From owner-freebsd-security Sun Jun 16 16:20:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA26335 for security-outgoing; Sun, 16 Jun 1996 16:20:58 -0700 (PDT)
Received: from mojo.calyx.net (root@mojo.calyx.net [204.137.148.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA26330 for ; Sun, 16 Jun 1996 16:20:54 -0700 (PDT)
Received: from localhost (twc@localhost) by mojo.calyx.net (8.7.5/8.7.3) with SMTP id TAA09034 for ; Sun, 16 Jun 1996 19:20:48 -0400 (EDT)
Date: Sun, 16 Jun 1996 19:20:48 -0400 (EDT)
From: TWC
To: freebsd-security@freebsd.org
Subject: Secure way to do mail
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi. I have been trying to come up with a (more) secure way to do email.
I was wondering if it was possible, as far as anyone knows, to have smap
(from the TIS firewall toolkit) answer on port 25, take the mail, then hand
it over directly to procmail (which would be setuid) for local delivery.
Then sendmail could be non-setuid and still used for outgoing email.

My reason for not using the standard smap implementation (smap takes the
incoming mail, then smapd collects and runs sendmail on it) is that I'd
like to leave a setuid sendmail out of the equation entirely. Local users
could still exploit it, and there are certain sendmail holes that could be
a problem even in a non-interactive chroot'ed environment.
--
-- TWC -- twc@netpimp.com --

From owner-freebsd-security Sun Jun 16 16:36:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA28054 for security-outgoing; Sun, 16 Jun 1996 16:36:42 -0700 (PDT)
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA28043 for ; Sun, 16 Jun 1996 16:36:36 -0700 (PDT)
Received: from palmer.demon.co.uk (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-1) with ESMTP id AAA26498; Mon, 17 Jun 1996 00:35:12 +0100 (BST)
To: TWC
cc: freebsd-security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: Secure way to do mail
In-reply-to: Your message of "Sun, 16 Jun 1996 19:20:48 EDT."
Date: Mon, 17 Jun 1996 00:35:11 +0100
Message-ID: <26496.834968111@palmer.demon.co.uk>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

TWC wrote in message ID :

> 
> Hi. I have been trying to come up with a (more) secure way to do email.
> I was wondering if it was possible as far as anyone knows to have smap
> (from the TIS firewall toolkit) answer on port 25, take the mail, then hand
> it over directly to procmail (which would be setuid) for local delivery.
> Then sendmail could be non-setuid and still used for outgoing email.

No, you can't do that, as procmail is only a delivery agent. sendmail (or
some other MTA) is still needed for the address parsing abilities.

> My reason for not using the standard smap implementation (smap takes the
> incoming mail then smapd collects and runs sendmail on it) is that I'd
> like to leave a setuid sendmail out of the equation entirely. Local users
> could still exploit it, and there are certain sendmail holes that could be
> a problem even in a non-interactive chroot'ed environment.

Why not still use procmail for local delivery and leave sendmail
non-suid? Won't that fit your requirements?
You can configure sendmail to use procmail rather than mail.local for
delivery...

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sun Jun 16 19:48:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA06614 for security-outgoing; Sun, 16 Jun 1996 19:48:11 -0700 (PDT)
Received: from mojo.calyx.net (mojo.calyx.net [204.137.148.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA06608; Sun, 16 Jun 1996 19:48:06 -0700 (PDT)
Received: from localhost (twc@localhost) by mojo.calyx.net (8.7.5/8.7.3) with SMTP id WAA10812; Sun, 16 Jun 1996 22:47:20 -0400 (EDT)
Date: Sun, 16 Jun 1996 22:47:20 -0400 (EDT)
From: TWC
To: Gary Palmer
cc: TWC , freebsd-security@FreeBSD.ORG
Subject: Re: Secure way to do mail
In-Reply-To: <26496.834968111@palmer.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

--
-- TWC -- twc@netpimp.com --

On Mon, 17 Jun 1996, Gary Palmer wrote:

> TWC wrote in message ID
> :
> 
> > 
> > My reason for not using the standard smap implementation (smap takes the
> > incoming mail then smapd collects and runs sendmail on it) is that I'd
> > like to leave a setuid sendmail out of the equation entirely. Local users
> > could still exploit it, and there are certain sendmail holes that could be
> > a problem even in a non-interactive chroot'ed environment.
> 
> Why not still use procmail for local delivery and leave sendmail
> non-suid? Won't that fit your requirements? You can configure sendmail
> to use procmail rather than mail.local for delivery...

Doesn't sendmail need to be setuid at least to bind to the privileged
port?
I'm under the impression that starting it from inetd is a "bad
idea" in that inetd craps out when many connections are opened at once (a
situation that happens commonly as lists come into our shell machine.)

I have procmail installed now as the sendmail local delivery agent. I was
hoping to somehow take advantage of smap's extreme simplicity. I like the
idea of a very simple, reliable, solidly coded program answering on port
25.

> 
> Gary
> --
> Gary Palmer FreeBSD Core Team Member
> FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info
> 

From owner-freebsd-security Sun Jun 16 21:29:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA11707 for security-outgoing; Sun, 16 Jun 1996 21:29:59 -0700 (PDT)
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA11701 for ; Sun, 16 Jun 1996 21:29:51 -0700 (PDT)
Received: from palmer.demon.co.uk (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-1) with ESMTP id FAA26932; Mon, 17 Jun 1996 05:29:17 +0100 (BST)
To: TWC
cc: freebsd-security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: Secure way to do mail
In-reply-to: Your message of "Sun, 16 Jun 1996 22:47:20 EDT."
Date: Mon, 17 Jun 1996 05:29:15 +0100
Message-ID: <26930.834985755@palmer.demon.co.uk>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

TWC wrote in message ID :

> Doesn't sendmail need to be setuid at least to bind to the privileged
> port? I'm under the impression that starting it from inetd is a "bad
> idea" in that inetd craps out when many connections are opened at once (a
> situation that happens commonly as lists come into our shell machine.)

I was meaning that you use SMAP as the mail collection agent to pass
through to a non-setuid sendmail, and use procmail for local delivery.
There is no way to keep an MTA out of the equation, I'm afraid.
> I have procmail installed now as the sendmail local delivery agent. I was
> hoping to somehow take advantage of smap's extreme simplicity. I like the
> idea of a very simple, reliable, solidly coded program answering on port
> 25.

See above. But because smap is so simple, it cannot do half the work that
sendmail actually does, and you still need to invoke a much more complicated
piece of code than either smap or procmail.

If you hate sendmail so much tho, there are alternative MTA's you can use.
smail, MMDF and PP all spring to mind, and a friend recently pointed me at
qmail as a new MTA. (you'll have to archie for these, sorry)

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sun Jun 16 22:47:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA14583 for security-outgoing; Sun, 16 Jun 1996 22:47:47 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA14578 for ; Sun, 16 Jun 1996 22:47:45 -0700 (PDT)
Received: from bunghole.dunn.org (bunghole.dunn.org [206.158.7.243]) by ns2.harborcom.net (8.7.4/8.6.12) with SMTP id BAA05549; Mon, 17 Jun 1996 01:47:43 -0400 (EDT)
Message-Id: <199606170547.BAA05549@ns2.harborcom.net>
Comments: Authenticated sender is
From: "Bradley Dunn"
Organization: Harbor Communications
To: TWC
Date: Mon, 17 Jun 1996 01:43:44 -0500
Subject: Re: Secure way to do mail
Reply-to: dunn@harborcom.net
CC: freebsd-security@FreeBSD.ORG
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Wait a sec... Doesn't sendmail bind to port 25 during startup, at which
point it is invoked by root from rc, right? Why would it need to be setuid
if it is being run by root?
On 16 Jun 96 at 22:47, TWC wrote:

> Doesn't sendmail need to be setuid at least to bind to the
> privileged port? I'm under the impression that starting it from
> inetd is a "bad idea" in that inetd craps out when many connections
> are opened at once (a situation that happens commonly as lists come
> into our shell machine.)

Bradley Dunn
Harbor Communications -- www.haborcom.net

From owner-freebsd-security Fri Jun 21 00:34:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA29289 for security-outgoing; Fri, 21 Jun 1996 00:34:47 -0700 (PDT)
Received: from uu.elvisti.kiev.ua (acc0.elvisti.kiev.ua [193.125.28.132]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA29190 for ; Fri, 21 Jun 1996 00:34:01 -0700 (PDT)
Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.129]) by uu.elvisti.kiev.ua (8.7.5/8.7.3) with ESMTP id KAA09969 for ; Fri, 21 Jun 1996 10:44:32 +0300 (EET DST)
Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id KAA26711 for security@freebsd.org; Fri, 21 Jun 1996 10:44:32 +0300
From: "Andrew V. Stesin"
Message-Id: <199606210744.KAA26711@office.elvisti.kiev.ua>
Subject: split-brain DNS (fwd) -- anyone cares to look and comment?
To: security@freebsd.org
Date: Fri, 21 Jun 1996 10:44:32 +0300 (EET DST)
X-Mailer: ELM [version 2.4 PL24alpha5]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Forwarded message:

From: "Marcus J. Ranum"
Message-Id: <199606202017.QAA23317@clark.net>
Subject: split-brain DNS
To: Firewalls@GreatCircle.COM
Date: Thu, 20 Jun 1996 16:17:21 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve Bellovin writes:
> The split-brain DNS is a problem when you have a domain and
> subdomains behind the firewall. The solution we know is to declare
> the DNS server of the parent domain as a secondary server for every
> existing subdomain. This solution is not really great since we can't
> resolve Internet names from a subdomain.
> We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> but no improvement seems to be done...
> 
> There will be a paper by Bill Cheswick and myself addressing some of
> these issues, to be presented at the Usenix UNIX Security Conference 7/22-25.

I just recently got sick of the problem, and did a short term hack that
works pretty nicely. Basically, you extend the syntax of resolv.conf to
include specifiers saying "this domain resolves against this server" and
run all the applications on the firewall linked against the modified
resolver library. The firewall runs a nameserver with a partial database
that is public, and you insert patterns telling the firewall's
applications to resolve yourdomain.domain against your internal
nameserver. It just works.

I've put a brief write-up of how it works, and a patch file (against some
version or other of bind), on http://www.clark.net/pub/mjr under the
section entitled "stuff." It's completely unsupported, etc, etc. Do not
take internally, consult a doctor if accidentally ingested, etc, etc.

mjr.

--
With best regards -- Andrew Stesin.
+380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560
"You may delegate authority, but not responsibility."
Frank's Management Rule #1.

From owner-freebsd-security Sat Jun 22 06:53:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA01042 for security-outgoing; Sat, 22 Jun 1996 06:53:42 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA01037 for ; Sat, 22 Jun 1996 06:53:40 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id JAA24925 for ; Sat, 22 Jun 1996 09:50:50 -0400 (EDT)
Date: Sat, 22 Jun 1996 09:51:50 -0400 (EDT)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: IPFW vs. IP Filter?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm setting up a FreeBSD-based firewall here, and my original plan
was to go with IPFW in the kernel. However, it seems there isn't any
recent documentation for it (both the man page and the handbook entry
are out of date). IP Filter 3.0.4 (http://coombs.anu.edu.au/~avalon/)
also looks very nice, and Andrew Stesin recently recommended it here.

Should I disable IPFW in the kernel and put IP Filter in its place
then, or can (should?) the two coexist? My main beef is that the IPFW
documentation is rather lacking, and /usr/src/sbin/ipfw/ipfw.c isn't
helpfully commented. Suggestions appreciated. Thanks.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Jun 22 08:19:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA10353 for security-outgoing; Sat, 22 Jun 1996 08:19:35 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA10331 for ; Sat, 22 Jun 1996 08:19:20 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id RAA05233; Sat, 22 Jun 1996 17:19:04 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606221519.RAA05233@gvr.win.tue.nl>
Subject: Re: IPFW vs. IP Filter?
To: taob@io.org (Brian Tao)
Date: Sat, 22 Jun 1996 17:19:02 +0200 (MET DST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: from Brian Tao at "Jun 22, 96 09:51:50 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Brian Tao wrote:
> I'm setting up a FreeBSD-based firewall here, and my original plan
> was to go with IPFW in the kernel. However, it seems there isn't any
> recent documentation for it (both the man page and the handbook entry
> are out of date). IP Filter 3.0.4 (http://coombs.anu.edu.au/~avalon/)
> also looks very nice, and Andrew Stesin recently recommended it here.
> 
> Should I disable IPFW in the kernel and put IP Filter in its place
> then, or can (should?) the two coexist? My main beef is that the IPFW
> documentation is rather lacking, and /usr/src/sbin/ipfw/ipfw.c isn't
> helpfully commented. Suggestions appreciated. Thanks.

I have a router with both ipfilter and ipfw. However, it is an early
version of ipfilter. I think it can cooperate well, though I haven't looked
at the sources recently. You can ask Daren Reed, the author of
ipfilter (avalon@coombs.anu.edu.au). I think he's also using FreeBSD
these days.
-Guido

From owner-freebsd-security Sat Jun 22 08:58:02 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA14329 for security-outgoing; Sat, 22 Jun 1996 08:58:02 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA14322 for ; Sat, 22 Jun 1996 08:57:58 -0700 (PDT)
Message-Id: <199606221557.IAA14322@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA263449054; Sun, 23 Jun 1996 01:57:34 +1000
From: Darren Reed
Subject: Re: IPFW vs. IP Filter?
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Sun, 23 Jun 1996 01:57:34 +1000 (EST)
Cc: taob@io.org, freebsd-security@FreeBSD.org
In-Reply-To: <199606221519.RAA05233@gvr.win.tue.nl> from "Guido van Rooij" at Jun 22, 96 05:19:02 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Guido van Rooij, sie said:
> 
> Brian Tao wrote:
> > I'm setting up a FreeBSD-based firewall here, and my original plan
> > was to go with IPFW in the kernel. However, it seems there isn't any
> > recent documentation for it (both the man page and the handbook entry
> > are out of date). IP Filter 3.0.4 (http://coombs.anu.edu.au/~avalon/)
> > also looks very nice, and Andrew Stesin recently recommended it here.
> > 
> > Should I disable IPFW in the kernel and put IP Filter in its place
> > then, or can (should?) the two coexist? My main beef is that the IPFW
> > documentation is rather lacking, and /usr/src/sbin/ipfw/ipfw.c isn't
> > helpfully commented. Suggestions appreciated. Thanks.
> 
> I have a router with both ipfilter and ipfw. However, it is an early
> version of ipfilter. I think it can cooperate well, though I haven't looked
> at the sources recently. You can ask Daren Reed, the author of

There's 2 r's in Darren :-)

> ipfilter (avalon@coombs.anu.edu.au). I think he's also using FreeBSD
> these days.

He is indeed (but currently bitching about how Linux kernels - 2.0 - still
build in a brain dead fashion, so you can rest easy there, folks).

It is quite possible that both could be put on and work (ipfilter & ipfw).
It might make it a bit difficult on the human side to work out which is
doing what, however, so I'd be tempted to use one or the other.

Cheers,
Darren

From owner-freebsd-security Sat Jun 22 09:44:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA17804 for security-outgoing; Sat, 22 Jun 1996 09:44:01 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA17787 for ; Sat, 22 Jun 1996 09:43:59 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by who.cdrom.com (8.6.12/8.6.11) with ESMTP id JAA27454 for ; Sat, 22 Jun 1996 09:43:57 -0700
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id MAA25903; Sat, 22 Jun 1996 12:39:45 -0400 (EDT)
Date: Sat, 22 Jun 1996 12:40:44 -0400 (EDT)
From: Brian Tao
To: Darren Reed
cc: FREEBSD-SECURITY-L
Subject: Re: IPFW vs. IP Filter?
In-Reply-To: <199606221557.LAA16392@io.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Darren Reed wrote:
> 
> It might make it a bit difficult on the human side to work out which
> is doing what, however, so I'd be tempted to use one or the other.

Yeah... I think I'm going to try ipfilter out, since some of the
local NetBSD security folks in town recommend it highly. Now to figure
out how to get it installed here. I'm not grokking how lkm's are
supposed to be built... the INSTALL.xBSD instructions don't work. I'll
fiddle with it some more before I pester you with more questions. :)

BTW, this is in the ipfw man page:

| There is one kind of packet that the firewall will always discard, that
| is an IP fragment with a fragment offset of one. This is a valid packet,
| but it only has one use, to try to circumvent firewalls.

I assume ipfilter does this as well?
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Jun 22 10:22:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA20228 for security-outgoing; Sat, 22 Jun 1996 10:22:07 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA20217 for ; Sat, 22 Jun 1996 10:22:05 -0700 (PDT)
Message-Id: <199606221722.KAA20217@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA279424114; Sun, 23 Jun 1996 03:21:54 +1000
From: Darren Reed
Subject: Re: IPFW vs. IP Filter?
To: taob@io.org (Brian Tao)
Date: Sun, 23 Jun 1996 03:21:53 +1000 (EST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Jun 22, 96 12:40:44 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Brian Tao, sie said:
> 
> BTW, this is in the ipfw man page:
> 
> | There is one kind of packet that the firewall will always discard, that
> | is an IP fragment with a fragment offset of one. This is a valid packet,
> | but it only has one use, to try to circumvent firewalls.
> 
> I assume ipfilter does this as well?

Not automatically, but you can tell it to do so.

In the author's mind, there might be occasions where you don't want to
discard those packets, although you probably want to know they existed.
Darren

From owner-freebsd-security Sat Jun 22 10:32:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA20794 for security-outgoing; Sat, 22 Jun 1996 10:32:20 -0700 (PDT)
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA20725 for ; Sat, 22 Jun 1996 10:31:38 -0700 (PDT)
Received: from palmer.demon.co.uk (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-2) with ESMTP id SAA19363; Sat, 22 Jun 1996 18:26:59 +0100 (BST)
To: Brian Tao
cc: FREEBSD-SECURITY-L
From: "Gary Palmer"
Subject: Re: IPFW vs. IP Filter?
In-reply-to: Your message of "Sat, 22 Jun 1996 09:51:50 EDT."
Date: Sat, 22 Jun 1996 18:26:58 +0100
Message-ID: <19361.835464418@palmer.demon.co.uk>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Brian Tao wrote in message ID :

> I'm setting up a FreeBSD-based firewall here, and my original plan
> was to go with IPFW in the kernel. However, it seems there isn't any
> recent documentation for it (both the man page and the handbook entry
> are out of date).

I thought Alex Nash recently updated both? Have you tried our WWW
pages to get the latest version?

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.
See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sat Jun 22 10:52:38 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA23174 for security-outgoing; Sat, 22 Jun 1996 10:52:38 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA23169; Sat, 22 Jun 1996 10:52:35 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id NAA26264; Sat, 22 Jun 1996 13:49:42 -0400 (EDT)
Date: Sat, 22 Jun 1996 13:50:41 -0400 (EDT)
From: Brian Tao
To: Gary Palmer
cc: FREEBSD-SECURITY-L
Subject: Re: IPFW vs. IP Filter?
In-Reply-To: <19361.835464418@palmer.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 22 Jun 1996, Gary Palmer wrote:
> 
> I thought Alex Nash recently updated both? Have you tried our WWW
> pages to get the latest version?

Nope, not AFAIK. I'm checking my local copy of the Web site
(http://www.io.org/freebsd/), which is mirrored from wcarchive's
/pub/FreeBSD/FreeBSD-current/www/data directory every night. The man
page in -current's ipfw is dated Feb 24, 1996 (which is what my
2.2-SNAP machines say). The default /etc/rc.firewalls script needs
updating too.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Jun 22 12:44:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA04831 for security-outgoing; Sat, 22 Jun 1996 12:44:29 -0700 (PDT)
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA04825; Sat, 22 Jun 1996 12:44:21 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id OAA15871; Sat, 22 Jun 1996 14:41:55 -0500 (CDT)
Date: Sat, 22 Jun 1996 14:41:55 -0500 (CDT)
Message-Id: <199606221941.OAA15871@zen.nash.org>
From: Alex Nash
To: taob@io.org
Cc: gpalmer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW vs. IP Filter?
Reply-to: nash@mcs.com
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > I thought Alex Nash recently updated both? Have you tried our WWW
> > pages to get the latest version?
> 
> Nope, not AFAIK. I'm checking my local copy of the Web site
> (http://www.io.org/freebsd/), which is mirrored from wcarchive's
> /pub/FreeBSD/FreeBSD-current/www/data directory every night. The man
> page in -current's ipfw is dated Feb 24, 1996 (which is what my
> 2.2-SNAP machines say). The default /etc/rc.firewalls script needs
> updating too.
That's not a current -current :)

# ls -l /usr/src/sbin/ipfw/ipfw.8
-rw-r--r-- 1 root wheel 7396 Jun 15 18:01 /usr/src/sbin/ipfw/ipfw.8

Alex

From owner-freebsd-security Sat Jun 22 13:32:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA07419 for security-outgoing; Sat, 22 Jun 1996 13:32:43 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA07409 for ; Sat, 22 Jun 1996 13:32:37 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id QAA27055; Sat, 22 Jun 1996 16:29:43 -0400 (EDT)
Date: Sat, 22 Jun 1996 16:30:42 -0400 (EDT)
From: Brian Tao
To: nash@mcs.com
cc: FREEBSD-SECURITY-L
Subject: Re: IPFW vs. IP Filter?
In-Reply-To: <199606221941.OAA15871@zen.nash.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 22 Jun 1996, Alex Nash wrote:
> 
> That's not a current -current :)
> 
> # ls -l /usr/src/sbin/ipfw/ipfw.8
> -rw-r--r-- 1 root wheel 7396 Jun 15 18:01 /usr/src/sbin/ipfw/ipfw.8

Ah, that's the one I have in my mirror... on closer inspection, it *is*
newer than the ones on my 2.2-SNAP servers. :) I just nroff'd it and
looked at the date in the page footers (which still say "February 24,
1996"). My mistake.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Jun 22 15:16:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA13221 for security-outgoing; Sat, 22 Jun 1996 15:16:04 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA13180 for ; Sat, 22 Jun 1996 15:15:57 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id AAA06193; Sun, 23 Jun 1996 00:15:23 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606222215.AAA06193@gvr.win.tue.nl>
Subject: Re: IPFW vs. IP Filter?
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Sun, 23 Jun 1996 00:15:22 +0200 (MET DST)
Cc: taob@io.org, freebsd-security@FreeBSD.org
In-Reply-To: <199606221558.RAA05319@gvr.win.tue.nl> from Darren Reed at "Jun 23, 96 01:57:34 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> 
> It might make it a bit difficult on the human side to work out which is doing
> what, however, so I'd be tempted to use one or the other.

We use ipfilter for filtering and ipfw to do accounting. Is there accounting
in the latest version of ipfilter, DarRen? (;-))

-Guido

From owner-freebsd-security Sat Jun 22 15:54:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA14599 for security-outgoing; Sat, 22 Jun 1996 15:54:44 -0700 (PDT)
Received: from uu.elvisti.kiev.ua (acc0.elvisti.kiev.ua [193.125.28.132]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA14569 for ; Sat, 22 Jun 1996 15:54:03 -0700 (PDT)
Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.129]) by uu.elvisti.kiev.ua (8.7.5/8.7.3) with ESMTP id CAA16051; Sun, 23 Jun 1996 02:05:19 +0300 (EET DST)
Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id CAA15185; Sun, 23 Jun 1996 02:05:14 +0300
From: "Andrew V. Stesin"
Message-Id: <199606222305.CAA15185@office.elvisti.kiev.ua>
Subject: Re: IPFW vs. IP Filter?
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Sun, 23 Jun 1996 02:05:13 +0300 (EET DST)
Cc: taob@io.org, freebsd-security@FreeBSD.org
In-Reply-To: <199606221722.KAA20217@freefall.freebsd.org> from "Darren Reed" at Jun 23, 96 03:21:53 am
X-Mailer: ELM [version 2.4 PL24alpha5]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

# 
# In some mail from Brian Tao, sie said:
# > 
# > BTW, this is in the ipfw man page:
# > 
# > | There is one kind of packet that the firewall will always discard, that
# > | is an IP fragment with a fragment offset of one. This is a valid packet,
# > | but it only has one use, to try to circumvent firewalls.
# > 
# > I assume ipfilter does this as well?
# 
# Not automatically, but you can tell it to do so.
# 
# In the author's mind, there might be occasions where you don't want to
# discard those packets although you probably want to know they existed.
# 
# Darren
# 

Hello people,

as for me, I'm happy with IPfilter so far and have observed only two
noticeable problems yet:

1. Sending TCP RST in reply to unsolicited TCP SYN
   didn't work. That was solved, thanks Darren,
   but I'm not 100% sure that this patch is included
   in the 3.0.4 distribution.

2. With the "in-kernel" version, "log body" doesn't work for
   me; I discovered the fact too late, when fighting
   with crashes of our firewall. Disabling all "log body"
   clauses in filtering rules cured those mysterious crashes,
   too; the firewall has been working for weeks now, as I see.
   Now that I'm just 90% sure I found the source of the trouble,
   which tortured me for weeks, it's probably time to
   go check where exactly it lives.

Building IPfilter. Generally the instructions worked for me; I did
minor modifications to the makefiles to suit my local needs. Then

	cd FreeBSD; kinstall; cd BSD; make all install

was the correct sequence, I recall.

--
With best regards -- Andrew Stesin.
+380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560
"You may delegate authority, but not responsibility."
Frank's Management Rule #1.

From owner-freebsd-security Sat Jun 22 20:19:51 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA26051 for security-outgoing; Sat, 22 Jun 1996 20:19:51 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA26042 for ; Sat, 22 Jun 1996 20:19:47 -0700 (PDT)
Message-Id: <199606230319.UAA26042@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA088349977; Sun, 23 Jun 1996 13:19:37 +1000
From: Darren Reed
Subject: Re: IPFW vs. IP Filter?
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Sun, 23 Jun 1996 13:19:37 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199606222215.AAA06193@gvr.win.tue.nl> from "Guido van Rooij" at Jun 23, 96 00:15:22 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Guido van Rooij, sie said:
> 
> > 
> > It might make it a bit difficult on the human side to work out which is
> > doing what, however, so I'd be tempted to use one or the other.
> 
> We use ipfilter for filtering and ipfw to do accounting. Is there accounting
> in the latest version of ipfilter, DarRen? (;-))

;) Yes.

Darren

From owner-freebsd-security Sat Jun 22 21:52:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA29604 for security-outgoing; Sat, 22 Jun 1996 21:52:40 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA29599 for ; Sat, 22 Jun 1996 21:52:38 -0700 (PDT)
Message-Id: <199606230452.VAA29599@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA108135467; Sun, 23 Jun 1996 14:51:07 +1000
From: Darren Reed
Subject: Re: IPFW vs. IP Filter?
To: stesin@elvisti.kiev.ua (Andrew V. Stesin)
Date: Sun, 23 Jun 1996 14:51:07 +1000 (EST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199606222305.CAA15185@office.elvisti.kiev.ua> from "Andrew V. Stesin" at Jun 23, 96 02:05:13 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Andrew V. Stesin, sie said:
[...]
> 1. Sending TCP RST in reply to unsolicited TCP SYN
>    didn't work. That was solved, thanks Darren,
>    but I'm not 100% sure that this patch is included
>    in the 3.0.4 distribution.
Just a minor nit: you can send a TCP RST in reply to any TCP packet except
one containing an RST (feedback loop :-).

> 2. With the "in-kernel" version, "log body" doesn't work for
>    me; I discovered the fact too late, when fighting
>    with crashes of our firewall. Disabling all "log body"
>    clauses in filtering rules cured those mysterious crashes,
>    too; the firewall has been working for weeks now, as I see.
>    Now that I'm just 90% sure I found the source of the trouble,
>    which tortured me for weeks, it's probably time to
>    go check where exactly it lives.

Thanks, I'll have a look too.

Darren
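Two of the filtering decisions argued over in the IPFW vs. IP Filter thread above are easier to see in code than in prose: the "fragment offset of one" packet that the ipfw man page quoted by Brian Tao says is always discarded, and Darren Reed's nit that a filter may answer any TCP segment with a RST except one that itself carries RST. The C below is an added example written for this archive; it is not code from ipfw, from IP Filter, or from anyone on the list. The packet builder, the verdict names, the `verdict_for` helper and the 192.0.2.x addresses are all constructed for the example; the header layouts are the ones in RFC 791 and RFC 793, and the reason offset one is dangerous is the overlap attack described in RFC 1858.

```c
/*
 * Added example, not from the list or from ipfw/ipfilter: two packet
 * filter decisions written out so the rules are concrete.
 *
 *  1. An IPv4 fragment with fragment offset 1 is dropped outright.  Offset
 *     is counted in 8-byte units, so such a fragment rewrites bytes 8..15
 *     of the transport header on reassembly.  For TCP that covers the data
 *     offset and flags bytes (12 and 13), so a harmless-looking first
 *     fragment can pass a SYN check and the offset-one fragment then turns
 *     it into something else (RFC 1858).
 *  2. A "block and return RST" rule answers any TCP segment except one that
 *     already carries RST; two such filters facing each other would
 *     otherwise trade RSTs forever (Darren Reed's nit).
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FRAG_MF      0x2000u   /* "more fragments" bit of the IPv4 frag field */
#define FRAG_OFFMASK 0x1fffu   /* 13-bit fragment offset, in 8-byte units     */
#define TCP_FLAG_SYN 0x02u
#define TCP_FLAG_RST 0x04u
#define TCP_FLAG_ACK 0x10u

/* NO_MATCH means "this rule does not apply; later rules decide". */
enum verdict { NO_MATCH = 0, DROP = 1, DROP_AND_RST = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Fragment offset of an IPv4 header, in 8-byte units (0 for a first/only fragment). */
unsigned ip_frag_offset(const uint8_t *ip) { return rd16(ip + 6) & FRAG_OFFMASK; }

/* The one fragment the ipfw man page says the firewall always discards. */
int is_offset_one_fragment(const uint8_t *ip) { return ip_frag_offset(ip) == 1; }

/*
 * Apply a "block unsolicited TCP and answer with RST" rule to one datagram.
 * When a RST is owed, the offending segment's TCP flags are left in *flags_out
 * so the caller can build the reply (flags are all the reply logic needs here).
 */
enum verdict filter_tcp_with_rst(const uint8_t *pkt, size_t len, uint8_t *flags_out)
{
    if (len < 20) return DROP;                            /* shorter than an IPv4 header */
    unsigned ihl = (pkt[0] & 0x0fu) * 4u;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || len < ihl) return DROP;

    if (is_offset_one_fragment(pkt)) return DROP;         /* rule 1: no legitimate use */

    if (pkt[9] != 6) return NO_MATCH;                     /* not TCP: not this rule's job */
    if (ip_frag_offset(pkt) != 0) return NO_MATCH;        /* later fragment, no TCP header to judge */

    if (len < ihl + 14) return DROP;                      /* truncated TCP header */
    uint8_t flags = pkt[ihl + 13];
    if (flags_out) *flags_out = flags;

    if (flags & TCP_FLAG_RST) return DROP;                /* rule 2: never RST a RST */
    return DROP_AND_RST;
}

/* Build a minimal IPv4+TCP datagram (constructed test data; documentation addresses). */
size_t build_ipv4_tcp(uint8_t *buf, size_t cap, uint16_t frag_field, uint8_t tcp_flags)
{
    const size_t ihl = 20, thl = 20;
    if (cap < ihl + thl) return 0;
    memset(buf, 0, ihl + thl);
    buf[0] = 0x45;                                        /* version 4, IHL 5 words */
    wr16(buf + 2, (uint16_t)(ihl + thl));                 /* total length */
    wr16(buf + 6, frag_field);                            /* flags + fragment offset */
    buf[8] = 64;                                          /* TTL */
    buf[9] = 6;                                           /* protocol: TCP */
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 1; /* src 192.0.2.1 */
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 2; /* dst 192.0.2.2 */
    wr16(buf + ihl + 0, 40000);                           /* source port */
    wr16(buf + ihl + 2, 25);                              /* destination port: smtp */
    buf[ihl + 12] = 0x50;                                 /* data offset 5 words */
    buf[ihl + 13] = tcp_flags;
    return ihl + thl;
}

/* Build one datagram and run it through the rule. */
enum verdict verdict_for(uint16_t frag_field, uint8_t tcp_flags)
{
    uint8_t pkt[64];
    size_t n = build_ipv4_tcp(pkt, sizeof pkt, frag_field, tcp_flags);
    return filter_tcp_with_rst(pkt, n, NULL);
}

int main(void)
{
    static const struct { const char *what; uint16_t frag; uint8_t flags; } cases[] = {
        { "unsolicited SYN",            0,                        TCP_FLAG_SYN },
        { "incoming RST/ACK",           0,                        TCP_FLAG_RST | TCP_FLAG_ACK },
        { "first fragment of a SYN",    FRAG_MF,                  TCP_FLAG_SYN },
        { "offset-one fragment",        FRAG_MF | 1,              0 },
        { "later fragment (offset 2)",  2,                        0 },
    };
    static const char *names[] = { "no match", "drop", "drop + send RST" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s -> %s\n", cases[i].what, names[verdict_for(cases[i].frag, cases[i].flags)]);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it; the table it prints is the whole policy. Two choices are deliberate: the offset-one test runs before the protocol test, because the attack works against any transport header, and later fragments (offset 2 and up) fall through as NO_MATCH rather than being dropped, which is the behaviour Darren describes for IP Filter: you opt in to discarding them and meanwhile you still want them logged.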