From: Nash Nipples <trashy_bumper@yahoo.com>
To: freebsd-security@freebsd.org
Date: Sun, 23 Dec 2007 06:04:02 -0800 (PST)
Subject: Re: IPFW: Blocking me out. How to debug?
Dear W.D.

oh come on. i have the same problem. cut and paste logic:

#!/bin/sh
#1. count packets
#2. allow everything on lo0 (loopback)
#3. slow down and deny packets to buffer overflow enabled daemons
#3.5 to list all the buffer overflow enabled daemons use this sockstat -46ul
#4. allow everything in and out on the Ethernet interface fxp0. Remember - wires are long things!
#5. switch sshd to a different port like 55 and use keys to authenticate
#6. do ipfw show every morning
#7. do ipfw zero every evening or as often as your boss wants that
#8. learn how to modify this script quickly just to plumb all the other things that leak
#9. you cant block yourself out if you run this script with a trailing '&' e.g. sh /etc/ipfw.rules &
#TODO: write a program that sends bills to customers
#BUGS: it cant smile

# every rule below is installed with 'ipfw add <number> ...', so 'add' lives in $cmd
cmd="/sbin/ipfw add"
ext1="fxp0"
gentleports="21,25,514"

#accounting
#i need these figures to see how bad things are going
$cmd 100 count ip from any to any in via lo0
$cmd 110 count ip from any to any out via lo0
$cmd 120 count ip from any to any in via $ext1
$cmd 130 count ip from any to any out via $ext1

#if counters below grow too high u are screwed
 #this counter should not vary much comparing to the next one
$cmd 210 count icmp from any to any out via $ext1
 #if there is an obvious difference someone's digging holes in the yard
$cmd 220 count icmp from any to any in via $ext1
 #too much of dns.
$cmd 230 count ip from any to any 53 out via $ext1
$cmd 240 count ip from any to any 53 in via $ext1

#if counters below grow too high you have screwed someone else
#oh yes. someone's got mail.
$cmd 300 count ip from any to any 25 out via $ext1
#which way did it go
$cmd 310 count ip from any to any 25 via lo0

#policy
$cmd 1000 allow all from any to any via lo0
/sbin/ipfw add 1110 pipe 1 ip from any to me $gentleports in via $ext1
/sbin/ipfw pipe 1 config bw 1Kbit/s queue 1Kbytes

$cmd 1120 deny ip from any to me $gentleports in via $ext1
$cmd 1130 allow all from any to any via $ext1
#you will wonder but the next rule still has a match
$cmd 1140 deny log all from any to any

I'm sorry but i cant draw pretty pictures to make it any more obvious

Nash


----- Original Message ----
From: W. D.
To: FreeBSD-Security@FreeBSD.org
Cc: Ian Smith
Sent: Friday, December 21, 2007 9:30:11 AM
Subject: Re: IPFW: Blocking me out. How to debug?


At 05:45 12/20/2007, Ian Smith, wrote:

Thanks for your reply Ian. This is the kind of
information I am looking for.


>Firstly, this really belongs over on freebsd-net@ if not
>freebsd-questions@, but anyway ..

I'll be glad to move it there if you would like. I
figured that since IPFW/Firewalls are security
related, that FreeBSD-Security would be the most
appropriate place.


>On Thu, 20 Dec 2007, W. D. wrote:
>
> > At 03:49 12/17/2007, Tuomo Latto wrote:
> > >W. D. wrote:
> > >> How do I tell which rule is blocking me out? SSH *is* working,
> > >> but others are not.
> > >
> > >It all depends on what you mean by "blocking you out" and "others".
>
>True; it's not really clear what you're trying to do, whether this is a
>single server with a single net interface with no NAT or what, but based
>on your present rules I'll have to make that assumption.

OK, sorry. I guess I just assumed that it would be obvious
that this is a Web server. ("Never assume anything, my good
fellow" - Sherlock Holmes).

By the way, it is/will be running Plesk server management
software, if it matters:
http://www.swsoft.com/en/products/plesk/reqs/

Also, this server is on an internal LAN before I subject
it to the wild, untamed, InterWeb, with its dangerous
internets darting back and forth inside all of the tubes.


> > >> # Loopback:
> > >> # Allow anything on the local loopback:
> > >> add allow all from any to any via lo0
> > >> add deny ip from any to 127.0.0.0/8
> > >> add deny ip from 127.0.0.0/8 to any
>
>Meaning, these rules are ok and not the problem. Ignore Mr. Nipples.

With a name like that, it's hard to take him seriously. ;^)


>
> > >> # Allow established connections:
> > >> add allow tcp from any to any established
>
>That's ok. It may help you in debugging what's happening to use:
>
> allow [log] tcp from any to any in established
> allow [log] tcp from any to any out established

I assume here that "[log]" means to insert "log" for
debugging like this:

 allow log tcp from any to any in established
 allow log tcp from any to any out established

rather than including the square brackets, "[" & "]",
correct?

I have done that and have included my latest ruleset
below.



>and really, using 'any to any' without specifying on which interfaces or
>whether 'any' is your box or the outside world is a bit too general, but
>moving on ..

OK. What should I do? I only plan on having one
Ethernet interface. What would be more secure?



> > >> # Deny fragmented packets:
> > >> add deny ip from any to any frag

> > >> # Show pings:
> > >> add count icmp from any to any icmptypes 8 in
> > >
>
>That's inbound ping requests. Don't forget that 'inbound' means coming
>into the firewall, not necessarily from the outside world. Your own
>ping requests _from_ this box also have to both come in, and go out.

Hmmm. OK. Outbound Ping will be rarely used, but should
be allowed. Isn't that included in the next rule?


> > >> # Allow pings, ping replies, and host unreach:
> > >> add allow icmp from any to any icmptypes 0,8,3
> > >
>
>Add icmptype 11 as well if you want traceroutes to work ..
>
> > >> # Allow UDP traceroutes:
> > >> add allow udp from any to any 33434-34458 in
> > >> add allow udp from any 33434-34458 to any out
> > >
>
>Ok, though udp rules are often better done statefully. See below.
>
> > >> # Allow DNS with name server
> > >> add allow udp from any to any domain out
> > >> add allow udp from any domain to any in
> > >Nope.
>
>You want to watch out here. This allows udp packets from any address
>with source port 53 to connect with any open udp port on your system,
>and allows the responses as well. It's a simple matter using such as
>netcat to source packets from port 53.

Should I restrict it by specifically stating the service?
How can I be safe? What would the rule look like?


>I gather from this that you're not running a DNS server yourself, but
>using upstream server/s? In that case a stateful rule is safer:

Again, I apologize for not being clear. I will be running
DNS on this box for the domains being hosted. So, it will
be polled whenever a request for a hosted domain is needed.



> allow udp from me to any 53 keep-state
>
>which allows after the return packets but denies connections not
>initiated from your box.
>
> > >> # SSH
> > >> # Note that /etc/hosts.allow has restrictions
> > >> # on which IP addresses are allowed.
> > >> #
> > >> # Allow SSH:
> > >> add allow tcp from any to any ssh in setup
> > >
>
>By 'ssh working', I guess you mean ssh connections to this box from
>elsewhere, rather than ssh connections from this box? Not clear.

Sorry! I am using SSH into this box, since it is easier to
cut and paste for editing and configuration.

I can't really see a situation where I would normally need to SSH
outbound, can you? I use the Windoze boxes for that.


> > >> # HTTP & HTTPS:
> > >> add allow tcp from any to any https in setup
> > >> add allow tcp from any to any http in setup
> > >
>
>So, you have a webserver running on this box, listening on ports 80 and
>443? You've verified with 'netstat -finet -a' that this is the case?

Yes:

# netstat -finet -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address           Foreign Address            (state)
tcp4       0      0  192.168.1.109.ssh       192.168.1.107.3502         ESTABLISHED
tcp4       0     52  192.168.1.109.ssh       192.168.1.107.2266         ESTABLISHED
tcp4       0      0  *.poppassd              *.*                        LISTEN
tcp4       0      0  *.ftp                   *.*                        LISTEN
tcp4       0      0  *.smtps                 *.*                        LISTEN
tcp4       0      0  *.smtp                  *.*                        LISTEN
tcp4       0      0  localhost.locald.3000   *.*                        LISTEN
tcp4       0      0  *.pop3s                 *.*                        LISTEN
tcp4       0      0  *.pop3                  *.*                        LISTEN
tcp4       0      0  *.imaps                 *.*                        LISTEN
tcp4       0      0  *.imap                  *.*                        LISTEN
tcp4       0      0  *.8443                  *.*                        LISTEN
tcp4       0      0  *.8880                  *.*                        LISTEN
tcp4       0      0  *.3306                  *.*                        LISTEN
tcp4       0      0  localhost.locald.8005   *.*                        LISTEN
tcp4       0      0  *.9008                  *.*                        LISTEN
tcp4       0      0  *.8009                  *.*                        LISTEN
tcp46      0      0  *.https                 *.*                        LISTEN
tcp46      0      0  *.http                  *.*                        LISTEN
tcp4       0      0  *.9080                  *.*                        LISTEN
tcp4       0      0  *.8180                  *.*                        LISTEN
tcp4       0      0  localhost.locald.postg  *.*                        LISTEN
tcp4       0      0  localhost.locald.rndc   *.*                        LISTEN
tcp4       0      0  localhost.locald.domai  *.*                        LISTEN
tcp4       0      0  192.168.1.109.domain    *.*                        LISTEN
tcp4       0      0  *.ssh                   *.*                        LISTEN
udp4       0      0  192.168.1.109.24889     ns1.ournameserver.net.53
udp4       0      0  *.51750                 *.*
udp4       0      0  localhost.locald.domai  *.*
udp4       0      0  192.168.1.109.domain    *.*
udp4       0      0  *.syslog                *.*




>
> > >> # Mail: SMTP & IMAP:
> > >> add allow tcp from any to any smtp in setup
> > >> add allow tcp from any to any imap in setup
> > >
>
>You're running SMTP and IMAP servers, verified as above?
>
>You see, this also allows you (as 'any') to connect to any outside SMTP
>server too. It really helps to differentiate connections into your box
>from those you're making to outside boxes, which these don't do.
>
>Have a close look at the 'simple' section in rc.firewall.

I have scanned various versions of "rc.firewall". I kinda understand
what is going on, but there are so many places that seem anti-intuitive
to me.

Also, what are the differences between running a script and loading
these rules on bootup?



>There are
>advantages to running a script such as that rather than rules in a file,
>like variable substitution, at least while getting it all working right.

I have mixed feelings about variables. I guess they make
it easier if you change a network card or IP addresses--you
only have to do it in one place.

However, a search and replace command doesn't take much
time at all. Also, they add a level of complexity to
a situation that (to me) is complex enough already.
And, I wonder if by not using variables, I can save a
few microseconds when processing traffic. ;^)



> > >> # FTP:
> > >> add allow tcp from any to any ftp in setup
> > >> add allow tcp from any to any ftp\-data in setup
> > >> add allow tcp from any ftp\-data to any setup out
> > >
>
>Mmm, I prefer using and enforcing FTP passive mode, but YMMV.

How would I do that? This guy doesn't think it's even
possible:
http://tinyurl.com/2z6ynr


> > >> # Allow NTP in and out
> > >> add allow udp from any ntp to 128.252.19.1 ntp out
> > >> add allow udp from 128.252.19.1 ntp to any ntp in
> > >
>
>Unless running a time service for other boxes, something like:
>
> allow udp from me to any ntp keep-state # or to a specific server

Well, I think that since NTP is such a minimal user
of resources, that I would like to rely on this
box for the correct time. That way, I don't have
to bug the stratum 1 boxes. Shall I use my original?


>
> > >> # Deny and log everything else:
> > >> add deny log all from any to any
> > >Bingo!
>
>Ok, so you got rid of interface 'all', great.

Is this better?

 add deny log ip from any to any

If so, I just don't understand this. Here is what the
"Fine Manual" says:

 ==================================================================
 protocol: [not] protocol-name | protocol-number
 An IP protocol specified by number or name (for a complete list
 see /etc/protocols), or one of the following keywords:

 ip4 | ipv4
 Matches IPv4 packets.

 ip6 | ipv6
 Matches IPv6 packets.

 ip | all
 Matches any packet.
 ==================================================================

According to this, "ip" and "all" are synonymous. Criminy!
What am I missing here?



> > >"ipfw -a list" may also help (packet counts).
>
>It's only a short ruleset, it may help us if you show the output of say
>'ipfw -t show' (or ipfw -at list, same thing), if you're still having
>problems, but see below re 'inness' and 'outness'.
>
> > I've been banging my head against this for the past few
> > days. I don't get it.
> >
> > My understanding of the way this is supposed to work is
> > that:
> >
> > # HTTP & HTTPS:
> > add allow tcp from any to any https in setup
> > add allow tcp from any to any http in setup
> >
> > should let initial HTTP & HTTPS requests through,
> > and that:
> >
> > # Allow established connections:
> > add allow tcp from any to any established
>
>Not quite. Looks like you're allowing http/https setup packets in (ie,
>into the firewall) but not letting them out (of the firewall, to the
>webserver). For example in the 'simple' ruleset mentioned, we have:
>
>        # Allow access to our WWW
>        ${fwcmd} add pass tcp from any to ${oip} 80 setup
>
>        # Reject&Log all setup of incoming connections from the outside
>        ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>        # Allow setup of any other TCP connection
>        ${fwcmd} add pass tcp from any to any setup

I really don't get the above rule. Isn't it saying that
*any* kind of TCP connection can come in or go out initially?



>Note there's no 'in' or 'out' on the port 80 rule, so this allows the
>packets on both the in and out pass of the firewall. Also, the IP is
>specified as our IP - 'me' will do fine if it's just this box.

In my set, should I include some "out" rules like this:

 add allow tcp from any to any https out setup
 add allow tcp from any to any http out setup


>
> > should allow connections that are "setup" to
> > continue. Do I need a "check-state" or "keep-state"
> > statement somewhere?
>
>No, though you can use stateful TCP rules if you want to, in which case
>you'll want to DENY established connections. Personally I find relying
>on the TCP state established by using 'setup' and 'established' fine for
>TCP, but tend to use keep-state for UDP and some ICMP rules.

That sounds reasonable.


> > I don't understand what is wrong with the last rule:
> >
> > # Deny and log everything else:
> > add deny log all from any to any
> >
> > My understanding is that anything that doesn't match
> > the previous rules will match this one and hence
> > be logged and denied. Is this not correct?
>
>That's correct. Aren't you seeing any? Try show rather than tell.

Showing:

# ipfw -a -S -N -t list
00100  688  173384 Thu Dec 20 15:32:17 2007 set 0 allow log logamount 10 ip from any to any via lo0
00200    0       0                          set 0 deny log logamount 10 ip from any to 127.0.0.0/8
00300    0       0                          set 0 deny log logamount 10 ip from 127.0.0.0/8 to any
00400 4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount 10 tcp from any to any established
00500    0       0                          set 0 deny log logamount 10 ip from any to any frag
00600    4     240 Wed Dec 19 23:05:31 2007 set 0 count icmp from any to any icmptypes 8 in
00700    8     480 Wed Dec 19 23:05:31 2007 set 0 allow log logamount 10 icmp from any to any icmptypes 0,3,8
00800    0       0                          set 0 allow log logamount 10 udp from any to any dst-port 33434-34458 in
00900    0       0                          set 0 allow log logamount 10 udp from any 33434-34458 to any out
01000  366   24038 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any to any dst-port domain out
01100  364   59582 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any domain to any in
01200    1      48 Thu Dec 20 16:49:47 2007 set 0 allow log logamount 10 tcp from any to any dst-port ssh in setup
01300    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port https in setup
01400    6     288 Thu Dec 20 14:43:38 2007 set 0 allow log logamount 10 tcp from any to any dst-port http in setup
01500   98    6272 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 tcp from any to any dst-port http
01600    1      64 Thu Dec 20 15:25:01 2007 set 0 allow log logamount 10 tcp from any to any dst-port https
01700    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port smtp in setup
01800    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port imap in setup
01900   43    2064 Wed Dec 19 23:16:18 2007 set 0 allow log logamount 10 tcp from any to any dst-port ftp in setup
02000    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port ftp-data in setup
02100    0       0                          set 0 allow log logamount 10 tcp from any ftp-data to any setup out
02200  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from any ntp to navobs1.wustl.edu dst-port ntp out
02300  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from navobs1.wustl.edu ntp to any dst-port ntp in
02400 2058  226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount 10 ip from any to any
65535    7     909 Wed Dec 19 22:58:29 2007 set 31 deny ip from any to any

Lot of stuff being denied. I think some of that
is my HTTP and HTTPS initial requests. What to do?

>
> > Again, I am having a great deal of difficulty
> > understanding why these rules don't work as expected.
> > I've scoured the 'Net and printed out just about
> > every coherent ruleset out there.
> >
> > Besides adding the "log" keyword on all of the rules,
> > these are the debugging tools I have been using:
> >
> > ipfw disable firewall
> > ipfw -f flush
> > ipfw enable firewall
> > /etc/rc.d/ipfw start
> > ipfw -a -S -N -t list
> > ipfw list
> > tail -f /var/log/ipfw/ipfw.log
> > tcpdump -i nve0 'proto \tcp && port http'
 netstat -finet -a
> >
> > Could anyone please throw this tired dog a bone?
>
>Getting the two-pass nature of ipfw understood seems to be your main
>difficulty.

I would definitely agree with you. I am completely lost.

By "two-pass" do you mean "in" to the firewall, and then
"in" to the webserver, and another "two-pass": "out" from the
webserver, and "out" from the firewall?


>I know it was for me back then. Have a look at the section
>in ipfw(8) regarding packet flows, and although it sounds trite, RTFM
>about 10 times :)
>
>Cheers, Ian

Love the "Fine Manual" --not! Just not enough examples for
me to understand everything. Too much abstraction--AAArrrrgh!

Am using this link, since "man ipfw" doesn't work on 6.2. (I dare
someone to explain to me how to get it to work):
http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8

Thanks for your help, Ian. Would appreciate it if you would
kick my butt in the proper direction again.

Any other takers/kickers?


Latest grope in the dark:
==================================================================
# ipfw.rules
# ipfw firewall ruleset
# 2007 Dec 20

# By default, everything is denied access. You
# need to specifically allow something for it
# to work.

# Loopback:
# Allow anything on the local loopback:
add allow log all from any to any via lo0

# Disallow spoofed access to local:
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any

# Allow established connections:
add allow log tcp from any to any established

# Deny fragmented packets:
add deny log ip from any to any frag

# Show pings:
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
add allow log icmp from any to any icmptypes 0,8,3

# Allow UDP traceroutes:
add allow log udp from any to any 33434-34458 in
add allow log udp from any 33434-34458 to any out

# Allow DNS with name server
add allow log udp from any to any domain out
add allow log udp from any domain to any in

# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow log tcp from any to any ssh in setup

# HTTP & HTTPS:
add allow log tcp from any to any https in setup
add allow log tcp from any to any http in setup

add allow log tcp from any to any dst-port 80
add allow log tcp from any to any dst-port 443

# Mail: SMTP & IMAP:
add allow log tcp from any to any smtp in setup
add allow log tcp from any to any imap in setup

# FTP:
add allow log tcp from any to any ftp in setup
add allow log tcp from any to any ftp\-data in setup
add allow log tcp from any ftp\-data to any setup out

# Allow NTP in and out
add allow log udp from any ntp to 128.252.19.1 ntp out
add allow log udp from 128.252.19.1 ntp to any ntp in


# Deny and log everything else:
# add deny log all from any to any
add deny log ip from any to any
==================================================================
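The "two-pass" point Ian keeps coming back to (every packet is checked once on its "in" pass and once on its "out" pass, first matching rule wins, `setup` only matches a bare SYN, `established` matches anything carrying ACK or RST, and a rule with neither `in` nor `out` matches on both passes) is easier to see by tracing packets through the ruleset than by reading the manual ten times. The following is an added example, not code from this thread or from FreeBSD's ipfw: a small model of ipfw's first-match evaluation loaded with W.D.'s "latest grope in the dark" ruleset above. It assumes the firewall is the web server itself (192.168.1.109, one interface, taken to be nve0 from W.D.'s tcpdump command, no NAT), ignores `log`, does not model `keep-state`, and every packet it traces is constructed sample traffic.

```python
# Added example (not code from the thread or from ipfw): a minimal model of
# ipfw's first-match rule evaluation, used to trace which rule of W.D.'s
# posted ruleset a packet hits on its "in" pass and on its "out" pass.
# Assumptions: host firewall on 192.168.1.109 with one interface nve0 and
# no NAT; 'log' is ignored; keep-state is not modelled; all packets below
# are constructed sample traffic.
import ipaddress
from dataclasses import dataclass

SERVICES = {"ssh": 22, "http": 80, "https": 443, "smtp": 25, "imap": 143,
            "ftp": 21, "ftp-data": 20, "domain": 53, "ntp": 123}
HOST_ADDRS = {"192.168.1.109", "127.0.0.1"}   # what 'me' expands to (assumed)

# W.D.'s "latest grope in the dark" ruleset, comments removed, in posted order.
RULESET = r"""
add allow log all from any to any via lo0
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any
add allow log tcp from any to any established
add deny log ip from any to any frag
add count icmp from any to any icmptypes 8 in
add allow log icmp from any to any icmptypes 0,8,3
add allow log udp from any to any 33434-34458 in
add allow log udp from any 33434-34458 to any out
add allow log udp from any to any domain out
add allow log udp from any domain to any in
add allow log tcp from any to any ssh in setup
add allow log tcp from any to any https in setup
add allow log tcp from any to any http in setup
add allow log tcp from any to any dst-port 80
add allow log tcp from any to any dst-port 443
add allow log tcp from any to any smtp in setup
add allow log tcp from any to any imap in setup
add allow log tcp from any to any ftp in setup
add allow log tcp from any to any ftp\-data in setup
add allow log tcp from any ftp\-data to any setup out
add allow log udp from any ntp to 128.252.19.1 ntp out
add allow log udp from 128.252.19.1 ntp to any ntp in
add deny log ip from any to any
"""

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str        # "in" or "out": which pass of the host firewall sees it
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S" = SYN only, "SA" = SYN+ACK, "A" = ACK
    iface: str = "nve0"
    icmptype: int = -1
    frag: bool = False

def parse_ports(tok):
    """'80', 'ssh' or '33434-34458' -> (lo, hi); None for non-port tokens."""
    if tok in SERVICES:
        return (SERVICES[tok], SERVICES[tok])
    lo, _, hi = tok.partition("-")
    if lo.isdigit() and (hi == "" or hi.isdigit()):
        return (int(lo), int(hi or lo))
    return None

def parse_rule(number, line):
    """add <action> [log] <proto> from <src> [ports] to <dst> [[dst-port] ports] [options]"""
    toks = [t for t in line.replace("\\", "").split() if t != "log"]
    rule = {"num": number, "action": toks[1], "src": toks[4], "sports": None,
            "proto": "ip" if toks[2] == "all" else toks[2], "dports": None, "opts": {}}
    i = 5
    if toks[i] != "to":                       # optional source port spec
        rule["sports"] = parse_ports(toks[i]); i += 1
    i += 1                                    # skip 'to'
    rule["dst"] = toks[i]; i += 1
    if i < len(toks) and toks[i] == "dst-port":
        i += 1
    if i < len(toks) and parse_ports(toks[i]):
        rule["dports"] = parse_ports(toks[i]); i += 1
    opts = rule["opts"]
    while i < len(toks):
        t = toks[i]; i += 1
        if t in ("in", "out"):
            opts["dir"] = t
        elif t == "via":
            opts["via"] = toks[i]; i += 1
        elif t == "icmptypes":
            opts["icmptypes"] = {int(x) for x in toks[i].split(",")}; i += 1
        elif t in ("setup", "established", "frag"):
            opts[t] = True
        else:
            raise ValueError(f"rule {number}: unsupported keyword {t!r}")
    return rule

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in HOST_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    o = rule["opts"]
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not addr_matches(rule["src"], pkt.src) or not addr_matches(rule["dst"], pkt.dst):
        return False
    if rule["sports"] and not rule["sports"][0] <= pkt.sport <= rule["sports"][1]:
        return False
    if rule["dports"] and not rule["dports"][0] <= pkt.dport <= rule["dports"][1]:
        return False
    if o.get("dir") and o["dir"] != pkt.direction:          # in/out pass
        return False
    if o.get("via") and o["via"] != pkt.iface:
        return False
    if o.get("setup") and not (pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags):
        return False
    if o.get("established") and not (pkt.proto == "tcp" and ("A" in pkt.flags or "R" in pkt.flags)):
        return False
    if o.get("frag") and not pkt.frag:
        return False
    if "icmptypes" in o and pkt.icmptype not in o["icmptypes"]:
        return False
    return True

def first_match(rules, pkt):
    """(rule number, action) of the first terminating match.  'count' rules
    match but do not terminate, as in ipfw; 65535 is the kernel's default deny."""
    for rule in rules:
        if rule_matches(rule, pkt) and rule["action"] != "count":
            return rule["num"], rule["action"]
    return 65535, "deny"

RULES = [parse_rule(100 * (i + 1), line)
         for i, line in enumerate(RULESET.strip().splitlines())]

def trace(pkt):
    num, action = first_match(RULES, pkt)
    print(f"{pkt.direction:>3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
          f" {pkt.flags:<2} => rule {num:05d} {action}")
    return num, action

if __name__ == "__main__":
    # A LAN browser opens http://192.168.1.109/: SYN on the in pass, SYN-ACK on the out pass.
    trace(Packet("tcp", "192.168.1.107", "192.168.1.109", "in", 3502, 80, "S"))
    trace(Packet("tcp", "192.168.1.109", "192.168.1.107", "out", 80, 3502, "SA"))
    # The server itself connects to a remote port 80: the direction-less
    # 'dst-port 80' rule matches on the out pass too (Ian's 'in'/'out' point).
    trace(Packet("tcp", "192.168.1.109", "198.51.100.10", "out", 50000, 80, "S"))
    # The server tries to deliver mail: no 'out setup' rule for 25 exists,
    # so the SYN falls through to the final deny and is logged there.
    trace(Packet("tcp", "192.168.1.109", "198.51.100.10", "out", 50001, 25, "S"))
    # Ian's warning: a UDP datagram with source port 53 reaches any UDP port.
    trace(Packet("udp", "203.0.113.5", "192.168.1.109", "in", 53, 51750))
    # Inbound ping: rule 600 counts it, evaluation continues to rule 700.
    trace(Packet("icmp", "192.168.1.107", "192.168.1.109", "in", icmptype=8))
```

Run it and compare the printed rule numbers with W.D.'s `ipfw -a -S -N -t list` output above: the box's own outbound SYN to port 25 landing on rule 02400 is the kind of traffic a default deny collects when every TCP rule is written `in setup`, and the source-port-53 datagram reaching port 51750 through rule 01100 is exactly the hole the stateless DNS rules leave that Ian's `keep-state` variant closes.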

From: Nash Nipples <trashy_bumper@yahoo.com>
To: freebsd-security@freebsd.org
Date: Mon, 24 Dec 2007 03:10:49 -0800 (PST)
Subject: Re: Fwd: Re: IPFW: Blocking me out. How to debug?
>Date: Sun, 23 Dec 2007 06:04:02 -0800 (PST)
>From: Nash Nipples
>To: freebsd-security@freebsd.org
>Subject: Re: IPFW: Blocking me out. How to debug?
>
>Dear W.D.
>
>oh come on. i have the same problem.

Which problem are we talking about?

cut and paste problem.

>cut and paste logic:
>
>#!/bin/sh
>#1. count packets
>#2. allow everything on lo0 (loopback)
>#3. slow down and deny packets to buffer overflow enabled daemons
>#3.5 to list all the buffer overflow enabled daemons use this sockstat -46ul
>#4. allow everything in and out on the Ethernet interface fxp0.
>Remember - wires are long things!

What does this mean?

this means that instead of speaking of policies it's rather more important to keep your wires safe

>#5. switch sshd to a different port like 55 and use keys to authenticate
>#6. do ipfw show every morning

Why?

you will be surprised but moving sshd to a non-standard port will make your logs cleaner instantly. it is really exciting to read the password files in your /var/log/auth.log but this again is a traffic and load issue. some people just think it's fun to abuse the sshd daemon.

so you better keep a hand on the heartbeat and maintain good backups. that's probably a thing to practice prior to the ipfw facility

>#7. do ipfw zero every evening or as often as your boss wants that

How about a cron job that sends out a report then zero's ipfw?

of course you can read reports. but you will become cron dependent. and that makes you look like a paper monkey.
plus someone will think you don't really hang on the box too often.

>#8. learn how to modify this script quickly just to plumb all the
>other things that leak

What other things?

there are always some things that you just can't predict at this very moment so you need to make decisions and, which is more important, take some actions. for example blocking out some script kiddie who's sending you a list of ftp passwords.

>#9. you cant block yourself out if you run this script with a trailing
>'&' e.g. sh /etc/ipfw.rules &

Hmmm. I'll have to try that. Would something like this
work to reload the rules?

ipfw disable firewall; sh /etc/ipfw.rules &

just sh /etc/ipfw.rules & that's enough to survive the ipfw -f flush and reload afterwards

>#TODO: write a program that sends bills to customers
>#BUGS: it cant smile
>
>cmd="/sbin/ipfw"
>ext1="fxp0"
>gentleports="21,25,514"

Why are these ports "gentle"?

all open ports are gentle and potentially insecure. if you are not using them for a reason don't leave them hanging open
those 3 ports are most likely to be left open. try sockstat -46ul to list em

>
>#accounting
>#i need these figures to see how bad things are going
>$cmd 100 count ip from any to any in via lo0
>$cmd 110 count ip from any to any out via lo0
>$cmd 120 count ip from any to any in via $ext1
>
>
>
>$cmd 130 count ip from any to any out via $ext1
>
>#if counters below grow too high u are screwed

How so?

there is such a thing as icmp tunnels. i don't really know how they work but i don't want someone to dig one through my box cuz i'm gonna have to pay for the traffic. keeping an eye on these counters will give you a hint when something wrong is happening.
the daily report you get by cron is a security funeral

> #this counter should not vary much comparing to the next one
>$cmd 210 count icmp from any to any out via $ext1

> #if there is an obvious difference someone's digging holes in the yard

What does this mean?

that means icmp tunnels and a sanity check. you shouldn't have more pings than tcp frames.
I'm only giving you basic ideas, emphasizing the importance of personal experience. the way you go from here is your own paranoid activity

> $cmd 220 count icmp from any to any in via $ext1
> #too much of dns.
>$cmd 230 count ip from any to any 53 out via $ext1
>$cmd 240 count ip from any to any 53 in via $ext1

Why too much?

because you want to remember how much dns you had at this time yesterday and how much dns you see now.
you might still have a chance to bump a worm or a trojan, isn't it cool? of course you can go the other way. and just say to your boss "oh i think we had a little too much dns last month". it's okay that most of the dns requests one day were pointless

>
>#if counters below grow too high you have screwed someone else

Who? Why?

sendmail freaked out. it couldn't have resolved something and kept trying. all night until you get the cron report. no one's fault. traffic wasted. what if someone was sending out spam? anywho for whatever reason.

>#oh yes. someone's got mail.
>$cmd 300 count ip from any to any 25 out via $ext1
>#which way did it go
>$cmd 310 count ip from any to any 25 via lo0
>
>#policy
>$cmd 1000 allow all from any to any via lo0
>/sbin/ipfw add 1110 pipe 1 ip from any to me $gentleports in via $ext1
>/sbin/ipfw pipe 1 config bw 1Kbit/s queue 1Kbytes
>
>$cmd 1120 deny ip from any to me $gentleports in via $ext1
>$cmd 1130 allow all from any to any via ext1
>#you will wonder but the next rule still has a match
>$cmd 1140 deny log all from any to any

What is it?

maybe i have made a few syntax mistakes but i like the idea here. allow everything on lo0.
set up a pipe (traffic shaper routine) to the ports you are trying to protect on $ext1. and reject on a slow link
what if there is some idiot who will just keep trying to access your syslog daemon all night on a gigabit link?

>
>I'm sorry but i cant draw pretty pictures to make it any more obvious

that's a statement

>
>Nash
See below.=0A>= >=0A>> > >> # Allow DNS with name server=0A>> > >> add allo= w udp from any to any domain out=0A>> > >> add allow udp from any d= omain to any in=0A>> > >Nope.=0A>>=0A>>You want to watch out here. This al= lows udp packets from any address=0A>>with source port 53 to connect with a= ny open udp port on your system,=0A>>and allows the responses as well. It'= s a simple matter using such as=0A>>netcat to source packets from port 53. = =0A>=0A>Should I restrict it by specifically stating the service?=0A>How ca= n I be safe? What would the rule look like? =0A>=0A>=0A>>I gather from thi= s that you're not running a DNS server yourself, but=0A>>using upstream ser= ver/s? In that case a stateful rule is safer:=0A>=0A>Again, I apologize fo= r not being clear. I will be running=0A>DNS on this box for the domains be= ing hosted. So, it will=0A>be polled whenever a request for a hosted domai= n is needed.=0A>=0A>=0A>=0A>> allow udp from me to any 53 keep-state =0A>>= =0A>>which allows after the return packets but denies connections not=0A>>i= nitiated from your box. =0A>>=0A>> > >> # SSH=0A>> > >> # = Note that /etc/hosts.allow has restrictions=0A>> > >> # on which I= P addresses are allowed.=0A>> > >> #=0A>> > >> # Allow SSH:= =0A>> > >> add allow tcp from any to any ssh in setup=0A>> > >=0A>>= =0A>>By 'ssh working', I guess you mean ssh connections to this box from=0A= >>elsewhere, rather than ssh connections from this box? Not clear.=0A>=0A>= Sorry! I am using SSH into this box, since it is easier to=0A>cut and past= e for editing and configuration.=0A>=0A>I can't really see a situation wher= e I would normally need to SSH=0A>outbound, can you? I use the Windoze box= es for that.=0A>=0A>=0A>> > >> # HTTP & HTTPS:=0A>> > >> ad= d allow tcp from any to any https in setup=0A>> > >> add allow tcp = from any to any http in setup=0A>> > >=0A>>=0A>>So, you have a webserver ru= nning on this box, listening on ports 80=0A> and=0A>>443? 
You've verified = with 'netstat -finet -a' that this is the case?=0A>=0A>Yes:=0A>=0A># netsta= t -finet -a=0A>Active Internet connections (including servers)=0A>Proto Rec= v-Q Send-Q Local Address Foreign Address =0A> (state)=0A>tc= p4 0 0 192.168.1.109.ssh 192.168.1.107.3502 =0A> ESTABL= ISHED=0A>tcp4 0 52 192.168.1.109.ssh 192.168.1.107.2266 = =0A> ESTABLISHED=0A>tcp4 0 0 *.poppassd *.* = =0A> LISTEN=0A>tcp4 0 0 *.ftp *.* = =0A> LISTEN=0A>tcp4 0 0 *.smtps = *.* =0A> LISTEN=0A>tcp4 0 0 *.smtp = *.* =0A> LISTEN=0A>tcp4 0 0 localhost.= locald.3000 *.* =0A> LISTEN=0A>tcp4 0 0 *.po= p3s *.* =0A> LISTEN=0A>tcp4 0 0= *.pop3 *.* =0A> LISTEN=0A>tcp4 0 = 0 *.imaps *.* =0A> LISTEN=0A>tcp4 = 0 0 *.imap *.* =0A> LISTEN=0A>t= cp4 0 0 *.8443 *.* =0A> LISTE= N=0A>tcp4 0 0 *.8880 *.* =0A> = LISTEN=0A>tcp4 0 0 *.3306 *.* = =0A> LISTEN=0A>tcp4 0 0 localhost.locald.8005 *.* = =0A> LISTEN=0A>tcp4 0 0 *.9008 *.* = =0A> LISTEN=0A>tcp4 0 0 *.8009 *.= * =0A> LISTEN=0A>tcp46 0 0 *.https = *.* =0A> LISTEN=0A>tcp46 0 0 *.http = *.* =0A> LISTEN=0A>tcp4 0 0 *.9080 = *.* =0A> LISTEN=0A>tcp4 0 0 *= .8180 *.* =0A> LISTEN=0A>tcp4 0 = 0 localhost.locald.postg *.* =0A> LISTEN=0A>tcp4 = 0 0 localhost.locald.rndc *.* =0A> LISTEN=0A>tcp4= 0 0 localhost.locald.domai *.* =0A> LISTEN= =0A>tcp4 0 0 192.168.1.109.domain *.* =0A> = LISTEN=0A>tcp4 0 0 *.ssh *.* = =0A> LISTEN=0A>udp4 0 0 192.168.1.109.24889 ns1.ournameserv= er.net.53=0A>udp4 0 0 *.51750 *.*=0A>udp4 = 0 0 localhost.locald.domai *.*=0A>udp4 0 0 192.168.1.109.= domain *.*=0A>udp4 0 0 *.syslog *.*=0A>=0A>=0A>= =0A>=0A>>=0A>> > >> # Mail: SMTP & IMAP:=0A>> > >> add allo= w tcp from any to any smtp in setup=0A>> > >> add allow tcp from an= y to any imap in setup=0A>> > >=0A>>=0A>>You're running SMTP and IMAP serve= rs, verified as above?=0A>>=0A>>You see, this also allows you (as 'any') to= connect to any outside=0A> SMTP=0A>>server too. 
It really helps to differ= entiate connections into your=0A> box=0A>>from those you're making to outsi= de boxes, which these don't do.=0A>> =0A>>Have a close look at the 'simple'= section in rc.firewall. =0A>=0A>I have scanned various versions of "rc.fi= rewall". I kinda understand=0A>what is going on, but there are so many pla= ces that seem=0A anti-intuitive=0A>to me.=0A>=0A>Also, what are the differe= nces between running a script and loading=0A>these rules on bootup? =0A>=0A= >=0A>=0A>>There are=0A>>advantages to running a script such as that rather = than rules in a=0A> file,=0A>>like variable substitution, at least while ge= tting it all working=0A> right. =0A>=0A>I have mixed feelings about variabl= es. I guess they make=0A>it easier if you change a network card or IP addr= esses--you=0A>only have to do it in one place. =0A>=0A>However, a search a= nd replace command doesn't take much=0A>time at all. Also, they add a leve= l of complexity to=0A>a situation that (to me) is complex enough already.= =0A>And, I wonder if by not using variables, I can save a=0A>few microsecon= ds when processing traffic. ;^)=0A>=0A>=0A>=0A>> > >> # FTP:=0A>> = > >> add allow tcp from any to any ftp in setup=0A>> > >> a= dd allow tcp from any to any ftp\-data in setup=0A>> > >> add allow= tcp from any ftp\-data to any setup out=0A>> > >=0A>>=0A>>Mmm, I prefer us= ing and enforcing FTP passive mode, but YMMV.=0A>=0A>How would I do that? = This guy doesn't think it's even =0A>possible:=0A>http://tinyurl.com/2z6ynr= =0A> =0A>=0A>> > >> # Allow NTP in and out=0A>> > >> add al= low udp from any ntp to 128.252.19.1 ntp out=0A>> > >> add allow ud= p from 128.252.19.1 ntp to any ntp in=0A>> > >=0A>>=0A>>Unless running a ti= me service for other boxes, something like:=0A>>=0A>> allow udp from me to= any ntp keep-state # or to a specific server=0A>=0A>Well, I think that sin= ce NTP is such a minimal user=0A>of resources, that I would like to rely on= this=0A>box for the correct time. 
That way, I don't have=0A>to bug the st= ratum 1 boxes. Shall I use my original?=0A>=0A>=0A>>=0A>> > >> # D= eny and log everything else:=0A>> > >> add deny log all from any to= any=0A>> > >Bingo!=0A>>=0A>>Ok, so you got rid of interface 'all', great.= =0A>=0A>Is this better?=0A>=0A> add deny log ip from any to any=0A> =0A>I= f so, I just don't understand this. Here is what the=0A>"Fine Manual" says= :=0A>=0A> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A> protocol: [not] proto= col-name | protocol-number=0A> An IP protocol specified by number or name = (for a complete list=0A> see /etc/protocols), or one of the following keyw= ords:=0A>=0A> ip4 | ipv4=0A> Matches IPv4 packets.=0A>=0A> ip6 |= ipv6=0A> Matches IPv6 packets.=0A>=0A> ip | all=0A> Match= es any packet.=0A> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A> = =0A>According to this, "ip" and "all" are synonymous. Criminy!=0A>What am= I missing here?=0A> =0A>=0A>=0A>> > >"ipfw -a list" may also help (packet= counts).=0A>>=0A>>It's only a short ruleset, it may help us if you show th= e output of=0A> say=0A>>'ipfw -t show' (or ipfw -at list, same thing), if y= ou're still having=0A>>problems, but see below re 'inness' and 'outness'.= =0A>>=0A>> > I've been banging my head against this for the past few=0A>> >= days. I don't get it. 
=0A>> > =0A>> > My understanding of the way this i= s supposed to work is=0A>> > that:=0A>> > =0A>> > # HTTP & HTTPS:=0A>> > = add allow tcp from any to any https in setup=0A>> > add allow tcp from = any to any http in setup=0A>> > =0A>> > should let initial HTTP & HTTPS req= uests through,=0A>> > and that:=0A>> > =0A>> > # Allow established connect= ions:=0A>> > add allow tcp from any to any established=0A>>=0A>>Not quite.= Looks like you're allowing http/https setup packets in=0A> (ie,=0A>>into = the firewall) but not letting them out (of the firewall, to the=0A>>webserv= er). For example in the 'simple' ruleset mentioned, we have:=0A>>=0A>> = # Allow access to our WWW=0A>> ${fwcmd} add pass tcp from any to= ${oip} 80 setup=0A>>=0A>> # Reject&Log all setup of incoming connec= tions from the=0A> outside=0A>> ${fwcmd} add deny log tcp from any t= o any in via ${oif} setup=0A>>=0A>> # Allow setup of any other TCP c= onnection=0A>> ${fwcmd} add pass tcp from any to any setup=0A>=0A>I = really don't get the above rule. Isn't it saying that=0A>*any* kind of TCP= connection can come in or go out initially?=0A>=0A>=0A>=0A>>Note there's n= o 'in' or 'out' on the port 80 rule, so this allows the=0A>>packets on both= the in and out pass of the firewall. Also, the IP is=0A>>specified as our= IP - 'me' will do fine if it's just this box. =0A>=0A>In my set, should I = include some "out" rules like this:=0A>=0A> add allow tcp from any to any = https out setup=0A> add allow tcp from any to any http out setup=0A> =0A>= =0A>>=0A>> > should allow connections that are "setup" to =0A>> > continue.= Do I need a "check-state" or "keep-state"=0A>> > statement somewhere?=0A>= >=0A>>No, though you can use stateful TCP rules if you want to, in which=0A= > case=0A>>you'll want to DENY established connections. Personally I find= =0A> relying=0A>>on the TCP state established by using 'setup' and 'establi= shed' fine=0A> for=0A>>TCP, but tend to use keep-state for UDP and some ICM= P rules. 
=0A>=0A>That sounds reasonable.=0A>=0A>=0A>> > I don't understand = what is wrong with the last rule:=0A>> > =0A>> > # Deny and log everythin= g else:=0A>> > add deny log all from any to any=0A>> > =0A>> > My underst= anding is that anything that doesn't match=0A>> > the previous rules will m= atch this one and hence=0A>> > be logged and denied. Is this not correct?= =0A>>=0A>>That's correct. Aren't you seeing any? Try show rather than tel= l.=0A>=0A>Showing:=0A>=0A># ipfw -a -S -N -t list=0A>00100 688 173384 Thu= Dec 20 15:32:17 2007 set 0 allow log logamount=0A> 10 ip from any to any v= ia lo0=0A>00200 0 0 set 0 deny log logamou= nt 10=0A> ip from any to 127.0.0.0/8=0A>00300 0 0 = set 0 deny log logamount 10=0A> ip from 127.0.0.0/8 to any=0A>00400= 4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount=0A> 10 tcp= from any to any established=0A>00500 0 0 = set 0 deny log logamount 10=0A> ip from any to any frag=0A>00600 4 2= 40 Wed Dec 19 23:05:31 2007 set 0 count icmp from any=0A> to any icmptypes = 8 in=0A>00700 8 480 Wed Dec 19 23:05:31 2007 set 0 allow log logamou= nt=0A> 10 icmp from any to any icmptypes 0,3,8=0A>00800 0 0 = set 0 allow log logamount=0A 10=0A> udp from any to any d= st-port 33434-34458 in=0A>00900 0 0 set 0 = allow log logamount=0A 10=0A> udp from any 33434-34458 to any out=0A>01000 = 366 24038 Fri Dec 21 00:02:00 2007 set 0 allow log logamount=0A> 10 udp = from any to any dst-port domain out=0A>01100 364 59582 Fri Dec 21 00:02:= 00 2007 set 0 allow log logamount=0A> 10 udp from any domain to any in=0A>0= 1200 1 48 Thu Dec 20 16:49:47 2007 set 0 allow log logamount=0A> 10= tcp from any to any dst-port ssh in setup=0A>01300 0 0 = set 0 allow log logamount=0A 10=0A> tcp from any to any dst-p= ort https in setup=0A>01400 6 288 Thu Dec 20 14:43:38 2007 set 0 all= ow log logamount=0A> 10 tcp from any to any dst-port http in setup=0A>01500= 98 6272 Fri Dec 21 00:02:00 2007 set 0 allow log logamount=0A> 10 tcp= from any to any dst-port 
http=0A>01600 1 64 Thu Dec 20 15:25:01 20= 07 set 0 allow log logamount=0A> 10 tcp from any to any dst-port https=0A>0= 1700 0 0 set 0 allow log logamount=0A 10= =0A> tcp from any to any dst-port smtp in setup=0A>01800 0 0 = set 0 allow log logamount=0A 10=0A> tcp from any to any = dst-port imap in setup=0A>01900 43 2064 Wed Dec 19 23:16:18 2007 set 0= allow log logamount=0A> 10 tcp from any to any dst-port ftp in setup=0A>02= 000 0 0 set 0 allow log logamount=0A 10=0A= > tcp from any to any dst-port ftp-data in setup=0A>02100 0 0 = set 0 allow log logamount=0A 10=0A> tcp from any ftp-da= ta to any setup out=0A>02200 100 7600 Thu Dec 20 23:47:00 2007 set 0 al= low log logamount=0A> 10 udp from any ntp to navobs1.wustl.edu dst-port ntp= out=0A>02300 100 7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamou= nt=0A> 10 udp from navobs1.wustl.edu ntp to any dst-port ntp in=0A>02400 20= 58 226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount=0A 10=0A> ip f= rom any to any=0A>65535 7 909 Wed Dec 19 22:58:29 2007 set 31 deny i= p from any to=0A> any=0A>=0A>Lot of stuff being denied. I think some of th= at=0A>is my HTTP and HTTPS initial requests. What to do?=0A>=0A>>=0A>> > A= gain, I am having a great deal of difficulty=0A>> > understanding why these= rules don't work as expected.=0A>> > I've scoured the 'Net and printed out= just about=0A>> > every coherent ruleset out there.=0A>> > =0A>> > Besides= adding the "log" keyword on all of the rules,=0A>> > these are the debuggi= ng tools I have been using:=0A>> > =0A>> > ipfw disable firewall=0A>> > = ipfw -f flush=0A>> > ipfw enable firewall=0A>> > /etc/rc.d/ipfw start= =0A>> > ipfw -a -S -N -t list=0A>> > ipfw list =0A>> > tail -f = /var/log/ipfw/ipfw.log=0A>> > tcpdump -i nve0 'proto \tcp && port http'= =0A> netstat -finet -a=0A>> > =0A>> > Could anyone please throw this t= ired dog a bone?=0A>>=0A>>Getting the two-pass nature of ipfw understood se= ems to be your main=0A>>difficulty. 
=0A>=0A>I would definitely agree with = you. I am completely lost.=0A>=0A>By "two-pass" do you mean "in" to the fi= rewall, and then=0A>"in" to the webserver, and another "two-pass": "out" fr= om the=0A>webserver, and "out" from the firewall?=0A>=0A>=0A>>I know it was= for me back then. Have a look at the section=0A>>in ipfw(8) regarding pac= ket flows, and although it sounds trite, RTFM=0A>>about 10 times :)=0A>>=0A= >>Cheers, Ian=0A>=0A>Love the "Fine Manual" --not! Just not enough example= s for=0A>me to understand everything. Too much abstraction--AAArrrrgh!=0A>= =0A>Am using this link, since "man ipfw" doesn't work on 6.2. (I dare=0A>s= omeone to explain to me how to get it to work):=0A>http://www.freebsd.org/c= gi/man.cgi?query=3Dipfw&sektion=3D8=0A>=0A>Thanks for your help, Ian. Woul= d appreciate it if you would=0A>kick my butt in the proper direction again.= =0A>=0A>Any other takers/kickers?=0A>=0A>=0A>Latest grope in the dark:=0A>= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A># ipfw.rules=0A># ipfw firewall = ruleset=0A># 2007 Dec 20=0A>=0A># By default, everything is denied access.= You=0A># need to specifically allow something for it=0A># to work.=0A>=0A= ># Loopback: =0A># Allow anything on the local loopback:=0A>add allow log a= ll from any to any via lo0=0A>=0A># Disallow spoofed access to local:=0A>ad= d deny log ip from any to 127.0.0.0/8=0A>add deny log ip from 127.0.0.0/8 t= o any=0A>=0A># Allow established connections:=0A>add allow log tcp from any= to any established=0A>=0A># Deny fragmented packets:=0A>add deny log ip fr= om any to any frag=0A>=0A># Show pings:=0A>add count icmp from any to any i= cmptypes 8 in=0A>=0A># Allow pings, ping replies, and host unreach:=0A>add = allow log icmp from any to any icmptypes 0,8,3=0A>=0A># Allow UDP tracerout= es:=0A>add allow log udp from any to any 
33434-34458 in=0A>add allow log ud= p from any 33434-34458 to any out=0A>=0A># Allow DNS with name server=0A>ad= d allow log udp from any to any domain out=0A>add allow log udp from any do= main to any in=0A>=0A># SSH=0A># Note that /etc/hosts.allow has restrictio= ns=0A># on which IP addresses are allowed.=0A>#=0A># Allow SSH:=0A>add all= ow log tcp from any to any ssh in setup=0A>=0A># HTTP & HTTPS:=0A>add allow= log tcp from any to any https in setup=0A>add allow log tcp from any to an= y http in setup=0A>=0A>add allow log tcp from any to any dst-port 80=0A>add= allow log tcp from any to any dst-port 443=0A>=0A># Mail: SMTP & IMAP:=0A>= add allow log tcp from any to any smtp in setup=0A>add allow log tcp from a= ny to any imap in setup=0A>=0A># FTP:=0A>add allow log tcp from any to any = ftp in setup=0A>add allow log tcp from any to any ftp\-data in setup=0A>add= allow log tcp from any ftp\-data to any setup out=0A>=0A># Allow NTP in an= d out=0A>add allow log udp from any ntp to 128.252.19.1 ntp out=0A>add allo= w log udp from 128.252.19.1 ntp to any ntp in=0A>=0A>=0A># Deny and log eve= rything else:=0A># add deny log all from any to any=0A>add deny log ip from= any to any=0A>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A>=0A>=0A>=0A>=0A>= =0A>Start Here to Find It Fast!=99 ->=0A> http://www.US-Webmasters.com/best= -start-page/=0A>$8.77 Domain Names -> http://domains.us-webmasters.com/=0A>= =0A>_______________________________________________=0A>freebsd-security@fre= ebsd.org mailing list=0A>http://lists.freebsd.org/mailman/listinfo/freebsd-= security=0A>To unsubscribe, send any mail to=0A> "freebsd-security-unsubscr= ibe@freebsd.org"=0A>=0A>=0A>=0A>=0A>=0A>=0A> =0A>_____________________= _________________________________________________=0A>______________=0A>Neve= r miss a thing. Make Yahoo your home page. 
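The rules quoted above, replayed in a small model of ipfw's first-match evaluation; this is an added example, not code from the thread or from FreeBSD. It shows which rule each packet hits on the firewall's "in" and "out" pass, and why the 'udp from any domain to any in' rule Ian warns about accepts a UDP packet with source port 53 aimed at syslog that his keep-state rule rejects. The box address 192.168.1.109 comes from W.D.'s netstat output; the peer addresses, ports and packets are constructed, and the ruleset is abridged to the rules needed here.

```python
"""Toy model of ipfw first-match evaluation: added example, not code from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ME = "192.168.1.109"  # this box's address, taken from W.D.'s netstat listing
SERVICES = {"ssh": 22, "domain": 53, "http": 80, "https": 443, "syslog": 514}
OPTIONS = {"in", "out", "setup", "established", "keep-state"}

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out", relative to the firewall
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

@dataclass
class Rule:
    number: int
    action: str             # allow | deny | count
    proto: str              # ip/all | tcp | udp
    src: str                # address, "me" or "any"
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    opts: set               # subset of OPTIONS

port = lambda tok: SERVICES.get(tok) or int(tok)   # service name or port number

def parse_rule(number: int, text: str) -> Rule:
    """Parse the ipfw syntax subset used in the thread (no 'via', no port ranges)."""
    w = [t for t in text.split() if t not in ("log", "dst-port")]  # 'log' is irrelevant here
    assert w[2] == "from"
    i = 4 + (w[4] != "to")                 # skip the optional source port
    sport = None if i == 4 else port(w[4])
    assert w[i] == "to"
    dst, i = w[i + 1], i + 2
    dport = None
    if i < len(w) and w[i] not in OPTIONS:
        dport, i = port(w[i]), i + 1
    opts = set(w[i:])
    if not opts <= OPTIONS:
        raise ValueError(f"unsupported keywords {opts - OPTIONS} in rule {number}")
    return Rule(number, w[0], w[1], w[3], sport, dst, dport, opts)

def addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr

def matches(r: Rule, p: Packet) -> bool:
    want_dir = r.opts & {"in", "out"}
    return (r.proto in ("ip", "all", p.proto)
            and addr_ok(r.src, p.src) and addr_ok(r.dst, p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and (not want_dir or p.direction in want_dir)
            and ("setup" not in r.opts or (p.syn and not p.ack))        # SYN without ACK
            and ("established" not in r.opts or p.ack))                 # ipfw also takes RST

class Firewall:
    def __init__(self, rules: List[Tuple[int, str]]):
        self.rules = [parse_rule(n, t) for n, t in rules]
        self.dynamic: Dict[tuple, int] = {}   # flow key -> rule that created the entry

    def process(self, p: Packet) -> Tuple[str, int]:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if "keep-state" in r.opts:        # implicit check-state at this point
                for key in (fwd, rev):
                    if key in self.dynamic:
                        return "allow", self.dynamic[key]
            if not matches(r, p) or r.action == "count":
                continue                      # count rules never end the search
            if "keep-state" in r.opts:
                self.dynamic[fwd] = r.number  # remember the flow; replies match 'rev'
            return r.action, r.number
        return "deny", 65535                  # the default rule

# Abridged from W.D.'s 'ipfw -a -S -N -t list' output, with his rule numbers.
WD_RULES = [(400, "allow tcp from any to any established"),
            (1000, "allow udp from any to any dst-port domain out"),
            (1100, "allow udp from any domain to any in"),
            (1400, "allow tcp from any to any dst-port http in setup"),
            (2400, "deny ip from any to any")]
# The same set with Ian's stateful rule in place of the two DNS rules.
STATEFUL_RULES = [WD_RULES[0], (1000, "allow udp from me to any 53 keep-state")] + WD_RULES[3:]

# Constructed traffic; the peers use TEST-NET addresses.
HTTP_SYN = Packet("tcp", "203.0.113.5", 40001, ME, 80, "in", syn=True)
HTTP_SYNACK = Packet("tcp", ME, 80, "203.0.113.5", 40001, "out", syn=True, ack=True)
DNS_QUERY = Packet("udp", ME, 24889, "198.51.100.53", 53, "out")
DNS_REPLY = Packet("udp", "198.51.100.53", 53, ME, 24889, "in")
FAKE_53 = Packet("udp", "203.0.113.9", 53, ME, 514, "in")   # source port 53, aimed at syslog

def replay(rules: List[Tuple[int, str]], packets: List[Packet]) -> List[Tuple[str, int]]:
    fw = Firewall(rules)                      # fresh state; the order of packets matters
    return [fw.process(p) for p in packets]
```

A box that also answers DNS queries, as W.D. says his will, still needs its own inbound rule for port 53; the stateful rule only covers queries this box sends out.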

From owner-freebsd-security@FreeBSD.ORG Tue Dec 25 15:08:32 2007
From: Gunther Mayer <gunther.mayer@googlemail.com>
To: freebsd-security@freebsd.org
Date: Tue, 25 Dec 2007 16:38:54 +0200
Message-ID: <477115FE.2070705@gmail.com>
Subject: ProPolice/SSP in 7.0

Hi there,

I'm still running 6.2 on various servers without any tweaks (GENERIC kernel, binary updates via freebsd-update etc.) but lots of ports (apache, postgresql, diablo-jdk etc.) and would like to use stack smashing protection in order to harden my boxes and avoid many potential exploits.

I've known about ProPolice/SSP for a while now (from the Gentoo world) and am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time after 7.0 is released I'd like to upgrade and apply SSP throughout kernel, userland and ports while I'm at it.

However, being an unsupported patchset and all, I have some concerns which I'd like some feedback on well before I embark on this project:

1. Will FreeBSD ever support SSP natively?
2. How good is the kernel patch and how many people out there are using it?
3. Does using the kernel and userland patch mean that I am eternally stuck to compiling from source if I want to keep SSP on all the time (gone are the days of freebsd-update luxury)?
4. What's the story with libssp? Jeremy reckons that it's a lost cause and causes more trouble than it's worth. Yet libssp seems to be the only thing that is actually fully integrated in 7.0

Gunther

From owner-freebsd-security@FreeBSD.ORG Wed Dec 26 15:50:34 2007
From: Gunther Mayer <gunther.mayer@googlemail.com>
To: freebsd-security@freebsd.org
Date: Wed, 26 Dec 2007 17:49:19 +0200
Message-ID: <477277FF.30504@googlemail.com>
Subject: ProPolice/SSP in 7.0

From owner-freebsd-security@FreeBSD.ORG Wed Dec 26 17:20:18 2007
From: Sevan / Venture37 <venture37@hotmail.com>
To: freebsd-security@freebsd.org
Date: Wed, 26 Dec 2007 17:08:14 +0000
In-Reply-To: <477277FF.30504@googlemail.com>
Subject: RE: ProPolice/SSP in 7.0

> 3. Does using the kernel and userland patch mean that I am eternally
> stuck to compiling from source if I want to keep SSP on all the
> time (gone are the days of freebsd-update luxury)?

You could always use another box to generate the builds & patches & point all your servers to the build box in the freebsd-update.conf to fetch patches.
http://www.searchgamesbox.com/tvtown.shtml= From owner-freebsd-security@FreeBSD.ORG Thu Dec 27 22:52:16 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6153B16A41B for ; Thu, 27 Dec 2007 22:52:16 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id DA8AA13C45B for ; Thu, 27 Dec 2007 22:52:14 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id C26FB209C; Thu, 27 Dec 2007 23:52:02 +0100 (CET) X-Spam-Tests: AWL X-Spam-Learn: disabled X-Spam-Score: -0.1/3.0 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on tim.des.no Received: from ds4.des.no (des.no [80.203.243.180]) by smtp.des.no (Postfix) with ESMTP id B57C4207E; Thu, 27 Dec 2007 23:52:02 +0100 (CET) Received: by ds4.des.no (Postfix, from userid 1001) id 9842084488; Thu, 27 Dec 2007 23:52:02 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Gunther Mayer References: <477277FF.30504@googlemail.com> Date: Thu, 27 Dec 2007 23:52:02 +0100 In-Reply-To: <477277FF.30504@googlemail.com> (Gunther Mayer's message of "Wed\, 26 Dec 2007 17\:49\:19 +0200") Message-ID: <86myrvhht9.fsf@ds4.des.no> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: ProPolice/SSP in 7.0 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Dec 2007 22:52:16 -0000 Gunther Mayer writes: > I've known about ProPolice/SSP for a while now (from the Gentoo world) > and am aware that FreeBSD 7.0 doesn't yet 
support it though I know of > Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Wrong. FreeBSD 7 has had SSP support since May; the patch you mention just turns it on by default. You can probably achieve the same effect by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Fri Dec 28 00:44:35 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4360316A418 for ; Fri, 28 Dec 2007 00:44:35 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 2C7B813C442 for ; Fri, 28 Dec 2007 00:44:34 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 3FABA4A765; Thu, 27 Dec 2007 19:44:34 -0500 (EST) Date: Fri, 28 Dec 2007 00:44:34 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= In-Reply-To: <86myrvhht9.fsf@ds4.des.no> Message-ID: <20071228004249.C43798@fledge.watson.org> References: <477277FF.30504@googlemail.com> <86myrvhht9.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="621616949-1225384271-1198802674=:43798" Cc: Gunther Mayer , freebsd-security@freebsd.org Subject: Re: ProPolice/SSP in 7.0 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Dec 2007 00:44:35 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. 
On Thu, 27 Dec 2007, Dag-Erling Smørgrav wrote:
> Gunther Mayer writes:
>> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
>> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
>> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>
> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention just
> turns it on by default. You can probably achieve the same effect by adding
> -fstack-protector to CFLAGS and COPTFLAGS in make.conf.

I'd very much like us to think about turning it on by default -- while stack protection is necessarily imperfect, it is increasingly considered a standard compiler feature to have enabled on operating systems. In fact, I know of relatively few that don't enable it by default...

Robert N M Watson
Computer Laboratory
University of Cambridge

From: Alexander Kabaev
Date: Thu, 27 Dec 2007 19:58:33 -0500
Subject: Re: ProPolice/SSP in 7.0

On Thu, 27 Dec 2007 23:52:02 +0100 Dag-Erling Smørgrav wrote:
> Gunther Mayer writes:
> > I've known about ProPolice/SSP for a while now (from the Gentoo
> > world) and am aware that FreeBSD 7.0 doesn't yet support it though
> > I know of Jeremy Le Hen's patches
> > (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>
> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention
> just turns it on by default. You can probably achieve the same effect
> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

Wrong.

Actually, FreeBSD 7 _compiler_ has SSP support, but a lot of necessary changes from Jeremy to enable it by default for 'make buildworld' and allow switching of SSP on/off for subsequent builds never made it to the tree.

--
Alexander Kabaev

From: Gunther Mayer
Date: Fri, 28 Dec 2007 14:24:47 +0200
Subject: Re: ProPolice/SSP in 7.0

Alexander Kabaev wrote:
> On Thu, 27 Dec 2007 23:52:02 +0100
> Dag-Erling Smørgrav wrote:
>> Gunther Mayer writes:
>>> I've known about ProPolice/SSP for a while now (from the Gentoo
>>> world) and am aware that FreeBSD 7.0 doesn't yet support it though
>>> I know of Jeremy Le Hen's patches
>>> (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>>
>> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention
>> just turns it on by default. You can probably achieve the same effect
>> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
>
> Wrong.
>
> Actually, FreeBSD 7 _compiler_ has SSP support, but a lot of necessary
> changes from Jeremy to enable it by default for 'make buildworld' and
> allow switching of SSP on/off for subsequent builds never made it to the
> tree.

That's what I thought. I'm not sure if CFLAGS and COPTFLAGS work the same for both ports and buildworld, but then again I don't know enough about FreeBSD's build system. Besides, I'm still waiting for some feedback regarding the kernel patch; I'm a bit hesitant to apply it in a production environment.

Another thing I'm wondering about: applying the patches and recompiling is all fair and well, but what do I do when I need to apply a security patch and there happens to be a merge conflict because I'm now working off a non-standard (patched) set of sources? I just want a hassle-free way to add SSP to my systems...

Btw, I second the motion of having SSP enabled by default in FreeBSD; other OS's have been doing this for years at a negligible performance overhead.
Gunther

From: Mike Silbersack
Date: Fri, 28 Dec 2007 20:20:20 -0600 (CST)
Subject: Re: ProPolice/SSP in 7.0

On Fri, 28 Dec 2007, Gunther Mayer wrote:
> Btw, I second the motion of having SSP enabled by default in FreeBSD, other
> OS's have been doing this for years at a negligible performance overhead.
>
> Gunther

It's too late to make that sort of change for FreeBSD 7.0, but I think that's a good goal for FreeBSD 8.0. Here's what I think you could do:

1. Verify that enabling SSP works properly.
2. Convince Kris Kennaway to run his mysql benchmarks on a FreeBSD 8 system both with and without SSP to verify that there is no significant slowdown.
3. Get it enabled on FreeBSD 8 by default.
4. Request that the change be made to FreeBSD 7.1 or 7.2 after it has proven to not cause problems on FreeBSD 8.

Since the subject came up, I just tried using it, and it's not giving me the results I expected. Take the following program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void overrun(void);

    int main(void)
    {
        overrun();
    }

    void overrun(void)
    {
        int x;
        char a[4];            /* four-byte stack buffer */
        int y;

        strcpy(a, "ABCDE");   /* deliberate overrun: six bytes, NUL included, into a[4] */
        printf("hi");
    }

If I compile it like so:

    > cc -g -fstack-protector-all overrun.c

The overrun is detected and the program is aborted.

    > ./a.out
    Abort (core dumped)

But if I compile it like so:

    > cc -g -fstack-protector overrun.c

The overrun is not caught.

    > ./a.out
    hi>

Either I'm doing something wrong, or we have gcc misconfigured and it's not detecting that strcpy is a function which needs to be watched closely.

Mike "Silby" Silbersack
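The difference Mike observed is gcc's instrumentation heuristic rather than a misconfiguration: plain -fstack-protector only adds a canary to functions that call alloca or hold a char array of at least ssp-buffer-size bytes (8 by default), so a char[4] is left unguarded, while -fstack-protector-all guards every function. The script below is an added check, not code from the thread: it compiles a constructed variant of overrun.c with a chosen buffer size to assembly and greps for the __stack_chk_fail call the canary check generates, assuming a cc, gcc or clang on the path.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the compiler put a stack
# canary into a function under a given -fstack-protector flag, by compiling a
# constructed overrun.c variant to assembly and looking for __stack_chk_fail.
# Assumption: gcc's default ssp-buffer-size is 8, so plain -fstack-protector
# skips functions whose only char array is shorter than 8 bytes.

find_cc() {
    for c in cc gcc clang; do
        if command -v "$c" >/dev/null 2>&1; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# ssp_canary SIZE FLAG: prints "yes" if overrun() gets a canary with FLAG,
# "no" if it does not, "skip" if no working C compiler is on the path.
ssp_canary() {
    size=$1
    flag=$2
    cc=$(find_cc) || { echo skip; return 0; }
    dir=$(mktemp -d) || return 1
    # Constructed test program: the thread's overrun.c with the buffer length
    # made a parameter so the instrumentation threshold can be probed.
    cat >"$dir/overrun.c" <<EOF
#include <stdio.h>
#include <string.h>
void overrun(const char *src)
{
    char a[$size];
    strcpy(a, src);   /* unchecked copy: the caller decides the length */
    printf("%s\n", a);
}
EOF
    result=skip
    if "$cc" -O0 -S "$flag" -o "$dir/overrun.s" "$dir/overrun.c" 2>/dev/null; then
        if grep -q -e stack_chk_fail -e stack_smash_handler "$dir/overrun.s"; then
            result=yes
        else
            result=no
        fi
    fi
    rm -rf "$dir"
    echo "$result"
}

# Stand-alone run: the thread's 4-byte buffer next to one at the 8-byte
# threshold, under both flags Mike tried.
for f in -fstack-protector -fstack-protector-all; do
    printf '%-22s char[4]: %-5s char[8]: %s\n' "$f" \
        "$(ssp_canary 4 "$f")" "$(ssp_canary 8 "$f")"
done
```

Grepping the assembly (or a linked binary's symbols) for __stack_chk_fail is also the quickest way to audit whether a build actually carried the flag through CFLAGS.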