From owner-freebsd-security Mon Apr 8 11:28:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116]) by hub.freebsd.org (Postfix) with ESMTP id 6DBCD37B433 for ; Mon, 8 Apr 2002 11:28:05 -0700 (PDT)
Received: from phoenix.vh.laserfence.net ([192.168.0.10]) by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1) id 16udqq-0003EG-00; Mon, 08 Apr 2002 20:26:48 +0200
Date: Mon, 8 Apr 2002 20:26:48 +0200 (SAST)
From: Willie Viljoen
X-X-Sender: will@phoenix.vh.laserfence.net
To: "Peter C. Lai"
Cc: Michael Sharp,
Subject: Re: Berkley Packet Filter
In-Reply-To: <20020408181419.9260.qmail@d188h80.mcb.uconn.edu>
Message-ID: <20020408202441.W3388-100000@phoenix.vh.laserfence.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

My advice on BPF would be to use it selectively. It can come in very handy for certain tasks, amongst other things doing security audits on your own network, as apps like nmap and most sniffers need BPF.

As for servers, I would _NEVER_ really turn it on, unless there is a very specific need for its use. Also, run at securelevel 1 or higher, to prevent somebody with a root shell from loading BPF-like modules into your kernel.

Servers should never be using things like DHCP or PPP (unless they happen to be dial-in servers), and you should not be using your servers to run network security audits.

In short summary, I would say: For a security administrator's workstation, turn it on. For anything else, turn it off.

Will

On Mon, 8 Apr 2002, Peter C. Lai wrote:

> disabling bpf only prevents someone from running a sniffer on
> *your* box should they obtain a shell. I don't see how disabling
> it prevents nmap from running syn/fin scans.
>
> Furthermore, if someone obtains a root shell, they could just
> load a kernel module to enable bpf-like capabilities.
>
> In addition, disabling bpf also breaks DHCP (and/or PPP?). If your host gets
> an IP via DHCP (e.g. you are running dhclient(1)) you need to enable bpf.
>
> Michael Sharp writes:
>
> > It is my understanding that if you comment OUT the bpf line in the kernel
> > and re-compile, this disables things like nmap and prevents a sniffer from
> > running on the network * easily * correct?
> >
> > The reason I put * easily * in there is because I am aware of other ways to
> > bypass bpf, but I believe disabling would defeat 99% of the script kiddies.
> >
> > Michael
>
> -----------
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542 (Room)
> 860.486.1899 (Lab)
> 203.206.3784 (Cellphone)

--
Willie Viljoen
Private IT Consultant
214 Paul Kruger Avenue
Universitas
Bloemfontein
9321
South Africa
+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27
will@laserfence.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
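The rule of thumb argued out in the thread (servers: no bpf in the kernel unless dhclient/ppp needs it, and kern.securelevel at 1 or higher so a root shell cannot kldload a BPF-like module; a security admin's workstation: keep bpf), turned into a posture check. This is an added example, not code from the thread or from FreeBSD. The function names bpf_verdict and collect_posture and the action labels are assumptions of the example; sysctl kern.securelevel, the /dev/bpf* nodes and the dhclient/ppp process names are the real FreeBSD pieces the thread refers to.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the rule of thumb above into a
# check: on a server, BPF should be absent unless something on the box needs it,
# and kern.securelevel must be >= 1 or a root shell can simply kldload a
# sniffer-capable module. The decision logic takes plain values so it can be
# exercised anywhere; collect_posture() reads the real values on FreeBSD.

# bpf_verdict ROLE SECURELEVEL BPF_PRESENT NEEDS_BPF
#   ROLE        : "server" or "workstation"
#   SECURELEVEL : kern.securelevel (-1, 0, 1, 2, 3)
#   BPF_PRESENT : 1 if /dev/bpf* exists (kernel built with bpf), else 0
#   NEEDS_BPF   : 1 if dhclient or ppp is running (they need BPF), else 0
# Prints a comma-separated list of actions, or OK if nothing needs changing.
bpf_verdict() {
    role=$1 securelevel=$2 bpf_present=$3 needs_bpf=$4
    actions=""

    case $role in
    workstation)
        # Security admin's workstation: nmap and sniffers need BPF, keep it.
        [ "$bpf_present" -eq 1 ] || actions="ENABLE_BPF"
        ;;
    server)
        # Without securelevel >= 1 a root shell can load a BPF-like module,
        # so removing bpf from the kernel buys nothing on its own.
        if [ "$securelevel" -lt 1 ]; then
            actions="RAISE_SECURELEVEL"
        fi
        if [ "$bpf_present" -eq 1 ]; then
            if [ "$needs_bpf" -eq 1 ]; then
                # DHCP/PPP on a server is itself questionable, but pulling
                # bpf out from under a running dhclient would break networking.
                actions="${actions:+$actions,}KEEP_BPF_NEEDED"
            else
                actions="${actions:+$actions,}DISABLE_BPF"
            fi
        fi
        ;;
    *)
        echo "unknown role: $role" >&2
        return 2
        ;;
    esac

    printf '%s\n' "${actions:-OK}"
}

# collect_posture: read the real values on a FreeBSD host (sysctl, ls and pgrep
# are all in the base system). Prints "SECURELEVEL BPF_PRESENT NEEDS_BPF".
collect_posture() {
    sl=$(sysctl -n kern.securelevel 2>/dev/null) || sl=-1
    if ls /dev/bpf* >/dev/null 2>&1; then present=1; else present=0; fi
    if pgrep dhclient >/dev/null 2>&1 || pgrep ppp >/dev/null 2>&1; then
        needs=1
    else
        needs=0
    fi
    printf '%s %s %s\n' "$sl" "$present" "$needs"
}

# Usage: sh bpf_posture.sh server|workstation
# Only runs when invoked with a role argument, so the functions can be sourced.
if [ $# -eq 1 ]; then
    set -- "$1" $(collect_posture)
    bpf_verdict "$@"
fi
```

A server at kern.securelevel 0 with bpf compiled in and no dhclient gets RAISE_SECURELEVEL,DISABLE_BPF; the same box with dhclient running gets RAISE_SECURELEVEL,KEEP_BPF_NEEDED, which is the DHCP caveat Peter raises. Note that securelevel only blocks module loading once it is raised; set it from /etc/rc.conf so it is in force before any interactive login.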