From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 06:39:01 2004
Resent-From: nectar@celabo.org
Resent-Date: Wed, 10 Nov 2004 00:38:33 -0600
Resent-To: freebsd-security@freebsd.org
Date: Tue, 9 Nov 2004 20:10:30 -0700 (MST)
From: Brett Glass
To: freebsd-security@freebsd.org
Message-Id: <200411100310.UAA12654@lariat.org>
Subject: Firewall rules that discriminate by connection duration

I'm interested in crafting firewall rules that throttle connections that
have lasted more than a certain amount of time. (Most such connections are
P2P traffic, which should be given a lower priority than other connections
and may constitute network abuse.) Alas, it doesn't appear that FreeBSD's
IPFW can keep tabs on how long a connection has been established. Is there
another firewall for FreeBSD that can?

--Brett Glass

_______________________________________________________
Please think twice when forwarding, cc:ing, or bcc:ing
security-team messages. Ask if you are unsure.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 11:23:24 2004
Date: Wed, 10 Nov 2004 13:23:21 +0200
From: Vlad GALU
To: Brett Glass, freebsd-security@freebsd.org
Message-ID: <79722fad041110032364055ae7@mail.gmail.com>
In-Reply-To: <200411100310.UAA12654@lariat.org>
Subject: Re: Firewall rules that discriminate by connection duration

On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?

All firewalls in FreeBSD can, actually. It's part of the stateful
inspection feature. The only thing they lack is a match parameter based
on the timer.

> --Brett Glass
>
> _______________________________________________________
> Please think twice when forwarding, cc:ing, or bcc:ing
> security-team messages. Ask if you are unsure.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 17:35:37 2004
Date: Thu, 11 Nov 2004 01:35:11 +0800
From: Xin LI
To: freebsd-hackers@FreeBSD.org, freebsd-security@FreeBSD.org
Message-ID: <20041110173511.GA2940@frontfree.net>
X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0
X-GPG-Public-Key: http://www.delphij.net/delphij.asc
Subject: Is there any way to know if userland is patched?

Dear folks,

I'm recently investigating large scale deployment and upgrading of FreeBSD
RELEASE. It's our tradition to bump "RELEASE-pN" after a security patch is
applied; however, it seems that there are few methods to determine whether
the userland is patched, which is somewhat important for large site
management.

So is "uname -sr" the only way to differentiate the patchlevel of a security
branch? I have read Colin's freebsd-update script and to the best of my
knowledge this is the only way (and, on condition that we have re-compiled
the kernel and installed it, and rebooted). Given the nature of a security
or errata branch, we can expect that no API/ABI changes will occur and it
should be safe to do make installworld/installkernel in any order, and
bumping the patchlevel does not mean that a reboot must be done.

Please correct me if I was wrong, thanks.

Cheers,
--
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 18:31:13 2004
Date: Thu, 11 Nov 2004 02:30:46 +0800
From: Xin LI
To: Julian Elischer
cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20041110183046.GA3518@frontfree.net>
In-Reply-To: <4192539C.6040403@elischer.org>
Subject: Re: Is there any way to know if userland is patched?

Hi, Julian,

On Wed, Nov 10, 2004 at 09:45:00AM -0800, Julian Elischer wrote:
> Xin LI wrote:
[snip]
> I upgrade systems by creating packages which contain all upgraded files.
> I have a set of makefiles etc. checked into my local CVS tree that check out
> a FreeBSD tree at a given revision and build it (with local patches added)
> and then extract files according to a list I supply. On completion I
> check the list in too, so I can theoretically recreate that patch.

Hmm... Thanks for the comments. That's somewhat like the way I am currently
using at my company. We maintain a local CVS tree with a subset of the
ports/ tree as well as the src/ tree containing some of our local changes.
The tree has several frozen branches that are maintained by a small group
of staff, who make packages for the upgrades.

For me, I think it might be beneficial if we can keep track of the system
patchlevel in some other way that can be easily detected, so some
``guardian'' scripts would be easier to create.

I have an idea that is somewhat too complex to be included in FreeBSD - we
maintain a ``master'' patchlevel, and two patchlevels indicating the latest
``master'' patchlevel that touches kernel or userland. It might be something
like this:

  Master                  | Userland                | Kernel
  ========================+=========================+=======================
  4.10-RELEASE            | 4.10-RELEASE            | 4.10-RELEASE
  4.10-RELEASE-p1         | 4.10-RELEASE            | 4.10-RELEASE-p1
  4.10-RELEASE-p2         | 4.10-RELEASE            | 4.10-RELEASE-p2
  4.10-RELEASE-p3         | 4.10-RELEASE-p3         | 4.10-RELEASE-p2

And propagate it somewhere. This is somewhat complex, as the security
officer must bump two versions when he is doing a security update, and I'm
not sure whether this is beneficial enough, so I hesitate to propose a
patch for this, as I found that Colin has a simpler solution in his
excellent freebsd-update program, which tracks binary changes by checking
$FreeBSD$ changes. While this is sometimes not enough to detect every
change, it requires less human interaction.

Cheers,
--
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 18:53:00 2004
Date: Thu, 11 Nov 2004 05:36:06 +1100
From: Peter Jeremy
To: Vlad GALU
cc: freebsd-security@freebsd.org
Message-ID: <20041110183606.GN79646@cirb503493.alcatel.com.au>
In-Reply-To: <79722fad041110032364055ae7@mail.gmail.com>
Subject: Re: Firewall rules that discriminate by connection duration

On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
> > I'm interested in crafting firewall rules that throttle connections
> > that have lasted more than a certain amount of time. (Most such
> > connections are P2P traffic, which should be given a lower priority
> > than other connections and may constitute network abuse.) Alas, it
> > doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> > connection has been established. Is there another firewall for
> > FreeBSD that can?
>
> All firewalls in FreeBSD can, actually. It's part of the stateful
> inspection feature. The only thing they lack is a match parameter
> based on the timer.

That's a bit of a stretch. Stateful inspection associates a single
timeout with each connection. The timeout is reset when a valid packet
is seen on that connection and the connection blocked if the timeout
expires.

Brett needs a timeout that is initialised when the connection is setup
and not reset. When it expires, you need to perform some different
action rather than just block the connection. You might be able to
reuse some of the existing stateful inspection code but I don't believe
it's a trivial change.
--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 19:53:27 2004
Date: Wed, 10 Nov 2004 13:52:59 -0600
From: "Jacques A. Vidrine"
To: Xin LI
cc: Julian Elischer, freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20041110195259.GB74491@madman.celabo.org>
In-Reply-To: <20041110183046.GA3518@frontfree.net>
Subject: Re: Is there any way to know if userland is patched?

On Thu, Nov 11, 2004 at 02:30:46AM +0800, Xin LI wrote:
> I have an idea that is somewhat too complex to be included in FreeBSD - we
> maintain a ``master'' patchlevel, and two patchlevels indicating the latest
> ``master'' patchlevel that touches kernel or userland. It might be something
> like this:
>
>   Master                  | Userland                | Kernel
>   ========================+=========================+=======================
>   4.10-RELEASE            | 4.10-RELEASE            | 4.10-RELEASE
>   4.10-RELEASE-p1         | 4.10-RELEASE            | 4.10-RELEASE-p1
>   4.10-RELEASE-p2         | 4.10-RELEASE            | 4.10-RELEASE-p2
>   4.10-RELEASE-p3         | 4.10-RELEASE-p3         | 4.10-RELEASE-p2
>
> And propagate it somewhere. This is somewhat complex, as the security
> officer must bump two versions when he is doing a security update, and I'm
> not sure whether this is beneficial enough, so I hesitate to propose a
> patch for this,

Actually, some time ago I thought of doing something quite similar.

At first, I wanted to alter uname(3) to return not the kernel version,
but a userland version string. Borrowing from the way Solaris does it, I
thought we'd just stick the version in /etc/release. That way "patching"
/etc/release would be sufficient for userland issues. But of course that
doesn't help us with kernel issues, and the fact that kernel and userland
can accidentally get out of sync.

So I thought perhaps we'd have a patch level for userland, and a patch
level for the kernel. Some patches would touch only the userland patch
level, and some the kernel patch level. There would also be recorded in
userland what the latest kernel patch level should be. Then uname(3)
would display the patch level according to whether the latest kernel is
loaded. (I know, this is a hard to follow description.)

Something like so:

  userland_pl         Patch level of currently installed userland.
  expected_kernel_pl  Patch level of currently installed kernel.
  kernel_pl           Patch level of currently running kernel.

Then, uname(3) will choose what patch level to display like so:

  if (kernel_pl < expected_kernel_pl || kernel_pl > userland_pl)
          return kernel_pl;
  else
          return userland_pl;

(Actually, we would probably make patch level bumps such that the
"kernel_pl > userland_pl" case never happens.)

In the end, what we want is for a user to type `uname -r' and to see
what patch level is running. Anything more complicated (checking RCS
Ids and such) just gets in the way, I think.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 20:15:24 2004
Date: Wed, 10 Nov 2004 15:15:06 -0500
From: "Peter C. Lai"
To: "Jacques A. Vidrine"
cc: freebsd-security@freebsd.org
Message-ID: <20041110201506.GD283@cowbert.net>
In-Reply-To: <20041110195259.GB74491@madman.celabo.org>
Subject: Re: Is there any way to know if userland is patched?
On Wed, Nov 10, 2004 at 01:52:59PM -0600, Jacques A. Vidrine wrote:
> In the end, what we want is for a user to type `uname -r' and to see
> what patch level is running. Anything more complicated (checking RCS
> Ids and such) just gets in the way, I think.

That is how many other major unix suppliers do it (sun/solaris, and
sgi/irix).

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Thu Nov 11 12:27:27 2004
Date: Thu, 11 Nov 2004 13:19:11 +0100
From: Pawel Malachowski
To: Brett Glass
cc: freebsd-security@freebsd.org
Message-ID: <20041111121911.GB21054@shellma.zin.lublin.pl>
In-Reply-To: <200411100310.UAA12654@lariat.org>
Subject: Re: Firewall rules that discriminate by connection duration
On Tue, Nov 09, 2004 at 08:10:30PM -0700, Brett Glass wrote:
> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?

The problem with P2P is not that connections take a long time, but that
there are plenty of them. You may consider using the patch I posted on
freebsd-ipfw@ a few days ago to lower the weight of flows using dummynet
if the number of connections per host is greater than N, for example.

--
Paweł Małachowski

From owner-freebsd-security@FreeBSD.ORG Thu Nov 11 12:52:14 2004
Date: Thu, 11 Nov 2004 04:52:00 -0800
From: Bruce M Simpson
To: "Peter C. Lai"
cc: "Jacques A. Vidrine", freebsd-security@freebsd.org
Message-ID: <20041111125200.GH723@empiric.icir.org>
In-Reply-To: <20041110201506.GD283@cowbert.net>
Subject: Re: Is there any way to know if userland is patched?

On Wed, Nov 10, 2004 at 03:15:06PM -0500, Peter C. Lai wrote:
> On Wed, Nov 10, 2004 at 01:52:59PM -0600, Jacques A. Vidrine wrote:
> > In the end, what we want is for a user to type `uname -r' and to see
> > what patch level is running. Anything more complicated (checking RCS
> > Ids and such) just gets in the way, I think.
>
> That is how many other major unix suppliers do it (sun/solaris, and
> sgi/irix).

Actually no; Solaris can have many different system patches installed.
See the showrev manpage, in particular the -p option. Or docs:
http://docs.sun.com/db/doc/817-1985/6mhm8o5va?a=view

In particular, the ability to manage base system patches under Solaris
much like packages is very useful.
BMS From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 17:45:38 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5439216A4CE; Wed, 10 Nov 2004 17:45:38 +0000 (GMT) Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id D479343D31; Wed, 10 Nov 2004 17:45:35 +0000 (GMT) (envelope-from julian@elischer.org) Received: from [192.168.1.102] (adsl-68-123-122-146.dsl.snfc21.pacbell.net [68.123.122.146])iAAHj1GO063288; Wed, 10 Nov 2004 12:45:28 -0500 Message-ID: <4192539C.6040403@elischer.org> Date: Wed, 10 Nov 2004 09:45:00 -0800 From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8a3) Gecko/20041017 X-Accept-Language: en, hu MIME-Version: 1.0 To: Xin LI References: <20041110173511.GA2940@frontfree.net> In-Reply-To: <20041110173511.GA2940@frontfree.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 11 Nov 2004 13:40:07 +0000 cc: freebsd-hackers@freebsd.org cc: freebsd-security@freebsd.org Subject: Re: Is there any way to know if userland is patched? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Nov 2004 17:45:38 -0000 Xin LI wrote: > Dear folks, > > I'm recently investigating large scale deployment and upgrading FreeBSD > RELEASE. It's our tradition to bump "RELEASE-pN" after a security patch > is applied, however, it seems that there is less method to determine > whether the userland is patched, which is somewhat important for large > site managements. > > So is "uname -sr" the only way to differencate the patchlevel of a security > branch? 
> I have read Colin's freebsd-update script and to my best of
> knowledge this is the only way (and, on condition that we have re-compiled
> the kernel and installed it, and reboot'ed). Given the nature of a security
> or errata branch, we can expect that no API/ABI changes will occur and it
> should be safe to do make installworld/installkernel in any order, and bumping
> patchlevel does not mean that a reboot must be done.
>
> Please correct me if I was wrong, thanks.

I upgrade systems by creating packages which contain all upgraded files.
I have a set of makefiles etc. checked into my local CVS tree that check
out a FreeBSD tree at a given revision and build it (with local patches
added) and then extract out files according to a list I supply. On
completion I check the list in too, so I can theoretically recreate that
patch.. I use the package system to keep track of which packages are
loaded onto a system, and newer upgrade packages always have earlier ones
as dependencies..

>
> Cheers,

From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 19:16:46 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 005B816A4CE for ; Wed, 10 Nov 2004 19:16:46 +0000 (GMT)
Received: from postal3.es.net (postal3.es.net [198.128.3.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id C9E7E43D55 for ; Wed, 10 Nov 2004 19:16:45 +0000 (GMT) (envelope-from webster@es.net)
Received: from vortex.es.net ([198.128.1.16]) by postal3.es.net (Postal Node 3) with ASMTP (SSL) id IBA74465; Wed, 10 Nov 2004 11:16:45 -0800
Date: Wed, 10 Nov 2004 11:16:45 -0800
From: John Webster
To: Peter Jeremy, Vlad GALU
Message-ID: <7E5FC181A8962BB3C53C3757@vortex.es.net>
In-Reply-To: <20041110183606.GN79646@cirb503493.alcatel.com.au>
References: <200411100310.UAA12654@lariat.org> <79722fad041110032364055ae7@mail.gmail.com> <20041110183606.GN79646@cirb503493.alcatel.com.au>
X-Mailer: Mulberry/3.1.5
(Linux/x86)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="==========D1FB360EAB979C9318E2=========="
X-Mailman-Approved-At: Thu, 11 Nov 2004 13:40:07 +0000
cc: freebsd-security
Subject: Re: Firewall rules that discriminate by connection duration
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 10 Nov 2004 19:16:46 -0000

--==========D1FB360EAB979C9318E2==========
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy wrote:
> On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
>>> I'm interested in crafting firewall rules that throttle connections
>>> that have lasted more than a certain amount of time. (Most such
>>> connections are P2P traffic, which should be given a lower priority
>>> than other connections and may constitute network abuse.) Alas, it
>>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>>> connection has been established. Is there another firewall for
>>> FreeBSD that can?
>>
>> All firewalls in FreeBSD can, actually. It's part of the stateful
>> inspection feature. The only thing they lack is a match parameter
>> based on the timer.
>
> That's a bit of a stretch. Stateful inspection associates a single
> timeout with each connection. The timeout is reset when a valid
> packet is seen on that connection and the connection blocked if the
> timeout expires.
>
> Brett needs a timeout that is initialised when the connection is setup
> and not reset. When it expires, you need to perform some different
> action rather than just block the connection.
> You might be able to
> reuse some of the existing stateful inspection code but I don't
> believe it's a trivial change.

How about ipfw and dummynet? Maybe set up pipes for p2p traffic?

--==========D1FB360EAB979C9318E2==========
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBkmkdBf+aYL5/Y60RApCGAJ0UEFkhsqgHCDxa1Q0KKdVJ09gS5wCfT8Iv
QxTkNXO40OM+iZAl2qgl3Rs=
=33/n
-----END PGP SIGNATURE-----
--==========D1FB360EAB979C9318E2==========--

From owner-freebsd-security@FreeBSD.ORG Thu Nov 11 14:43:27 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C0F516A4CE for ; Thu, 11 Nov 2004 14:43:27 +0000 (GMT)
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4E3643D41 for ; Thu, 11 Nov 2004 14:43:26 +0000 (GMT) (envelope-from xlr8me@gmail.com)
Received: by rproxy.gmail.com with SMTP id a36so316165rnf for ; Thu, 11 Nov 2004 06:43:26 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=EhcbuwemV6XOFX+f2eGrPj7cArfpplJc5tFd8PkMh6/7AJzUgdQZSJZ7glNNJMug9LgcfLW0R/K2buNAtBqcxc0X7+ZM2WlohTsbeekrs2SpJ5GrvjuMjHMjAyzJvDx+FttqFK13wvQbs4OjxlgF30pTyDbgEuhIfVnpGObgpBI=
Received: by 10.38.78.13 with SMTP id a13mr834981rnb; Thu, 11 Nov 2004 06:43:25 -0800 (PST)
Received: by 10.39.2.25 with HTTP; Thu, 11 Nov 2004 06:43:25 -0800 (PST)
Message-ID: <2472a6830411110643671554cf@mail.gmail.com>
Date: Thu, 11 Nov 2004 09:43:25 -0500
From: "D ."
To: John Webster
In-Reply-To: <7E5FC181A8962BB3C53C3757@vortex.es.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <200411100310.UAA12654@lariat.org> <79722fad041110032364055ae7@mail.gmail.com> <20041110183606.GN79646@cirb503493.alcatel.com.au> <7E5FC181A8962BB3C53C3757@vortex.es.net>
cc: Vlad GALU
cc: freebsd-security
Subject: Re: Firewall rules that discriminate by connection duration
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "D ."
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 11 Nov 2004 14:43:27 -0000

I already suggested ipfw & dummynet to him, I attached his response. I
couldn't see any other way to do it which wouldn't mess up all other
persistent connections (http1.1, etc).

On Wed, 10 Nov 2004 14:45:43 -0700, Brett Glass wrote:
>
> Yes. It's persistent connections that you want to throttle. You cannot
> throttle P2P on the basis of port number, because many P2P systems use
> well known ports such as 80.
>
> --Brett Glass
> On Wed, 10 Nov 2004 11:16:45 -0800, John Webster wrote:
> > >
> > --On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy wrote:
> > > On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
> >> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
> >>> I'm interested in crafting firewall rules that throttle connections
> >>> that have lasted more than a certain amount of time. (Most such
> >>> connections are P2P traffic, which should be given a lower priority
> >>> than other connections and may constitute network abuse.) Alas, it
> >>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> >>> connection has been established. Is there another firewall for
> >>> FreeBSD that can?
> >>
> >> All firewalls in FreeBSD can, actually. It's part of the stateful
> >> inspection feature.
> >> The only thing they lack is a match parameter
> >> based on the timer.
> >
> > That's a bit of a stretch. Stateful inspection associates a single
> > timeout with each connection. The timeout is reset when a valid
> > packet is seen on that connection and the connection blocked if the
> > timeout expires.
> >
> > Brett needs a timeout that is initialised when the connection is setup
> > and not reset. When it expires, you need to perform some different
> > action rather than just block the connection. You might be able to
> > reuse some of the existing stateful inspection code but I don't
> > believe it's a trivial change.
>
> > How about ipfw and dummynet? Maybe set up pipes for p2p traffic?
>
>
--
Want Gmail? Just ask, and I'll hook you up.
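As an added illustration of the distinction Peter Jeremy draws in the quoted text above, and of the objection about persistent connections that this reply raises, here is a small Python connection tracker run over a constructed packet trace. It is example code written for this page, not code from the thread, from ipfw or from dummynet. Each flow carries both timers: an idle timeout that every packet resets (the keep-state behaviour Peter describes, whose expiry blocks the next packet) and an age timer that starts at setup and is never reset, whose expiry moves the flow to a "throttle" verdict instead of blocking it (a dummynet pipe would be the enforcement point). The thresholds, addresses, ports and trace are assumptions for illustration; the optional byte-volume threshold is my own refinement to spare a long-lived but quiet HTTP/1.1 keep-alive connection, which the age-only rule catches exactly as D. worries.

```python
"""Added example, not code from the thread, ipfw or dummynet: a per-flow
tracker keeping the two timers Peter Jeremy distinguishes.
  idle timeout: reset by every packet; on expiry the entry is gone and the
                next packet is blocked (stateful keep-state behaviour).
  age timer:    started at setup, never reset; on expiry the flow gets a
                "throttle" verdict (a dummynet pipe would enforce it).
Thresholds, flows and trace are constructed. The optional volume threshold
is my refinement to spare long-lived but quiet HTTP/1.1 keep-alive flows.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)

IDLE_TIMEOUT = 300.0                # assumed: silence before the state entry dies
MAX_AGE = 600.0                     # assumed: seconds since setup before throttling
MIN_BYTES_TO_THROTTLE = 1_000_000   # assumed: volume a flow must also have moved

# Constructed flows; the P2P one deliberately sits on port 80, as Brett notes.
HTTP_FLOW: FlowKey = ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp")
P2P_FLOW: FlowKey = ("10.0.0.6", 40002, "198.51.100.7", 80, "tcp")
IDLE_FLOW: FlowKey = ("10.0.0.7", 40003, "203.0.113.9", 22, "tcp")


@dataclass
class FlowState:
    first_seen: float      # age timer origin: never updated
    last_seen: float       # idle timer origin: updated on every packet
    bytes: int = 0
    packets: int = 0
    throttled: bool = False


@dataclass
class Tracker:
    idle_timeout: float = IDLE_TIMEOUT
    max_age: float = MAX_AGE
    min_bytes: Optional[int] = None    # None = pure age rule, as discussed in the thread
    table: Dict[FlowKey, FlowState] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def classify(self, key: FlowKey, now: float, size: int) -> str:
        """Verdict for one packet: 'accept', 'throttle' or 'block'."""
        st = self.table.get(key)
        if st is None:
            self.table[key] = FlowState(now, now, size, 1)   # both timers start here
            return "accept"
        if now - st.last_seen > self.idle_timeout:
            # Idle timer expired: a stateful firewall would already have dropped
            # the entry, so this packet matches no state and is blocked.
            del self.table[key]
            self.log.append(f"t={now:.1f} {key} idle timeout, blocked")
            return "block"
        st.last_seen = now           # the idle timer resets on every packet...
        st.bytes += size
        st.packets += 1
        age = now - st.first_seen    # ...the age timer does not
        old_enough = age > self.max_age
        big_enough = self.min_bytes is None or st.bytes >= self.min_bytes
        if old_enough and big_enough and not st.throttled:
            st.throttled = True
            self.log.append(f"t={now:.1f} {key} age {age:.0f}s, {st.bytes} B: throttled")
        return "throttle" if st.throttled else "accept"


def make_trace() -> List[Tuple[float, FlowKey, int]]:
    """Constructed packet trace, not captured traffic: (time, flow, bytes)."""
    pkts: List[Tuple[float, FlowKey, int]] = []
    for t in range(0, 1201, 60):                # keep-alive HTTP: 600 B every 60 s
        pkts.append((float(t), HTTP_FLOW, 600))
    t = 0.0
    while t <= 1200.0:                          # P2P-like: a full segment every 0.5 s
        pkts.append((t, P2P_FLOW, 1460))
        t += 0.5
    pkts.append((0.0, IDLE_FLOW, 100))          # a session that goes quiet for 15 min
    pkts.append((900.0, IDLE_FLOW, 100))
    pkts.sort(key=lambda p: p[0])
    return pkts


def run_trace(tracker: Tracker, pkts) -> Dict[FlowKey, Dict[str, int]]:
    """Feed the trace through the tracker and return per-flow verdict counts."""
    counts: Dict[FlowKey, Dict[str, int]] = {}
    for now, key, size in pkts:
        per_flow = counts.setdefault(key, {})
        verdict = tracker.classify(key, now, size)
        per_flow[verdict] = per_flow.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for label, tracker in (("age only", Tracker()),
                           ("age + volume", Tracker(min_bytes=MIN_BYTES_TO_THROTTLE))):
        counts = run_trace(tracker, make_trace())
        print(label, {k[0]: v for k, v in counts.items()})
        for line in tracker.log:
            print("  ", line)
```

Run as a script, the age-only tracker throttles both the keep-alive HTTP flow and the P2P-like flow once they pass 600 s, and blocks the quiet session when it resumes after its idle timeout; with the volume threshold only the P2P-like flow is throttled. Note the evasion that comes with any duration rule: a peer that closes and reopens its connection starts both timers from zero, so the age timer is only as good as the state table that backs it.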