From owner-freebsd-security@FreeBSD.ORG Mon Dec 17 06:51:44 2007
Date: Mon, 17 Dec 2007 00:51:39 -0600
From: "W. D."
To: freebsd-security@freebsd.org
In-Reply-To: <20071213183957.B348013C469@mx1.freebsd.org>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org>
Message-Id: <20071217065144.83F6013C447@mx1.freebsd.org>
Subject: IPFW: Blocking me out. How to debug?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Mon, 17 Dec 2007 06:51:44 -0000

How do I tell which rule is blocking me out? SSH *is* working, but others are not.

###############################################################
# ipfw.rules
# ipfw firewall ruleset
# Location: /etc/ipfw.rules
# 2007 Dec 16 21:41

# By default, everything is denied access. You
# need to specifically allow something for it
# to work.

# Loopback:
# Allow anything on the local loopback:
add allow all from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any

# Allow established connections:
add allow tcp from any to any established

# Deny fragmented packets:
add deny ip from any to any frag

# Show pings:
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
add allow icmp from any to any icmptypes 0,8,3

# Allow UDP traceroutes:
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out

# Allow DNS with name server
add allow udp from any to any domain out
add allow udp from any domain to any in

# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow tcp from any to any ssh in setup

# HTTP & HTTPS:
add allow tcp from any to any https in setup
add allow tcp from any to any http in setup

# Mail: SMTP & IMAP:
add allow tcp from any to any smtp in setup
add allow tcp from any to any imap in setup

# FTP:
add allow tcp from any to any ftp in setup
add allow tcp from any to any ftp\-data in setup
add allow tcp from any ftp\-data to any setup out

# Allow NTP in and out
add allow udp from any ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to any ntp in

# Deny and log everything else:
add deny log all from any to any
###############################################################

I tested the syntax using:

  ipfw -n /etc/ipfw.rules

I've got logging working:

/etc/rc.conf: Make certain you have an entry similar to:

  # Log exceptions:
  firewall_logging="YES"

/etc/syslog.conf:

  # Log ipfw events to their own log file:
  !ipfw
  *.*                          /var/log/ipfw/ipfw.log

In the kernel config file, is a limit of 10 too small?

  options IPFIREWALL                    # Required for IPFW
  options IPFIREWALL_VERBOSE            # Optional - logging
  options IPFIREWALL_VERBOSE_LIMIT=10   # Optional - don't get too many log entries
  options IPDIVERT                      # Needed for natd

Any help on this would be greatly appreciated.

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/

From owner-freebsd-security@FreeBSD.ORG Mon Dec 17 10:05:02 2007
Date: Mon, 17 Dec 2007 11:49:21 +0200
From: Tuomo Latto
To: freebsd-security@freebsd.org
Message-ID: <47664621.50909@iki.fi>
In-Reply-To: <20071217065144.83F6013C447@mx1.freebsd.org>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org>
Subject: Re: IPFW: Blocking me out. How to debug?

W. D. wrote:
> How do I tell which rule is blocking me out? SSH *is* working,
> but others are not.

It all depends on what you mean by "blocking you out" and "others".

Did you try *reading* your fw config?

> # Loopback:
> # Allow anything on the local loopback:
> add allow all from any to any via lo0
> add deny ip from any to 127.0.0.0/8
> add deny ip from 127.0.0.0/8 to any
Nope.
> # Allow established connections:
> add allow tcp from any to any established
Nope.
> # Deny fragmented packets:
> add deny ip from any to any frag
Nope.
> # Show pings:
> add count icmp from any to any icmptypes 8 in
Nope.
> # Allow pings, ping replies, and host unreach:
> add allow icmp from any to any icmptypes 0,8,3
Nope.
> # Allow UDP traceroutes:
> add allow udp from any to any 33434-34458 in
> add allow udp from any 33434-34458 to any out
Nope.
> # Allow DNS with name server
> add allow udp from any to any domain out
> add allow udp from any domain to any in
Nope.
> # SSH
> # Note that /etc/hosts.allow has restrictions
> # on which IP addresses are allowed.
> #
> # Allow SSH:
> add allow tcp from any to any ssh in setup
Nope, but this explains SSH working.
> # HTTP & HTTPS:
> add allow tcp from any to any https in setup
> add allow tcp from any to any http in setup
Nope.
> # Mail: SMTP & IMAP:
> add allow tcp from any to any smtp in setup
> add allow tcp from any to any imap in setup
Nope.
> # FTP:
> add allow tcp from any to any ftp in setup
> add allow tcp from any to any ftp\-data in setup
> add allow tcp from any ftp\-data to any setup out
Nope.
> # Allow NTP in and out
> add allow udp from any ntp to 128.252.19.1 ntp out
> add allow udp from 128.252.19.1 ntp to any ntp in
Nope.
> # Deny and log everything else:
> add deny log all from any to any
Bingo!

"ipfw -a list" may also help (packet counts).

> In the kernel config file, is a limit of 10 too small?

You tell us.
http://www.defcon1.org/html/NATD-config/firewall-setup/ipfw-2.html

-- 
Tuomo

... She's dead, Jim. Should we bury her or have some fun?

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 11:12:17 2007
Date: Tue, 18 Dec 2007 12:11:20 +0100 (CET)
From: freebsd001@pc.jgr.de
To: freebsd-security@freebsd.org
Message-Id: <200712181111.lBIBBKrx046341@pc.jgr.de>
Subject: Portaudit database truncated?

December 18, 2007

Dear Madam, dear Sir,

the portaudit database is very small:

  >portaudit -F
  auditfile.tbz  100% of 5688 B  9737 Bps
  New database installed.
  >

In addition, portaudit does not complain about what it did complain about a few days ago. It seems to me that the database is truncated.

By the way: How do I post to a mailing list without being later spammed by the bad guys who harvest e-mail addresses from the mailing list archives?

With best regards
Joachim Griesche
freebsd001@pc.jgr.de

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 13:27:04 2007
Date: Tue, 18 Dec 2007 14:09:22 +0100
From: "Simon L. Nielsen"
To: freebsd001@pc.jgr.de
Cc: freebsd-security@freebsd.org
Message-ID: <20071218130922.GD1226@zaphod.nitro.dk>
In-Reply-To: <200712181111.lBIBBKrx046341@pc.jgr.de>
Subject: Re: Portaudit database truncated?

On 2007.12.18 12:11:20 +0100, freebsd001@pc.jgr.de wrote:
> Dear Madam, dear Sir,
>
> the portaudit database is very small:
>
> >portaudit -F
> auditfile.tbz  100% of 5688 B  9737 Bps
> New database installed.

Bleh, it was broken by a bad entry in the VuXML document.
I have fixed it so the portaudit db should be working again shortly (after next build). Thanks for the report!

> By the way: How do I post to a mailing list without being
> later spammed by the bad guys who harvest e-mail addresses
> from the mailing list archives?

Personally I recommend spam filters instead of trying to hide email addresses. For specific problems like this, the workaround is to contact the FreeBSD Security Team directly as those emails won't be published.

[Further discussion on anti-spam filters to some other list than freebsd-security].

-- 
Simon L. Nielsen
FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 16:16:27 2007
Date: Tue, 18 Dec 2007 23:52:15 +0800
From: "Anjang Aki"
To: freebsd-security@freebsd.org
Subject: Google DNS hacked?

Hi! all,

I don't have any idea how to contact google but if any of you know how to or if there is google staff here they might want to know about this:
http://img443.imageshack.us/img443/2903/googlewhoislolliif6.png

i found this while whoising google.com domain

sorry if i had posted wrongly here

regards
-- 
-- Anjang Aki --

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 16:41:28 2007
Date: Tue, 18 Dec 2007 16:27:16 +0000
From: Luke Marsden
To: Anjang Aki
Cc: freebsd-security@freebsd.org
Message-Id: <1197995237.6839.84.camel@glow>
Subject: Re: Google DNS hacked?

Hi,

This is the result of a prefix search on all domains which *start* with GOOGLE.COM. Hence Google's DNS has not been hacked - rather whoever owns WEB-HACK.COM (for example) has a scary looking registered sub-(sub-sub-) domain. This actually has nothing to do with Google since all sub-domains of WEB-HACK.COM are authoritative for the owners of that domain.

Hope this clears it up.

Cheers,
Luke Marsden
Digital Crocus
www.digital-crocus.com

On Tue, 2007-12-18 at 23:52 +0800, Anjang Aki wrote:
> Hi!
> all,
>
> I don't have any idea how to contact google but if any of you know how
> to or if there is google staff here they might want to know about
> this:
> http://img443.imageshack.us/img443/2903/googlewhoislolliif6.png
>
> i found this while whoising google.com domain
>
> sorry if i had posted wrongly here
>
> regards
>

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 17:04:04 2007
Date: Tue, 18 Dec 2007 16:36:12 +0000
From: "Rob Gallagher"
To: "Anjang Aki"
Cc: freebsd-security@freebsd.org
Message-ID: <1d7a7b9d0712180836s70207fecm734507da70f95856@mail.gmail.com>
Subject: Re: Google DNS hacked?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18/12/2007, Anjang Aki wrote:
> Hi! all,
>
> I don't have any idea how to contact google but if any of you know how
> to or if there is google staff here they might want to know about
> this:
> http://img443.imageshack.us/img443/2903/googlewhoislolliif6.png
>
> i found this while whoising google.com domain
>
> sorry if i had posted wrongly here
>
> regards
>

That whois is a substring search, it's effectively looking for google.com.*

I'm only surprised there's that few of them :)

rg
- -- 
rob.gallagher (at) gmail.com || www.spoofedpacket.net || PK: 0x1DD13A78
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHZ/b8iSgypR3ROngRAtVOAJ911dH87pyno7IJc9ur2ipv+TYymwCgsE+W
yKk2fbnFMa+MeUkor8azkmE=
=dk9y
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 17:08:56 2007
Date: Tue, 18 Dec 2007 11:35:53 -0500 (EST)
From: jerry@syslog.org
To: "Anjang Aki"
Cc: freebsd-security@freebsd.org
Message-ID: <1504.209.134.164.18.1197995753.squirrel@www.stelesys.com>
Subject: Re: Google DNS hacked?

That comes around every now and then. It has to do with the way that the whois database is searched, so it's relatively easy to get a record on the list. If you look carefully, you will see that google.com is at the front of the domain:

  GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM

There are many domains picked on - take a look at microsoft.com as well.

Jerry
http://www.syslog.org

> Hi!
> all,
>
> I don't have any idea how to contact google but if any of you know how
> to or if there is google staff here they might want to know about
> this:
> http://img443.imageshack.us/img443/2903/googlewhoislolliif6.png
>
> i found this while whoising google.com domain
>
> sorry if i had posted wrongly here
>
> regards
>
> -- 
> -- Anjang Aki --
>

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 17:26:17 2007
Date: Tue, 18 Dec 2007 12:10:27 -0500
From: "Matt D. Harris"
To: Anjang Aki
Cc: freebsd-security@freebsd.org
Message-ID: <4767FF03.50803@solitox.net>
Subject: Re: Google DNS hacked?

Those are other entities in the whois, not related to google itself. Read again what the whois output says...

Anjang Aki wrote:
> Hi! all,
>
> I don't have any idea how to contact google but if any of you know how
> to or if there is google staff here they might want to know about
> this:
> http://img443.imageshack.us/img443/2903/googlewhoislolliif6.png
>
> i found this while whoising google.com domain
>
> sorry if i had posted wrongly here
>
> regards
>

-- 
/*
 * mdh - Solitox Networks (Lead Project Engineer)
 * This is where heroes and cowards part ways.
 */

From owner-freebsd-security@FreeBSD.ORG Tue Dec 18 21:25:58 2007
Date: Tue, 18 Dec 2007 12:59:17 -0800 (PST)
From: Tim Clewlow
To: Rob Gallagher, Anjang Aki
Cc: freebsd-security@freebsd.org
In-Reply-To: <1d7a7b9d0712180836s70207fecm734507da70f95856@mail.gmail.com>
Message-ID: <815115.78272.qm@web50305.mail.re2.yahoo.com>
Subject: Re: Google DNS hacked?

--- Rob Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 18/12/2007, Anjang Aki wrote:
> > Hi! all,
> >
> > I don't have any idea how to contact google but if any of you know how
> > to or if there is google staff here they might want to know about
> > this:
> > http://img443.imageshack.us/img443/2903/googlewhoislolliif6.png
> >
> > i found this while whoising google.com domain
> >
> > sorry if i had posted wrongly here
> >
> > regards
> >
>
> That whois is a substring search, it's effectively looking for google.com.*
>
> I'm only surprised there's that few of them :)
>
> rg
>

To get the individual name servers do:

  whois =microsoft.com

This will list all the dns info for each subbed name.

Cheers, Tim
From owner-freebsd-security@FreeBSD.ORG Thu Dec 20 06:39:26 2007
Date: Thu, 20 Dec 2007 00:39:16 -0600
From: "W. D."
To: freebsd-security@freebsd.org
Cc: Tuomo Latto
In-Reply-To: <47664621.50909@iki.fi>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com> <20071213183957.B348013C469@mx1.freebsd.org> <20071217065144.83F6013C447@mx1.freebsd.org> <47664621.50909@iki.fi>
Message-Id: <20071220063926.4B2D113C457@mx1.freebsd.org>
Subject: Re: IPFW: Blocking me out. How to debug?

At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out? SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>> # Loopback:
>> # Allow anything on the local loopback:
>> add allow all from any to any via lo0
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
>Nope.
>> # Allow established connections:
>> add allow tcp from any to any established
>Nope.
>> # Deny fragmented packets:
>> add deny ip from any to any frag
>Nope.
>> # Show pings:
>> add count icmp from any to any icmptypes 8 in
>Nope.
>> # Allow pings, ping replies, and host unreach:
>> add allow icmp from any to any icmptypes 0,8,3
>Nope.
>> # Allow UDP traceroutes:
>> add allow udp from any to any 33434-34458 in
>> add allow udp from any 33434-34458 to any out
>Nope.
>> # Allow DNS with name server
>> add allow udp from any to any domain out
>> add allow udp from any domain to any in
>Nope.
>> # SSH
>> # Note that /etc/hosts.allow has restrictions
>> # on which IP addresses are allowed.
>> #
>> # Allow SSH:
>> add allow tcp from any to any ssh in setup
>Nope, but this explains SSH working.
>> # HTTP & HTTPS:
>> add allow tcp from any to any https in setup
>> add allow tcp from any to any http in setup
>Nope.
>> # Mail: SMTP & IMAP:
>> add allow tcp from any to any smtp in setup
>> add allow tcp from any to any imap in setup
>Nope.
>> # FTP:
>> add allow tcp from any to any ftp in setup
>> add allow tcp from any to any ftp\-data in setup
>> add allow tcp from any ftp\-data to any setup out
>Nope.
>> # Allow NTP in and out
>> add allow udp from any ntp to 128.252.19.1 ntp out
>> add allow udp from 128.252.19.1 ntp to any ntp in
>Nope.
>> # Deny and log everything else:
>> add deny log all from any to any
>Bingo!
>
>
>"ipfw -a list" may also help (packet counts).

I've been banging my head against this for the past few days. I don't get it.

My understanding of the way this is supposed to work is that:

  # HTTP & HTTPS:
  add allow tcp from any to any https in setup
  add allow tcp from any to any http in setup

should let initial HTTP & HTTPS requests through, and that:

  # Allow established connections:
  add allow tcp from any to any established

should allow connections that are "setup" to continue. Do I need a "check-state" or "keep-state" statement somewhere?

I don't understand what is wrong with the last rule:

  # Deny and log everything else:
  add deny log all from any to any

My understanding is that anything that doesn't match the previous rules will match this one and hence be logged and denied. Is this not correct?

Again, I am having a great deal of difficulty understanding why these rules don't work as expected. I've scoured the 'Net and printed out just about every coherent ruleset out there.

Besides adding the "log" keyword on all of the rules, these are the debugging tools I have been using:

  ipfw disable firewall
  ipfw -f flush
  ipfw enable firewall
  /etc/rc.d/ipfw start
  ipfw -a -S -N -t list
  ipfw list
  tail -f /var/log/ipfw/ipfw.log
  tcpdump -i nve0 'proto \tcp && port http'

Could anyone please throw this tired dog a bone?
Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/


From: Nash Nipples
Date: Thu, 20 Dec 2007 01:59:17 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: Re: IPFW: Blocking me out. How to debug?

Dear W.D.,
Do you understand that by adding the rules into kernel space numbered from
zero to sixty five thousand five hundred thirty four you may alter the
behavior of the rule number sixty five thousand five hundred thirty five?
Can you please define and list the goals you are trying to achieve by
altering the default rule in terms you can both explain and understand.

----- Original Message ----
From: W. D.
To: freebsd-security@freebsd.org
Cc: Tuomo Latto
Sent: Thursday, December 20, 2007 8:39:16 AM
Subject: Re: IPFW: Blocking me out. How to debug?


At 03:49 12/17/2007, Tuomo Latto wrote:
>W. D. wrote:
>> How do I tell which rule is blocking me out?
>> SSH *is* working,
>> but others are not.
>
>It all depends on what you mean by "blocking you out" and "others".
>
>
>Did you try *reading* your fw config?
>
>[...]
>
>"ipfw -a list" may also help (packet counts).

>I've been banging my head against this for the past few
>days. I don't get it.
>
>My understanding of the way this is supposed to work is
>that:
>
>  # HTTP & HTTPS:
>  add allow tcp from any to any https in setup
>  add allow tcp from any to any http in setup
>
>should let initial HTTP & HTTPS requests through,
>and that:

That's correct! But you also probably would like the firewall to create a
dynamic rule upon match, so the keep-state option is required.

>  # Allow established connections:
>  add allow tcp from any to any established

Very interesting.

>should allow connections that are "setup" to
>continue. Do I need a "check-state" or "keep-state"
>statement somewhere?

check-state should be applied to incoming packets only, not the dynamically
added ones.

>I don't understand what is wrong with the last rule:
>
>  # Deny and log everything else:
>  add deny log all from any to any

It may lead to console lockup, and there is no other way to log in until
you have physical access to the console.

>My understanding is that anything that doesn't match
>the previous rules will match this one and hence
>be logged and denied. Is this not correct?

Yes, this is very correct. What is recommended is adding a temporary rule
that will allow everything prior to denying everything, so you can see in
the log files what it is literally allowing. Maybe your own log files will
tell you more than mine; cat /var/log/security for details. But after all
it's only a filtering facility; don't expect there are some overframed
packets marching on the wires and seeking their way in.

>Again, I am having a great deal of difficulty
>understanding why these rules don't work as expected.
>I've scoured the 'Net and printed out just about
>every coherent ruleset out there.

This is true for me as well. Nothing ever works as expected; it only
malfunctions when least expected. A good ruleset for starters with little
expectations is the one you can read in the handbook. I can't wait for you
to start quoting its firewall section:
http://www.freeb

sd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

>Besides adding the "log" keyword on all of the rules,
>these are the debugging tools I have been using:
>
>  ipfw disable firewall
>  ipfw -f flush
>  ipfw enable firewall
>  /etc/rc.d/ipfw start
>  ipfw -a -S -N -t list
>  ipfw list
>  tail -f /var/log/ipfw/ipfw.log
>  tcpdump -i nve0 'proto \tcp && port http'

Maybe that is your way, but not the syslogd way. tail /var/log/security,
or less.

>Could anyone please throw this tired dog a bone?

To be honest it's quite difficult to read someone else's code, but if you
define the goals you are trying to achieve

For example, what is this?
>> add deny ip from any to 127.0.0.0/8
>> add deny ip from 127.0.0.0/8 to any
From: Tuomo Latto
Date: Thu, 20 Dec 2007 12:38:12 +0200
To: freebsd-security@freebsd.org
Subject: Re: IPFW: Blocking me out. How to debug?

W. D. wrote:
> At 03:49 12/17/2007, Tuomo Latto wrote:
>> W. D. wrote:
>>> How do I tell which rule is blocking me out? SSH *is* working,
>>> but others are not.
>> It all depends on what you mean by "blocking you out" and "others".
>
> I've been banging my head against this for the past few
> days. I don't get it.

To be fair, you never actually said what exactly your problem is or
what it is you are trying to achieve. That makes it very difficult to help.

> My understanding of the way this is supposed to work is
> that:
>
>   # HTTP & HTTPS:
>   add allow tcp from any to any https in setup
>   add allow tcp from any to any http in setup
>
> should let initial HTTP & HTTPS requests through,

Yes, *into* your box. On to the lap of a listening server there.

> and that:
>
>   # Allow established connections:
>   add allow tcp from any to any established
>
> should allow connections that are "setup" to
> continue. Do I need a "check-state" or "keep-state"
> statement somewhere?

Not for TCP. TCP state can be deduced from the status bits in packets.
TCP stack will take care of any false "established" packets.

"setup
        Matches TCP packets that have the SYN bit set but no ACK bit.
        This is the short form of ``tcpflags syn,!ack''."

> I don't understand what is wrong with the last rule:
>
>   # Deny and log everything else:
>   add deny log all from any to any
>
> My understanding is that anything that doesn't match
> the previous rules will match this one and hence
> be logged and denied. Is this not correct?

Yes. It blocks everything else. There is nothing wrong with it.
See /var/log/security for logged packets.

The problem is that the allow rules are not working as you would expect.
You could see if dropping out the "in setup" in HTTP/HTTPS rules makes
any difference.

But seriously, I don't know what you are *trying* to do, I only see what
you are *doing*, so it is difficult to say anything.
Just so you know, I'm hardly an expert myself.

-- 
Tuomo

... When in doubt, mumble..
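Tuomo quotes ipfw(8) on `setup` (`tcpflags syn,!ack`); `established` is the companion match on the RST or ACK bits, and the first matching rule decides each packet. The added example below (not from the thread and not ipfw's own code) is a small Python model of that evaluation over the ruleset from the original post, numbered 100, 200, ... as ipfw numbers unnumbered rules; it reports which rule each packet of an inbound HTTP handshake hits, which is the "which rule is blocking me" question answered on paper. The two LAN addresses, the client port and the nve0 interface name come from the thread; the handshake packets themselves are constructed.

```python
"""Model of ipfw first-match evaluation for the ruleset quoted in this thread; an added
example, not ipfw itself (no keep-state, forwarding or NAT; see matches() for what is)."""
import ipaddress
from collections import namedtuple

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
            "http": 80, "ntp": 123, "imap": 143, "https": 443}  # from /etc/services
OPTIONS = {"in", "out", "setup", "established", "frag", "icmptypes", "via"}
RULESET = """\
add allow all from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
add allow tcp from any to any established
add deny ip from any to any frag
add count icmp from any to any icmptypes 8 in
add allow icmp from any to any icmptypes 0,8,3
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
add allow udp from any to any domain out
add allow udp from any domain to any in
add allow tcp from any to any ssh in setup
add allow tcp from any to any https in setup
add allow tcp from any to any http in setup
add allow tcp from any to any smtp in setup
add allow tcp from any to any imap in setup
add allow tcp from any to any ftp in setup
add allow tcp from any to any ftp\\-data in setup
add allow tcp from any ftp\\-data to any setup out
add allow udp from any ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to any ntp in
add deny log all from any to any
"""  # the ruleset from the original post, comments dropped
# A packet as the firewall sees it: direction is "in"/"out" relative to the firewall,
# frag marks a non-first fragment (no ports, no TCP flags), nve0 is the thread's NIC.
Packet = namedtuple("Packet", "proto src dst direction sport dport flags frag icmptype iface",
                    defaults=(None, None, "", False, None, "nve0"))

def _ranges(spec):
    """'http', '0,8,3' or '33434-34458' -> [(lo, hi), ...]; 'ftp\\-data' is one name."""
    out = []
    for item in spec.split(","):
        name = item.replace("\\", "")  # ipfw wants the '-' of ftp-data escaped
        if name in SERVICES:
            out.append((SERVICES[name], SERVICES[name]))
        else:
            lo, _, hi = item.partition("-")
            out.append((int(lo), int(hi or lo)))
    return out

def parse_rule(number, text):
    """Parse 'add <action> [log] <proto> from <src> [ports] to <dst> [ports] [options]'."""
    tok = text.split()[1:]  # drop the leading 'add'
    rule = {"num": number, "action": tok.pop(0), "opts": {}}
    if tok[0] == "log":  # logging does not affect matching
        tok.pop(0)
    rule["proto"], _from, rule["src"] = tok.pop(0), tok.pop(0), tok.pop(0)
    rule["sports"] = _ranges(tok.pop(0)) if tok[0] != "to" else None
    _to, rule["dst"] = tok.pop(0), tok.pop(0)
    rule["dports"] = _ranges(tok.pop(0)) if tok and tok[0] not in OPTIONS else None
    while tok:  # options are bare flags, except icmptypes/via which take one argument
        opt = tok.pop(0)
        rule["opts"][opt] = tok.pop(0) if opt in ("icmptypes", "via") else True
    return rule

# Unnumbered rules get 100, 200, ... in ipfw (its default autoinc step); do the same.
RULES = [parse_rule(100 * i, line) for i, line in enumerate(RULESET.splitlines(), 1)]

def _in_ranges(ranges, value):
    # No list matches anything; a value the packet lacks (a fragment) matches no list.
    return ranges is None or (value is not None and any(lo <= value <= hi for lo, hi in ranges))

def matches(rule, pkt):
    o, tcp_hdr = rule["opts"], pkt.proto == "tcp" and not pkt.frag
    return all([
        rule["proto"] in ("ip", "all", pkt.proto),
        all(s == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(s, strict=False)
            for s, a in ((rule["src"], pkt.src), (rule["dst"], pkt.dst))),
        _in_ranges(rule["sports"], pkt.sport) and _in_ranges(rule["dports"], pkt.dport),
        all(k not in o or pkt.direction == k for k in ("in", "out")),
        ("via" not in o or o["via"] == pkt.iface) and ("frag" not in o or pkt.frag),
        # setup == tcpflags syn,!ack; established == RST or ACK bit set (ipfw(8))
        "setup" not in o or (tcp_hdr and "S" in pkt.flags and "A" not in pkt.flags),
        "established" not in o or (tcp_hdr and ("A" in pkt.flags or "R" in pkt.flags)),
        "icmptypes" not in o or _in_ranges(_ranges(o["icmptypes"]), pkt.icmptype),
    ])

def first_match(pkt, rules=RULES):
    """(number, action) of the first terminating match; count rules fall through."""
    for rule in rules:
        if rule["action"] != "count" and matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "deny"  # ipfw's built-in default rule

def trace_http_handshake(rules=RULES):
    """Constructed inbound HTTP handshake between the two LAN hosts in the netstat output."""
    client, server = "192.168.1.107", "192.168.1.109"
    pkts = [Packet("tcp", client, server, "in", 3502, 80, flags="S"),    # SYN arrives
            Packet("tcp", server, client, "out", 80, 3502, flags="SA"),  # SYN/ACK leaves
            Packet("tcp", client, server, "in", 3502, 80, flags="A"),    # ACK arrives
            Packet("tcp", client, server, "in", frag=True)]              # non-first fragment
    return [first_match(p, rules) for p in pkts]
```

The last packet shows what a bare `deny ... frag` does: a non-first fragment carries no TCP header, so neither `established` nor any port-specific rule can claim it before the deny.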
From: Ian Smith
Date: Thu, 20 Dec 2007 22:45:23 +1100 (EST)
To: "W. D."
Cc: freebsd-security@freebsd.org, Tuomo Latto
Subject: Re: IPFW: Blocking me out. How to debug?

Firstly, this really belongs over on freebsd-net@ if not
freebsd-questions@, but anyway ..

On Thu, 20 Dec 2007, W. D. wrote:
> At 03:49 12/17/2007, Tuomo Latto wrote:
> >W. D. wrote:
> >> How do I tell which rule is blocking me out? SSH *is* working,
> >> but others are not.
> >
> >It all depends on what you mean by "blocking you out" and "others".

True; it's not really clear what you're trying to do, whether this is a
single server with a single net interface with no NAT or what, but based
on your present rules I'll have to make that assumption.

> >Did you try *reading* your fw config?
> >
> >> # Loopback:
> >> # Allow anything on the local loopback:
> >> add allow all from any to any via lo0
> >> add deny ip from any to 127.0.0.0/8
> >> add deny ip from 127.0.0.0/8 to any
> >Nope.

Meaning, these rules are ok and not the problem. Ignore Mr. Nipples.

> >> # Allow established connections:
> >> add allow tcp from any to any established
> >Nope.

That's ok. It may help you in debugging what's happening to use:

 allow [log] tcp from any to any in established
 allow [log] tcp from any to any out established

and really, using 'any to any' without specifying on which interfaces or
whether 'any' is your box or the outside world is a bit too general, but
moving on ..

> >> # Deny fragmented packets:
> >> add deny ip from any to any frag
> >Nope.
> >> # Show pings:
> >> add count icmp from any to any icmptypes 8 in
> >Nope.

That's inbound ping requests. Don't forget that 'inbound' means coming
into the firewall, not necessarily from the outside world. Your own
ping requests _from_ this box also have to both come in, and go out.

> >> # Allow pings, ping replies, and host unreach:
> >> add allow icmp from any to any icmptypes 0,8,3
> >Nope.

Add icmptype 11 as well if you want traceroutes to work ..

> >> # Allow UDP traceroutes:
> >> add allow udp from any to any 33434-34458 in
> >> add allow udp from any 33434-34458 to any out
> >Nope.

Ok, though udp rules are often better done statefully. See below.

> >> # Allow DNS with name server
> >> add allow udp from any to any domain out
> >> add allow udp from any domain to any in
> >Nope.

You want to watch out here. This allows udp packets from any address
with source port 53 to connect with any open udp port on your system,
and allows the responses as well. It's a simple matter using such as
netcat to source packets from port 53.

I gather from this that you're not running a DNS server yourself, but
using upstream server/s? In that case a stateful rule is safer:

 allow udp from me to any 53 keep-state

which allows after the return packets but denies connections not
initiated from your box.

> >> # SSH
> >> # Note that /etc/hosts.allow has restrictions
> >> # on which IP addresses are allowed.
> >> #
> >> # Allow SSH:
> >> add allow tcp from any to any ssh in setup
> >Nope, but this explains SSH working.

By 'ssh working', I guess you mean ssh connections to this box from
elsewhere, rather than ssh connections from this box? Not clear.

> >> # HTTP & HTTPS:
> >> add allow tcp from any to any https in setup
> >> add allow tcp from any to any http in setup
> >Nope.

So, you have a webserver running on this box, listening on ports 80 and
443? You've verified with 'netstat -finet -a' that this is the case?

> >> # Mail: SMTP & IMAP:
> >> add allow tcp from any to any smtp in setup
> >> add allow tcp from any to any imap in setup
> >Nope.

You're running SMTP and IMAP servers, verified as above?

You see, this also allows you (as 'any') to connect to any outside SMTP
server too. It really helps to differentiate connections into your box
from those you're making to outside boxes, which these don't do.

Have a close look at the 'simple' section in rc.firewall. There are
advantages to running a script such as that rather than rules in a file,
like variable substitution, at least while getting it all working right.

> >> # FTP:
> >> add allow tcp from any to any ftp in setup
> >> add allow tcp from any to any ftp\-data in setup
> >> add allow tcp from any ftp\-data to any setup out
> >Nope.

Mmm, I prefer using and enforcing FTP passive mode, but YMMV.

> >> # Allow NTP in and out
> >> add allow udp from any ntp to 128.252.19.1 ntp out
> >> add allow udp from 128.252.19.1 ntp to any ntp in
> >Nope.

Unless running a time service for other boxes, something like:

 allow udp from me to any ntp keep-state # or to a specific server

> >> # Deny and log everything else:
> >> add deny log all from any to any
> >Bingo!

Ok, so you got rid of interface 'all', great.

> >"ipfw -a list" may also help (packet counts).

It's only a short ruleset, it may help us if you show the output of say
'ipfw -t show' (or ipfw -at list, same thing), if you're still having
problems, but see below re 'inness' and 'outness'.

> I've been banging my head against this for the past few
> days. I don't get it.
>
> My understanding of the way this is supposed to work is
> that:
>
>   # HTTP & HTTPS:
>   add allow tcp from any to any https in setup
>   add allow tcp from any to any http in setup
>
> should let initial HTTP & HTTPS requests through,
> and that:
>
>   # Allow established connections:
>   add allow tcp from any to any established

Not quite. Looks like you're allowing http/https setup packets in (ie,
into the firewall) but not letting them out (of the firewall, to the
webserver). For example in the 'simple' ruleset mentioned, we have:

  # Allow access to our WWW
  ${fwcmd} add pass tcp from any to ${oip} 80 setup

  # Reject&Log all setup of incoming connections from the outside
  ${fwcmd} add deny log tcp from any to any in via ${oif} setup

  # Allow setup of any other TCP connection
  ${fwcmd} add pass tcp from any to any setup

Note there's no 'in' or 'out' on the port 80 rule, so this allows the
packets on both the in and out pass of the firewall. Also, the IP is
specified as our IP - 'me' will do fine if it's just this box.

> should allow connections that are "setup" to
> continue. Do I need a "check-state" or "keep-state"
> statement somewhere?

No, though you can use stateful TCP rules if you want to, in which case
you'll want to DENY established connections. Personally I find relying
on the TCP state established by using 'setup' and 'established' fine for
TCP, but tend to use keep-state for UDP and some ICMP rules.

> I don't understand what is wrong with the last rule:
>
>   # Deny and log everything else:
>   add deny log all from any to any
>
> My understanding is that anything that doesn't match
> the previous rules will match this one and hence
> be logged and denied. Is this not correct?

That's correct. Aren't you seeing any? Try show rather than tell.

> Again, I am having a great deal of difficulty
> understanding why these rules don't work as expected.
> I've scoured the 'Net and printed out just about
> every coherent ruleset out there.
>
> Besides adding the "log" keyword on all of the rules,
> these are the debugging tools I have been using:
>
>   ipfw disable firewall
>   ipfw -f flush
>   ipfw enable firewall
>   /etc/rc.d/ipfw start
>   ipfw -a -S -N -t list
>   ipfw list
>   tail -f /var/log/ipfw/ipfw.log
>   tcpdump -i nve0 'proto \tcp && port http'
>
> Could anyone please throw this tired dog a bone?

Getting the two-pass nature of ipfw understood seems to be your main
difficulty. I know it was for me back then. Have a look at the section
in ipfw(8) regarding packet flows, and although it sounds trite, RTFM
about 10 times :)

Cheers, Ian


From: "Matt Piechota"
Date: Thu, 20 Dec 2007 12:50:16 -0500 (EST)
To: "W. D."
Cc: freebsd-security@freebsd.org, Tuomo Latto
Subject: Re: IPFW: Blocking me out. How to debug?
On Thu, December 20, 2007 1:39 am, W. D. wrote:

I'm no expert on firewalls, so take this with a grain of salt.

>>> # Loopback:
>>> # Allow anything on the local loopback:
>>> add allow all from any to any via lo0
>>> add deny ip from any to 127.0.0.0/8
>>> add deny ip from 127.0.0.0/8 to any
>>Nope.
>>> # Allow established connections:
>>> add allow tcp from any to any established
>>Nope.
>>> # Deny fragmented packets:
>>> add deny ip from any to any frag

Perhaps this is the issue? I would think that if an IP fragment comes
in, it's specifically *not* an established TCP connection (yet), so it
would be blocked by this rule. No IP fragments means they don't have a
chance to be reassembled into an actual packet. All the profiles in
rc.firewall specifically allow ip frags, so I'd think they're required.

> Could anyone please throw this tired dog a bone?

Fetch! :)

-- 
Matt Piechota


From: "W. D."
Date: Fri, 21 Dec 2007 01:30:11 -0600
To: FreeBSD-Security@FreeBSD.org
Cc: Ian Smith
Subject: Re: IPFW: Blocking me out. How to debug?

At 05:45 12/20/2007, Ian Smith, wrote:

Thanks for your reply Ian. This is the kind of
information I am looking for.

>Firstly, this really belongs over on freebsd-net@ if not
>freebsd-questions@, but anyway ..

I'll be glad to move it there if you would like. I figured
that since IPFW/Firewalls are security related, that
FreeBSD-Security would be the most appropriate place.

>On Thu, 20 Dec 2007, W. D. wrote:
>
> > At 03:49 12/17/2007, Tuomo Latto wrote:
> > >W. D. wrote:
> > >> How do I tell which rule is blocking me out? SSH *is* working,
> > >> but others are not.
> > >
> > >It all depends on what you mean by "blocking you out" and "others".
>
>True; it's not really clear what you're trying to do, whether this is a
>single server with a single net interface with no NAT or what, but based
>on your present rules I'll have to make that assumption.

OK, sorry. I guess I just assumed that it would be obvious
that this is a Web server. ("Never assume anything, my good
fellow" - Sherlock Holmes).

By the way, it is/will be running Plesk server management
software, if it matters:
http://www.swsoft.com/en/products/plesk/reqs/

Also, this server is on an internal LAN before I subject it
to the wild, untamed, InterWeb, with its dangerous internets
darting back and forth inside all of the tubes.

> > >> # Loopback:
> > >> # Allow anything on the local loopback:
> > >> add allow all from any to any via lo0
> > >> add deny ip from any to 127.0.0.0/8
> > >> add deny ip from 127.0.0.0/8 to any
>
>Meaning, these rules are ok and not the problem. Ignore Mr. Nipples.

With a name like that, it's hard to take him seriously. ;^)

> > >> # Allow established connections:
> > >> add allow tcp from any to any established
>
>That's ok. It may help you in debugging what's happening to use:
>
> allow [log] tcp from any to any in established
> allow [log] tcp from any to any out established

I assume here that "[log]" means to insert "log" for debugging
like this:

  allow log tcp from any to any in established
  allow log tcp from any to any out established

rather than including the square brackets, "[" & "]", correct?
I have done that and have included my latest ruleset below.

>and really, using 'any to any' without specifying on which interfaces or
>whether 'any' is your box or the outside world is a bit too general, but
>moving on ..

OK. What should I do? I only plan on having one Ethernet
interface. What would be more secure?
> > >> # Deny fragmented packets:
> > >> add deny ip from any to any frag
> > >> # Show pings:
> > >> add count icmp from any to any icmptypes 8 in
> > >
>
>That's inbound ping requests. Don't forget that 'inbound' means coming
>into the firewall, not necessarily from the outside world. Your own
>ping requests _from_ this box also have to both come in, and go out.

Hmmm. OK. Outbound Ping will be rarely used, but should be allowed.
Isn't that included in the next rule?

> > >> # Allow pings, ping replies, and host unreach:
> > >> add allow icmp from any to any icmptypes 0,8,3
> > >
>
>Add icmptype 11 as well if you want traceroutes to work ..
>
> > >> # Allow UDP traceroutes:
> > >> add allow udp from any to any 33434-34458 in
> > >> add allow udp from any 33434-34458 to any out
> > >
>
>Ok, though udp rules are often better done statefully. See below.
>
> > >> # Allow DNS with name server
> > >> add allow udp from any to any domain out
> > >> add allow udp from any domain to any in
> > >Nope.
>
>You want to watch out here. This allows udp packets from any address
>with source port 53 to connect with any open udp port on your system,
>and allows the responses as well. It's a simple matter using such as
>netcat to source packets from port 53.

Should I restrict it by specifically stating the service?
How can I be safe? What would the rule look like?

>I gather from this that you're not running a DNS server yourself, but
>using upstream server/s? In that case a stateful rule is safer:

Again, I apologize for not being clear. I will be running DNS
on this box for the domains being hosted. So, it will be polled
whenever a request for a hosted domain is needed.

> allow udp from me to any 53 keep-state
>
>which allows after the return packets but denies connections not
>initiated from your box.

> > >> # SSH
> > >> # Note that /etc/hosts.allow has restrictions
> > >> # on which IP addresses are allowed.
> > >> #
> > >> # Allow SSH:
> > >> add allow tcp from any to any ssh in setup
> > >
>
>By 'ssh working', I guess you mean ssh connections to this box from
>elsewhere, rather than ssh connections from this box? Not clear.

Sorry! I am using SSH into this box, since it is easier to cut
and paste for editing and configuration. I can't really see a
situation where I would normally need to SSH outbound, can you?
I use the Windoze boxes for that.

> > >> # HTTP & HTTPS:
> > >> add allow tcp from any to any https in setup
> > >> add allow tcp from any to any http in setup
> > >
>
>So, you have a webserver running on this box, listening on ports 80 and
>443? You've verified with 'netstat -finet -a' that this is the case?

Yes:

# netstat -finet -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address           (state)
tcp4       0      0  192.168.1.109.ssh      192.168.1.107.3502        ESTABLISHED
tcp4       0     52  192.168.1.109.ssh      192.168.1.107.2266        ESTABLISHED
tcp4       0      0  *.poppassd             *.*                       LISTEN
tcp4       0      0  *.ftp                  *.*                       LISTEN
tcp4       0      0  *.smtps                *.*                       LISTEN
tcp4       0      0  *.smtp                 *.*                       LISTEN
tcp4       0      0  localhost.locald.3000  *.*                       LISTEN
tcp4       0      0  *.pop3s                *.*                       LISTEN
tcp4       0      0  *.pop3                 *.*                       LISTEN
tcp4       0      0  *.imaps                *.*                       LISTEN
tcp4       0      0  *.imap                 *.*                       LISTEN
tcp4       0      0  *.8443                 *.*                       LISTEN
tcp4       0      0  *.8880                 *.*                       LISTEN
tcp4       0      0  *.3306                 *.*                       LISTEN
tcp4       0      0  localhost.locald.8005  *.*                       LISTEN
tcp4       0      0  *.9008                 *.*                       LISTEN
tcp4       0      0  *.8009                 *.*                       LISTEN
tcp46      0      0  *.https                *.*                       LISTEN
tcp46      0      0  *.http                 *.*                       LISTEN
tcp4       0      0  *.9080                 *.*                       LISTEN
tcp4       0      0  *.8180                 *.*                       LISTEN
tcp4       0      0  localhost.locald.postg *.*                       LISTEN
tcp4       0      0  localhost.locald.rndc  *.*                       LISTEN
tcp4       0      0  localhost.locald.domai *.*                       LISTEN
tcp4       0      0  192.168.1.109.domain   *.*                       LISTEN
tcp4       0      0  *.ssh                  *.*                       LISTEN
udp4       0      0  192.168.1.109.24889    ns1.ournameserver.net.53
udp4       0      0  *.51750                *.*
udp4       0      0  localhost.locald.domai *.*
udp4       0      0  192.168.1.109.domain   *.*
udp4       0      0  *.syslog               *.*

> > >> # Mail: SMTP & IMAP:
> > >> add allow tcp from any to any smtp in setup
> > >> add allow tcp from any to any imap in setup
> > >
>
>You're running SMTP and IMAP servers, verified as above?
>
>You see, this also allows you (as 'any') to connect to any outside SMTP
>server too. It really helps to differentiate connections into your box
>from those you're making to outside boxes, which these don't do.
>
>Have a close look at the 'simple' section in rc.firewall.

I have scanned various versions of "rc.firewall". I kinda
understand what is going on, but there are so many places that
seem anti-intuitive to me. Also, what are the differences between
running a script and loading these rules on bootup?

>There are
>advantages to running a script such as that rather than rules in a file,
>like variable substitution, at least while getting it all working right.

I have mixed feelings about variables. I guess they make it easier
if you change a network card or IP addresses--you only have to do
it in one place.

However, a search and replace command doesn't take much time at all.
Also, they add a level of complexity to a situation that (to me) is
complex enough already. And, I wonder if by not using variables, I
can save a few microseconds when processing traffic. ;^)

> > >> # FTP:
> > >> add allow tcp from any to any ftp in setup
> > >> add allow tcp from any to any ftp\-data in setup
> > >> add allow tcp from any ftp\-data to any setup out
> > >
>
>Mmm, I prefer using and enforcing FTP passive mode, but YMMV.

How would I do that? This guy doesn't think it's even
possible: http://tinyurl.com/2z6ynr

> > >> # Allow NTP in and out
> > >> add allow udp from any ntp to 128.252.19.1 ntp out
> > >> add allow udp from 128.252.19.1 ntp to any ntp in
> > >
>
>Unless running a time service for other boxes, something like:
>
> allow udp from me to any ntp keep-state # or to a specific server

Well, I think that since NTP is such a minimal user of resources,
that I would like to rely on this box for the correct time. That
way, I don't have to bug the stratum 1 boxes.
Shall I use my original?

> > >> # Deny and log everything else:
> > >> add deny log all from any to any
>
>Bingo!
>
>Ok, so you got rid of interface 'all', great.

Is this better?

add deny log ip from any to any

If so, I just don't understand this. Here is what the "Fine Manual" says:

======================================================================
protocol: [not] protocol-name | protocol-number
    An IP protocol specified by number or name (for a complete list see
    /etc/protocols), or one of the following keywords:

    ip4 | ipv4   Matches IPv4 packets.
    ip6 | ipv6   Matches IPv6 packets.
    ip | all     Matches any packet.
======================================================================

According to this, "ip" and "all" are synonymous. Criminy! What am I
missing here?

>"ipfw -a list" may also help (packet counts).
>
>It's only a short ruleset, it may help us if you show the output of say
>'ipfw -t show' (or ipfw -at list, same thing), if you're still having
>problems, but see below re 'inness' and 'outness'.
>
> > I've been banging my head against this for the past few
> > days. I don't get it.
> >
> > My understanding of the way this is supposed to work is
> > that:
> >
> > # HTTP & HTTPS:
> > add allow tcp from any to any https in setup
> > add allow tcp from any to any http in setup
> >
> > should let initial HTTP & HTTPS requests through,
> > and that:
> >
> > # Allow established connections:
> > add allow tcp from any to any established
>
>Not quite. Looks like you're allowing http/https setup packets in (ie,
>into the firewall) but not letting them out (of the firewall, to the
>webserver).
>For example in the 'simple' ruleset mentioned, we have:
>
>    # Allow access to our WWW
>    ${fwcmd} add pass tcp from any to ${oip} 80 setup
>
>    # Reject&Log all setup of incoming connections from the outside
>    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>    # Allow setup of any other TCP connection
>    ${fwcmd} add pass tcp from any to any setup

I really don't get the above rule. Isn't it saying that *any* kind of TCP
connection can come in or go out initially?

>Note there's no 'in' or 'out' on the port 80 rule, so this allows the
>packets on both the in and out pass of the firewall. Also, the IP is
>specified as our IP - 'me' will do fine if it's just this box.

In my set, should I include some "out" rules like this:

add allow tcp from any to any https out setup
add allow tcp from any to any http out setup

> > should allow connections that are "setup" to
> > continue. Do I need a "check-state" or "keep-state"
> > statement somewhere?
>
>No, though you can use stateful TCP rules if you want to, in which case
>you'll want to DENY established connections. Personally I find relying
>on the TCP state established by using 'setup' and 'established' fine for
>TCP, but tend to use keep-state for UDP and some ICMP rules.

That sounds reasonable.

> > I don't understand what is wrong with the last rule:
> >
> > # Deny and log everything else:
> > add deny log all from any to any
> >
> > My understanding is that anything that doesn't match
> > the previous rules will match this one and hence
> > be logged and denied. Is this not correct?
>
>That's correct. Aren't you seeing any? Try show rather than tell.
Showing:

# ipfw -a -S -N -t list
00100   688  173384 Thu Dec 20 15:32:17 2007 set 0 allow log logamount 10 ip from any to any via lo0
00200     0       0 set 0 deny log logamount 10 ip from any to 127.0.0.0/8
00300     0       0 set 0 deny log logamount 10 ip from 127.0.0.0/8 to any
00400  4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount 10 tcp from any to any established
00500     0       0 set 0 deny log logamount 10 ip from any to any frag
00600     4     240 Wed Dec 19 23:05:31 2007 set 0 count icmp from any to any icmptypes 8 in
00700     8     480 Wed Dec 19 23:05:31 2007 set 0 allow log logamount 10 icmp from any to any icmptypes 0,3,8
00800     0       0 set 0 allow log logamount 10 udp from any to any dst-port 33434-34458 in
00900     0       0 set 0 allow log logamount 10 udp from any 33434-34458 to any out
01000   366   24038 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any to any dst-port domain out
01100   364   59582 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any domain to any in
01200     1      48 Thu Dec 20 16:49:47 2007 set 0 allow log logamount 10 tcp from any to any dst-port ssh in setup
01300     0       0 set 0 allow log logamount 10 tcp from any to any dst-port https in setup
01400     6     288 Thu Dec 20 14:43:38 2007 set 0 allow log logamount 10 tcp from any to any dst-port http in setup
01500    98    6272 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 tcp from any to any dst-port http
01600     1      64 Thu Dec 20 15:25:01 2007 set 0 allow log logamount 10 tcp from any to any dst-port https
01700     0       0 set 0 allow log logamount 10 tcp from any to any dst-port smtp in setup
01800     0       0 set 0 allow log logamount 10 tcp from any to any dst-port imap in setup
01900    43    2064 Wed Dec 19 23:16:18 2007 set 0 allow log logamount 10 tcp from any to any dst-port ftp in setup
02000     0       0 set 0 allow log logamount 10 tcp from any to any dst-port ftp-data in setup
02100     0       0 set 0 allow log logamount 10 tcp from any ftp-data to any setup out
02200   100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from any ntp to navobs1.wustl.edu dst-port ntp out
02300   100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from navobs1.wustl.edu ntp to any dst-port ntp in
02400  2058  226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount 10 ip from any to any
65535     7     909 Wed Dec 19 22:58:29 2007 set 31 deny ip from any to any

Lot of stuff being denied. I think some of that is my HTTP and HTTPS
initial requests. What to do?

> > Again, I am having a great deal of difficulty
> > understanding why these rules don't work as expected.
> > I've scoured the 'Net and printed out just about
> > every coherent ruleset out there.
> >
> > Besides adding the "log" keyword on all of the rules,
> > these are the debugging tools I have been using:
> >
> > ipfw disable firewall
> > ipfw -f flush
> > ipfw enable firewall
> > /etc/rc.d/ipfw start
> > ipfw -a -S -N -t list
> > ipfw list
> > tail -f /var/log/ipfw/ipfw.log
> > tcpdump -i nve0 'proto \tcp && port http'
> > netstat -finet -a
> >
> > Could anyone please throw this tired dog a bone?
>
>Getting the two-pass nature of ipfw understood seems to be your main
>difficulty.

I would definitely agree with you. I am completely lost. By "two-pass" do
you mean "in" to the firewall, and then "in" to the webserver, and another
"two-pass": "out" from the webserver, and "out" from the firewall?

>I know it was for me back then. Have a look at the section
>in ipfw(8) regarding packet flows, and although it sounds trite, RTFM
>about 10 times :)
>
>Cheers, Ian

Love the "Fine Manual" --not! Just not enough examples for me to
understand everything. Too much abstraction--AAArrrrgh!

Am using this link, since "man ipfw" doesn't work on 6.2. (I dare someone
to explain to me how to get it to work):
http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8

Thanks for your help, Ian. Would appreciate it if you would kick my butt
in the proper direction again. Any other takers/kickers?
Latest grope in the dark:

======================================================================
# ipfw.rules
# ipfw firewall ruleset
# 2007 Dec 20

# By default, everything is denied access. You
# need to specifically allow something for it
# to work.

# Loopback:
# Allow anything on the local loopback:
add allow log all from any to any via lo0

# Disallow spoofed access to local:
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any

# Allow established connections:
add allow log tcp from any to any established

# Deny fragmented packets:
add deny log ip from any to any frag

# Show pings:
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
add allow log icmp from any to any icmptypes 0,8,3

# Allow UDP traceroutes:
add allow log udp from any to any 33434-34458 in
add allow log udp from any 33434-34458 to any out

# Allow DNS with name server
add allow log udp from any to any domain out
add allow log udp from any domain to any in

# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow log tcp from any to any ssh in setup

# HTTP & HTTPS:
add allow log tcp from any to any https in setup
add allow log tcp from any to any http in setup
add allow log tcp from any to any dst-port 80
add allow log tcp from any to any dst-port 443

# Mail: SMTP & IMAP:
add allow log tcp from any to any smtp in setup
add allow log tcp from any to any imap in setup

# FTP:
add allow log tcp from any to any ftp in setup
add allow log tcp from any to any ftp\-data in setup
add allow log tcp from any ftp\-data to any setup out

# Allow NTP in and out
add allow log udp from any ntp to 128.252.19.1 ntp out
add allow log udp from 128.252.19.1 ntp to any ntp in

# Deny and log everything else:
# add deny log all from any to any
add deny log ip from any to any
======================================================================

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/

From owner-freebsd-security@FreeBSD.ORG Fri Dec 21 11:35:56 2007
Date: Fri, 21 Dec 2007 22:35:46 +1100 (EST)
From: Ian Smith
To: "W. D."
In-Reply-To: <20071221073023.70F3113C447@mx1.freebsd.org>
Cc: FreeBSD-Security@freebsd.org
Subject: Re: IPFW: Blocking me out. How to debug?

On Fri, 21 Dec 2007, W. D. wrote:

> At 05:45 12/20/2007, Ian Smith, wrote:
>
> Thanks for your reply Ian. This is the kind of
> information I am looking for.
>
> >Firstly, this really belongs over on freebsd-net@ if not
> >freebsd-questions@, but anyway ..
>
> I'll be glad to move it there if you would like. I
> figured that since IPFW/Firewalls are security
> related, that FreeBSD-Security would be the most
> appropriate place.

http://lists.freebsd.org/mailman/listinfo/freebsd-security

My bad, I should have properly redirected it myself before posting.
It's a usage issue which I'll follow up to questions@ later on, ok?
cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Fri Dec 21 12:43:42 2007
Date: Fri, 21 Dec 2007 06:17:28 -0600
From: "Jon Passki"
To: freebsd-security@freebsd.org
Subject: freebsd-update-server

Hello All,

I will be embarking on setting up a freebsd-update-server [1] to push out
updates on custom builds based upon 6.2-R or 6.3-RCX/6.3-R (more likely).

For the Security Officers:

--) Have there been any changes to the code that have not made their way
    back into /projects/freebsd-update-server? If so, if/when will those
    changes make their way back into a public repository?

--) The USAGE [2] doc states "as of 6.1-RELEASE, cross-building releases
    doesn't work." Does this hold true for 6.2-R or 6.3-RCX? I would be
    cross-building from amd64 to i386...

--) Is the USAGE document up-to-date?
;-)

[1] http://www.freebsd.org/cgi/cvsweb.cgi/projects/freebsd-update-server
[2] http://www.freebsd.org/cgi/cvsweb.cgi/projects/freebsd-update-server/USAGE?rev=1.1

-- 
Cheers,
Jon Passki, Partner
The Hursk Group, LLC
"Obvia conspicimus, nubem pellente Mathesi."
e: jon.passki@hursk.com
ph: 651/222.3020
cal: http://www.google.com/calendar/hosted/hursk.com/embed?src=jon.passki%40hursk.com
pgp: 1BB0 A946 927B 93C3 ED6A 0466 6692 6C2C 84BE 4122

From owner-freebsd-security@FreeBSD.ORG Fri Dec 21 18:16:30 2007
Date: Fri, 21 Dec 2007 12:16:22 -0600
From: "W. D."
To: FreeBSD-Security@freebsd.org
Cc: Ian Smith
Subject: Re: IPFW: Blocking me out. How to debug?

At 05:35 12/21/2007, Ian Smith wrote:
>On Fri, 21 Dec 2007, W. D. wrote:
> > At 05:45 12/20/2007, Ian Smith, wrote:
> >
> > Thanks for your reply Ian. This is the kind of
> > information I am looking for.
> >
> > >Firstly, this really belongs over on freebsd-net@ if not
> > >freebsd-questions@, but anyway ..
> >
> > I'll be glad to move it there if you would like. I
> > figured that since IPFW/Firewalls are security
> > related, that FreeBSD-Security would be the most
> > appropriate place.
>
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>
>My bad, I should have properly redirected it myself before posting.
>It's a usage issue which I'll follow up to questions@ later on, ok?
>
>cheers, Ian

OK. I am very much anticipating your reply, since I seem to be dead in
the water right now.

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
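The "which rule is blocking me out" question in the ipfw thread above comes down to reading the per-rule counters that `ipfw -a -S -N -t list` prints. The following parser is an added example, not code from any of the posts: it reads a listing in that format and reports the deny rules that are actually dropping packets (with their last-match time) and the allow rules that have never matched at all. The listing it parses is a constructed sample in the same layout as the one posted, with made-up counts.

```python
"""Which ipfw rule is dropping packets?  Parse `ipfw -a -S -N -t list` output.
Added example, not code from the thread; SAMPLE_LISTING is constructed."""
import re
from typing import Dict, List

# Each line: number, packets, bytes, optional last-match time (printed only
# once the rule has matched), "set N", then the action and the match body.
_RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?:(?P<last>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} "
    r"\d\d:\d\d:\d\d \d{4})\s+)?"
    r"set\s+(?P<set>\d+)\s+(?P<body>.+?)\s*$"
)


def parse_ipfw_list(text: str) -> List[Dict]:
    """One dict per rule line; anything that is not a rule line is skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        rules.append({
            "num": int(m.group("num")),
            "pkts": int(m.group("pkts")),
            "bytes": int(m.group("bytes")),
            "last": m.group("last"),          # None if the rule never matched
            "set": int(m.group("set")),
            "action": body.split()[0],        # allow / deny / count / ...
            "body": body,
        })
    return rules


def blocking_rules(text: str) -> List[Dict]:
    """Deny rules that have matched at least once, busiest first."""
    hits = [r for r in parse_ipfw_list(text)
            if r["action"] == "deny" and r["pkts"] > 0]
    return sorted(hits, key=lambda r: r["pkts"], reverse=True)


def rules_never_hit(text: str) -> List[int]:
    """Rule numbers with a zero packet counter: an allow rule that never fires
    is as telling as a deny rule that fires a lot."""
    return [r["num"] for r in parse_ipfw_list(text) if r["pkts"] == 0]


# Constructed sample in the format the thread shows; counts are made up.
SAMPLE_LISTING = """\
00100   688  173384 Thu Dec 20 15:32:17 2007 set 0 allow log logamount 10 ip from any to any via lo0
00200     0       0 set 0 deny log logamount 10 ip from any to 127.0.0.0/8
00400  4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount 10 tcp from any to any established
01300     0       0 set 0 allow log logamount 10 tcp from any to any dst-port https in setup
01400     6     288 Thu Dec 20 14:43:38 2007 set 0 allow log logamount 10 tcp from any to any dst-port http in setup
02400  2058  226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount 10 ip from any to any
65535     7     909 Wed Dec 19 22:58:29 2007 set 31 deny ip from any to any
"""
```

On a live box, feed it the real output (`ipfw -a -S -N -t list`) instead of SAMPLE_LISTING; the rule at the top of `blocking_rules()` is the one to look at in /var/log/ipfw/ipfw.log.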