 2003, Nielsen wrote:

> From experience I've found you have to break these things up on
> different machines. I don't have an intimate knowledge of how and when
> the IPSEC processing gets done in the kernel, and maybe if someone did
> they could figure out how and if you could do all of this on single
> machines.
>
> But in our case, we break down the tasks between machines (traffic
> splitter, ipsec processing, etc...) and it works like a charm. It's
> also *much* easier to figure out what's wrong, heh. The machines don't
> have to be powerful.
>
> Nate
>
> ----- Original Message -----
> From: "Alwyn Goodloe"
> To:
> Sent: Wednesday, May 28, 2003 14:44
> Subject: IP SEC filtering issue
>
> > First thing to note is that I am using FreeBSD 4.8.
> >
> > We would like to send only the syn packet of a tcp connection through
> > certain ipsec tunnels and the rest of the packets in a connection through
> > a simple transport mode setup. Yeah, I know it's strange but what can I
> > say -- we do a lot of strange things. From the best I can tell, the
> > setkey/spdadd filtering capability isn't sophisticated enough to detect
> > syn packets. Since ipfw does do this sort of thing we can use this to
> > filter out the syn packet and using divert sockets (we have a lot of
> > experience at writing divert sockets) we can put a wrapper
> > around it so that it goes to a particular port. Since ipsec can filter on
> > ports, we can just filter that out. The process should look something
> > like:
> >
> > syn ---> diverted and wrapped to head for port X ---->
> > ipsec filters on port X sends it into tunnel .........
> >
> > ........... ipsec does its thing ---> divert socket unwraps ---> sends
> > the packet on its way (not passing through ipsec again).
> >
> > The divert socket solution seems to work fine on the sending side, but
> > there seems to be problems on the receiving side. I suspect that ipfw is
> > looking at the packet before ipsec or some such thing. I know that there
> > were postings about the interaction of ipfw and ipsec and that some of
> > these were going to be fixed in 4.8.
> >
> > If any of you know of a way to get ipsec to filter on syn packets let me
> > know. If you have ever tried to get divert sockets and ipsec working at
> > the same time let me know the secret. I suspect I'm just going to have
> > to hack the ipsec filter to get it to filter on syn packets. Any ideas as
> > to how hard this will be?
> >
> > Alwyn Goodloe
> >
> > agoodloe@saul.cis.upenn.edu
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 05:56:30 2003
Date: Mon, 2 Jun 2003 08:56:29 -0400 (EDT)
From: Support
To: freebsd-security@freebsd.org
Message-ID: <20030602085600.B84160@alice.netmint.com>
Subject: quick poppassd question

Hello,

I did a quick change to the patched port of poppassd and am wondering if you think my code would introduce any potential problems.

The idea is right after we check if the username exists, also check if the UID of that username is over 1000. I wanted to make sure that no one monkeys around with privileged users once poppassd is running.

So, the middle chunk of code is mine, everything else has been there before me.

What's the general feeling about the security of poppassd provided that users with valid passwords already have shell access to the system, and now nobody can try to change privileged accounts' passwords?

--- cut ---

    if ((pw = getpwnam (user)) == NULL)
    {
        syslog (LOG_ERR, "Unknown user, %s", user);
        sleep (5);
        WriteToClient ("500 Old password is incorrect.");
        exit(1);
    }

    /* begin added code */
    if ((pw->pw_uid) < 1001)
    {
        syslog (LOG_ERR, "Privileged user, %s", user);
        sleep (5);
        WriteToClient ("500 Old password is incorrect.");
        exit(1);
    }
    /* end added code */

    if (chkPass (user, oldpass, pw) == FAILURE)
    {
        syslog (LOG_ERR, "Incorrect password from %s", user);
        sleep (5);
        WriteToClient ("500 Old password is incorrect.");
        exit(1);
    }

--- cut ---

Perhaps if this passes everyone's scrutiny, it could be added as yet another patch to poppassd with the min UID defined somewhere in the Makefile or poppassd.c.

Thanks for your help,
Andrew

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 06:04:01 2003
Date: Mon, 02 Jun 2003 08:02:24 -0500
From: Eric Anderson
To: Support
cc: freebsd-security@freebsd.org
Message-ID: <3EDB4AE0.8060408@centtech.com>
References: <20030602085600.B84160@alice.netmint.com>
Subject: Re: quick poppassd question

Support wrote:
> Hello,
>
> I did a quick change to the patched port of poppassd and am wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists, also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with privileged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd provided that
> users with valid passwords already have shell access to the system, and
> now nobody can try to change privileged accounts' passwords?

I usually don't give pop users shell access, unless they really need it. That's just me though.

> --- cut ---
>
> if ((pw = getpwnam (user)) == NULL)
> {
>     syslog (LOG_ERR, "Unknown user, %s", user);
>     sleep (5);
>     WriteToClient ("500 Old password is incorrect.");
>     exit(1);
> }
>
> /* begin added code */
> if ((pw->pw_uid) < 1001)
> {
>     syslog (LOG_ERR, "Privileged user, %s", user);
>     sleep (5);
>     WriteToClient ("500 Old password is incorrect.");

Wouldn't it be better to send a more descriptive error message back? Maybe something like "500 Denied for privileged user"?

Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 06:20:57 2003
Date: Mon, 2 Jun 2003 09:20:48 -0400 (EDT)
From: Support
To: Eric Anderson
cc: freebsd-security@freebsd.org
Message-ID: <20030602091702.J85433@alice.netmint.com>
In-Reply-To: <3EDB4AE0.8060408@centtech.com>
References: <20030602085600.B84160@alice.netmint.com> <3EDB4AE0.8060408@centtech.com>
Subject: Re: quick poppassd question

> I usually don't give pop users shell access, unless they really need
> it. That's just me though.

You're absolutely right. Neither do I. I was speaking from the standpoint of: if at least one user has shell access...

> > --- cut ---
> >
> > if ((pw = getpwnam (user)) == NULL)
> > {
> >     syslog (LOG_ERR, "Unknown user, %s", user);
> >     sleep (5);
> >     WriteToClient ("500 Old password is incorrect.");
> >     exit(1);
> > }
> >
> > /* begin added code */
> > if ((pw->pw_uid) < 1001)
> > {
> >     syslog (LOG_ERR, "Privileged user, %s", user);
> >     sleep (5);
> >     WriteToClient ("500 Old password is incorrect.");
>
> Wouldn't it be better to send a more descriptive error message back?
> Maybe something like "500 Denied for privileged user"?

Just wanted to let people infinitely try to guess the root password, if they really wanted to.

How is the security of the most recent patched poppassd port in general? Is doing the UID comparison a potential problem? I'm trying to be as conservative as possible with changes to code that runs as root and changes people's passwords. :)

Andrew

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 07:43:09 2003
Date: Mon, 2 Jun 2003 10:43:07 -0400 (EDT)
From: Matthew George
To: Vandyuk Eugene
cc: freebsd-security@freebsd.org
Message-ID: <20030602104108.Q40213@localhost>
In-Reply-To: <20030531122028.A16361@irpen.kiev.ua>
References: <20030531122028.A16361@irpen.kiev.ua>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

On Sat, 31 May 2003, Vandyuk Eugene wrote:

> Hi.
>
> My FreeBSD 4.8 is configured with IPFW2+IPF+IPNAT and I use them all:
> - IPFW - traffic accounting, shaping, balancing and filtering;
> - IPFilter - policy routing;
> - IPNAT - masquerading.
> I want to know how IP packets flow through all of these components.
> What's the path?
> incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> Is this correct? Or does IPNAT on the incoming packets run before IPFW L3:
> incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> I think this path is preferable, because IPFW always uses
> unmasqueraded IP headers.
>
> Any help appreciated.

I have ipfw compiled in and run ipfilter as a kld.

The way it works is ipfw -> ipnat -> ipfilter.

ipnat and all state matching for ipfilter is performed prior to ruleset processing.

--
Matthew George
SecureWorks Technical Operations

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 07:48:30 2003
Date: Mon, 2 Jun 2003 17:47:58 +0300
From: Vlad GALU
To: freebsd-security@freebsd.org
Message-Id: <20030602174758.3f85db72.vladg@vipnet.ro>
In-Reply-To: <20030602104108.Q40213@localhost>
References: <20030531122028.A16361@irpen.kiev.ua> <20030602104108.Q40213@localhost>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
On Mon, 2 Jun 2003 10:43:07 -0400 (EDT)
Matthew George wrote:

> On Sat, 31 May 2003, Vandyuk Eugene wrote:
>
> > Hi.
> >
> > My FreeBSD 4.8 is configured with IPFW2+IPF+IPNAT and I use them all:
> > - IPFW - traffic accounting, shaping, balancing and filtering;
> > - IPFilter - policy routing;
> > - IPNAT - masquerading.
> > I want to know how IP packets flow through all of these components.
> > What's the path?
> > incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> > outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> > Is this correct? Or does IPNAT on the incoming packets run before IPFW L3:
> > incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> > I think this path is preferable, because IPFW always uses
> > unmasqueraded IP headers.
> >
> > Any help appreciated.

Example one: IPF is compiled in the kernel, IPFW is a module. In this case IPFW stands 'outside' of IPF. Example two: vice versa: the order in which they take action is reversed too. IPNAT is always 'outside' IPF.

> I have ipfw compiled in and run ipfilter as a kld
>
> the way it works is ipfw -> ipnat -> ipfilter
>
> ipnat and all state matching for ipfilter is performed prior to ruleset
> processing
>
> --
> Matthew George
> SecureWorks Technical Operations

--
Vlad Galu
Network Administrator
VipNET Bucharest
tel: 021/3039940
email: vladg@vipnet.ro
web: http://www.vipnet.ro
PGP: http://mirapoint.vipnet.ro/public_key.pgp

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 08:19:33 2003
Date: Mon, 2 Jun 2003 18:17:53 +0300
From: Vandyuk Eugene
To: Matthew George
cc: freebsd-security@freebsd.org
Message-ID: <20030602181753.A27202@irpen.kiev.ua>
In-Reply-To: <20030602104108.Q40213@localhost>
References: <20030531122028.A16361@irpen.kiev.ua> <20030602104108.Q40213@localhost>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

On Mon, Jun 02, 2003 at 10:43:07AM -0400, Matthew George wrote:
> On Sat, 31 May 2003, Vandyuk Eugene wrote:
>
> > What's the path?
> > incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> > outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> > Is this correct? Or does IPNAT on the incoming packets run before IPFW L3:
> > incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> > I think this path is preferable, because IPFW always uses
> > unmasqueraded IP headers.
>
> I have ipfw compiled in and run ipfilter as a kld
>
> the way it works is ipfw -> ipnat -> ipfilter
>
> ipnat and all state matching for ipfilter is performed prior to ruleset
> processing

But this way is only for incoming packets. And what's the way for outgoing?
IPFW -> IPFilter -> IPNAT OR IPFilter -> IPNAT -> IPFW ???

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 08:21:08 2003
Date: Mon, 2 Jun 2003 18:22:31 +0300
From: Vlad Galu
To: freebsd-security@freebsd.org
Message-Id: <20030602182231.47fec3ea.vladg@vipnet.ro>
In-Reply-To: <20030602181753.A27202@irpen.kiev.ua>
References: <20030531122028.A16361@irpen.kiev.ua> <20030602104108.Q40213@localhost> <20030602181753.A27202@irpen.kiev.ua>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

On Mon, 2 Jun 2003 18:17:53 +0300
Vandyuk Eugene wrote:

> On Mon, Jun 02, 2003 at 10:43:07AM -0400, Matthew George wrote:
> > On Sat, 31 May 2003, Vandyuk Eugene wrote:
> >
> > > What's the path?
> > > incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> > > outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> > > Is this correct? Or does IPNAT on the incoming packets run before IPFW L3:
> > > incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> > > I think this path is preferable, because IPFW always uses
> > > unmasqueraded IP headers.
> >
> > I have ipfw compiled in and run ipfilter as a kld
> >
> > the way it works is ipfw -> ipnat -> ipfilter
> >
> > ipnat and all state matching for ipfilter is performed prior to ruleset
> > processing
>
> But this way is only for incoming packets. And what's the way for outgoing?
> IPFW -> IPFilter -> IPNAT OR IPFilter -> IPNAT -> IPFW ???

It's the same way as for input, only in reverse order.

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 08:37:28 2003
Date: Mon, 02 Jun 2003 11:36:53 -0400
From: Mike Tancsa
To: security@freebsd.org
Message-Id: <5.2.0.9.0.20030602113454.047e4088@209.112.4.2>
Subject: sbsize and local DoS issue via kernel panic

I noticed with active ftp clients (specifically IMP's .forward modification plugin), an sbsize of something under 32M in /etc/login.conf on the target server now gives

    Can't create data socket (M-^A> (^A,_^R(^C): No buffer space available.

in the ftp logs. What is a safe value to prevent users from abusing the system by eating up all mbufs? There is a local DoS if sbsize was left as unlimited.
(http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=20000603234039.X17973_fw.wintelcom.net%40ns.sol.net&rnum=2&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dsbsize%2Bfreebsd%2Bdos)

32MB seems like an oddly large number for just a small ftp session. This changed sometime between Jan 21st and Feb 15th it would seem. Previously an sbsize of

    :sbsize=512K:\

would work just fine. Not sure if it's ftpd or something in the kernel? Is there any way for an active ftp session to work as well as protecting my system from a local DoS?
---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 09:38:33 2003
Date: Mon, 2 Jun 2003 11:34:34 -0500
From: Pete Fritchman
To: Troy Settle
cc: 'Support', 'Mark Sergeant', 'Wolfpaw - Dale Corse', isp@freebsd.org, security@freebsd.org
Message-ID: <20030602163434.GB33375@absolutbsd.org>
In-Reply-To: <001b01c3291e$80b3ca90$23fbab3f@psknet.com>
References: <1054567925.17084.7.camel@xyzzy.wireless.snsonline.net> <001b01c3291e$80b3ca90$23fbab3f@psknet.com>
Subject: Re: quick poppassd question

++ 02/06/03 11:49 -0400 - Troy Settle:
| Perhaps someone can shed more light on the subject, but it's my
| impression that most system processes run with a UID/GID under 100. So a
| uid < 100 should deny the change request.

UIDs up to and including 999 are reserved for system use. For example, see this section in the porters handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-uid.html

--pete

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 09:44:25 2003
Date: Mon, 2 Jun 2003 12:43:52 -0400
From: Scott Lambert
To: isp@freebsd.org, security@freebsd.org
Message-ID: <20030602164352.GA80586@laptop.lambertfam.org>
References: <001b01c3291e$80b3ca90$23fbab3f@psknet.com>
Subject: Re: quick poppassd question

On Mon, Jun 02, 2003 at 10:50:38AM -0600, Wolfpaw - Dale Corse wrote:
> > Perhaps someone can shed more light on the subject, but it's my
> > impression that most system processes run with a UID/GID
> > under 100. So a uid < 100 should deny the change request.
>
> Perhaps, though the trend is running most things as non-priv
> users, because it minimizes the damage to the server if a
> process is compromised. Generally "non-system" accounts seem
> to start at 1000 (BSD, and most Linux), or 500 (notably Redhat)
> so.. you may want to use 500 as the magic number for portability
> reasons.

Make it configurable!!! Set a default but don't make hard coded assumptions about someone else's systems. On FreeBSD, the default should probably be 1000.

    make NON_SYSTEM_ACCT_START=4321

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 09:55:50 2003
Date: Mon, 2 Jun 2003 11:51:53 -0500
From: Pete Fritchman
To: Wolfpaw - Dale Corse
cc: isp@freebsd.org, security@freebsd.org
Message-ID: <20030602165153.GD33375@absolutbsd.org>
References: <20030602163434.GB33375@absolutbsd.org>
Subject: Re: quick poppassd question

[ cc list trimmed some ]

++ 02/06/03 10:56 -0600 - Wolfpaw - Dale Corse:
| In freebsd.. and most other things.. but some *cough* large corporate
| linux distros *cough*redhat*cough* ignore such de facto standards..
we | must consider portability especially if the patch will be submitted | for integration into the package..no? :) Right, so in config.h (or wherever), '#define MAX_SYSTEM_UID 999' and allow people to tweak it. --pete From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 10:07:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25F3037B401 for ; Mon, 2 Jun 2003 10:07:20 -0700 (PDT) Received: from mail.silverwraith.com (66-214-182-79.la-cbi.charterpipeline.net [66.214.182.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 308EB43F85 for ; Mon, 2 Jun 2003 10:07:19 -0700 (PDT) (envelope-from avleen@silverwraith.com) Received: from avleen by mail.silverwraith.com with local (Exim 4.14) id 19MsmE-000Emg-UI for security@freebsd.org; Mon, 02 Jun 2003 10:07:18 -0700 Date: Mon, 2 Jun 2003 10:07:18 -0700 From: Avleen Vig To: security@freebsd.org Message-ID: <20030602170718.GU294@silverwraith.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.4i Sender: Avleen Vig Subject: Exim as default MTA? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Jun 2003 17:07:20 -0000 Yes, I've been reading /. :) But this isn't the first time this has occured to me. With all the security vulnerbilties, would it be unreasonable to either change the default MTA from sendmail to Exim/Qmail/Postfix, or give people the option of installing something instead of Sendmail at install time? -- Avleen Vig "Say no to cheese-eating surrender-monkeys" Systems Admin "Fast, Good, Cheap. Pick any two." www.silverwraith.com "Move BSD. For great justice!" 
From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 10:17:54 2003
Date: Mon, 2 Jun 2003 19:17:41 +0200
From: Sheldon Hearn
To: Avleen Vig
cc: security@FreeBSD.org
Message-ID: <20030602171741.GW84604@starjuice.net>
In-Reply-To: <20030602170718.GU294@silverwraith.com>
Subject: Re: Exim as default MTA?

On (2003/06/02 10:07), Avleen Vig wrote:
> Yes, I've been reading /. :)
> But this isn't the first time this has occurred to me.
>
> With all the security vulnerabilities, would it be unreasonable to either
> change the default MTA from sendmail to Exim/Qmail/Postfix, or give
> people the option of installing something instead of Sendmail at install
> time?

Please check this subject out in the mailing list archives before dredging it up again.

The short answer is no.

The long answer is that the project would be willing to accept a change to sysinstall so that it allowed a choice of MTA at install time, with sendmail being the default. This requires work which nobody has stepped up to perform. :-)

Ciao,
Sheldon.

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 10:48:23 2003
Date: Mon, 2 Jun 2003 20:49:04 +0300 (EAT)
From: ziggy@one2net.co.ug (David)
cc: security@freebsd.org
Message-ID: <61371.216.250.215.27.1054576144.squirrel@webmail.sanyutel.com>
In-Reply-To: <20030602170718.GU294@silverwraith.com>
Subject: Re: Exim as default MTA?

If you are not installing the MTA for them, school them about the history of sendmail and other MTAs. Don't make it long and boring; just for schooling purposes, touch each MTA and explain why each is used and not used, if you can get into that nitty-gritty detail.

If you are installing the MTA for them, I would suggest you go with Exim or Postfix; they have proved to be very good and easy to get along with while secure also.

cheers
David

> Yes, I've been reading /. :)
> But this isn't the first time this has occurred to me.
>
> With all the security vulnerabilities, would it be unreasonable to either
> change the default MTA from sendmail to Exim/Qmail/Postfix, or give
> people the option of installing something instead of Sendmail at
> install time?
>
> --
> Avleen Vig              "Say no to cheese-eating surrender-monkeys"
> Systems Admin           "Fast, Good, Cheap. Pick any two."
> www.silverwraith.com    "Move BSD. For great justice!"

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 11:02:32 2003
Date: Mon, 2 Jun 2003 11:02:31 -0700 (PDT)
From: FreeBSD bugmaster
To: security@FreeBSD.org
Message-Id: <200306021802.h52I2VvC081771@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 16:13:02 2003
Date: Mon, 2 Jun 2003 20:11:40 -0300 (ART)
From: Fernando Gleiser
To: Vlad GALU
cc: freebsd-security@freebsd.org
In-Reply-To: <20030602174758.3f85db72.vladg@vipnet.ro>
Message-ID: <20030602200857.T6733-100000@cactus.fi.uba.ar>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

On Mon, 2 Jun 2003, Vlad GALU wrote:

> Example one: IPF is compiled in kernel, IPFW is a module. In this case
> IPFW stands 'outside' of IPF.
> Example two: viceversa: the order in which they take action is reversed
> too.

Are you sure? Last time I saw the code (almost a year ago) it didn't make a difference if they were loaded as modules or compiled in kernel. The hooks were in the same place.

> IPNAT is always 'outside' IPF.

Or, in other words, IPF always 'sees' the real IPs, not the NATed ones.

Fer

From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 16:27:11 2003
Date: Mon, 2 Jun 2003 16:27:10 -0700 (PDT)
From: Paulo Roberto
To: freebsd-security@freebsd.org
Message-ID: <20030602232710.20360.qmail@web14908.mail.yahoo.com>
In-Reply-To: <20030602200857.T6733-100000@cactus.fi.uba.ar>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

--- Fernando Gleiser wrote:
> On Mon, 2 Jun 2003, Vlad GALU wrote:
> Or, in other words, IPF always 'sees' the real IPs, not the NATed
> ones.

Is it also true for IPFW? Do the rules always apply to the real addresses instead of the natted ones? So why must the "divert natd" rule be the first rule in ipfw? (in rc.firewall it is rule 00050). Is the packet reinserted on the queue, or does it just wait for a "pass" rule so it can be put on rule #00050 and go on?

TIA

Paulo Roberto

__________________________________
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com

From owner-freebsd-security@FreeBSD.ORG Tue Jun 3 07:36:24 2003
Date: Tue, 3 Jun 2003 10:36:20 -0400 (EDT)
From: Matthew George
To: Paulo Roberto
cc: freebsd-security@freebsd.org
In-Reply-To: <20030602232710.20360.qmail@web14908.mail.yahoo.com>
Message-ID: <20030603103402.A40213@localhost>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?

On Mon, 2 Jun 2003, Paulo Roberto wrote:

> --- Fernando Gleiser wrote:
> > On Mon, 2 Jun 2003, Vlad GALU wrote:
> > Or, in other words, IPF always 'sees' the real IPs, not the NATed
> > ones.
>
> Is it also true for IPFW? Do the rules always apply to the real
> addresses instead of the natted ones? So why must the "divert natd"
> rule be the first rule in ipfw? (in rc.firewall it is rule 00050).
> Is the packet reinserted on the queue, or does it just wait for a "pass" rule so
> it can be put on rule #00050 and go on?
>
> TIA
>
> Paulo Roberto
>

It depends on where the divert rule is. If it's the first rule, then yes. You can do pre-nat filtering by placing rules before the divert if you want. I typically do all my RFC1918 et al. filtering on my external interfaces pre-nat.

--
Matthew George
SecureWorks Technical Operations

From owner-freebsd-security@FreeBSD.ORG Tue Jun 3 12:56:49 2003
Date: Tue, 03 Jun 2003 16:56:42 -0300
From: "Mario Lobo"
To: freebsd-security@freebsd.org
Message-ID: <3EDCD34A.11462.73FFB5@localhost>
Subject: Awfully OT Question.
Please forgive me for this terribly off-topic question, but could anyone on this list point me in the proper direction for info on getting the ALSA sound driver to work under FreeBSD (if that is at all possible!!)? I figured there are many kernel experts here who would have an idea about this. I looked on the FreeBSD and ALSA sites and there is no mention of each other on either.

Again, sorry and Thanks!

--
  //|  //||
 // | //  ||
-//--//--||  ARIO LOBO
//  //   ||
---------------------
mlobo@nlink.com.br
mallavoodoo@nlink.com.br
http://www.mallavoodoo.com.br

From owner-freebsd-security@FreeBSD.ORG Tue Jun 3 13:48:09 2003
Date: Tue, 03 Jun 2003 13:48:57 -0700
From: Sean Murphy
To: freebsd-security@freebsd.org
Message-Id: <5.2.1.1.0.20030603134411.00b13160@muse.calarts.edu>
Subject: natd and logging

I have set up natd, enabled logging with -l, and it is working perfectly. However, is there a more detailed log to see the translation tables? I need to log the internal IP address 172.*.*.* to the outside with what port is being used. natd just seems to log the statistics such as icmp=5 and so on. If natd does not have this function, what does?

From owner-freebsd-security@FreeBSD.ORG Tue Jun 3 21:55:15 2003
Date: Wed, 4 Jun 2003 06:55:10 +0200
From: Anderso Olsén
Message-ID: <002001c32a55$7a739dd0$3ec8a8c0@AOLSEN>
Subject: SecurID client lib for freebsd

Hope I'm not too much OT here.

Does anyone know if there is a FreeBSD version of the SecurID client lib available from RSA or elsewhere.

Contents:

    -r--r-----  2 root  wheel  70894 May  6  1999 libsdiclient.a
    -r--r-----  1 root  wheel   1974 Jun  4  1999 sdacmvls.h
    -r--r-----  1 root  wheel   2645 Jun  4  1999 sdconf.h
    -r--r-----  1 root  wheel   2348 Jun  4  1999 sdi_athd.h
    -r--r-----  1 root  wheel   3125 Jun  4  1999 sdi_defs.h
    -r--r-----  1 root  wheel   1949 Jun  4  1999 sdi_size.h
    -r--r-----  1 root  wheel   1780 Jun  4  1999 sdi_type.h
    -r--r-----  2 root  wheel  70894 May  6  1999 sdiclient.a

Regards
Anders Olsen

From owner-freebsd-security@FreeBSD.ORG Wed Jun 4 08:54:52 2003
Date: Wed, 4 Jun 2003 18:52:59 +0300
From: Vandyuk Eugene
To: freebsd-security@freebsd.org
Message-ID: <20030604185259.E29212@irpen.kiev.ua>
References: <20030602174758.3f85db72.vladg@vipnet.ro> <20030602200857.T6733-100000@cactus.fi.uba.ar>
In-Reply-To: <20030602200857.T6733-100000@cactus.fi.uba.ar>; from fgleiser@cactus.fi.uba.ar on Mon, Jun 02, 2003 at 08:11:40PM -0300
Subject: Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT)

On Mon, Jun 02, 2003 at 08:11:40PM -0300, Fernando Gleiser wrote:
> On Mon, 2 Jun 2003, Vlad GALU wrote:
>
> > Example one: IPF is compiled in kernel, IPFW is a module. In this case
> > IPFW stands 'outside' of IPF.
> > Example two: viceversa: the order in which they take action is reversed
> > too.
>
> Are you sure? Last time I saw the code (almost a year ago) it didn't
> make a difference if they were loaded as modules or compiled in kernel.
> The hooks were in the same place.
>
> > IPNAT is always 'outside' IPF.
>
> Or, in other words, IPF always 'sees' the real IPs, not the NATed ones.
>

I have done some tests with IPFW and IPF compiled in kernel and I was confused. Packet flow was:

    OUTGOING: IPF -> IPNAT -> IPFW
    INCOMING: IPNAT -> IPF -> IPFW

As the result, both outgoing/incoming packets are NAT'ed _before_ IPFW?!

Rule matching in IPFW looks very strange:

    add count ip from NAT_IP to any out
    add count ip from any to REAL_IP in

but in IPFilter it looks good:

    permit out from REAL_IP to any
    permit in from any to REAL_IP

So I suggest that in a kernel with IPFW+IPF compiled in, stateful filtering does not work in IPFW but only works in IPFilter???

I think it's wrong and it should be corrected in this way:

    OUTGOING: IPF -> IPNAT -> IPFW
    INCOMING: IPFW -> IPNAT -> IPF

This flow of packets would let IPFW do correct stateful filtering on packets NAT'ed via IPNAT. IPFW would always be 'outside' IPNAT. Also, this way would give more capabilities for building firewalls with all the power and flexibility of IPFW and IPFilter in one kernel.

With respect.
Eugene.
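The address asymmetry Eugene reports can be reproduced without a kernel by modelling each hook as a small function and pushing one outbound packet and its reply through the two orderings. The script below is an added example written for this archive; it is not code from the thread or from FreeBSD, and the three addresses, the port numbers and the one-rule "keep-state / check-state" policy are constructed for the simulation. It shows that under the observed ordering ipfw records the flow with the NAT address on the way out but is handed the reply with the real address on the way in, so its dynamic rule never matches, while under the proposed ordering ipfw sees the NAT address in both directions and the reply is accepted.

```python
"""Model of the ipf / ipnat / ipfw hook orderings discussed in this thread.

Added example, not FreeBSD kernel code: each hook is a small Python object,
so the addresses every filter sees, and whether an ipfw keep-state entry
matches the NATed reply, can be checked for both orderings.
"""
from dataclasses import dataclass, replace

# Constructed addresses for the simulation (not from the thread)
REAL_IP = "192.168.1.10"   # host behind the NAT box
NAT_IP = "203.0.113.1"     # external address ipnat maps it to
SERVER = "198.51.100.5"    # remote peer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Recorder:
    """Stand-in for ipf: only notes the (direction, src, dst) it is shown."""
    def __init__(self):
        self.seen = []

    def out(self, pkt):
        self.seen.append(("out", pkt.src, pkt.dst))
        return pkt

    def inbound(self, pkt):
        self.seen.append(("in", pkt.src, pkt.dst))
        return pkt


class IpNat:
    """Minimal source NAT: REAL_IP -> NAT_IP outbound, reversed for replies."""
    def __init__(self):
        self.table = {}   # (nat_ip, sport) -> real_ip

    def out(self, pkt):
        if pkt.src == REAL_IP:
            self.table[(NAT_IP, pkt.sport)] = pkt.src
            return replace(pkt, src=NAT_IP)
        return pkt

    def inbound(self, pkt):
        real = self.table.get((pkt.dst, pkt.dport))
        return replace(pkt, dst=real) if real else pkt


class Ipfw(Recorder):
    """ipfw with one 'keep-state' rule outbound and 'check-state' inbound."""
    def __init__(self):
        super().__init__()
        self.dynamic = set()  # 4-tuples of flows seen leaving

    def out(self, pkt):
        super().out(pkt)
        self.dynamic.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        super().inbound(pkt)
        # check-state: the reply passes only if its reversed tuple was kept
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic:
            return pkt
        return None  # dropped


def simulate(out_order, in_order):
    """Push one outbound packet and its reply through the hooks in the given
    orders; return what ipf and ipfw saw and whether ipfw passed the reply."""
    ipf, nat, fw = Recorder(), IpNat(), Ipfw()
    hooks = {"ipf": ipf, "ipnat": nat, "ipfw": fw}
    pkt = Packet(REAL_IP, SERVER, 40000, 80)
    for name in out_order:
        pkt = hooks[name].out(pkt)
    # The peer answers to the address it saw, i.e. the NAT address
    reply = Packet(SERVER, NAT_IP, 80, 40000)
    for name in in_order:
        reply = hooks[name].inbound(reply)
        if reply is None:
            break
    return {"ipf": ipf.seen, "ipfw": fw.seen, "reply_passed": reply is not None}


# Ordering observed in the thread: ipnat runs before ipfw in both directions
OBSERVED = simulate(["ipf", "ipnat", "ipfw"], ["ipnat", "ipf", "ipfw"])
# Ordering proposed in the thread: ipfw sits outside ipnat for incoming traffic
PROPOSED = simulate(["ipf", "ipnat", "ipfw"], ["ipfw", "ipnat", "ipf"])

if __name__ == "__main__":
    for label, result in (("observed", OBSERVED), ("proposed", PROPOSED)):
        print(label, result)
```

In both runs ipf sees the real address in both directions, which is why Eugene's IPFilter rules read naturally; only ipfw's view changes with the ordering. The model says nothing about how the real hooks could be reordered, it only makes the consequence of each ordering checkable.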
From owner-freebsd-security@FreeBSD.ORG Wed Jun 4 09:43:24 2003
Date: Wed, 4 Jun 2003 13:40:39 -0300 (ART)
From: Fernando Gleiser
To: Vandyuk Eugene
cc: freebsd-security@freebsd.org
In-Reply-To: <20030604185259.E29212@irpen.kiev.ua>
Message-ID: <20030604133021.H24576-100000@cactus.fi.uba.ar>
Subject: Re: Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT)

On Wed, 4 Jun 2003, Vandyuk Eugene wrote:

>
> I have done some tests with IPFW and IPF compiled in kernel and I was
> confused. Packet flow was:
>
> OUTGOING: IPF -> IPNAT -> IPFW
> INCOMING: IPNAT -> IPF -> IPFW

Yes. From ip_input.c:

    iphack:
            /*
             * Check if we want to allow this packet to be processed.
             * Consider it to be bad if not.
             */
            if (fr_checkp) {
                    struct mbuf     *m1 = m;

                    if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
                            return;
                    ip = mtod(m = m1, struct ip *);
            }
            if (fw_enable && IPFW_LOADED) {

The first 'if' checks if ipf is loaded, and calls the filter function if it is. The second one does the same for ipfw.

And for outgoing packets, from ip_output.c:

            if (fr_checkp) {
                    struct mbuf     *m1 = m;

                    if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
                            goto done;
                    ip = mtod(m = m1, struct ip *);
            }

            /*
             * Check with the firewall...
             * but not if we are already being fwd'd from a firewall.
             */
            if (fw_enable && IPFW_LOADED && !args.next_hop) {

Again, ipf gets called before ipfw.

>
> As the result, both outgoing/incoming packets are NAT'ed _before_ IPFW?!

Yes, if you use ipnat for NAT.

> I think it's wrong and it should be corrected in this way:
>
> OUTGOING: IPF -> IPNAT -> IPFW
> INCOMING: IPFW -> IPNAT -> IPF

There was some discussion some time ago on ipf's mailing list. I don't remember Darren's position on this.
Fer

From owner-freebsd-security@FreeBSD.ORG Wed Jun 4 17:29:37 2003
Date: Wed, 04 Jun 2003 21:29:02 -0300
From: Tony Meman
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Message-ID: <3EDE8ECE.6040400@superig.com.br>
Subject: Non-Executable Stack Patch

I was wondering if there's any non-executable stack patch for FreeBSD's kernel. I searched in google but all I got was some questions in freebsd-security back from 2001 and an answer saying someone heard about a project like this, but no information at all.

Is there any patch like PaX or Openwall available for FreeBSD? I don't want to discuss if it's useless or not since there are a lot of techniques to defeat these protections. I'm not interested in patches for gcc or alikes either.

Regards,

--
Marcello Azambuja

From owner-freebsd-security@FreeBSD.ORG Wed Jun 4 21:23:58 2003
Date: Wed, 4 Jun 2003 21:23:57 -0700 (PDT)
From: Tim Baur
To: freebsd-security@freebsd.org
In-Reply-To: <3EDE8ECE.6040400@superig.com.br>
Message-ID: <0306042122420.58298@neobe.cnanfb.pbz>
Subject: Re: Non-Executable Stack Patch

On Wed, 4 Jun 2003, Tony Meman wrote:

> I was wondering if there's any non-executable stack patch for FreeBSD's
> kernel.

http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html

-tbaur

From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 02:33:38 2003
Date: Thu, 5 Jun 2003 11:33:28 +0200
From: jeremie le-hen
To: Tim Baur
cc: freebsd-security@freebsd.org
Message-ID: <20030605093328.GD22086@carpediem.epita.fr>
In-Reply-To: <0306042122420.58298@neobe.cnanfb.pbz>
Subject: Re: Non-Executable Stack Patch

On Wed, Jun 04, 2003 at 09:23:57PM -0700, Tim Baur wrote:
> On Wed, 4 Jun 2003, Tony Meman wrote:
>
> > I was wondering if there's any non-executable stack patch for
> > FreeBSD's kernel.
> >
> > [...]
> >
> > I'm not interested in patches for gcc or alikes either.
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html

From http://www.trl.ibm.com/projects/security/ssp/ :

<< What's the stack-smashing protector?
It is a GCC (Gnu Compiler Collection) extension for protecting applications from stack-smashing attacks.
Applications written in C will be protected by the method that automatically inserts protection code into an application at compilation time. >>

I also had a quick look at the patch, and it's clearly GCC which is mainly modified. A very few kernel source files are changed, in order to make a panic when a stack overflow occurs within it.

-- 
Jeremie aka TtZ/TataZ
jeremie.le-hen@epita.fr

From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 02:51:36 2003
From: "Erik Paulsen Skaalerud"
To: "'Tim Baur'" ,
Date: Thu, 5 Jun 2003 11:51:40 +0200
Message-ID: <003601c32b48$106ec380$0a00000a@eps>
In-Reply-To: <0306042122420.58298@neobe.cnanfb.pbz>
Subject: RE: Non-Executable Stack Patch

> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
> Sent: Thursday, June 05, 2003 6:24 AM
> To: freebsd-security@freebsd.org
> On Wed, 4 Jun 2003, Tony Meman wrote:
> > I was wondering if there's any non-executable stack patch for
> > FreeBSD's kernel.
> http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
>
> -tbaur

Can anyone here share their experiences with this patch? I've heard very little talk about it really, I'm looking for others' opinions before I try to patch gcc with this. Any major slowdowns on the userland? And if it's major, how much?

Erik.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 06:23:38 2003
From: Niels Heinen
To: Erik Paulsen Skaalerud
cc: freebsd-security@freebsd.org
Date: Thu, 05 Jun 2003 15:18:58 +0200
Message-id: <3EDF4342.808@ubizen.com>
In-reply-to: <003601c32b48$106ec380$0a00000a@eps>
References: <003601c32b48$106ec380$0a00000a@eps>
Subject: Re: Non-Executable Stack Patch

Unfortunately I never got further than creating a port of gcc 3.2.3 that includes the patch (I believe this was suggested on the list a few weeks ago). It's available here:

http://www.heinen.ws/freebsd/

Just fetch the tgz file, unpack it in /usr/ports/lang/ and do a make

Niels

Erik Paulsen Skaalerud wrote:
>>From: owner-freebsd-security@freebsd.org
>>[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
>>Sent: Thursday, June 05, 2003 6:24 AM
>>To: freebsd-security@freebsd.org
>>On Wed, 4 Jun 2003, Tony Meman wrote:
>>
>>>I was wondering if there's any non-executable stack patch for
>>>FreeBSD's kernel.
>>
>>http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
>>
>>-tbaur
>
>Can anyone here share their experiences with this patch? I've heard very
>little talk about it really, I'm looking for others' opinions before I try
>to patch gcc with this. Any major slowdowns on the userland? And if it's
>major, how much?
>
>Erik.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 07:36:19 2003
From: Tim Baur
To: jeremie le-hen
cc: freebsd-security@freebsd.org
Date: Thu, 5 Jun 2003 07:36:18 -0700 (PDT)
Message-ID: <0306050735240.58298@neobe.cnanfb.pbz>
In-Reply-To: <20030605093328.GD22086@carpediem.epita.fr>
References: <3EDE8ECE.6040400@superig.com.br> <0306042122420.58298@neobe.cnanfb.pbz> <20030605093328.GD22086@carpediem.epita.fr>
Subject: Re: Non-Executable Stack Patch

On Thu, 5 Jun 2003, jeremie le-hen wrote:

> I also had a quick look at the patch, and it's clearly GCC which is
> mainly modified. A very few kernel source files are changed, in order to
> make a panic when a stack overflow occurs within it.

I think you may be missing the point, but nonetheless.
-tbaur

From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 23:21:11 2003
From: Uwe Doering
Organization: Private UNIX Site
To: freebsd-security@freebsd.org
Date: Fri, 06 Jun 2003 08:20:58 +0200
Message-ID: <3EE032CA.1060908@geminix.org>
In-Reply-To: <003601c32b48$106ec380$0a00000a@eps>
References: <003601c32b48$106ec380$0a00000a@eps>
Subject: Re: Non-Executable Stack Patch

Hi Erik,

Erik Paulsen Skaalerud wrote:
>>From: owner-freebsd-security@freebsd.org
>>[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
>>Sent: Thursday, June 05, 2003 6:24 AM
>>To: freebsd-security@freebsd.org
>>On Wed, 4 Jun 2003, Tony Meman wrote:
>>
>>>I was wondering if there's any non-executable stack patch for
>>>FreeBSD's kernel.
>>
>>http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
>>
>>-tbaur
>
> Can anyone here share their experiences with this patch? I've heard very
> little talk about it really, I'm looking for others' opinions before I try
> to patch gcc with this. Any major slowdowns on the userland? And if it's
> major, how much?

I've been using this patch for years now, privately and at work (see signature), with no adverse effects. There are a small number of software packages that break with the stack-smashing protector. Mozilla is one of them, and I hear that there is an issue with XFree86-4.x. But then, you can always disable the protector with '-fno-stack-protector', and maybe the problem is already fixed in newer versions of the protector patch. Haven't tried that so far.

As to its reliability, a number of OSs have adopted it already, including OpenBSD. So IMHO it can be considered mature enough for production use. And the potential slowdowns are negligible (<= 8%), read: unnoticeable under real-world conditions.

The downside of this approach is of course that you have to compile everything on your system with the patched GCC for the protection to take effect. If you already have a considerable amount of software installed this can be a lot of work. And you still lose the protection if you install precompiled packages that, in case of FreeBSD, naturally have been built with an unmodified GCC.

However, these caveats aside, this method still gives you the best protection available for FreeBSD today.
     Uwe

-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Fri Jun 6 02:44:35 2003
From: Vandyuk Eugene
To: freebsd-security@freebsd.org
cc: Darren Reed
Date: Fri, 6 Jun 2003 12:44:18 +0300
Message-ID: <20030606124418.A33769@irpen.kiev.ua>
In-Reply-To: <200306050339.h553dPUJ002919@caligula.anu.edu.au>; from avalon@caligula.anu.edu.au on Thu, Jun 05, 2003 at 01:39:25PM +1000
References: <20030604133021.H24576-100000@cactus.fi.uba.ar> <200306050339.h553dPUJ002919@caligula.anu.edu.au>
Subject: Re: Statefull filtering with IPFW + IPFilter (was: Packet flow

On Thu, Jun 05, 2003 at 01:39:25PM +1000, Darren Reed wrote:
> In some mail from Fernando Gleiser, sie said:
> >
> > > OUTGOING: IPF -> IPNAT -> IPFW
> > > INCOMING: IPFW -> IPNAT -> IPF
> >
> > There was some discussion some time ago in ipf's mailing list. I don't remember
> > Darren's position on this.
>
> My perspective is that it best serves IPFilter for it to be like that.
>
> I'm not sure why it isn't, except to say that it's entirely possible that
> I have applied a patch incorrectly.
>
> Darren

But it's not so hard to move the IpHack section in ip_input.c to be called after IPFW processing? In this way we can keep all of the functionality of IPFW, IPFilter and IPNAT. Because now people who want to use IPNAT with its kernel processing (versus natd with userland processing) are forced to use IPFilter and fully rebuild their firewall. Is there some trouble with these changes in ip_input.c processing?

From owner-freebsd-security@FreeBSD.ORG Fri Jun 6 04:29:22 2003
From: "Bjoern A. Zeeb"
To: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org, freebsd-security@freebsd.org, freebsd-doc@FreeBSD.org
Reply-To: freebsd-net@freebsd.org
Date: Fri, 6 Jun 2003 11:28:52 +0000 (UTC)
Subject: Request for documenting IPSec, NAT/divert, ipfw, ipfilter ... in kernel flow ?

Hi,

sorry for cross-mailing. Reply-to: set to freebsd-net.

I have seen some discussion on freebsd-security etc. about some parts of the subject. I have seen older messages in archives. Regularly the same questions seem to come up. I have not found an all-including description of the answer to s.th. like:

"Can anybody tell me the order packets get processed in kernel related to IPSec, NAT/divert, ipfw, ipfilter, ... for incoming, outgoing, forwarding... ?". What about bpf, ... ?

Is there any chance that some of the gurus can draw one or more ascii arts or xfig or whatever images that show the in-kernel packet flow/processing ? Perhaps the doc project would also be happy to include it in the handbook or somewhere else. Would make life much easier for many people.

TIA

-- 
Greetings
Bjoern A.
Zeeb				bzeeb at Zabbadoz dot NeT
56 69 73 69 74			http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Sat Jun 7 04:38:00 2003
From: lupe@lupe-christoph.de (Lupe Christoph)
To: freebsd-security@FreeBSD.ORG
Date: Sat, 7 Jun 2003 13:15:40 +0200
Message-ID: <20030607111540.GC4812@lupe-christoph.de>
Subject: Impossible to IPfilter this?

Hi!

I'm trying to increase security on my FreeBSD 4.8 firewall/DSL router/VPN router. My problem is with firewalling the VPN part. I'm using a tunnel to a RedHat 7.1 box running FreeS/WAN. This tunnel allows traffic from my internal net (172.17.0.0/24) to that box only:

spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique;
spdadd $REDHAT/32 172.17.0.0/24 any -P in ipsec esp/tunnel/$REDHAT-$MYADDR/unique;

What I want to do is prohibit traffic from $REDHAT to 172.17.0.7, the internal address of this FreeBSD box.

I'm using IPFilter, so I inserted a rule like this:

block in log quick from any to 172.17.0.7

It is not attached to any interface, so it should supposedly work even for tunnelled traffic. Only it doesn't.

I tried using GIF devices, but could not get them to work with FreeS/WAN 1.95. Did anybody accomplish this?

I remember talk on this mailing list about making IPSec use an interface even when it is not run with GIFs. I have not followed the FreeBSD 5 work. Is this being integrated there? It would be very useful for this kind of situation, and I'm using it on some other FreeS/WAN box I maintain. But I want to secure my firewall against the other side being taken over, so this does not help me here.

Any hints how to resolve this are welcome. I don't think this is a general IPFilter problem, hence I'm asking on this mailing list rather than that for IPFilter.

Thank you,
Lupe Christoph

PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked. It would be interesting to put the IPSec code in this picture. Are IPSec packets going through *any* of them? With/out GIF?
-- 
| lupe@lupe-christoph.de       |       http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent"                     Lu Tze |
| "Thief of Time", Terry Pratchett                                   |

From owner-freebsd-security@FreeBSD.ORG Sat Jun 7 17:59:32 2003
From: David Schultz
To: Erik Paulsen Skaalerud
cc: freebsd-security@FreeBSD.ORG
Mail-Followup-To: Erik Paulsen Skaalerud , 'Tim Baur' , freebsd-security@freebsd.org
Date: Sat, 7 Jun 2003 17:59:27 -0700
Message-ID: <20030608005927.GA39301@HAL9000.homeunix.com>
In-Reply-To: <003601c32b48$106ec380$0a00000a@eps>
References: <0306042122420.58298@neobe.cnanfb.pbz> <003601c32b48$106ec380$0a00000a@eps>
Subject: Re: Non-Executable Stack Patch

On Thu, Jun 05, 2003, Erik Paulsen Skaalerud wrote:
> > From: owner-freebsd-security@freebsd.org
> > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
> > Sent: Thursday, June 05, 2003 6:24 AM
> > To: freebsd-security@freebsd.org
> > On Wed, 4 Jun 2003, Tony Meman wrote:
> > > I was wondering if there's any non-executable stack patch for
> > > FreeBSD's kernel.
> >http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
> >
> >-tbaur
>
> Can anyone here share their experiences with this patch? I've heard very
> little talk about it really, I'm looking for others' opinions before I try
> to patch gcc with this. Any major slowdowns on the userland? And if it's
> major, how much?

The original StackGuard implementation had massive overhead: several orders of magnitude for common programs. It looks like the fellows at IBM have managed to do significantly better:

http://www.trl.ibm.com/projects/security/ssp/node5.html

I personally am not particularly interested in a fix that makes buffer overflows harder to exploit, given that buffer overflows constitute a problem that can be completely solved without the same performance loss by switching to a safer language. Nevertheless, there's enough useful C code out there that this could be useful. It would be cool to have as an optional part of FreeBSD, assuming we wouldn't have to maintain massive diffs against gcc or something. (gcc uses this by default now, right?)
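The thread above (Jeremie's "panic when a stack overflow occurs", Uwe's '-fno-stack-protector', David's StackGuard overhead) keeps referring to the guard-word check that the stack-smashing protector compiles into each function without showing it. The following is an added illustration, not code from the thread, from IBM's SSP patch or from GCC: it models one protected frame as an ordinary struct (buffer below the guard, guard below the saved return address, the ProPolice layout), runs an unchecked copy through it, and performs the epilogue comparison that decides whether the function may return. The frame struct, the fixed GUARD_VALUE and the all-'A' input are constructed for the example; a real protector draws the guard at random per process and aborts (or, in the kernel, panics) instead of returning a flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Simulated stack frame, lowest address first (constructed layout). */
struct frame {
    char     buf[BUF_SIZE];   /* local character array: where copies land  */
    uint32_t guard;           /* canary the prologue writes                 */
    uint32_t saved_ret;       /* stand-in for the saved return address      */
};

/* Constructed fixed guard. A real protector uses a per-process random
 * value, because a guard the attacker can predict can be rewritten intact. */
static const uint32_t GUARD_VALUE = 0x0AFF0D42u;

/* "Prologue": place the guard between the locals and the saved state. */
static void frame_enter(struct frame *f, uint32_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
    f->saved_ret = ret;
}

/* The kind of unchecked copy the protector guards against: `len` bytes are
 * written into the frame with no bounds check, so anything past BUF_SIZE
 * spills over the guard and then the saved return address. The copy goes
 * through an unsigned char view of the struct so the simulation itself is
 * defined C; it is capped at the frame size for the same reason. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t len)
{
    unsigned char *raw = (unsigned char *)f;
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(raw, src, len);
}

/* "Epilogue": the comparison inserted before the function returns.
 * 1 = guard intact, return is safe; 0 = guard overwritten. */
static int frame_leave_ok(const struct frame *f)
{
    return f->guard == GUARD_VALUE;
}

/* Push `len` bytes of constructed input through one guarded frame.
 * Returns 0 when the guard survives and 1 when the overflow is detected,
 * i.e. the point at which a real protector would abort the process. */
int guarded_copy_detects_overflow(size_t len)
{
    struct frame f;
    unsigned char input[sizeof f];
    size_t i;

    for (i = 0; i < sizeof input; i++)
        input[i] = 'A';           /* constructed payload, no NUL bytes */

    frame_enter(&f, 0xCAFEu);
    unchecked_copy(&f, input, len);
    if (!frame_leave_ok(&f))
        return 1;                 /* caught before the corrupted ret is used */
    return 0;
}

int main(void)
{
    static const size_t lens[] = { 8, BUF_SIZE, BUF_SIZE + 1, BUF_SIZE + 8 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy of %2zu bytes: %s\n", lens[i],
               guarded_copy_detects_overflow(lens[i])
                   ? "guard smashed, would abort"
                   : "guard intact");
    return 0;
}
```

A copy of BUF_SIZE bytes or fewer leaves the guard untouched; one byte more changes the guard's first byte and the epilogue check fails before the corrupted saved_ret could ever be used. This is also the limit of the technique that David's message alludes to: the check only runs at function exit, and only catches writes that pass through the guard on their way to the saved state.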
From owner-freebsd-security@FreeBSD.ORG Sat Jun 7 18:21:49 2003
From: Kris Kennaway
To: Erik Paulsen Skaalerud , 'Tim Baur' , freebsd-security@freebsd.org
Date: Sat, 7 Jun 2003 18:21:48 -0700
Message-ID: <20030608012147.GA3017@rot13.obsecurity.org>
In-Reply-To: <20030608005927.GA39301@HAL9000.homeunix.com>
References: <0306042122420.58298@neobe.cnanfb.pbz> <003601c32b48$106ec380$0a00000a@eps> <20030608005927.GA39301@HAL9000.homeunix.com>
Subject: Re: Non-Executable Stack Patch

On Sat, Jun 07, 2003 at 05:59:27PM -0700, David Schultz wrote:
> could be useful. It would be cool to have as an optional part of
> FreeBSD, assuming we wouldn't have to maintain massive diffs
> against gcc or something. (gcc uses this by default now, right?)

No..there are diffs against gcc to be maintained.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE+4o+rWry0BWjoQKURAkV8AKCZ8X3uQkIEAmJ5uT/d19woKsVfPACfebcf
/6ag0Ju8klRnWFlntDxxv1o=
=s0yX
-----END PGP SIGNATURE-----