From owner-freebsd-security@FreeBSD.ORG Mon Nov 17 15:10:09 2003
From: Peter Radcliffe
To: FreeBSD Security List
Date: Mon, 17 Nov 2003 18:10:07 -0500
Message-ID: <20031117231007.GL4132@pir.net>
Subject: Hang on boot with 4.9-STABLE

Yet another hang on boot issue with 4.9. I haven't seen anything the
same go through the list and I've searched the archives but not found
anything appropriate.

Box that has been rock solid under 4.8-P3, took it to 4.9-R and
4.9-STABLE (as of today) and it hangs on boot after the apm0
line. It's doing SMP and the motherboard has hyperthreading enabled.

It won't break out to the kernel debugger so I can't get a kernel dump.

Clues ? Known issue ?

P.

FreeBSD 4.9-STABLE #6: Mon Nov 17 18:02:33 EST 2003
    pir@falcon:/usr/src/sys/compile/SWORKS
Timecounter "i8254"  frequency 1193182 Hz
CPU: Intel(R) XEON(TM) CPU 2.40GHz (2395.92-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf24  Stepping = 4
  Features=0x3febfbff
  Hyperthreading: 2 logical CPUs
real memory  = 1073217536 (1048064K bytes)
avail memory = 1041133568 (1016732K bytes)
Programming 24 pins in IOAPIC #0
IOAPIC #0 intpin 2 -> irq 0
Programming 24 pins in IOAPIC #1
Programming 24 pins in IOAPIC #2
FreeBSD/SMP: Multiprocessor motherboard: 4 CPUs
 cpu0 (BSP): apic id:  0, version: 0x00050014, at 0xfee00000
 cpu1 (AP):  apic id:  1, version: 0x00050014, at 0xfee00000
 cpu2 (AP):  apic id:  6, version: 0x00050014, at 0xfee00000
 cpu3 (AP):  apic id:  7, version: 0x00050014, at 0xfee00000
 io0 (APIC): apic id:  2, version: 0x00178020, at 0xfec00000
 io1 (APIC): apic id:  3, version: 0x00178020, at 0xfec80000
 io2 (APIC): apic id:  4, version: 0x00178020, at 0xfec80400
Preloaded elf kernel "kernel" at 0xc03cc000.
Warning: Pentium 4 CPU: PSE disabled
Pentium Pro MTRR support enabled
md0: Malloc disk
Using $PIR table, 24 entries at 0xc00fde40
apm0: on motherboard

-- 
pir

From owner-freebsd-security@FreeBSD.ORG Mon Nov 17 15:50:23 2003
From: Jason Sopko
To: security@freebsd.org
Date: Mon, 17 Nov 2003 18:50:09 -0500
Message-ID: <3FB95EB1.9070707@sopko.net>
In-Reply-To: <20031117231007.GL4132@pir.net>
Subject: Re: Hang on boot with 4.9-STABLE

Peter Radcliffe wrote:
> Yet another hang on boot issue with 4.9. I haven't seen anything the
> same go through the list and I've searched the archives but not found
> anything appropriate.
>
> Box that has been rock solid under 4.8-P3, took it to 4.9-R and
> 4.9-STABLE (as of today) and it hangs on boot after the apm0
> line. It's doing SMP and the motherboard has hyperthreading enabled.
>
> It won't break out to the kernel debugger so I can't get a kernel dump.
>
> Clues ? Known issue ?

What does this have to do with FreeBSD security?

///Jason

From owner-freebsd-security@FreeBSD.ORG Mon Nov 17 16:14:17 2003
From: Peter Radcliffe
To: security@freebsd.org
Date: Mon, 17 Nov 2003 19:14:15 -0500
Message-ID: <20031118001415.GB15325@pir.net>
In-Reply-To: <3FB95EB1.9070707@sopko.net>
Subject: Re: Hang on boot with 4.9-STABLE

Jason Sopko probably said:
> What does this have to do with FreeBSD security?

Sorry, list-replied to the wrong message, it was intended for -stable.

P.
-- 
pir

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 12:36:37 2003
From: OpenMacNews
To: freebsd-security@freebsd.org
Date: Fri, 21 Nov 2003 12:36:13 -0800
Subject: how to get IPFW rules for SMTP server behind NAT server "right"?

hi all,

i've been struggling with setting appropriate rules for an SMTP-server
behind my NAT'd firewall.

it's not that there is too little info on the web -- or here, for that
matter -- there's scads of it for seemingly endless configs/req'ts --
none that seem to be exactly my own.

bottom line: i'm a bit confused, and looking for some experienced advice.

my goals (for now) are to:

(a) setup my firewall as tight as possible -- deny, then allow
(b) log all transactions
(c) keep the firewall as performance efficient as possible.

(yes, i recognize that these may 'tug' at one another ...)

my question: what are the most appropriate ipfw rules for SMTP traffic
to meet my goals above?

here's my environment:

-- i have three machines in this scenario: a gateway, a mail server,
   and a client
-- all boxes are running OSX 10.2.8
-- Gateway/Firewall is the kernel's BSD ipfw(8)
-- gateway box has two ethernet interfaces

inif="en1"           # internal gateway interface name
exif="en2"           # external gateway interface name
innr="10.0.0.0/24"   # LOCAL network range
inip="10.0.0.1"      # gateway's internal (NAT) IP address
exip="any"

gateway_server="10.0.0.1"  # the gateway/firewall box, 2 interfaces
smtp_server="10.0.0.2"     # SMTP server behind NAT firewall
client_machine="10.0.0.3"  # a client machine inside the NAT firewall

i've launched NATD as follows:

/usr/sbin/natd \
  -interface ${exif} -dynamic -port 8668 \
  -log -log_denied \
  -unregistered_only \
  -use_sockets \
  -redirect_port tcp ${smtp_server}:25 25

the SMTP server listens ONLY on port 25, IP address = 10.0.0.2

currently, my SMTP ipfw rules are as follows (snip'd from my startup script)

=============================================
# allow connections to/from internal smtp_server
ipfw add 7000 allow log tcp from any to ${smtp_server} 25
ipfw add 7001 allow log tcp from ${smtp_server} 25 to any

# allow clients to communicate with external smtp servers
ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
=============================================

it seems to me that everything's working. question is, are these too
open, too closed, incomplete, risky, etc?

i appreciate any comments/suggestions y'all may have!

thanks,

richard

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 13:01:34 2003
From: OpenMacNews
To: freebsd-security@freebsd.org
Date: Fri, 21 Nov 2003 13:01:25 -0800
Message-ID: <2147483647.1069419685@[172.30.11.6]>
In-Reply-To: <200311212048.hALKmNCM061651@bunrab.catwhisker.org>
Subject: Re: how to get IPFW rules for SMTP server behind NAT server "right"?

-- On Friday, November 21, 2003 12:48 PM -0800 "David Wolfskill -
david@catwhisker.org" wrote:

David, thanks for your reply!

>> i've been struggling with setting appropriate rules for an SMTP-server
>> behind my NAT'd firewall.
>
> OK....
>
>> currently, my SMTP ipfw rules are as follows (snip'd from my startup
>> script)
>
>> =============================================
>> # allow connections to/from internal smtp_server
>> ipfw add 7000 allow log tcp from any to ${smtp_server} 25
>
> I suggest appending " setup" to that. Unless I'm very confused, you
> don't really want to see *every* incoming SMTP packet -- just those that
> initiate an SMTP conversation. (Note that -- at least in FreeBSD -- the
> mail traffic gets logged to /var/log/maillog anyway.)
>
>> ipfw add 7001 allow log tcp from ${smtp_server} 25 to any
>
> Again, you may wish to append " setup" to that, for the same reasons.
>
> In conjunction with the above, you'd likely want to (silently) permit
> "established" connections.

hadn't dawned on me to do this, so:

ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
ipfw add 7003 allow tcp from ${smtp_server} 25 to any established

right?

>> # allow clients to communicate with external smtp servers
>> ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
>> ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
>
> Why? Wouldn't you want them to send their mail to your internal mail
> server, which would then send it out?

usually, yes BUT, sometimes i want to be able to use a local LAN mail
client to directly access an offsite SMTP server.

my understanding is that usually a client uses "high ports" to
communicate to those servers at THEIR port 25 -- just like to my
internal svr, but internal lan traffic is "all open"

in this case would you recommend the "setup & established" approach as
above?

>> it seems to me that everything's working. question is, are these too
>> open, too closed, incomplete, risky, etc?
>
> Have you actually looked at your security log?

yes i have of course, i've had little DENIED on port 25 ( and a LOT of
entries ....)

other than servers/connection attempts that clearly are failing SMTP
'transactions', i'm frankly not sure what to look for for 'unauthorized'
access to port25/my server ... because of its "open" nature, what are
the legit triggers for "suspicious" activity for SMTP?

> Peace,
> david
> -- 

cheers,

richard

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 14:29:07 2003
From: OpenMacNews
To: blakers@presence-group.com, freebsd-security@freebsd.org
Date: Fri, 21 Nov 2003 14:29:05 -0800
Message-ID: <2147483647.1069424945@[172.30.11.6]>
Subject: teet

tewt

From owner-freebsd-security@FreeBSD.ORG Fri Nov 21 14:32:08 2003
From: OpenMacNews
To: blakers@presence-group.com, freebsd-security@freebsd.org
Date: Fri, 21 Nov 2003 14:31:55 -0800
Message-ID: <2147483647.1069425115@[172.30.11.6]>
Subject: asdfasdf

asdfasdf

From owner-freebsd-security@FreeBSD.ORG Sat Nov 22 17:14:18 2003
From: Dorin H
To: OpenMacNews
Cc: freebsd-security@freebsd.org
Date: Sat, 22 Nov 2003 17:14:05 -0800 (PST)
Message-ID: <20031123011405.80292.qmail@web12602.mail.yahoo.com>
In-Reply-To: <2147483647.1069419685@[172.30.11.6]>
Subject: Re: how to get IPFW rules for SMTP server behind NAT server "right"?

> hadn't dawned on me to do this, so:
>
> ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
> ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
> ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
> ipfw add 7003 allow tcp from ${smtp_server} 25 to any established
>
> right?

Better with dynamic rules... you don't want any packet directed to
${smtp_server} 25 going inside, just those corresponding to a previously
initiated connection (dropping SYN will allow the packet to pass your
firewall, and it will not even be logged :))

2c.

/Dorin.
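Dorin's point above, and the "setup"/"established" revision of rules 7000-7003 in richard's earlier reply, in an added example that is not from anyone in this thread: a toy model of how the ipfw keywords used here match packets, run over constructed traffic. It assumes the stateful ruleset takes the form of a check-state rule plus keep-state on the setup rule (Dorin does not spell it out), models only the inbound direction to ${smtp_server}:25, and treats "established" as "ACK set".

```python
from collections import namedtuple

SMTP_SERVER = "10.0.0.2"  # ${smtp_server} from the thread
Pkt = namedtuple("Pkt", "src sport dst dport syn ack")

# Rule: (number, action, log, dst, dport, kind). kind models ipfw keywords:
# "setup" = SYN set and ACK clear; "established" = ACK set; "keep-state" =
# setup plus a dynamic entry for the flow; "check-state" = match only a
# packet whose flow has a dynamic entry; None = any TCP flags.
RULES_ESTABLISHED = [  # the "setup" / "established" revision from the thread
    (7000, "allow", True, SMTP_SERVER, 25, "setup"),
    (7001, "allow", False, SMTP_SERVER, 25, "established"),
    (65535, "deny", True, "any", None, None),
]
RULES_STATEFUL = [  # assumed shape of Dorin's "dynamic rules" suggestion
    (6999, "allow", False, "any", None, "check-state"),
    (7000, "allow", True, SMTP_SERVER, 25, "keep-state"),
    (65535, "deny", True, "any", None, None),
]

def run(rules, pkts):
    """Evaluate packets in order; return (verdicts, numbers of rules that logged)."""
    state, verdicts, logged = set(), [], []
    for p in pkts:
        flow = (p.src, p.sport, p.dst, p.dport)
        for num, action, log, dst, dport, kind in rules:
            if kind == "check-state":
                if flow not in state:
                    continue
            else:
                if dst != "any" and dst != p.dst:
                    continue
                if dport is not None and dport != p.dport:
                    continue
                if kind in ("setup", "keep-state") and not (p.syn and not p.ack):
                    continue
                if kind == "established" and not p.ack:
                    continue
                if kind == "keep-state":
                    state.add(flow)
            if log:
                logged.append(num)
            verdicts.append(action)
            break
        else:
            verdicts.append("deny")  # ipfw's default when nothing matches
    return verdicts, logged

# Constructed traffic: a genuine SMTP handshake (SYN, then its ACK) and an
# ACK-only packet from elsewhere that no SYN ever preceded.
PACKETS = [
    Pkt("198.51.100.7", 40000, SMTP_SERVER, 25, syn=True, ack=False),
    Pkt("198.51.100.7", 40000, SMTP_SERVER, 25, syn=False, ack=True),
    Pkt("203.0.113.9", 4444, SMTP_SERVER, 25, syn=False, ack=True),
]

if __name__ == "__main__":
    print("established:", run(RULES_ESTABLISHED, PACKETS))
    print("stateful:   ", run(RULES_STATEFUL, PACKETS))
```

With the "established" ruleset the third packet is allowed and nothing is logged for it, which is the gap Dorin describes; the stateful ruleset denies it at the final rule, so it shows up in the security log.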