From owner-freebsd-security Sun Jun 25 00:49:03 2000
From: Bill Fumerola
Date: Sun, 25 Jun 2000 03:48:58 -0400
To: Mike
Cc: "Fast, Daniel H (Danny), SITS", security@FreeBSD.ORG
Subject: Re: Out of Office?
Message-ID: <20000625034858.N14479@jade.chc-chimes.com>
References: <5D6D2EC6E987D31199EC00902799EC4A020A7BEB@mo3980po01.ems.att.com>

On Fri, Jun 23, 2000 at 03:24:32PM -0700, Mike wrote:
> If properly configured, I believe it should send to the From: (which would
> be the poster, not the list) not the Reply-To: (the list), and it should
> only do that once.

When of course the correct thing to check is the following:

  Subject: Re: Out of Office?
  [...]
  Precedence: bulk

This will help you filter out what is personal mail and what is mailing
list mail, in which case you'd only send a reply to personal mail.

This works on 99% of the mailing lists out there, with the large exception
being BUGTRAQ. They're obviously too busy approving the latest 0-day Ax4000
and grep -c 'sprintf' exploits to properly configure their mailing list
software.

-- 
Bill Fumerola - Network Architect / Computer Horizons Corp - CVM
e-mail: billf@chc-chimes.com / billf@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 25 01:41:00 2000
Date: Sun, 25 Jun 2000 10:40:51 +0200 (EET)
From: Narvi
To: Stephan Holtwisch
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-Reply-To: <20000625072049.A48985@rookie.org>

On Sun, 25 Jun 2000, Stephan Holtwisch wrote:

> Hello,
>
> [snip]
>
> I do not know the jail implementation in FreeBSD too well.
> However, to me it seems a very bad idea to run _known_ vulnerable
> software within a jail, since that would mean the jail
> implementation must not have bugs. You wouldn't run buggy
> software in a chrooted environment either, would you ?
> In addition to this I don't see a real sense to run a 'victim'
> Host as an IDS, where is the purpose of that ?
> It may be fun to watch people trying to mess up your system,
> but most likely you will just catch lots of script kiddies.
>

The thing is a booby-trap. It is somewhat similar to running a simulated
"buggy" application with the sole purpose of catching the would-be
attackers.

I'm not sure if and how much it pays in the long run.

> Stephan
>

From owner-freebsd-security Sun Jun 25 08:13:18 2000
Date: Sun, 25 Jun 2000 10:13:12 -0500
From: "Jacques A . Vidrine"
To: cjclark@alum.mit.edu
Cc: freebsd-security@freebsd.org
Subject: Re: jail(8) Honeypots
Message-ID: <20000625101312.D16657@bone.nectar.com>
References: <20000624125540.A256@dialin-client.earthlink.net>
In-Reply-To: <20000624125540.A256@dialin-client.earthlink.net>; from cristjc@earthlink.net on Sat, Jun 24, 2000 at 12:55:40PM -0700
X-Url: http://www.nectar.com/

On Sat, Jun 24, 2000 at 12:55:40PM -0700, Crist J. Clark wrote:
> I searched the mail archive and read the jail(8) manpage and was
> surprised not to see any discussion of using jail for a honeypot,
> an IDS.

That might be analogous to including discussion of accounting systems
in awk(1) :-)

But perhaps have a look at William R. Cheswick and Steven M. Bellovin,
``Firewalls and Internet Security'' (Addison-Wesley 1994)

-- 
Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org

From owner-freebsd-security Sun Jun 25 08:59:18 2000
Message-Id: <200006251557.e5PFvLX65947@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Narvi
Cc: Stephan Holtwisch, freebsd-security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-reply-to: Your message of "Sun, 25 Jun 2000 10:40:51 +0200."
Date: Sun, 25 Jun 2000 08:56:25 -0700

In message , Narvi writes:
>
> On Sun, 25 Jun 2000, Stephan Holtwisch wrote:
>
> > Hello,
> >
> > [snip]
> >
> > I do not know the jail implementation in FreeBSD too well.
> > However, to me it seems a very bad idea to run _known_ vulnerable
> > software within a jail, since that would mean the jail
> > implementation must not have bugs. You wouldn't run buggy
> > software in a chrooted environment either, would you ?
> > In addition to this I don't see a real sense to run a 'victim'
> > Host as an IDS, where is the purpose of that ?
> > It may be fun to watch people trying to mess up your system,
> > but most likely you will just catch lots of script kiddies.
> >
>
> The thing is a booby-trap. It is somewhat similar to running a simulated
> "buggy" application with the sole purpose of catching the would-be
> attackers.
>
> I'm not sure if and how much it pays in the long run.

I don't think it would hold up in court, as it would be entrapment. So
what would the sense be in setting up a booby-trap?


Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sun Jun 25 10:24:59 2000
Message-ID: <000c01bfdeca$42b791f0$0301a8c0@pentium>
From: "George Hartz"
To: "Cy Schubert - ITSD Open Systems Group", "Narvi"
Cc: "Stephan Holtwisch",
References: <200006251557.e5PFvLX65947@cwsys.cwsent.com>
Subject: Re: jail(8) Honeypots
Date: Sun, 25 Jun 2000 13:24:47 -0400

IANAL, but I'm fairly certain that is not entrapment. Entrapment entails a
situation where someone causes, one way or another, an individual to do
something they would not ordinarily have done in a similar situation, with
the purpose of being able to prosecute them for that activity. That's why
law enforcement officers can conduct stings. In a simple example, a john
can be arrested for solicitation of prostitution if he approaches the
undercover officer and proposes the arrangement, but not if the interaction
is prompted by the officer, because in the latter case you can't prove that
it's an activity that the individual would have undertaken if not prompted.

It's not entrapment in the case of setting up a fake buggy application to
entice someone to attempt to break into your system, because they didn't
know it was fake, and were not coerced into finding or attempting the
break-in as a result of your actions. Had the buggy software been a real
installation, the individual in question would have still done that.

That's the case in the U.S. at least; that may be different in other parts
of the world.

----- Original Message -----
From: "Cy Schubert - ITSD Open Systems Group"
To: "Narvi"
Cc: "Stephan Holtwisch";
Sent: Sunday, June 25, 2000 11:56 AM
Subject: Re: jail(8) Honeypots

> In message , Narvi writes:
> >
> > On Sun, 25 Jun 2000, Stephan Holtwisch wrote:
> >
> > > Hello,
> > >
> > > [snip]
> > >
> > > I do not know the jail implementation in FreeBSD too well.
> > > However, to me it seems a very bad idea to run _known_ vulnerable
> > > software within a jail, since that would mean the jail
> > > implementation must not have bugs. You wouldn't run buggy
> > > software in a chrooted environment either, would you ?
> > > In addition to this I don't see a real sense to run a 'victim'
> > > Host as an IDS, where is the purpose of that ?
> > > It may be fun to watch people trying to mess up your system,
> > > but most likely you will just catch lots of script kiddies.
> > >
> >
> > The thing is a booby-trap. It is somewhat similar to running a simulated
> > "buggy" application with the sole purpose of catching the would-be
> > attackers.
> >
> > I'm not sure if and how much it pays in the long run.
>
> I don't think it would hold up in court, as it would be entrapment. So
> what would the sense be in setting up a booby-trap?
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

From owner-freebsd-security Sun Jun 25 10:49:21 2000
Message-Id: <4.3.2.20000625122615.00afbf00@207.227.119.2>
Date: Sun, 25 Jun 2000 12:48:17 -0500
To: Cy Schubert - ITSD Open Systems Group, Narvi
From: "Jeffrey J. Mountin"
Subject: Re: jail(8) Honeypots
Cc: security@FreeBSD.ORG
In-Reply-To: <200006251557.e5PFvLX65947@cwsys.cwsent.com>

At 08:56 AM 6/25/00 -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > The thing is a booby-trap. It is somewhat similar to running a simulated
> > "buggy" application with the sole purpose of catching the would-be
> > attackers.
> >
> > I'm not sure if and how much it pays in the long run.
>
>I don't think it would hold up in court, as it would be entrapment. So
>what would the sense be in setting up a booby-trap?

How so? Only if you are with a law enforcement agency would it be
entrapment. At least in the US, but then there is a term similar to
"enticement" (forget the legalese version), which may apply. Doubtful, but
entirely possible that by attracting bears with a honeypot, which is
surrounded by a fence, which the bear climbs, falls, and then has recourse
to turn around and sue you for tempting it. Regardless, I'm fairly certain
that the authorities would be interested.

Other than that it does have merit if it distracts script kiddies from
trying for the real stuff, as well as alerting other providers of possibly
hijacked accounts or AUP violations.


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Sun Jun 25 11:13:53 2000
To: "Jeffrey J. Mountin"
Cc: Cy Schubert - ITSD Open Systems Group, Narvi, security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-reply-to: Your message of "Sun, 25 Jun 2000 12:48:17 CDT." <4.3.2.20000625122615.00afbf00@207.227.119.2>
Date: Sun, 25 Jun 2000 20:13:30 +0200
Message-ID: <13330.961956810@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <4.3.2.20000625122615.00afbf00@207.227.119.2>, "Jeffrey J. Mountin" writes:
>At 08:56 AM 6/25/00 -0700, Cy Schubert - ITSD Open Systems Group wrote:
>> > The thing is a booby-trap. It is somewhat similar to running a simulated
>> > "buggy" application with the sole purpose of catching the would-be
>> > attackers.
>> >
>> > I'm not sure if and how much it pays in the long run.
>>
>>I don't think it would hold up in court, as it would be entrapment. So
>>what would the sense be in setting up a booby-trap?
>
>How so? Only if you are with a law enforcement agency would it be
>entrapment. At least in the US, but then there is a term similar to
>"enticement" (forget the legalese version), which may apply. Doubtful, but
>entirely possible that by attracting bears with a honeypot, which is
>surrounded by a fence, which the bear climbs, falls, and then has recourse
>to turn around and sue you for tempting it. Regardless, I'm fairly certain
>that the authorities would be interested.

If you put a gold-bar on the sidewalk which activated a burglar alarm
if touched, that would be illegal.

If you put it inside your locked house it would be 100% legal, even
if it could be seen through the window.

Setting up a honey-pot host is legal, as long as you don't try to
invite people to break into it. I.e.: don't call it
        nah-nah-you-can-t-hack-me.foo.com
and don't tell anybody about it.

Jails(8) are probably the currently safest way to do it, but not
the most "authentic" looking way. Finding out that you're in a
jail is trivial and I presume that it will become common knowledge
for script-kiddies RSN.

In other words: a high-fidelity honey pot should probably be a
machine of its own behind a rather fascist firewall, but as a
tripwire/indication a jail(8) based honeypot will do just fine.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Sun Jun 25 11:29:48 2000
Message-ID: <39564FD6.4480470A@softweyr.com>
Date: Sun, 25 Jun 2000 12:30:46 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Cy Schubert - ITSD Open Systems Group
Cc: Narvi, Stephan Holtwisch, freebsd-security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
References: <200006251557.e5PFvLX65947@cwsys.cwsent.com>

Cy Schubert - ITSD Open Systems Group wrote:
>
> In message , Narvi writes:
> >
> > On Sun, 25 Jun 2000, Stephan Holtwisch wrote:
> >
> > > Hello,
> > >
> > > [snip]
> > >
> > > I do not know the jail implementation in FreeBSD too well.
> > > However, to me it seems a very bad idea to run _known_ vulnerable
> > > software within a jail, since that would mean the jail
> > > implementation must not have bugs. You wouldn't run buggy
> > > software in a chrooted environment either, would you ?
> > > In addition to this I don't see a real sense to run a 'victim'
> > > Host as an IDS, where is the purpose of that ?
> > > It may be fun to watch people trying to mess up your system,
> > > but most likely you will just catch lots of script kiddies.
> > >
> >
> > The thing is a booby-trap. It is somewhat similar to running a simulated
> > "buggy" application with the sole purpose of catching the would-be
> > attackers.
> >
> > I'm not sure if and how much it pays in the long run.
>
> I don't think it would hold up in court, as it would be entrapment. So
> what would the sense be in setting up a booby-trap?

To watch the boobies squirm when they get caught, of course.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Sun Jun 25 11:34:43 2000
Message-ID: <39565109.2E718593@softweyr.com>
Date: Sun, 25 Jun 2000 12:35:53 -0600
From: Wes Peters
Organization: Softweyr LLC
To: "Jeffrey J. Mountin"
Cc: Cy Schubert - ITSD Open Systems Group, Narvi, security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
References: <4.3.2.20000625122615.00afbf00@207.227.119.2>

"Jeffrey J. Mountin" wrote:
>
> At 08:56 AM 6/25/00 -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > > The thing is a booby-trap. It is somewhat similar to running a simulated
> > > "buggy" application with the sole purpose of catching the would-be
> > > attackers.
> > >
> > > I'm not sure if and how much it pays in the long run.
> >
> >I don't think it would hold up in court, as it would be entrapment. So
> >what would the sense be in setting up a booby-trap?
>
> How so? Only if you are with a law enforcement agency would it be
> entrapment. At least in the US, but then there is a term similar to
> "enticement" (forget the legalese version), which may apply.

"Attractive nuisance."

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Sun Jun 25 11:41:19 2000
Message-Id: <200006251838.LAA01288@sivka.rdy.com>
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
In-Reply-To: <3954410B.5716EE5D@softweyr.com> "from Wes Peters at Jun 23, 2000 11:03:07 pm"
To: Wes Peters
Date: Sun, 25 Jun 2000 11:38:03 -0700 (PDT)
Cc: dima@rdy.com, Koga Youichirou, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@rdy.com
From: dima@rdy.com (Dima Ruban)

Wes Peters writes:
> Dima Ruban wrote:
> >
> > What's the purpose of this patch?
> > I didn't look at the code, but to me it sounds like it's pretty much
> > irrelevant whether you're going to use ``foo(fmt, string)'' or ``foo(string)''
>
> If string contains formatting codes, foo("%s", string) does the right
> thing and just puts out the formatting codes in the string. foo(string)
> tries to interpret the embedded format codes and blows the stack.
>

Well, if in addition to the "fmt" argument, string contains formatting
code[s], the result will be just the same. (at least with printf() family).

-- 
dima

From owner-freebsd-security Sun Jun 25 12:25:57 2000
Message-Id: <4.3.2.20000625134808.00d97530@207.227.119.2>
Date: Sun, 25 Jun 2000 14:23:35 -0500
To: Poul-Henning Kamp
From: "Jeffrey J. Mountin"
Subject: Re: jail(8) Honeypots
Cc: security@FreeBSD.ORG
In-Reply-To: <13330.961956810@critter.freebsd.dk>

At 08:13 PM 6/25/00 +0200, Poul-Henning Kamp wrote:
>If you put a gold-bar on the sidewalk which activated a burglar alarm
>if touched, that would be illegal.

Inciting a riot for the mad rush upon seeing it and disturbing the peace
for the alarm. Not to mention the regulations pertaining to the ownership
of large quantities of gold.

>If you put it inside your locked house it would be 100% legal, even
>if it could be seen through the window.

Just hope your insurance agent doesn't find out. ;)

>Setting up a honey-pot host is legal, as long as you don't try to
>invite people to break into it. I.e.: don't call it
>        nah-nah-you-can-t-hack-me.foo.com
>and don't tell anybody about it.

You can invite, but then must accept the loss of legal recourse to any and
all who answer the call. Bad idea. Better that they stumble upon it.

Likewise it is, IMO, best not to brag about security. Even to customers one
should be somewhat vague.

>Jails(8) are probably the currently safest way to do it, but not
>the most "authentic" looking way. Finding out that you're in a
>jail is trivial and I presume that it will become common knowledge
>for script-kiddies RSN.
>
>In other words: a high-fidelity honey pot should probably be a
>machine of its own behind a rather fascist firewall, but as a
>tripwire/indication a jail(8) based honeypot will do just fine.

Agreed, but some may wish to leave the door open just a tad more for the
honeypot. Not too obvious.

Still there is the issue of triggering. What if they try for a "real"
server? Better if any IDS were part of the firewall itself.


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Sun Jun 25 19:18:48 2000
Date: Sun, 25 Jun 2000 22:35:49 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <20000625223549.I9883@speedy.gsinet>
References: <4.3.2.20000625122615.00afbf00@207.227.119.2> <13330.961956810@critter.freebsd.dk>
In-Reply-To: <13330.961956810@critter.freebsd.dk>; from phk@critter.freebsd.dk on Sun, Jun 25, 2000 at 08:13:30PM +0200
Organization: System Defenestrators Inc.

On Sun, Jun 25, 2000 at 20:13 +0200, Poul-Henning Kamp wrote:
>
> Jails(8) are probably the currently safest way to do it, but
> not the most "authentic" looking way. Finding out that you're
> in a jail is trivial and I presume that it will become common
> knowledge for script-kiddies RSN.

Besides the /proc/$PID/status field and the 'J' in ps' status field -
which I feel to be cosmetic or for plain information and not really the
final word - what other criteria would there be to check? I can't think
of any -- at least not a reliable one. The lack of /dev/ directory
entries or the little volume :) of the /kernel image is something one
can take action against. Would it hurt to have a knob turning off the
first two flags mentioned above?

Is any piece of software "aware" of its being jailed? Does any piece of
software _have_ to know about its running in such an environment?
Failing syscalls (routing, ifconfig, etc) could fail as well because of
set securelevels. So this is nothing new or distinguishing.

Strictly speaking there could be a criterion: the ps output length (or
its equivalent in a kernel's table). And this could be faked just as
well as root kits bring their own ps and ls with them to hide some
processes or files -- why not "invent" some processes in the very same
way (init, swapper, gettys, etc)?

This leads to the question: Was the intent behind the jail(2) mechanism
to isolate a process group or was it to fake a machine? I guess it was
the former, but could be turned into the latter. And I'm sure you will
tell me if I'm wrong. :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Sun Jun 25 19:50:02 2000
Message-Id: <200006260248.UAA14432@harmony.village.org>
To: netch@lucky.net
Subject: Re: O_NOFOLLOW
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 13 Jun 2000 15:22:11 +0300." <20000613152211.B42067@lucky.net>
References: <20000613152211.B42067@lucky.net>
Date: Sun, 25 Jun 2000 20:48:05 -0600
From: Warner Losh

In message <20000613152211.B42067@lucky.net> Valentin Nechayev writes:
: O_NOFOLLOW flag for open() syscall exists since 3.0-CURRENT and is quite
: useful for secure open, but is not documented in open(2) man page yet.
: Does the FreeBSD team have plans to disclose it?

I'm not sure that it works from userland. At least that's what I recall
from testing at one point...

Warner

From owner-freebsd-security Sun Jun 25 21:00:56 2000
Message-ID: <3956D5A3.1C2E8D06@softweyr.com>
Date: Sun, 25 Jun 2000 22:01:39 -0600
From: Wes Peters
Organization: Softweyr LLC
To: dima@rdy.com
Cc: Koga Youichirou, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
References: <200006251838.LAA01288@sivka.rdy.com>

Dima Ruban wrote:
>
> Wes Peters writes:
> > Dima Ruban wrote:
> > >
> > > What's the purpose of this patch?
> > > I didn't look at the code, but to me it sounds like it's pretty much
> > > irrelevant whether you gonna use ``foo(fmt, string)'' or ``foo(string)''
> >
> > If string contains formatting codes, foo("%s", string) does the right
> > thing and just puts out the formatting codes in the string. foo(string)
> > tries to interpret the embedded format codes and blows the stack.
> >
>
> Well, if in addition to "fmt" argument, string will contain formatting code[s],
> the result will be just the same. (at least with printf() family).

Since when did printf try to interpret formatting codes within an argument string? In fact, it does not:

wes@homer$ cat foo.c
#include <stdio.h>

int
main(void)
{
        char *s = "This is a %s string.\n";

        printf("\nWith format string:\n");
        printf("%s", s);        /* s is an argument; its %s is printed literally */

        printf("\nWithout format string:\n");
        printf(s);              /* s IS the format string; its %s is interpreted */
        return 0;
}
wes@homer$ ./foo

With format string:
This is a %s string.

Without format string:
This is a This is a %s string.
 string.

Notice the second output is scrambled, as printf apparently finds a pointer to the string on the stack and prints it within itself. Oops. As you can see, the first printf using the %s code worked fine.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                  Softweyr LLC
wes@softweyr.com            http://softweyr.com/

From owner-freebsd-security Sun Jun 25 21:46:53 2000
Date: Sun, 25 Jun 2000 22:46:03 -0600 (MDT)
Message-Id: <200006260446.WAA15773@nomad.yogotech.com>
From: Nate Williams
To: Matt Miller
Cc: Keith Stevenson, Mike Tancsa, Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
In-Reply-To: <20000623162955.A72949@daffy.mics.net>
References: <4.2.2.20000622201823.0479a690@mail.sentex.net> <200006231713.NAA49665@khavrinen.lcs.mit.edu> <3.0.5.32.20000623154848.02d2d6c0@marble.sentex.ca> <20000623163411.A1412@osaka.louisville.edu> <20000623162955.A72949@daffy.mics.net>
Reply-To: nate@yogotech.com (Nate Williams)

> > > What about
> > >
> > > --enable-paranoid
> > >
> > > as part of the config ? As so much seems to be related to the site exec
> > > command, perhaps it's best to just disable this ?
> >
> > While I'm all for actually fixing the problems in the code, I've found
> > the --enable-paranoid option to be a good one. I've been tinkering around
> > with the exploit and the paranoid option seems to defend against it. I don't
> > think that any of my users will miss the SITE EXEC commands.
> >
>
> If one were interested in improving the ftpd which ships with the base
> system, which features would make it a viable replacement for those
> currently running wu-ftpd?

I'll add a couple.

1) The ability to limit the # of active anonymous connections in a simple manner.

2) The ability to create an upload directory where files are automatically chown/chmod'd to a different user, so that it can't be used as a warez site.

3) The ability to be easily chrooted for paranoia.
Nate

From owner-freebsd-security Sun Jun 25 22: 5: 2 2000
Message-Id: <200006260502.WAA00625@sivka.rdy.com>
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
In-Reply-To: <3956D5A3.1C2E8D06@softweyr.com> "from Wes Peters at Jun 25, 2000 10:01:39 pm"
To: Wes Peters
Date: Sun, 25 Jun 2000 22:02:13 -0700 (PDT)
Cc: dima@rdy.com, Koga Youichirou, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@rdy.com
From: dima@rdy.com (Dima Ruban)

Wes Peters writes:
> >
> > Well, if in addition to "fmt" argument, string will contain formatting code[s],
> > the result will be just the same. (at least with printf() family).
>
> Since when did printf try to interpret formatting codes within an argument
> string? In fact, it does not:

Either I'm having a brain fart, or it used to do it in the past.

-- dima

From owner-freebsd-security Sun Jun 25 22:55:29 2000
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-reply-to: Your message of "Sun, 25 Jun 2000 22:35:49 +0200." <20000625223549.I9883@speedy.gsinet>
Date: Mon, 26 Jun 2000 07:54:54 +0200
Message-ID: <15310.961998894@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <20000625223549.I9883@speedy.gsinet>, Gerhard Sittig writes:
>On Sun, Jun 25, 2000 at 20:13 +0200, Poul-Henning Kamp wrote:
>>
>> Jails(8) are probably the currently safest way to do it, but
>> not the most "authentic" looking way. Finding out that you're
>> in a jail is trivial and I presume that it will become common
>> knowledge for script-kiddies RSN.
>
>Besides the /proc/$PID/status field and the 'J' in ps' status
>field - which I feel to be cosmetic or for plain information and
>not really the final word - what other criteria would there be to
>check? I can't think of any -- at least not a reliable one.

Bind a socket at 127.0.0.1 and notice with getsockname() that it isn't.

Ping doesn't work.

I believe "kill -0 1" will also tell you.

>This leads to the question: Was the intent behind the jail(2)
>mechanism to isolate a process group or was it to fake a machine?
>I guess it was the former, but could be turned into the latter.
>And I'm sure you will tell me if I'm wrong. :)

The former, and significant amounts of code will have to be written to make it the latter.

--
Poul-Henning Kamp             | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG               | TCP/IP since RFC 956
FreeBSD coreteam member       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Sun Jun 25 23:37:41 2000
From: "tjk@tksoft.com"
Message-Id: <200006260644.XAA15576@uno.tksoft.com>
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
To: wes@softweyr.com (Wes Peters)
Date: Sun, 25 Jun 2000 23:44:23 -0700 (PDT)
Cc: dima@rdy.com, y-koga@jp.FreeBSD.org, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <3956D5A3.1C2E8D06@softweyr.com> from "Wes Peters" at Jun 25, 0 10:01:39 pm

The bottom line is that the wu-ftpd bug is caused by a line of code which uses a user supplied string as the format string passed to printf(). printf is:

        int printf(const char *, ...),

where the first argument is the format string. If the format string is supplied by the user, then the function can do unintended things.

Troy

>
> Dima Ruban wrote:
> >
> > Wes Peters writes:
> > > Dima Ruban wrote:
> > > >
> > > > What's the purpose of this patch?
> > > > I didn't look at the code, but to me it sounds like it's pretty much
> > > > irrelevant whether you gonna use ``foo(fmt, string)'' or ``foo(string)''
> > >
> > > If string contains formatting codes, foo("%s", string) does the right
> > > thing and just puts out the formatting codes in the string. foo(string)
> > > tries to interpret the embedded format codes and blows the stack.
> > >
> >
> > Well, if in addition to "fmt" argument, string will contain formatting code[s],
> > the result will be just the same. (at least with printf() family).
>
> Since when did printf try to interpret formatting codes within an argument
> string? In fact, it does not:
>
> wes@homer$ cat foo.c
> main()
> {
>         char *s = "This is a %s string.\n";
>
>         printf("\nWith format string:\n");
>         printf("%s", s);
>
>         printf("\nWithout format string:\n");
>         printf(s);
> }
> wes@homer$ ./foo
>
> With format string:
> This is a %s string.
>
> Without format string:
> This is a This is a %s string.
>  string.
>
> Notice the second output is scrambled, as printf apparently finds a
> pointer to the string on the stack and prints it within itself. Oops.
> As you can see, the first printf using the %s code worked fine.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                  Softweyr LLC
> wes@softweyr.com            http://softweyr.com/

From owner-freebsd-security Mon Jun 26 0:20: 2 2000
Date: Mon, 26 Jun 2000 03:03:57 -0400 (EDT)
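Added example for the printf(s) versus printf("%s", s) point in Wes's and Troy's mails above (my own code, not from the thread or from wu-ftpd): the hardened call, a constructed ftpd-style reply line built the same way, and a small directive counter an audit or log monitor can use to flag user strings like "%x%x%n". All function names are hypothetical.

```c
/* Added example (mine, not from the thread or wu-ftpd): hardened form of the
 * printf(s) vs printf("%s", s) pair from foo.c, plus a helper that counts
 * conversion directives in user-supplied text so an audit or log monitor can
 * flag input such as "%x%x%n". Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s. "%%" is a literal percent sign and
 * is not counted; any other '%' (even a dangling one at the end) starts one. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent sign: skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The bug shape from the thread, shown only as a comment so nothing here
 * executes with a hostile format string:
 *     snprintf(dst, cap, user);      -- user IS the format string
 * Hardened form: user is an argument to a fixed "%s" format, so a "%s" or
 * "%n" inside it is copied verbatim instead of interpreted. Returns the full
 * untruncated length (snprintf semantics), so callers can detect truncation
 * by comparing the result against cap. */
int render_safe(char *dst, size_t cap, const char *user)
{
    return snprintf(dst, cap, "%s", user);
}

/* An ftpd-style "NNN-text" reply built the safe way (my construction, shaped
 * like a multi-line reply, not wu-ftpd's own code). */
int reply_line(char *dst, size_t cap, int code, const char *user)
{
    return snprintf(dst, cap, "%d-%s\r\n", code, user);
}

int main(void)
{
    char buf[64];
    const char *s = "This is a %s string.";   /* constructed sample input */

    render_safe(buf, sizeof buf, s);
    printf("safe:  [%s]\n", buf);              /* directive left as text */
    reply_line(buf, sizeof buf, 200, "%x%x%n");
    printf("reply: [%s] directives=%zu\n", buf, count_directives("%x%x%n"));
    return 0;
}
```

Compiling with -Wformat -Wformat-security (GCC and Clang) warns on the commented-out bug shape, where a non-literal format string is passed with no arguments.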
From: Mike Nowlin
To: Poul-Henning Kamp
Cc: "Jeffrey J. Mountin", Cy Schubert - ITSD Open Systems Group, Narvi, security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-Reply-To: <13330.961956810@critter.freebsd.dk>

> In other words: a high-fidelity honey pot should probably be a
> machine of its own behind a rather fascist firewall, but as a
> tripwire/indication a jail(8) based honeypot will do just fine.

I'm sure that most people have a 386 floating around that would work nicely for this... You can make them more appealing to break into if you provide lots of fake services - a simple C program can make it accept TCP connect requests on a whole bunch of weird ports - port scanners will jump at finding these machines....

I'll even give the machines away if you pick them up - you get several for buying me a (cheap) lunch. I'm cleaning out the "dump the unused junk in here" rooms at work. :)

--mike

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Understated/funny man-page sentence of the current time period:
From route(4) on FreeBSD-3.4, DESCRIPTION section:
"FreeBSD provides some packet routing facilities."
...duh.......
Mike Nowlin, N8NVW
mike@argos.org
http://www.viewsnet.com

From owner-freebsd-security Mon Jun 26 2:45:55 2000
To: Warner Losh
Cc: netch@lucky.net, freebsd-security@FreeBSD.ORG
Subject: Re: O_NOFOLLOW
In-Reply-To: Message from Warner Losh of "Sun, 25 Jun 2000 20:48:05 MDT." <200006260248.UAA14432@harmony.village.org>
Date: Mon, 26 Jun 2000 02:45:44 -0700
From: Peter Wemm
Message-Id: <20000626094544.AEE461CD7@overcee.netplex.com.au>

Warner Losh wrote:
> In message <20000613152211.B42067@lucky.net> Valentin Nechayev writes:
> : O_NOFOLLOW flag for open() syscall exists since 3.0-CURRENT and is quite
> : useful for secure open, but is not documented in open(2) man page yet.
> : Does the FreeBSD team plan to disclose it?
>
> I'm not sure that it works from userland. At least that's what I
> recall from testing at one point...

The original issue was what to do if you actually got a symlink. In the original implementation, you could open/read/write the symlink itself, but there were some pretty evil constraints. As I recall, the currently committed code will let you open a symlink but not read or write it. If you are intending to use it in a security role, you still need to fstat it to make sure it is the file you intended and not a handle on some symlink. This should be documented somewhere.. It does not return EISLINK or something like that when pointed at a symlink.
Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

From owner-freebsd-security Mon Jun 26 8:55:50 2000
Date: Mon, 26 Jun 2000 09:55:44 -0600 (MDT)
Message-Id: <200006261555.JAA18584@nomad.yogotech.com>
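Added example of the pattern Peter describes in the O_NOFOLLOW message above (my own code, not FreeBSD's open(2) or any ftpd): open with O_NOFOLLOW, then fstat the descriptor you actually got and reject anything that is not a regular file, so a symlink left in place of the intended file is refused even on an implementation that hands back a descriptor on the link itself. The self-check builds a scratch file, symlink and directory in the current directory; function names are mine.

```c
/* Added example (mine, not FreeBSD's open(2) or ftpd code): open with
 * O_NOFOLLOW and then fstat() the descriptor, as the message above says a
 * security-sensitive caller must, so a symlink is rejected whether the kernel
 * refuses it outright or hands back a descriptor on the link itself. */
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, symlink, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path without following a trailing symlink and insist on a regular file.
 * Returns the fd, or -1 with errno set: ELOOP (EMLINK on FreeBSD) when the
 * kernel refuses the link, ELOOP again if we were handed the link itself, and
 * EINVAL for a directory, device or fifo. Hypothetical name. */
int open_regular_nofollow(const char *path, int flags)
{
    struct stat st;
    int fd = open(path, flags | O_NOFOLLOW);

    if (fd < 0)
        return -1;                          /* the usual symlink outcome */
    if (fstat(fd, &st) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    if (S_ISLNK(st.st_mode)) {              /* a descriptor on the link */
        close(fd);
        errno = ELOOP;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {             /* directory, device, fifo ... */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;                              /* the file we actually wanted */
}

/* Self-check on a constructed scratch tree: a plain file, a symlink to it and
 * a directory. Returns 1 when only the plain file is accepted, else 0. */
int nofollow_self_check(void)
{
    char dir[] = "nofollow.XXXXXX";         /* created in the current dir */
    char plain[64], lnk[64], sub[64];
    int ok = 1, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(sub, sizeof sub, "%s/sub", dir);

    fd = open(plain, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        ok = 0;
    else
        close(fd);
    /* link target is relative to the link's own directory */
    if (symlink("plain", lnk) < 0 || mkdir(sub, 0700) < 0)
        ok = 0;

    fd = open_regular_nofollow(plain, O_RDONLY);      /* must succeed */
    if (fd < 0)
        ok = 0;
    else
        close(fd);
    if (open_regular_nofollow(lnk, O_RDONLY) != -1)   /* symlink: refused */
        ok = 0;
    if (open_regular_nofollow(sub, O_RDONLY) != -1)   /* directory: refused */
        ok = 0;

    unlink(lnk);
    unlink(plain);
    rmdir(sub);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("O_NOFOLLOW + fstat check: %s\n",
           nofollow_self_check() ? "passed" : "FAILED");
    return 0;
}
```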
From: Nate Williams
To: David Nugent
Cc: Nate Williams, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
References: <200006260446.WAA15773@nomad.yogotech.com>
Reply-To: nate@yogotech.com (Nate Williams)

> > 2) The ability to create an upload directory where files are
> >    automatically chown/chmod'd to a different user, so that
> >    it can't be used as a warez site.
>
> Removing visibility of the directory is the classic solution to this, but
> obviously this is a "security by obscurity" technique, and therefore
> wrong.

It's not wrong, and it's not obscurity. It's making those files 'unavailable', since there is no other type of solution.

How else would you make 'uploaded' files unavailable?

Nate

From owner-freebsd-security Mon Jun 26 12:19:51 2000
Date: Mon, 26 Jun 2000 20:31:52 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <20000626203152.K9883@speedy.gsinet>
References: <20000625223549.I9883@speedy.gsinet> <15310.961998894@critter.freebsd.dk>
In-Reply-To: <15310.961998894@critter.freebsd.dk>; from phk@critter.freebsd.dk on Mon, Jun 26, 2000 at 07:54:54AM +0200
Organization: System Defenestrators Inc.

On Mon, Jun 26, 2000 at 07:54 +0200, Poul-Henning Kamp wrote:
> In message <20000625223549.I9883@speedy.gsinet>, Gerhard Sittig writes:
> >
> > [ ... how to recognize you're jail(8)ed ... ]
>
> Bind a socket at 127.0.0.1 and notice with getsockname() that
> it isn't.
>
> Ping doesn't work.

Yes, that's the lesson I had to learn today. :) And I couldn't do networking at all from a jail into the host in 4.0-R; cvsupping helped against this. Now I can do "normal" connections to and fro.

What I'm still missing (and what is hindered by the jail mechanism in general, I suppose) is to put packet filters in the jailed environment. This won't work. Yet? Seems I got the intent wrong and now I'm suffering from disappointed expectations. :| Luckily there are other ways to go ... :>

Seems I have to set up the filter in the host environment. Which makes me ask: Do the routes between aliases go through lo0 or the "real" NIF? I still have problems reading "netstat -rn" output. Since I'm coming from Linux this looks to me like a routing and arp table mixture and dazes me a little to see entries for hosts with lo _and_ xl in the device column.

> >This leads to the question: Was the intent behind the jail(2)
> >mechanism to isolate a process group or was it to fake a
> >machine? I guess it was the former, but could be turned into
> >the latter. And I'm sure you will tell me if I'm wrong.
> >:)
>
> The former, and significant amounts of code will have to be
> written to make it the latter.

When *you* say so I have to believe it. :) I guess providing a fake machine without sacrificing the real host one has no other chance than virtualizing every single resource. This would make jail(2) another VmWare / Bochs / pcemu / VMS / you name it.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Mon Jun 26 15:23:11 2000
Date: Mon, 26 Jun 2000 18:41:47 -0400 (EDT)
From: "Herbert J. McNew"
To: freebsd-security@freebsd.org
Subject: RE: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
In-Reply-To: <712384017032D411AD7B0001023D799B07C8D7@SN1EXCHMBX>

TWIMC,

An easy way around this DoS (if you don't need IP options on your network) is the following ipf rule. This will only work with ipf, though I'm sure someone out there can translate it into ipfw...

        block in quick from any to any with ipopts

enjoy.

_____________________
Herb McNew
Systems Administrator
CAIS Internet
(703) 247-6270
herb@cais.net

From owner-freebsd-security Mon Jun 26 19:20: 7 2000
Date: Mon, 26 Jun 2000 22:08:52 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: ipfilter hooks in rc.network
Message-ID: <20000626220852.M9883@speedy.gsinet>
Organization: System Defenestrators Inc.

Lately I suggested to add hooks for ipfilter in rc.network (I did so via PM to Matt Dillon jumping on his rc.network commit). There I was heavily inspired by the "Configuration of ipfilter on FreeBSD" document at http://www.free-x.ch/pub/ipf-conf-en.html. But I failed to identify all the places where to plug the new code in. So I bundled all the three parts ipf, ipnat and ipmon in pass1 right after setting the hostname and before the network interfaces come up.

Doing so was led by this reasoning:

- Interfaces referenced by filter rules don't have to be up yet, the rules just get parsed and stored away to be checked against when packets actually show up

- Filter rules should be established before any traffic is produced. The fact that ifconfig(8)ed interfaces automatically have a route to their locally attached networks makes me afraid packets can come in just because I bring up an interface. And in addition the answers can go out just because I brought up the interface -- the routing was done by magic! This is all untouched by enabling gatewaying or adding further routes in a later stage.

- Even if there are no explicit service programs (i.e. daemons) running, the kernel's IP stack will happily accept some packets and respond to some of them. ICMP, ARP and friends come to mind.

So I'm tempted to set up ipfilter parts in a *very* early stage. Best would be to do it before any interface goes up. Unless I'm wrong in any of the above assumptions.

And for some details: I still don't know why one would want to separate ipf and ipnat invocation.
As far as I got it ipnat is "just" a logical complement to filtering. Maybe they're even held in the same structures and handled by the same code as the packet filtering is. So I see them as _one_ ruleset in a two section notation.

And how good or bad is it to start ipmon far away from the ipf process which fills the /dev/ipl and Co logging channels? Are there chances to "miss" log entries? Are there chances for the fifo(?) queues to fill up and block until the reader ipmon comes in?

My (admittedly simplistic -- I'm not the expert here) approach was then to have a diff like this (for demonstration, surely it's mangled by copy&paste and mail transport):

----- :r !rcsdiff -u /etc/rc.network ----------------------------
===================================================================
RCS file: /etc/RCS/rc.network,v
retrieving revision 1.1
diff -u -r1.1 /etc/rc.network
--- /etc/rc.network	2000/06/21 19:15:50	1.1
+++ /etc/rc.network	2000/06/24 09:05:45
@@ -20,6 +20,28 @@ echo -n ' hostname' fi + # ----- gsi 2000/06/21: added from ipf-conf-en.html + if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ipf -Fa -f ${ipfilter_rules} + else + ipfilter="NO" + fi + if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then + echo -n ' ipmon' + ipmon ${ipmon_flags} + fi + if [ X"${ipfilter}" = X"YES" -a X"${ipnat}" = X"YES" ]; then + if [ -f "${ipnat_rules}" ]; then + echo -n ' ipnat' + ipnat -CF -f ${ipnat_rules} + else + echo -n ' NO NAT RULES' + ipnat="NO" + fi + fi + # ----- end of added ipfilter code + # Set the domainname if we're using NIS # case ${nisdomainname} in ----------------------------------------------------------------- Later in the discussion it turned out that there's a need for an ${ipfilter_flags} variable with a default setting of "-E" which needs to be unset when ipfilter is in the kernel instead of being a module. This will eliminate a warning and could serve for further customization if the admin feels like doing so. :) And before I forget the real intent for all of this: what made me think this belongs into the base system (rc.network and rc.conf) is the following: - ipfilter comes together with the base in /usr/src/contrib, the programs live in /sbin, they're no "strangers" - I failed to achieve the same with the rc.firewall script or the firewall variables -- even specifying a script instead of a rule scheme I could never prevent ipfw commands from being sent out. So I would end up with _both_ ipfw and ipfilter loaded or present in the kernel. I'm not certain about the implications, but frankly speaking I just don't want to experiment with this. - Of course the above sketched modifications could always be done by an admin after installation. But it would potentially collide with _every_ future update (mergemaster run). 
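Review bot: the ipmon test in this hunk, `X"${ipmon_flags}" != X"NO"`, also passes when ${ipmon_flags} is unset or empty, so an admin who sets ipfilter=YES and never touches ipmon_flags gets a bare `ipmon` started from rc.network; ipmon only detaches with -D, so an empty value should be treated like NO (a case arm of the form `[Nn][Oo] | '') ;;` does that). Two more points on the same hunk: the `ipf -Fa -f ${ipfilter_rules}` line has no place for the -E that the paragraph above says is needed when ipfilter is loaded as a module, so an ${ipfilter_flags} variable belongs on that line; and the ipfilter branch flips ipfilter="NO" silently when the rules file is missing, while the ipnat branch at least prints ' NO NAT RULES', so the host can come up with no filter at all and nothing on the console says so. Print a message there too, and test both rules files with -r rather than -f so an unreadable file is reported the same way as a missing one.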
Please help out in identifying

- where to put in the new code

- what the defaults for /etc/defaults/rc.conf should look like (of course the new stuff has to be disabled and LINT has the usual hint "if you enable IPFILTER_DEFAULT_BLOCK make sure you open your needed ports with filter rules")

- how much configurability is needed (does a simple ${program_to_start_in_rc_network_if_present} do already? this would be a very generic mechanism:)

I cannot speak for Matt, but I feel he will be glad to commit a proven solution to CURRENT and some time later STABLE admins have one worry less to care about after installation. :>

Speaking for myself loading everything in this early stage and all together works for me. But I could have missed something.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Mon Jun 26 21:20:37 2000
Date: Mon, 26 Jun 2000 22:20:30 -0600 (MDT)
Message-Id: <200006270420.WAA01672@nomad.yogotech.com>
From: Nate Williams
To: David Nugent
Cc: Nate Williams, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
References: <200006261555.JAA18584@nomad.yogotech.com>
Reply-To: nate@yogotech.com (Nate Williams)

> > > > 2) The ability to create an upload directory where files are
> > > >    automatically chown/chmod'd to a different user, so that
> > > >    it can't be used as a warez site.
> > >
> > > Removing visibility of the directory is the classic solution to this, but
> > > obviously this is a "security by obscurity" technique, and therefore
> > > wrong.
> >
> > It's not wrong, and it's not obscurity.
>
> 'wrong' is perhaps too strong, 'not ideal' is better. But this is
> a case of obscurity.
>
> > It's making those files 'unavailable', since there is no other type of
> > solution.
>
> The point is, I guess, that since the uid that put them there can also get
> it from there, all that is missing is the ability to view what's there,
> so the files are "available", just not advertised as such.

Actually, no. Note what I wrote above. It's both chmod/chown'd so that the uploading user can't touch them. They can't over-write them or do anything to modify them once they've been uploaded.

> > How else would you make 'uploaded' files unavailable?
>
> Permissions and ownership of course, as you originally suggested. The
> ability to configure the mode on uploaded file modes as 000 without
> changing ownership would not be effective unless chmod was denied for the
> directory (which you can't do without removing writability or coding
> around it). Otherwise a change of owner is required.
> Visibility or not of
> the directory then becomes an administrative option rather than the only
> means by which files may be 'protected'.

See above. The change of owner is done.

Nate

From owner-freebsd-security Mon Jun 26 21:21:30 2000
Message-ID: <20000627042125.57933.qmail@hotmail.com>
From: "Ron Smith" To: freebsd-security@FreeBSD.ORG Cc: freebsd-questions@FreeBSD.ORG Subject: ssh server for WinNT Date: Mon, 26 Jun 2000 21:21:25 PDT Mime-Version: 1.0 Content-Type: text/plain; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi All, Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from a FreeBSD box to a WindozeNT server. TIA Ron Smith ________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 26 23:41:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from dt052n3e.san.rr.com (dt052n3e.san.rr.com [204.210.33.62]) by hub.freebsd.org (Postfix) with ESMTP id 3255737BE73 for ; Mon, 26 Jun 2000 23:41:23 -0700 (PDT) (envelope-from DougB@gorean.org) Received: from gorean.org (doug@master [10.0.0.2]) by dt052n3e.san.rr.com (8.9.3/8.9.3) with ESMTP id XAA19053; Mon, 26 Jun 2000 23:41:06 -0700 (PDT) (envelope-from DougB@gorean.org) Message-ID: <39584C82.988B2F1B@gorean.org> Date: Mon, 26 Jun 2000 23:41:06 -0700 
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.72 [en] (X11; U; FreeBSD 5.0-CURRENT-0603 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: ipfilter hooks in rc.network
References: <20000626220852.M9883@speedy.gsinet>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Gerhard Sittig wrote:

First, I'm not sure that -security is the right list for this, -current or -hackers might be better.

Second, while I support adding the ability to more closely integrate ipfilter into the base, your patch's style is drastically out of synch with the changes introduced recently. The following is better style.

    case ${ipfilter_enable} in
    [Yy][Ee][Ss])
        if [ -r "${ipfilter_rules}" ]; then
            echo -n ' ipfilter'
            ipf -Fa -f ${ipfilter_rules}
        fi
        case ${ipmon_flags} in
        [Nn][Oo] | '')
            ;;
        *)
            echo -n ' ipmon'
            ipmon ${ipmon_flags}
            ;;
        esac
        case ${ipnat} in
        [Yy][Ee][Ss])
            if [ -r "${ipnat_rules}" ]; then
                echo -n ' ipnat'
                ipnat -CF -f ${ipnat_rules}
            else
                echo -n ' ipnat enabled but no rules!'
            fi
            ;;
        esac
        ;;
    esac

If you need any help with this, just let me know.

Doug

-- 
"Live free or die" - State motto of my ancestral homeland, New Hampshire

Do YOU Yahoo!?

From owner-freebsd-security Tue Jun 27 0:24:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from oskar.dev.nanoteq.co.za (oskar.dev.nanoteq.co.za [196.7.114.5]) by hub.freebsd.org (Postfix) with ESMTP id CFC6C37BE32 for ; Tue, 27 Jun 2000 00:24:06 -0700 (PDT) (envelope-from rbezuide@oskar.dev.nanoteq.co.za)
Received: (from rbezuide@localhost) by oskar.dev.nanoteq.co.za (8.9.3/8.9.3) id JAA06584 for freebsd-security@freebsd.org; Tue, 27 Jun 2000 09:25:36 +0200 (SAT)
From: Reinier Bezuidenhout Message-Id: <200006270725.JAA06584@oskar.dev.nanoteq.co.za> Subject: Kernel options for DoS on 3-stable To: freebsd-security@freebsd.org Date: Tue, 27 Jun 2000 09:25:36 +0200 (SAT) X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi ... Could anyone provide me with a list of kernel options one should add by default to a kernel to prevent DoS attacks. Thanks Reinier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 0:35:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by hub.freebsd.org (Postfix) with ESMTP id 8E71137B926; Tue, 27 Jun 2000 00:35:08 -0700 (PDT) (envelope-from david.dagon@mindspring.com) Received: from mindspring.com (user-38ld0e2.dialup.mindspring.com [209.86.129.194]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id DAA30842; Tue, 27 Jun 2000 03:34:59 -0400 (EDT) Message-ID: <39585C05.C2803BC0@mindspring.com> Date: Tue, 27 Jun 2000 03:47:17 -0400 
From: David Dagon Reply-To: dagon@cc.gatech.edu X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.4.0-test2 i686) X-Accept-Language: en MIME-Version: 1.0 To: Ron Smith Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: ssh server for WinNT References: <20000627042125.57933.qmail@hotmail.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ron Smith wrote: > > Hi All, > > Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from > a FreeBSD box to a WindozeNT server. > This might sound like a Windows question, but it relates to problems in porting 'nix code to Windows. Many folks have just compiled sshd for Windows, and run it as an NT service. From my bookmarks: http://www.ugcs.caltech.edu/~liebling/cygwin.html http://www.onlinemagic.com/~bgould/sshd.html Installation Notes: http://sourceware.cygnus.com/ml/cygwin/1998-12/msg00429.html Partial Implementation (Java): http://www.mindbright.se/mindtunnel.html ssh client only (old): http://bmrc.berkeley.edu/people/chaffee/winntutil.html You might try compiling openssh from source. Now, keeping the host key files protected under Windows.... 
-- David dagon@cc.gatech.edu Georgia Institute of Technology To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 2:53:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from CaraCalla.htu.tuwien.ac.at (caracalla.htu.tuwien.ac.at [128.130.87.100]) by hub.freebsd.org (Postfix) with SMTP id 9D12E37BF64 for ; Tue, 27 Jun 2000 02:53:09 -0700 (PDT) (envelope-from edgar-list-freebsd@caracalla.htu.tuwien.ac.at) Received: (qmail 1479 invoked by alias); 27 Jun 2000 09:51:36 -0000 Received: from unknown (HELO caracalla.htu.tuwien.ac.at) (195.34.140.195) by caracalla.htu.tuwien.ac.at with SMTP; 27 Jun 2000 09:51:36 -0000 Message-ID: <39588784.D33DBB1E@caracalla.htu.tuwien.ac.at> Date: Tue, 27 Jun 2000 11:52:52 +0100 
From: Edgar Holleis X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U) X-Accept-Language: en,de-AT MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: ssh server for WinNT References: <20000627042125.57933.qmail@hotmail.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org People at www.ssh.com state in their FAQ (http://www.ssh.com/commerce/customer_service_faq.html) "SSH Secure Shell for Servers will support also Microsoft Windows NT platforms in the near future." It is commercial of course, but they give away free licenses for private/educational purposes. For the moment use cygwin. I am not sure of security implications running a server process under cygwin as "Local System". By the way, does anyone know how I can use the SSLtelnet port in conjunction with Windows 2K's encrypted telnet-client or telnet-server? Do they inter operate at all, is it just a certificate issue? Edgar Holleis Ron Smith wrote: > > Hi All, > > Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from > a FreeBSD box to a WindozeNT server. 
> > TIA > Ron Smith > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 4: 7:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.alpha.net.au (mail2.alpha.net.au [203.41.44.8]) by hub.freebsd.org (Postfix) with ESMTP id EB93537BF71; Tue, 27 Jun 2000 04:07:06 -0700 (PDT) (envelope-from dannyh@idx.com.au) Received: from dannyh.freebsd.org (surry-pool-190.alpha.net.au [203.41.44.190] (may be forged)) by mail.alpha.net.au (8.9.3/8.9.3) with SMTP id VAA03444; Tue, 27 Jun 2000 21:08:22 +1000 
From: Danny To: "Ron Smith" , freebsd-security@FreeBSD.ORG Subject: Re: ssh server for WinNT Date: Tue, 27 Jun 2000 21:12:12 +1000 X-Mailer: KMail [version 1.0.21] Content-Type: text/plain Cc: freebsd-questions@FreeBSD.ORG References: <20000627042125.57933.qmail@hotmail.com> MIME-Version: 1.0 Message-Id: <00062721131301.01060@dannyh.freebsd.org> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -Hello - Check out a client a "putty" from www.tucows.com - it cost $0.00 On Tue, 27 Jun 2000, Ron Smith wrote: > Hi All, > > Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from > a FreeBSD box to a WindozeNT server. > > TIA > Ron Smith > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message -- ---------------------------------------------------------------- You are not authorized to use my email address for any purpose. This is a violation of my privacy. Remove my email address from your databases immediately. ---------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 5:58:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id CD9DB37BEFE for ; Tue, 27 Jun 2000 05:58:29 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id JAA23381; Tue, 27 Jun 2000 09:57:56 -0300 (GMT) 
From: Fernando Schapachnik
Message-Id: <200006271257.JAA23381@ns1.via-net-works.net.ar>
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
In-Reply-To: from "Herbert J. McNew" at "Jun 26, 0 06:41:47 pm"
To: herb@cais.net (Herbert J. McNew)
Date: Tue, 27 Jun 2000 09:57:56 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message, Herbert J. McNew wrote:
> I'm sure someone out there can translate it into ipfw...
>
> block in quick from any to any with ipopts

ipfw add 1 deny ip from any to any ipoptions ssrr,lsrr,ts,rr

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Tue Jun 27 6:51:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.inwind.it (relay1.inwind.it [212.141.53.67]) by hub.freebsd.org (Postfix) with ESMTP id 66BCF37BB1B for ; Tue, 27 Jun 2000 06:51:09 -0700 (PDT) (envelope-from bartequi@inwind.it)
Received: from bartequi.ottodomain.org (212.141.78.7) by relay1.inwind.it; 27 Jun 2000 15:51:06 +0200
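The ipfw translation Fernando gives above names the four IP options ipfw's ipoptions keyword knows (ssrr, lsrr, rr, ts). One detail worth checking before relying on it: ipfw's ipoptions test requires every option listed in the spec to be present in the header (the kernel clears one bit per option it sees and matches only when all required bits are cleared), so a single rule listing all four only matches packets carrying all four, whereas one rule per option catches each. As an added example, not code from the thread or from ipfw, here is a parser for the IPv4 options area together with a model of that matching, run over constructed headers; the function names, the ruleset lists and the sample packets are all my own.

```python
import struct

# IPv4 option type numbers, as found in each option's first byte.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_RR = 7      # record route
IPOPT_TS = 68     # internet timestamp
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route

# The four options ipfw's "ipoptions" keyword can name.
IPFW_KEYWORDS = {IPOPT_SSRR: "ssrr", IPOPT_LSRR: "lsrr", IPOPT_RR: "rr", IPOPT_TS: "ts"}


def parse_ipv4_options(packet):
    """Return the option type numbers carried in an IPv4 header.

    Raises ValueError for a truncated header or a malformed option length,
    the two cases a filter must not silently pass.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError("header length exceeds packet")
    opts, i, found = packet[20:hlen], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # one-byte option without a length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option %d" % (length, kind))
        found.append(kind)
        i += length
    return found


def is_malformed(packet):
    """True when the options area cannot be parsed (hostile or corrupt header)."""
    try:
        parse_ipv4_options(packet)
        return False
    except ValueError:
        return True


def ipfw_ipoptions_match(packet, spec):
    """Model ipfw's `ipoptions spec` test: every listed option must be present
    and every `!option` absent; the kernel checks all of them, not any one."""
    present = {IPFW_KEYWORDS[t] for t in parse_ipv4_options(packet) if t in IPFW_KEYWORDS}
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("!"):
            if item[1:] in present:
                return False
        elif item not in present:
            return False
    return True


def first_denying_rule(packet, ruleset):
    """Number of the first `deny ... ipoptions` rule that matches, or 0 for none."""
    for number, spec in ruleset:
        if ipfw_ipoptions_match(packet, spec):
            return number
    return 0


def build_ipv4_header(options):
    """Constructed sample: a bare IPv4 header (no payload) carrying `options`."""
    options += b"\x00" * ((-len(options)) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options


# Constructed packets (addresses are documentation ranges, not real hosts).
PLAIN = build_ipv4_header(b"")
LSRR_ONLY = build_ipv4_header(b"\x01" + bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 1]))
RR_ONLY = build_ipv4_header(bytes([IPOPT_RR, 11, 4]) + b"\x00" * 8)
ALL_FOUR = build_ipv4_header(bytes([IPOPT_SSRR, 7, 4, 192, 0, 2, 1])
                             + bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 2])
                             + bytes([IPOPT_RR, 7, 4, 0, 0, 0, 0])
                             + bytes([IPOPT_TS, 8, 5, 0, 0, 0, 0, 0]))
MALFORMED = build_ipv4_header(bytes([IPOPT_LSRR, 40, 4, 0]))   # claims 40 bytes in 4

# The single rule from the thread beside the one-rule-per-option form.
SINGLE_RULE = [(1, "ssrr,lsrr,ts,rr")]
PER_OPTION = [(1, "ssrr"), (2, "lsrr"), (3, "ts"), (4, "rr")]
```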
From: Salvo Bartolotta
Date: Tue, 27 Jun 2000 14:53:05 GMT
Message-ID: <20000627.14530500@bartequi.ottodomain.org>
Subject: icmp type 3 code 4: a couple of questions
To: freebsd-security@FreeBSD.ORG
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear FreeBSD'ers,

I am running a paranoidly closed firewall (homebox).

Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type 3 code 4 packets (DF), dropping all other icmp packets onto the floor?

The question may be academic, though; I seem to understand that letting icmptypes 3 in (while letting NO icmp packets out) should achieve the same (paranoid) goal. Am I missing anything?

Thanks in advance,
Salvo

From owner-freebsd-security Tue Jun 27 7:53: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from saturn.terahertz.net (saturn.terahertz.net [216.165.129.80]) by hub.freebsd.org (Postfix) with ESMTP id 3AB4737B9E0; Tue, 27 Jun 2000 07:52:56 -0700 (PDT) (envelope-from sideshow@terahertz.net)
Received: from PCX2 (stn-on2-35.netcom.ca [207.181.100.163]) by saturn.terahertz.net (8.9.3/8.9.3) with SMTP id JAA67070; Tue, 27 Jun 2000 09:50:18 -0500 (CDT)
From: "Matt Watson" To: "Danny" , "Ron Smith" , Cc: Subject: RE: ssh server for WinNT Date: Tue, 27 Jun 2000 10:39:29 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <00062721131301.01060@dannyh.freebsd.org> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Since when is putty a ssh server? I coulda sworn it was a telnet/ssh1/etc client... but then again i have been wrong before :P -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Danny Sent: Tuesday, June 27, 2000 7:12 AM To: Ron Smith; freebsd-security@FreeBSD.ORG Cc: freebsd-questions@FreeBSD.ORG Subject: Re: ssh server for WinNT -Hello - Check out a client a "putty" from www.tucows.com - it cost $0.00 On Tue, 27 Jun 2000, Ron Smith wrote: > Hi All, > > Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from > a FreeBSD box to a WindozeNT server. > > TIA > Ron Smith > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message -- ---------------------------------------------------------------- You are not authorized to use my email address for any purpose. This is a violation of my privacy. Remove my email address from your databases immediately. ---------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 7:57:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.root-servers.ch (alpha.root-servers.ch [195.49.62.125]) by hub.freebsd.org (Postfix) with SMTP id D8FCB37C0DF for ; Tue, 27 Jun 2000 07:57:47 -0700 (PDT) (envelope-from gabriel_ambuehl@buz.ch) Received: (qmail 26625 invoked from network); 27 Jun 2000 14:57:44 -0000 Received: from client99-59.hispeed.ch (62.2.99.59) by ns1.root-servers.ch with SMTP; 27 Jun 2000 14:57:44 -0000 Date: Tue, 27 Jun 2000 16:58:00 +0200 
From: Gabriel Ambuehl
X-Mailer: The Bat! (v1.44) UNREG / CD5BF9353B3B7091
Organization: BUZ Internet Services
X-Priority: 3 (Normal)
Message-ID: <846988849.20000627165800@buz.ch>
To: "Matt Watson"
Cc: "Danny" , "Ron Smith" , freebsd-security@FreeBSD.ORG,
Subject: Re[2]: ssh server for WinNT
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Matt,

Tuesday, June 27, 2000, 4:39:29 PM, you wrote:
> Since when is putty a ssh server? I coulda sworn it was a telnet/ssh1/etc
> client... but then again i have been wrong before :P

You're right. It IS just a client. I'm just doubting how much sense an ssh server for NT would make. Ok, you can control many of the network stuff from the CLI, but besides that you'd still have the need for a solution such as VNC or PcAnywhere to control the settings only available via the GUI (one could argue that it's possible to control the system by hacking the registry, which should be doable from the CLI, but who would be so masochistic? ;-).
Best regards, Gabriel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 7:58:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from po4.wam.umd.edu (po4.wam.umd.edu [128.8.10.166]) by hub.freebsd.org (Postfix) with ESMTP id 14B1D37C06D; Tue, 27 Jun 2000 07:58:43 -0700 (PDT) (envelope-from culverk@wam.umd.edu) Received: from rac4.wam.umd.edu (root@rac4.wam.umd.edu [128.8.10.144]) by po4.wam.umd.edu (8.9.3/8.9.3) with ESMTP id KAA23808; Tue, 27 Jun 2000 10:58:29 -0400 (EDT) Received: from rac4.wam.umd.edu (sendmail@localhost [127.0.0.1]) by rac4.wam.umd.edu (8.9.3/8.9.3) with SMTP id KAA23739; Tue, 27 Jun 2000 10:58:25 -0400 (EDT) Received: from localhost (culverk@localhost) by rac4.wam.umd.edu (8.9.3/8.9.3) with ESMTP id KAA23735; Tue, 27 Jun 2000 10:58:25 -0400 (EDT) X-Authentication-Warning: rac4.wam.umd.edu: culverk owned process doing -bs Date: Tue, 27 Jun 2000 10:58:24 -0400 (EDT) From: Kenneth Wayne Culver To: Matt Watson Cc: Danny , Ron Smith , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: RE: ssh server for WinNT In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org yeah, it's a client not a server. ================================================================= | Kenneth Culver | FreeBSD: The best NT upgrade | | Unix Systems Administrator | ICQ #: 24767726 | | and student at The | AIM: muythaibxr | | The University of Maryland, | Website: (Under Construction) | | College Park. | http://www.wam.umd.edu/~culverk/| ================================================================= On Tue, 27 Jun 2000, Matt Watson wrote: > Since when is putty a ssh server? I coulda sworn it was a telnet/ssh1/etc > client... but then again i have been wrong before :P > > -----Original Message----- 
> From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Danny > Sent: Tuesday, June 27, 2000 7:12 AM > To: Ron Smith; freebsd-security@FreeBSD.ORG > Cc: freebsd-questions@FreeBSD.ORG > Subject: Re: ssh server for WinNT > > > > -Hello > - Check out a client a "putty" from www.tucows.com > - it cost $0.00 > > > > On Tue, 27 Jun 2000, Ron Smith wrote: > > Hi All, > > > > Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' > from > > a FreeBSD box to a WindozeNT server. > > > > TIA > > Ron Smith > > > > ________________________________________________________________________ > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > -- > > ---------------------------------------------------------------- > You are not authorized to use my email address for any purpose. > This is a violation of my privacy. Remove my email > address from your databases immediately. 
> ---------------------------------------------------------------- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 8: 8:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from icg.interactivate.com (icg.interactivate.com [207.110.42.216]) by hub.freebsd.org (Postfix) with ESMTP id 65A9F37C0DE; Tue, 27 Jun 2000 08:08:37 -0700 (PDT) (envelope-from larry@interactivate.com) Received: from interactivate.com (cx408168-a.escnd1.sdca.home.com [24.15.133.36]) by icg.interactivate.com (8.10.1/8.10.1) with ESMTP id e5RFB7Q01665; Tue, 27 Jun 2000 08:11:07 -0700 (PDT) Message-ID: <3958C483.CC13F865@interactivate.com> Date: Tue, 27 Jun 2000 08:13:07 -0700 
From: Lawrence Sica Organization: Interactivate, Inc X-Mailer: Mozilla 4.73 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Gabriel Ambuehl Cc: Matt Watson , Danny , Ron Smith , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: ssh server for WinNT References: <846988849.20000627165800@buz.ch> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Gabriel Ambuehl wrote: > > Hello Matt, > > Tuesday, June 27, 2000, 4:39:29 PM, you wrote: > > > Since when is putty a ssh server? I coulda sworn it was a telnet/ssh1/etc > > client... but then again i have been wrong before :P > > You're right. It IS just a client. I'm just doubting how much sense a > ssh server for NT would make. Ok, you can control many of the network > stuff from CLI but beside that, you'd still have the need for a > solution such as VNC or PcAnywhere to control the settings only > avaiable by the GUI (one could argue that's possible to control the > system by hacking the registry which should be doable from CLI but who > would be so masochistic? ;-). > well you could, if your feeling unsafe about say pcAnywhere's encryption use ssh to setup a tunnel. F-secure puts out an nt ssh server i think. 
--Larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 8:22:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 4454B37C044 for ; Tue, 27 Jun 2000 08:22:06 -0700 (PDT) (envelope-from dmartin@origen.com) Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id KAA32511; Tue, 27 Jun 2000 10:21:58 -0500 (CDT) (envelope-from dmartin@origen.com) Message-ID: <3958E1C5.18593553@origen.com> Date: Tue, 27 Jun 2000 10:17:57 -0700 
From: Richard Martin
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Salvo Bartolotta
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
References: <20000627.14530500@bartequi.ottodomain.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Add:

    /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
    /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
    /sbin/ipfw add deny log icmp from any to any

This lets the firewall machine ping in and out (used by Big Brother), but stops those not very useful, and blocks all ICMP to other machines past the firewall.

Substitute in the ICMP types you want to allow each way; you can specify different ones both in and out. We use

    icmpallow="0,3,4,5,8,11,12,14,16,18"

I wonder if anyone has any comments on the appropriateness of these.

-- 
Richard Martin dmartin@origenbio.com

Salvo Bartolotta wrote:
> Dear FreeBSD'ers,
>
> I am running a paranoidly closed firewall (homebox).
>
> Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> 3 code 4 packets (DF), dropping all other icmp packets onto the floor
> ?
>
> The question may be academic, though; I seem to understand that
> letting icmptypes 3 in (while letting NO icmp packets out) should
> achieve the same (paranoid) goal. Am I missing anything ?
>
> Thanks in advance,
> Salvo

From owner-freebsd-security Tue Jun 27 8:24:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from easeway.com (ns1.easeway.com [209.69.39.1]) by hub.freebsd.org (Postfix) with ESMTP id 02A2037C061; Tue, 27 Jun 2000 08:24:33 -0700 (PDT) (envelope-from mwlucas@easeway.com)
Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id LAA23677; Tue, 27 Jun 2000 11:04:03 -0400 (EDT)
Message-Id: <200006271504.LAA23677@easeway.com>
Subject: Re: ssh server for WinNT
In-Reply-To: <3958C483.CC13F865@interactivate.com> from Lawrence Sica at "Jun 27, 0 08:13:07 am"
To: larry@interactivate.com (Lawrence Sica)
Date: Tue, 27 Jun 100 11:04:02 -0400 (EDT)
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
From: mwlucas@exceptionet.com X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > ssh server for NT would make. Ok, you can control many of the network > > stuff from CLI but beside that, you'd still have the need for a > > solution such as VNC or PcAnywhere to control the settings only > > avaiable by the GUI (one could argue that's possible to control the > > system by hacking the registry which should be doable from CLI but who > > would be so masochistic? ;-). > well you could, if your feeling unsafe about say pcAnywhere's encryption > use ssh to setup a tunnel. F-secure puts out an nt ssh server i think. I find my NT SSH useful. Simply being able to start and stop services on a command line is quite helpful. I could use Telnet, but the NT Telnet daemon is a pain. Since many of our servers are development environments, console time is at a premium. Being able to connect in and make a quick change is nice. I also do things such as configure NT SNMP via SSH; that's all command-line driven. ==ml -- Michael Lucas | Exceptionet, Inc. | www.exceptionet.com "Exceptional Networking" | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 8:42:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 5E1FB37C0C2; Tue, 27 Jun 2000 08:42:41 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (1865 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 27 Jun 2000 10:34:46 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Tue, 27 Jun 2000 10:34:34 -0500 (CDT) 
From: James Wyatt To: Gabriel Ambuehl Cc: Matt Watson , Danny , Ron Smith , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: Re[2]: ssh server for WinNT In-Reply-To: <846988849.20000627165800@buz.ch> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org A lot of useful things can be done with CLI on NT, especially when your scripting is in Perl... Couldn't you also use SSH to tunnel the VNC traffic, protecting it from snooping and providing multiple passwords for multiple users? I thought VNC passwords were sent clear and not rate-limited to prevent cracking. Just my 2 bits - Jy@ On Tue, 27 Jun 2000, Gabriel Ambuehl wrote: [ ... ] > Tuesday, June 27, 2000, 4:39:29 PM, you wrote: > > Since when is putty a ssh server? I coulda sworn it was a telnet/ssh1/etc > > client... but then again i have been wrong before :P > > You're right. It IS just a client. I'm just doubting how much sense a > ssh server for NT would make. Ok, you can control many of the network > stuff from CLI but beside that, you'd still have the need for a > solution such as VNC or PcAnywhere to control the settings only > avaiable by the GUI (one could argue that's possible to control the > system by hacking the registry which should be doable from CLI but who > would be so masochistic? ;-). [ ... ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 9:38: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from relay2.inwind.it (relay2.inwind.it [212.141.53.73]) by hub.freebsd.org (Postfix) with ESMTP id 2DE1437C100 for ; Tue, 27 Jun 2000 09:37:58 -0700 (PDT) (envelope-from bartequi@inwind.it) Received: from bartequi.ottodomain.org (212.141.78.68) by relay2.inwind.it; 27 Jun 2000 18:37:56 +0200 
From: Salvo Bartolotta
Date: Tue, 27 Jun 2000 17:39:59 GMT
Message-ID: <20000627.17395900@bartequi.ottodomain.org>
Subject: Re: icmp type 3 code 4: a couple of questions
To: Richard Martin
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3958E1C5.18593553@origen.com>
References: <20000627.14530500@bartequi.ottodomain.org> <3958E1C5.18593553@origen.com>
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Richard Martin,

thanks again for replying.

Well, actually, my homebox will behave, as it were, like a Klingon spaceship: for example, it will normally deny **all** icmptypes except type 3 code 4 (DF). When I need to ping, traceroute, etc., I will *temporarily* remove some restrictions. At least, this is the idea.

I have achieved "invisibility" as well as the desired incoming icmp packets 3.4 by simply allowing all icmptypes 3, and dropping all outward bound icmp packets. If I fully understand the matter, this method should work without (?) side effects. If this is the case, I thus obtain the same result -- just as if I were allowing icmp 3.4 packets and rejecting all other icmptypes.

Needless to say, I have CONSTANTLY been portscanned (nice packets having been sent to a bunch of ports such as tcp 23) in the last few weeks; which is the reason for such drastic decisions.

Since utilities such as Firewalk (traceroute-like program) make use of ICMP, I wish to prevent this kind of scan.

Back to my question: AFAICS, ipfilter can allow icmp 3.4 (blocking all other icmptypes) whereas ipfw apparently cannot **exactly** do that. However, if my understanding of the whole affair is correct (see above), the issue is purely academic.
Best regards,
Salvo

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/27/00, 6:17:57 PM, Richard Martin wrote regarding Re: icmp type 3 code 4: a couple of questions:

> Add:
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
> /sbin/ipfw add deny log icmp from any to any
> this lets the firewall machine ping in and out (used by Big Brother), but
> stops those not very useful, and blocks all ICMP to other machines past
> the firewall
> Substitute in the ICMP types you want to allow each way, you can specify
> different ones both in and out.
> We use
> icmpallow="0,3,4,5,8,11,12,14,16,18"
> I wonder if anyone has any comments on the appropriateness of these
> --
> Richard Martin dmartin@origenbio.com
> Salvo Bartolotta wrote:
> > Dear FreeBSD'ers,
> >
> > I am running a paranoidly closed firewall (homebox).
> >
> > Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> > 3 code 4 packets (DF), dropping all other icmp packets onto the floor
> > ?
> >
> > The question may be academic, though; I seem to understand that
> > letting icmptypes 3 in (while letting NO icmp packets out) should
> > achieve the same (paranoid) goal. Am I missing anything ?
> > > > Thanks in advance, > > Salvo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 27 10: 7:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 040F637C158 for ; Tue, 27 Jun 2000 10:07:12 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.veriohosting.com; Tue, 27 Jun 2000 11:07:09 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma009557; Tue, 27 Jun 00 11:07:05 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id LAA29572; Tue, 27 Jun 2000 11:07:01 -0600 (MDT) Date: Tue, 27 Jun 2000 11:07:00 -0600 (MDT) 
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Salvo Bartolotta
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <20000627.17395900@bartequi.ottodomain.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Salvo Bartolotta wrote:

> Well, actually, my homebox will behave, as it were, like a Klingon
> spaceship: for example, it will normally deny **all** icmptypes except
> type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> *temporarily* remove some restrictions.

If you are using IP Filter, why not let it do the work for you?

It is very easy to set up a "cloaked" firewall machine like you describe with IP Filter. In this situation, you can easily block all incoming ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter setting state rules for connections, traceroutes, or pings that were initiated from behind the firewall. That will let traceroute and ping automatically work from behind the firewall out to hosts outside the firewall, but you are otherwise 100% invisible to any other host on the Internet.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Tue Jun 27 10:23:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [207.113.133.231]) by hub.freebsd.org (Postfix) with ESMTP id A125137B773 for ; Tue, 27 Jun 2000 10:23:43 -0700 (PDT) (envelope-from insane@lunatic.oneinsane.net)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000) id 3E68315543; Tue, 27 Jun 2000 10:23:39 -0700 (PDT)
Date: Tue, 27 Jun 2000 10:23:39 -0700
From: Ron 'The InSaNe One' Rosson
To: Paul Hart
Cc: Salvo Bartolotta , freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <20000627102339.B861@lunatic.oneinsane.net>
Reply-To: Ron Rosson
Mail-Followup-To: Paul Hart , Salvo Bartolotta , freebsd-security@FreeBSD.ORG
References: <20000627.17395900@bartequi.ottodomain.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from hart@iserver.com on Tue, Jun 27, 2000 at 11:07:00AM -0600
X-Operating-System: FreeBSD lunatic.oneinsane.net 4.0-STABLE
X-Moon: The Moon is Waning Crescent (23% of Full)
X-Opinion: What you read here is my IMHO
X-Disclaimer: I am a firm believer in RTFM
X-WWW: http://www.oneinsane.net
X-PGP-KEY: http://www.oneinsane.net/~insane/insane2-pgp5i.txt
X-Uptime: 10:22AM up 4 days, 10:29, 1 user, load averages: 0.00, 0.03, 0.00
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Paul Hart was heard blurting out:
> On Tue, 27 Jun 2000, Salvo Bartolotta wrote:
>
> > Well, actually, my homebox will behave, as it were, like a Klingon
> > spaceship: for example, it will normally deny **all** icmptypes except
> > type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> > *temporarily* remove some restrictions.
>
> If you are using IP Filter, why not let it do the work for you?
>
> It is very easy to set up a "cloaked" firewall machine like you describe
> with IP Filter. In this situation, you can easily block all incoming
> ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter
> setting state rules for connections, traceroutes, or pings that were
> initiated from behind the firewall. That will let traceroute and ping
> automatically work from behind the firewall out to hosts outside the
> firewall, but you are otherwise 100% invisible to any other host on the
> Internet.
>
> Paul Hart
>

I would love to see your rule set that accomplishes this on a gateway firewall. (No NAT)

TIA

--
------------------------------------------------------------------------------
Ron Rosson                                         ... and a UNIX user said ...
The InSaNe One                                                   rm -rf *
insane@oneinsane.net                       and all was /dev/null and *void()
------------------------------------------------------------------------------
Instant sex will never be better than the kind you have to peel and cook.

From owner-freebsd-security Tue Jun 27 11:19: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 02D8937C28E for ; Tue, 27 Jun 2000 11:18:46 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA92561; Tue, 27 Jun 2000 11:18:37 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200006271818.LAA92561@gndrsh.dnsmgr.net>
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <3958E1C5.18593553@origen.com> from Richard Martin at "Jun 27, 2000 10:17:57 am"
To: dmartin@origen.com (Richard Martin)
Date: Tue, 27 Jun 2000 11:18:36 -0700 (PDT)
Cc: bartequi@inwind.it (Salvo Bartolotta), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Add:
>
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
> /sbin/ipfw add deny log icmp from any to any
>
> this lets the firewall machine ping in and out (used by Big Brother), but
> stops those not very useful, and blocks all ICMP to other machines past
> the firewall
>
> Substitute in the ICMP types you want to allow each way, you can specify
> different ones both in and out.
>
> We use
>
> icmpallow="0,3,4,5,8,11,12,14,16,18"
>
> I wonder if anyone has any comments on the appropriateness of these
>

4=ICMP_SOURCEQUENCH, useless as most machines ignore it, can be abused easily.
5=ICMP_REDIRECT, you don't want that one; it can be used to redirect traffic to unwanted places.
14=ICMP_TSTAMPREPLY, useless without 13=ICMP_TSTAMP.
18=ICMP_MASKREPLY, useless without 17=ICMP_MASKREQ

We usually run
icmpallow="0,3,8,11"
with special rules to allow 5 on the inside only. We don't allow 12, and we don't see hits due to this, except for abuse.

Complete rule set looks like this:
01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
01010 0 0 allow icmp from any to any via dc0 icmptype 5
01010 0 0 allow icmp from any to any via dc1 icmptype 5
01010 0 0 allow icmp from any to any via dc2 icmptype 5
01010 0 0 allow icmp from any to any via dc3 icmptype 5
01020 0 0 deny log logamount 100 icmp from any to any

(Note that the counts are not very high here, due to data collection resetting the rules every few hours.)

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Jun 27 11:22:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 0DE7E37B642 for ; Tue, 27 Jun 2000 11:22:16 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Tue, 27 Jun 2000 12:22:14 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma004046; Tue, 27 Jun 00 12:22:09 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id MAA29714; Tue, 27 Jun 2000 12:22:09 -0600 (MDT)
Date: Tue, 27 Jun 2000 12:22:09 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: "Ron 'The InSaNe One' Rosson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <20000627102339.B861@lunatic.oneinsane.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Ron 'The InSaNe One' Rosson wrote:

> I would love to see your rule set that accomplishes this on a gateway
> firewall. (No NAT)

I'm not sure what difference NAT would make, but what's wrong with something like this?

block in on fxp0
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

Here fxp0 is your "outside" interface. I've only used something like this in conjunction with NAT, but are you saying that something like this would not work on a non-NAT firewall?

I don't know the specific requirements of the original poster, but from his Klingon analogy it sounds like he wants to remain invisible on the network (i.e. he has no inbound connections) and as far as I can tell the above rules accomplish just that.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Tue Jun 27 11:37:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from facmail.cc.gettysburg.edu (facmail.gettysburg.edu [138.234.4.150]) by hub.freebsd.org (Postfix) with ESMTP id E885237B642; Tue, 27 Jun 2000 11:37:25 -0700 (PDT) (envelope-from s467338@gettysburg.edu)
Received: from jupiter2 (jupiter2.cc.gettysburg.edu [138.234.4.6]) by facmail.cc.gettysburg.edu (8.9.3/8.9.3) with SMTP id OAA29547; Tue, 27 Jun 2000 14:37:20 -0400 (EDT)
Date: Tue, 27 Jun 2000 14:37:20 -0400 (EDT)
From: Andrew Reiter
X-Sender: s467338@jupiter2
To: Ron Smith
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ssh server for WinNT
In-Reply-To: <20000627042125.57933.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe people got ssh to compile under win32. Google it.

On Mon, 26 Jun 2000, Ron Smith wrote:

|Hi All,
|
|Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from
|a FreeBSD box to a WindozeNT server.
|
|TIA
|Ron Smith
|
|________________________________________________________________________
|Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
|
|
|
|To Unsubscribe: send mail to majordomo@FreeBSD.org
|with "unsubscribe freebsd-security" in the body of the message
|

---------------------------------------------------------
Andrew Reiter
Computer Security Engineer

From owner-freebsd-security Tue Jun 27 15:11:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.inwind.it (relay1.inwind.it [212.141.53.67]) by hub.freebsd.org (Postfix) with ESMTP id 728AB37BB50 for ; Tue, 27 Jun 2000 15:11:42 -0700 (PDT) (envelope-from bartequi@inwind.it)
Received: from bartequi.ottodomain.org (212.141.79.66) by relay1.inwind.it; 28 Jun 2000 00:11:26 +0200
From: Salvo Bartolotta
Date: Tue, 27 Jun 2000 23:13:29 GMT
Message-ID: <20000627.23132900@bartequi.ottodomain.org>
Subject: Re: icmp type 3 code 4: a couple of questions
To: Paul Hart
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References:
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/27/00, 6:07:00 PM, Paul Hart wrote regarding Re: icmp type 3 code 4: a couple of questions:

> On Tue, 27 Jun 2000, Salvo Bartolotta wrote:
> > Well, actually, my homebox will behave, as it were, like a Klingon
> > spaceship: for example, it will normally deny **all** icmptypes except
> > type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> > *temporarily* remove some restrictions.
> If you are using IP Filter, why not let it do the work for you?
> It is very easy to set up a "cloaked" firewall machine like you describe
> with IP Filter. In this situation, you can easily block all incoming
> ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter
> setting state rules for connections, traceroutes, or pings that were
> initiated from behind the firewall. That will let traceroute and ping
> automatically work from behind the firewall out to hosts outside the
> firewall, but you are otherwise 100% invisible to any other host on the
> Internet.
> Paul Hart

Dear Paul Hart,

in replying to your message, I wish to thank also all the other responders very much.

Actually, I have been using ipfw so far, and I've come to discover an apparent (maybe immaterial) limitation which concerns icmp filtering; which has made me investigate ipfilter as a viable alternative (as the saying goes, there's more than one way to do it).

The main difference between ipfw and ipfilter seems to be mostly .. theological; yet the ipfilter docs gave me the impression it is slightly more flexible (~ fine-tunable, if I may say so) than ipfw.

I am running ipfw with natd right now. My current understanding is:

1) ipfw + natd can do the desired job: if I allow icmptypes 3 and block all outward bound icmp packets, I make my machine invisible (Firewalk & the like won't see it).

2) ipfilter (& ipnat) can do the same job: in this case, I can allow only icmp type 3 code 4 (DF); as to outgoing packets, rules analogous with those applied with ipfw hold.

As far as the final results are concerned, both methods should achieve the same goal; ipfilter seems to offer a little more control over the packets to be filtered, though. Stateful rules are available with both of them.

Is all this correct ? Am I missing anything else ?

Needless to say, a packet filter is yet another protection layer. On my homebox, most services are disabled. When I play the Klingon spaceship, only a few restrictions are removed; forgetting to restore the dark cloak will only make me visible :-)

Best regards,
Salvo

From owner-freebsd-security Tue Jun 27 16:23:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id 1448A37C42B for ; Tue, 27 Jun 2000 16:23:46 -0700 (PDT) (envelope-from brad@testbed.baileylink.net)
Received: (from brad@localhost) by testbed.baileylink.net (8.9.3/8.9.3) id SAA46304 for freebsd-security@FreeBSD.ORG; Tue, 27 Jun 2000 18:24:14 -0500 (CDT) (envelope-from brad)
Date: Tue, 27 Jun 2000 18:24:13 -0500
From: Brad Guillory
To: freebsd-security@FreeBSD.ORG
Subject: Re: Re[2]: ssh server for WinNT
Message-ID: <20000627182413.E21071@baileylink.net>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <846988849.20000627165800@buz.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from jwyatt@rwsystems.net on Tue, Jun 27, 2000 at 10:34:34AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

VNC passwords are encrypted but the data is not. This means that if you enter a password after the session is set up (i.e. to log into the NT box) your password is snoopable.

BMG

On Tue, Jun 27, 2000 at 10:34:34AM -0500, James Wyatt wrote:
> A lot of useful things can be done with CLI on NT, especially when your
> scripting is in Perl...
>
> Couldn't you also use SSH to tunnel the VNC traffic, protecting it from
> snooping and providing multiple passwords for multiple users? I thought
> VNC passwords were sent clear and not rate-limited to prevent cracking.
>
> Just my 2 bits - Jy@
>
> On Tue, 27 Jun 2000, Gabriel Ambuehl wrote:
> [ ... ]
> > Tuesday, June 27, 2000, 4:39:29 PM, you wrote:
> > > Since when is putty a ssh server? I coulda sworn it was a telnet/ssh1/etc
> > > client... but then again i have been wrong before :P
> >
> > You're right. It IS just a client. I'm just doubting how much sense a
> > ssh server for NT would make. Ok, you can control many of the network
> > stuff from CLI but beside that, you'd still have the need for a
> > solution such as VNC or PcAnywhere to control the settings only
> > available by the GUI (one could argue that's possible to control the
> > system by hacking the registry which should be doable from CLI but who
> > would be so masochistic? ;-).
> [ ... ]
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
   __O    | Information wants to be free!             |   __O    Bike
 _-\<,_   | FreeBSD:The Power to Serve (easily)      | _-\<,_   to
(_)/ (_)  | OpenBSD:The Power to Serve (securely)    | (_)/ (_) Work

From owner-freebsd-security Tue Jun 27 17: 7:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zot.kyx.net (cr95838-a.crdva1.bc.wave.home.com [24.113.134.64]) by hub.freebsd.org (Postfix) with ESMTP id 5344A37B61E for ; Tue, 27 Jun 2000 17:07:40 -0700 (PDT) (envelope-from dr@dursec.com)
Received: from smp.kyx.net (unknown [10.22.22.45]) by zot.kyx.net (Postfix) with SMTP id DF07BC4EF; Tue, 27 Jun 2000 12:57:20 -0400 (EDT)
From: Dragos Ruiu
Organization: kyx.net
To: "Rodney W. Grimes" , dmartin@origen.com (Richard Martin)
Subject: Re: icmp type 3 code 4: a couple of questions
Date: Tue, 27 Jun 2000 16:57:30 -0700
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
Cc: bartequi@inwind.it (Salvo Bartolotta), freebsd-security@FreeBSD.ORG
References: <200006271818.LAA92561@gndrsh.dnsmgr.net>
In-Reply-To: <200006271818.LAA92561@gndrsh.dnsmgr.net>
MIME-Version: 1.0
Message-Id: <00062717070013.00364@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Rodney W. Grimes wrote:
> > We use
> >
> > icmpallow="0,3,4,5,8,11,12,14,16,18"
> >
> > I wonder if anyone has any comments on the appropriateness of these
> >
>
> 4=ICMP_SOURCEQUENCH, useless as most machines ignore it, can be
> abused easily.
> 5=ICMP_REDIRECT, you don't want that one; it can be used to redirect
> traffic to unwanted places.
> 14=ICMP_TSTAMPREPLY, useless without 13=ICMP_TSTAMP.
> 18=ICMP_MASKREPLY, useless without 17=ICMP_MASKREQ
>
> We usually run
> icmpallow="0,3,8,11"
> with special rules to allow 5 on the inside only.
> We don't allow 12, and we don't see hits due to this, except for abuse.
>
> Complete rule set looks like this:
> 01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
> 01010 0 0 allow icmp from any to any via dc0 icmptype 5
> 01010 0 0 allow icmp from any to any via dc1 icmptype 5
> 01010 0 0 allow icmp from any to any via dc2 icmptype 5
> 01010 0 0 allow icmp from any to any via dc3 icmptype 5
> 01020 0 0 deny log logamount 100 icmp from any to any
>
> (Note that the counts are not very high here, due to data collection
> resetting the rules every few hours.)

To chorus support of the above...

IMHO the four types of magic ICMP packets to let through a firewall are:

3 - Destination Unreachable - important for many applications (I haven't seen anyone implement subtype filters yet, but this may be useful as there is a _lot_ of info to be gleaned here, and it might be nice to strip some messages out instead of just letting the whole category through. I'm also wondering if anyone ever sees "Host Isolated" messages on their net?)
8 - Echo Request
0 - Echo Reply - ping, traceroute and friends
11 - Time Exceeded - traceroute needs this for sure and maybe RTT/window estimation and fragmentation need it

The following may also be included in the allow list but may enable DOS/mapping:

4 - Source Quench
5 - Redirection (suggest blocking but may be important in multi-router env)
12 - Parameter Problem (never ever seen this meself)

Should be Denied/Blocked:

2 - Undefined in rfc792
13 - timestamp request
14 - timestamp reply
15 - Info Request
16 - Info Reply
17 - Address Mask Request
18 - Address Mask Reply

and anything else...

And in case you were wondering about IPv6... from (rfc2463) it seems like all the crap above has been cleaned up:

ICMPv6 error messages:
1 Destination Unreachable
2 Packet Too Big
3 Time Exceeded
4 Parameter Problem

ICMPv6 informational messages:
128 Echo Request
129 Echo Reply

(Messages 130-132 replace IGMP)

Nice neat and clean....

cheers,
--dr

--
dursec.com ltd.
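The whole ICMP sub-thread above turns on one distinction: whether a rule matches on ICMP type alone (Salvo's ipfw workaround of letting every type 3 message in, and the type-number allow-lists Rodney and Dragos give) or on type plus code (the "only type 3 code 4" policy Salvo originally wanted and says ipfilter can express). The C program below is an added example written for this page; it is not code posted by any participant and models only the inbound side (Salvo's "drop everything outbound" is not represented). The policy names (exact, type3, rodney) and the sample quoted IP header are constructed for illustration. It builds ICMPv4 messages with a valid RFC 1071 checksum and classifies each under the three policies, denying anything truncated or with a bad checksum before any rule is consulted.

```c
/*
 * Added example for this thread, not code posted by any participant:
 * classify ICMPv4 messages under the inbound allow-lists discussed above.
 * All packets and policy names are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_HDR_LEN 8      /* type, code, checksum, 4-byte rest-of-header */
#define ANY_CODE     (-1)   /* rule wildcard: any code of that type */

enum verdict { DENY = 0, ALLOW = 1 };
enum policy  { POLICY_EXACT, POLICY_TYPE3, POLICY_RODNEY };

struct icmp_rule { int type; int code; };

/* RFC 1071 Internet checksum over the whole ICMP message. */
static uint16_t icmp_cksum(const uint8_t *msg, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((msg[i] << 8) | msg[i + 1]);
    if (i < len)                        /* odd trailing byte, zero-padded */
        sum += (uint32_t)(msg[i] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a well-formed ICMP message with a correct checksum. "rest" is the
 * 4-byte rest-of-header; for type 3 code 4 its low 16 bits carry the
 * next-hop MTU (RFC 1191). Returns the message length, 0 if it won't fit. */
size_t icmp_build(uint8_t *out, size_t cap, uint8_t type, uint8_t code,
                  uint32_t rest, const uint8_t *payload, size_t plen)
{
    if (cap < ICMP_HDR_LEN + plen)
        return 0;
    out[0] = type;
    out[1] = code;
    out[2] = out[3] = 0;                /* checksum field is zero while summing */
    out[4] = (uint8_t)(rest >> 24); out[5] = (uint8_t)(rest >> 16);
    out[6] = (uint8_t)(rest >> 8);  out[7] = (uint8_t)rest;
    if (plen)
        memcpy(out + ICMP_HDR_LEN, payload, plen);
    uint16_t c = icmp_cksum(out, ICMP_HDR_LEN + plen);
    out[2] = (uint8_t)(c >> 8);
    out[3] = (uint8_t)(c & 0xff);
    return ICMP_HDR_LEN + plen;
}

/* ALLOW only if the message is at least a full header, its checksum verifies
 * (summing over the checksum field too must give zero) and (type, code)
 * matches a rule. Truncated or corrupt messages are denied before any rule
 * is consulted, so a type wildcard never admits a mangled packet. */
int icmp_verdict(const uint8_t *msg, size_t len,
                 const struct icmp_rule *rules, size_t nrules)
{
    if (len < ICMP_HDR_LEN || icmp_cksum(msg, len) != 0)
        return DENY;
    for (size_t i = 0; i < nrules; i++)
        if (rules[i].type == msg[0] &&
            (rules[i].code == ANY_CODE || rules[i].code == msg[1]))
            return ALLOW;
    return DENY;
}

/* Next-hop MTU from a type 3 code 4 message; 0 for anything else. */
unsigned icmp_next_hop_mtu(const uint8_t *msg, size_t len)
{
    if (len < ICMP_HDR_LEN || msg[0] != 3 || msg[1] != 4)
        return 0;
    return (unsigned)((msg[6] << 8) | msg[7]);
}

/* The three inbound allow-lists from the thread. */
static const struct icmp_rule exact_rules[]  = { {3, 4} };         /* only 3 code 4 */
static const struct icmp_rule type3_rules[]  = { {3, ANY_CODE} };  /* all of type 3 */
static const struct icmp_rule rodney_rules[] = { {0, ANY_CODE}, {3, ANY_CODE},
                                                 {8, ANY_CODE}, {11, ANY_CODE} };

/* Constructed sample of what an error message quotes back: the start of the
 * offending IP header plus 8 bytes of its data. Values are illustrative. */
static const uint8_t sample_quote[16] = {
    0x45, 0x00, 0x05, 0xdc, 0x1a, 0x2b, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x02
};

/* Build a message of the given type/code and run it through one policy. */
int classify(enum policy p, uint8_t type, uint8_t code)
{
    uint8_t msg[64];
    uint32_t rest = (type == 3 && code == 4) ? 1500u : 0u;
    size_t n = icmp_build(msg, sizeof msg, type, code, rest,
                          sample_quote, sizeof sample_quote);
    switch (p) {
    case POLICY_EXACT: return icmp_verdict(msg, n, exact_rules, 1);
    case POLICY_TYPE3: return icmp_verdict(msg, n, type3_rules, 1);
    default:           return icmp_verdict(msg, n, rodney_rules, 4);
    }
}

int main(void)
{
    printf("3/4 frag-needed : exact=%d type3=%d\n",
           classify(POLICY_EXACT, 3, 4), classify(POLICY_TYPE3, 3, 4));
    printf("3/1 host-unreach: exact=%d type3=%d\n",
           classify(POLICY_EXACT, 3, 1), classify(POLICY_TYPE3, 3, 1));
    printf("8/0 echo-request: exact=%d rodney=%d\n",
           classify(POLICY_EXACT, 8, 0), classify(POLICY_RODNEY, 8, 0));
    printf("5/1 redirect    : rodney=%d\n", classify(POLICY_RODNEY, 5, 1));
    return 0;
}
```

The instructive case is a type 3 code 1 (host unreachable) message: the type-only policy accepts it while the exact one does not, which is exactly the difference between the two approaches Salvo is asking about; a type 3 code 4 message passes both and carries the next-hop MTU that path MTU discovery needs. The Rodney list admits echo and time-exceeded and still denies a redirect, matching his "allow 5 on the inside only" rule.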
/ kyx.net - we're from the future
http://www.dursec.com

From owner-freebsd-security Tue Jun 27 18:56: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 987DE37BCA3; Tue, 27 Jun 2000 18:55:48 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id DAA12664; Wed, 28 Jun 2000 03:56:30 +0200 (CEST)
Message-ID: <20000628035630.A7345@foobar.franken.de>
Date: Wed, 28 Jun 2000 03:56:30 +0200
From: Harold Gutch
To: Ron Smith , freebsd-security@FreeBSD.ORG
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ssh server for WinNT
References: <20000627042125.57933.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <20000627042125.57933.qmail@hotmail.com>; from Ron Smith on Mon, Jun 26, 2000 at 09:21:25PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jun 26, 2000 at 09:21:25PM -0700, Ron Smith wrote:
> Hi All,
>
> Can anyone recommend a good 'ssh' server for WinNT4.0? I need to 'ssh' from
> a FreeBSD box to a WindozeNT server.

I haven't tried this before, but you could check out Corinna Vinschen's port of OpenSSH in
ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.1

Don't blame me if this doesn't work or even compile on your system, I'm just passing on this URL.

bye,
Harold

--
Someone should do a study to find out how many human life spans have been lost waiting for NT to reboot.
Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc

From owner-freebsd-security Tue Jun 27 20:12:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sanson.reyes.somos.net (freyes.static.inch.com [216.223.199.224]) by hub.freebsd.org (Postfix) with ESMTP id 4D99037C47E for ; Tue, 27 Jun 2000 20:11:09 -0700 (PDT) (envelope-from fran@reyes.somos.net)
Received: from tomasa (tomasa.reyes.somos.net [10.0.0.11]) by sanson.reyes.somos.net (8.9.3/8.9.3) with SMTP id XAA35649 for ; Tue, 27 Jun 2000 23:05:02 -0400 (EDT) (envelope-from fran@reyes.somos.net)
Message-Id: <200006280305.XAA35649@sanson.reyes.somos.net>
From: "Francisco Reyes"
To: "freebsd-security@freebsd.org"
Date: Tue, 27 Jun 2000 23:00:29 -0400
Reply-To: "Francisco Reyes"
X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 98 (4.10.2222)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Secure communication with a windows box
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am on the very edge of getting my employer to try FreeBSD. I am hopeful that once they see it in action (hopefully with a real admin behind it... just send an ad to freebsd-jobs) that they will welcome it.

One of the things I am doing is trying to identify all the areas where we could use FreeBSD. Today I just found out there is a project which consists of keeping some data on the network, but safe. I can read/research about a secure/encrypted file system myself. What I would appreciate some pointers on is what is a good way to have a secure connection between a windows box (probably NT) and a FreeBSD Box. This would need to be preferably NFS or Samba. I am not sure ftp would be convenient for these users (Accounting).

Is there any reasonably secure way to have secure connections to mount a freebsd directory from NT? Perhaps some kind of tunneling with NT?

One thing I was thinking of proposing was Rsync, but I am not sure how this would play with them since it is almost as arcane as ftp in terms of interface.

From owner-freebsd-security Tue Jun 27 21: 8:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from segfault.kiev.ua (segfault.kiev.ua [193.193.193.4]) by hub.freebsd.org (Postfix) with ESMTP id 7C2ED37B59E for ; Tue, 27 Jun 2000 21:08:12 -0700 (PDT) (envelope-from netch@nn.kiev.ua)
Received: from nn.kiev.ua (nn.kiev.ua [193.193.193.203]) by segfault.kiev.ua (8) with ESMTP id HDB69389; Wed, 28 Jun 2000 07:07:59 +0300 (EEST) (envelope-from netch@nn.kiev.ua)
Received: (from netch@localhost) by nn.kiev.ua (8.9.3/8.9.3) id HAA02829; Wed, 28 Jun 2000 07:08:04 +0300 (EEST) (envelope-from netch)
Date: Wed, 28 Jun 2000 07:08:04 +0300
From: Valentin Nechayev
To: Peter Wemm
Cc: Warner Losh , freebsd-security@FreeBSD.ORG
Subject: Re: O_NOFOLLOW
Message-ID: <20000628070804.A2076@nn.kiev.ua>
Reply-To: netch@segfault.kiev.ua
References: <20000626094544.AEE461CD7@overcee.netplex.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <20000626094544.AEE461CD7@overcee.netplex.com.au>; from Peter Wemm on Mon, Jun 26, 2000 at 02:45:44AM -0700
X-42: On
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mon, Jun 26, 2000 at 02:45:44, peter (Peter Wemm) wrote about "Re: O_NOFOLLOW":

> > : O_NOFOLLOW flag for open() syscall exists since 3.0-CURRENT and is quite
> > : useful for secure open, but is not documented in open(2) man page yet.
> > : Do FreeBSD team have its disclosing in plans?
> > I'm not sure that it works from userland. At least that's what I
> > recall from testing at one point...

Now:

==={
netch@nn:~/tmp>rm -f direntry
netch@nn:~/tmp>ln -s vasya direntry
netch@nn:~/tmp>./11
open(): Too many links
netch@nn:~/tmp>rm -f direntry
netch@nn:~/tmp>touch direntry
netch@nn:~/tmp>./11
S_ISREG st_dev=0x50304 st_ino=73214 st_rdev=0x0
netch@nn:~/tmp>uname -mrs
FreeBSD 5.0-CURRENT i386
netch@nn:~/tmp>fgrep __FreeBSD_version /usr/include/sys/param.h
#undef __FreeBSD_version
#define __FreeBSD_version 500006 /* Master, propagated to newvers */
netch@nn:~/tmp>
===}

hence, an attempt to open a symlink with O_NOFOLLOW fails with EMLINK. This is generated by code in vn_open():

=== cut src/sys/kern/vfs_vnops.c ===
	if (vp->v_type == VLNK) {
		error = EMLINK;
		goto bad;
	}
=== end cut ===

netch@nn:/usr/src/sys/kern>fgrep '$FreeBSD:' vfs_vnops.c
 * $FreeBSD: src/sys/kern/vfs_vnops.c,v 1.94 2000/05/26 02:04:40 jake Exp $

> The original issue was what to do if you actually got a symlink. In the
> original implementation, you could open/read/write the symlink itself, but
> there were some pretty evil constraints.

What is "original implementation"?

> As I recall, the currently committed code will let you open a symlink but
> not read or write it. If you are intending to use it in a security role,
> you still need to fstat it to make sure it is the file you intended and not
> a handle on some symlink. This should be documented somewhere.. It does not
> return EISLINK or something like that when pointed at a symlink.

According to what is described above, I say this is not correct - vn_open() disables the opportunity to open a symlink. (But imho ELOOP should be returned in this case instead of EMLINK.)

Imho it is already safe to use.

--
NVA

From owner-freebsd-security Tue Jun 27 22:36: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (closed-networks.com [195.153.248.242]) by hub.freebsd.org (Postfix) with SMTP id 6D5BB37B823 for ; Tue, 27 Jun 2000 22:35:51 -0700 (PDT) (envelope-from udp@closed-networks.com)
Received: (qmail 17307 invoked by uid 1021); 28 Jun 2000 05:45:18 -0000
Date: Wed, 28 Jun 2000 06:45:18 +0100
From: User Datagram Protocol
To: Arun Sharma
Cc: security@freebsd.org
Subject: Re: FreeBSD 4.0 ipsec and Nortel extranet
Message-ID: <20000628064518.T41765@closed-networks.com>
Reply-To: User Datagram Protocol
References: <20000623081828.A963@sharmas.dhs.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-rmd160; protocol="application/pgp-signature"; boundary="/jkxxxtAhYIHVDuh"
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000623081828.A963@sharmas.dhs.org>; from adsharma@sharmas.dhs.org on Fri, Jun 23, 2000 at 08:18:28AM -0700
X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead
Organization: Closed Networks, London, UK
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--/jkxxxtAhYIHVDuh
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Arun,

I can't give you a quick fix, but I did find some pointers:

On Fri, Jun 23, 2000 at 08:18:28AM -0700, Arun Sharma wrote:
> My work place uses Nortel extranet ipsec for VPN and I'm forced to
> connect using my windows box. I was wondering if anyone had any
> success connecting a FreeBSD box to the Nortel server.
>
> Any pointers would be highly appreciated.
>

http://www.google.com/search?q=cache:www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00169.html
Re: linux-ipsec: Using FreeS/Wan, Nortel Connectivity Extranet Switch, and Radiu

Possible solution:
http://www.google.com/search?q=cache:www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00256.html

Can't seem to get these other than via cache.

The problem is that you need RADIUS support to use the Extranet Switch properly, it seems.

--
Bruce M. Simpson aka 'udp'      Security Analyst & UNIX Development Engineer
WWW: www.closed-networks.com/~udp
Dundee                          www.packetfactory.net/~udp
United Kingdom                  email: udp@closed-networks.com

--/jkxxxtAhYIHVDuh
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: ANH1DWAZzyjhUsnSv9LMTwjxWhpzlJgu

iQA/AwUBOVmQ7qc2TvYcUURpEQL4kQCg+0Jz0ubBeggTnMjEKax0ij/RjDwAnRg5
ovyuq6wZMGs3j5biCJ6DV91X
=AKq2
-----END PGP SIGNATURE-----

--/jkxxxtAhYIHVDuh--

From owner-freebsd-security Tue Jun 27 23:30:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ares.trc.adelaide.edu.au (ares.trc.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 545FF37BA85 for ; Tue, 27 Jun 2000 23:30:16 -0700 (PDT) (envelope-from glewis@ares.trc.adelaide.edu.au)
Received: (from glewis@localhost) by ares.trc.adelaide.edu.au (8.9.3/8.9.3) id PAA90412; Wed, 28 Jun 2000 15:59:14 +0930 (CST) (envelope-from glewis)
From: Greg Lewis
Message-Id: <200006280629.PAA90412@ares.trc.adelaide.edu.au>
Subject: Re: Secure communication with a windows box
In-Reply-To: <200006280305.XAA35649@sanson.reyes.somos.net> from Francisco Reyes at "Jun 27, 2000 11:00:29 pm"
To: Francisco Reyes
Date: Wed, 28 Jun 2000 15:59:14 +0930 (CST)
Cc: "freebsd-security@freebsd.org"
X-Mailer: ELM [version 2.4ME+ PL70 (25)]

Francisco Reyes wrote:
> One of the things I am doing is trying to identify all the areas
> where we could use FreeBSD.
> Today I just found out there is a project which consists of
> keeping some data on the network, but safe.
> I can read/research about a secure/encrypted file system myself.
> What I would appreciate some pointers is what is a good way to
> have a secure connection between a windows box (probably NT) and
> a FreeBSD Box. This would need to be preferably NFS or Samba. I
> am not sure ftp would be convenient for these users
> (Accounting).
>
> Is there any reasonably secure way to have secure connections to
> mount a freebsd directory from NT?
> Perhaps some kind of tunneling with NT?

Although I haven't actually tried this, you could do this by compiling
Samba with SSL and using sslproxy (see the ports collection) on the NT
side so that the Samba shares were mounted over SSL.

> One thing I was thinking of proposing was Rsync, but I am not
> sure how this would play with them since it is almost as arcane
> as ftp in terms of interface.

Using rsync is quite different from mounting a file system though.

-- 
Greg Lewis                        glewis@trc.adelaide.edu.au
Computing Officer                 +61 8 8303 5083
Teletraffic Research Centre

From owner-freebsd-security Wed Jun 28 4:18:43 2000
Message-ID: <3959DEEC.A17F35AD@netvalue.com>
Date: Wed, 28 Jun 2000 13:18:04 +0200
From: Erwan Arzur
Organization: NetValue S.A.
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.12 i386)
To: Greg Lewis
Cc: Francisco Reyes, "freebsd-security@freebsd.org"
Subject: Re: Secure communication with a windows box
References: <200006280629.PAA90412@ares.trc.adelaide.edu.au>

Greg Lewis wrote:
>
> Francisco Reyes wrote:
> > One of the things I am doing is trying to identify all the areas
> > where we could use FreeBSD.
> > Today I just found out there is a project which consists of
> > keeping some data on the network, but safe.
> > I can read/research about a secure/encrypted file system myself.
> > What I would appreciate some pointers is what is a good way to
> > have a secure connection between a windows box (probably NT) and
> > a FreeBSD Box. This would need to be preferably NFS or Samba. I
> > am not sure ftp would be convenient for these users
> > (Accounting).
>

What about Samba over an IPSEC link? You'll certainly have to install
the NT IPv6 stack, which can be found, if I remember well, on
http://research.microsoft.com/msripv6/default.asp; it seems to support
IPSEC.

-- 
UNIX *IS* user friendly. It's just selective about who its friends are.
--unknown

From owner-freebsd-security Wed Jun 28 6:05:24 2000
From: Fernando Schapachnik
Message-Id: <200006281303.KAA02473@ns1.via-net-works.net.ar>
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: from Paul Hart at "Jun 27, 0 12:22:09 pm"
To: hart@iserver.com (Paul Hart)
Date: Wed, 28 Jun 2000 10:03:02 -0300 (GMT)
Cc: insane@lunatic.oneinsane.net, freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]

In an earlier message, Paul Hart wrote:
> On Tue, 27 Jun 2000, Ron 'The InSaNe One' Rosson wrote:
> block in on fxp0
> pass out quick on fxp0 proto tcp from any to any keep state
> pass out quick on fxp0 proto udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state

You will also need (at least in 3.4-RELEASE):

pass in quick on fxp0 proto icmp from any to any icmp-type 11

to let traceroute work. This is because when a traceroute packet goes
to the destination a state entry is created which lets packets from the
destination come back. The problem is, intermediate machines respond,
and there's no state entry for them in the table (this was gently
pointed out to me a while ago on this same list).

Good luck!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Wed Jun 28 6:06:25 2000
From: Fernando Schapachnik
Message-Id: <200006281304.KAA03192@ns1.via-net-works.net.ar>
Subject: Re: FreeBSD 4.0 ipsec and Nortel extranet
In-Reply-To: <20000628064518.T41765@closed-networks.com> from User Datagram Protocol at "Jun 28, 0 06:45:18 am"
To: udp@closed-networks.com
Date: Wed, 28 Jun 2000 10:04:47 -0300 (GMT)
Cc: adsharma@sharmas.dhs.org, security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]

On Fri, Jun 23, 2000 at 08:18:28AM -0700, Arun Sharma wrote:
> My work place uses Nortel extranet ipsec for VPN and I'm forced to
> connect using my windows box. I was wondering if anyone had any
> success connecting a FreeBSD box to the Nortel server.
>
> Any pointers would be highly appreciated.

You might want to try the bay-isp mailing list, where there are some
FreeBSD users: bay-isp@bit.net.au

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Wed Jun 28 8:50:06 2000
Message-ID: <3959FD09.145EBF61@iname.com>
Date: Wed, 28 Jun 2000 16:26:33 +0300
From: Boris Karnaukh
Organization: Private person
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-STABLE i386)
To: Salvo Bartolotta
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
References: <20000627.14530500@bartequi.ottodomain.org>

Salvo Bartolotta wrote:
>
> Dear FreeBSD'ers,
>
> I am running a paranoidly closed firewall (homebox).
>
> Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> 3 code 4 packets (DF), dropping all other icmp packets onto the floor

Here is a quote from my ruleset:

add allow icmp from any to any in icmptypes 0,3,11,12,14,16,18
add allow icmp from any to any out

-- 
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Wed Jun 28 9:40:12 2000
Date: Wed, 28 Jun 2000 11:40:22 -0500 (CDT)
From: Visigoth
To: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: new ftpd feature...

Sup all?

In light of the recent WU-ftpd exploits and general security concerns, I
decided to change to a different ftpd. (duh)

The largest feature about wu-ftpd that I needed was the ability to
specify the passive port range so as to be able to write firewall
rulesets with default deny and only a small range of open ports for
passive ftp. I decided to integrate the support for that into freebsd's
native ftpd so that I could use an ftpd that I had faith in.

So here it is. These patches are against a brand new -stable so they
should work well. Flames, Praise, Wine are all welcome ;) (nothing like
the napa valley or a good aussie red)

I even updated the man page for easy integration. If somebody commits
this, please tell me...

thanks

Visigoth

Damieon Stark
Sr. Unix Systems Administrator
visigoth@telemere.net
PGP Public Key: www.telemere.net/~visigoth/visigoth.asc
____________________________________________________________________________
| M$ -Where do you want to go today?  | Linux -Where do you want to go tomorrow?|
| FreeBSD - The POWER to serve        | Freebsd -Are you guys coming or what?   |
| http://www.freebsd.org              |                                         |
----------------------------------------------------------------------------

[Attachment: ftpd.c.patch ("ftpd patch"), base64-encoded; not reproduced here]
KSkgPT0gMCApDQorICAgICAgICAgICAgICAgICAgICAgICAgZXJyeCgxLCJV bnJlY29nbml6ZWQgcGFzc2l2ZSBwb3J0IG51bWJlciFcbiIpOw0KKyAgICAg IA0KKyAgICAgICAgICAgICAgICAgICAgICAgIG9wdF9wdHIrKzsNCisgICAg ICAgICAgICAgICAgICAgICAgICBpZigobWF4X3Bwb3J0ID0gc3RydG9kKG9w dF9wdHIsTlVMTCkpID09IDAgKQ0KKyAgICAgICAgICAgICAgICAgICAgICAg IGVycngoMSwiVW5yZWNvZ25pemVkIHBhc3NpdmUgcG9ydCBudW1iZXIhXG4i KTsNCisgICAgICAgICAgICAgICAgICAgICAgICANCisgICAgICAgICAgICAg ICAgICAgICAgICBpZiggbWluX3Bwb3J0ID4gbWF4X3Bwb3J0ICkNCisgICAg ICAgICAgICAgICAgICAgICAgICBlcnJ4KDEsIlBvcnRyYW5nZSBmcm9tICVk IHRvICVkIGludmFsaWQhXG4iLG1pbl9wcG9ydCxtYXhfcHBvcnQpOw0KKyAg ICAgICAgICAgICAgICAgICAgICAgIGJyZWFrOw0KKw0KIAkJY2FzZSAndSc6 DQogCQkgICAgew0KIAkJCWxvbmcgdmFsID0gMDsNCiANCkBAIC0yMzIzLDkg KzIzMzgsOSBAQA0KICAqLw0KIHZvaWQNCiBwYXNzaXZlKCkNCiB7DQotCWlu dCBsZW47DQorCWludCBsZW4sbmV4dDsNCiAJY2hhciAqcCwgKmE7DQogDQog CWlmIChwZGF0YSA+PSAwKQkJLyogY2xvc2Ugb2xkIHBvcnQgaWYgb25lIHNl dCAqLw0KIAkJY2xvc2UocGRhdGEpOw0KQEAgLTIzMzcsMzMgKzIzNTIsNTcg QEANCiAJfQ0KIA0KIAkodm9pZCkgc2V0ZXVpZCgodWlkX3QpMCk7DQogDQor ICAgICAgICBpZiAocGFzc19wb3J0X29wdCA8IDEpIHsgIC8qIGlmIHBhc3Np dmUgcG9ydHMgYXJlIGluIHVzZSBkb24ndCBib3RoZXINCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIHdpdGggSVBbVjZdX1BPUlRSQU5HRS4g IERvZXNuJ3QgYWZmZWN0IHBvcnQNCisgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIGFzaWdubWVudCwgYnV0IHNhdmVzIGxpdHRsZSBjcHU/IDsp ICovDQorDQogI2lmZGVmIElQX1BPUlRSQU5HRQ0KLQlpZiAoY3RybF9hZGRy LnN1X2ZhbWlseSA9PSBBRl9JTkVUKSB7DQotCSAgICBpbnQgb24gPSByZXN0 cmljdGVkX2RhdGFfcG9ydHMgPyBJUF9QT1JUUkFOR0VfSElHSA0KKwkgICAg aWYgKGN0cmxfYWRkci5zdV9mYW1pbHkgPT0gQUZfSU5FVCkgew0KKwkJaW50 IG9uID0gcmVzdHJpY3RlZF9kYXRhX3BvcnRzID8gSVBfUE9SVFJBTkdFX0hJ R0gNCiAJCQkJCSAgIDogSVBfUE9SVFJBTkdFX0RFRkFVTFQ7DQogDQotCSAg ICBpZiAoc2V0c29ja29wdChwZGF0YSwgSVBQUk9UT19JUCwgSVBfUE9SVFJB TkdFLA0KKwkJaWYgKHNldHNvY2tvcHQocGRhdGEsIElQUFJPVE9fSVAsIElQ X1BPUlRSQU5HRSwNCiAJCQkgICAgKGNoYXIgKikmb24sIHNpemVvZihvbikp IDwgMCkNCiAJCSAgICBnb3RvIHBhc3ZfZXJyb3I7DQotCX0NCisJICAgIH0N 
CiAjZW5kaWYNCiAjaWZkZWYgSVBWNl9QT1JUUkFOR0UNCi0JaWYgKGN0cmxf YWRkci5zdV9mYW1pbHkgPT0gQUZfSU5FVDYpIHsNCi0JICAgIGludCBvbiA9 IHJlc3RyaWN0ZWRfZGF0YV9wb3J0cyA/IElQVjZfUE9SVFJBTkdFX0hJR0gN CisJICAgIGlmIChjdHJsX2FkZHIuc3VfZmFtaWx5ID09IEFGX0lORVQ2KSB7 DQorCQlpbnQgb24gPSByZXN0cmljdGVkX2RhdGFfcG9ydHMgPyBJUFY2X1BP UlRSQU5HRV9ISUdIDQogCQkJCQkgICA6IElQVjZfUE9SVFJBTkdFX0RFRkFV TFQ7DQogDQotCSAgICBpZiAoc2V0c29ja29wdChwZGF0YSwgSVBQUk9UT19J UFY2LCBJUFY2X1BPUlRSQU5HRSwNCisJCWlmIChzZXRzb2Nrb3B0KHBkYXRh LCBJUFBST1RPX0lQVjYsIElQVjZfUE9SVFJBTkdFLA0KIAkJCSAgICAoY2hh ciAqKSZvbiwgc2l6ZW9mKG9uKSkgPCAwKQ0KIAkJICAgIGdvdG8gcGFzdl9l cnJvcjsNCi0JfQ0KKwkgICAgfQ0KICNlbmRpZg0KLQ0KKwl9DQogCXBhc3Zf YWRkciA9IGN0cmxfYWRkcjsNCi0JcGFzdl9hZGRyLnN1X3BvcnQgPSAwOw0K LQlpZiAoYmluZChwZGF0YSwgKHN0cnVjdCBzb2NrYWRkciAqKSZwYXN2X2Fk ZHIsIHBhc3ZfYWRkci5zdV9sZW4pIDwgMCkNCisNCisgICAgICAgIGlmIChw YXNzX3BvcnRfb3B0KSB7DQorICAgICAgICAgICAgZm9yKG5leHQgPSBtaW5f cHBvcnQ7IG5leHQgPD0gbWF4X3Bwb3J0OyBuZXh0KyspIHsNCisgICAgICAg ICAgICAgICAgcGFzdl9hZGRyLnN1X3BvcnQgPSBodG9ucyhuZXh0KTsNCisg ICAgICAgICAgICAgICAgaWYgKGJpbmQocGRhdGEsIChzdHJ1Y3Qgc29ja2Fk ZHIgKikmcGFzdl9hZGRyLA0KKyAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBwYXN2X2FkZHIuc3VfbGVuKSA8IDAgKSB7DQorICAg ICAgICAgICAgICAgICAgICBpZiAoZXJybm8gPT0gRUFERFJJTlVTRSApDQor ICAgICAgICAgICAgICAgICAgICAgICAgY29udGludWU7IC8qIHRyeSBuZXh0 IGF2YWlsYWJsZSBwYXNzaXZlIHBvcnQgKi8NCisgICAgICAgICAgICAgICAg ICAgIGVsc2UNCisgICAgICAgICAgICAgICAgICAgICAgICBnb3RvIHBhc3Zf ZXJyb3I7IC8qIGVycm9yIG90aGVyIHRoYW4gRUFERFJJTlVTRSEgKi8NCisg ICAgICAgICAgICAgICAgfQ0KKyAgICAgICAgICAgICAgICBicmVhazsgICAg ICAgICAgICAgICAgICAvKiBiaW5kKCkgc3VjY2VzcyAqLw0KKyAgICAgICAg ICAgIH0NCisgICAgICAgICAgICBpZiAoIG5leHQgPiBtYXhfcHBvcnQgKQ0K KyAgICAgICAgICAgICAgICBnb3RvIHBhc3ZfZXJyb3I7ICAgIC8qIHVuc3Vj Y2Vzc2Z1bCBhdCBnZXR0aW5nIHBhc3YgcG9ydCAqLw0KKw0KKyAgICAgICAg fSBlbHNlIHsgICAgICAgICAgICAgLyogbm90IHNwZWNpZnlpbmcgcGFzc2l2 ZSBwb3J0IHJhbmdlICovDQorDQorDQorCSAgICBwYXN2X2FkZHIuc3VfcG9y 
dCA9IDA7DQorCSAgICBpZiAoYmluZChwZGF0YSwgKHN0cnVjdCBzb2NrYWRk ciAqKSZwYXN2X2FkZHIscGFzdl9hZGRyLnN1X2xlbikgPCAwKQ0KIAkJZ290 byBwYXN2X2Vycm9yOw0KKwl9DQogDQogCSh2b2lkKSBzZXRldWlkKCh1aWRf dClwdy0+cHdfdWlkKTsNCiANCiAJbGVuID0gc2l6ZW9mKHBhc3ZfYWRkcik7 DQpAQCAtMjQwNSw5ICsyNDQ0LDkgQEANCiBsb25nX3Bhc3NpdmUoY21kLCBw ZikNCiAJY2hhciAqY21kOw0KIAlpbnQgcGY7DQogew0KLQlpbnQgbGVuOw0K KwlpbnQgbGVuLG5leHQ7DQogCWNoYXIgKnAsICphOw0KIA0KIAlpZiAocGRh dGEgPj0gMCkJCS8qIGNsb3NlIG9sZCBwb3J0IGlmIG9uZSBzZXQgKi8NCiAJ CWNsb3NlKHBkYXRhKTsNCkBAIC0yNDQ2LDM1ICsyNDg1LDU5IEBADQogCX0N CiANCiAJKHZvaWQpIHNldGV1aWQoKHVpZF90KTApOw0KIA0KLQlwYXN2X2Fk ZHIgPSBjdHJsX2FkZHI7DQotCXBhc3ZfYWRkci5zdV9wb3J0ID0gMDsNCi0J bGVuID0gcGFzdl9hZGRyLnN1X2xlbjsNCisJaWYgKHBhc3NfcG9ydF9vcHQg PCAxKSB7ICAvKiBpZiBwYXNzaXZlIHBvcnRzIGFyZSBpbiB1c2UgZG9uJ3Qg Ym90aGVyDQorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3aXRo IElQX1BPUlRSQU5HRS4gIERvZXNuJ3QgYWZmZWN0IHBvcnQNCisgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIGFzaWdubWVudCwgYnV0IHNhdmVz IGxpdHRsZSBjcHU/IDspICovDQogDQogI2lmZGVmIElQX1BPUlRSQU5HRQ0K LQlpZiAoY3RybF9hZGRyLnN1X2ZhbWlseSA9PSBBRl9JTkVUKSB7DQotCSAg ICBpbnQgb24gPSByZXN0cmljdGVkX2RhdGFfcG9ydHMgPyBJUF9QT1JUUkFO R0VfSElHSA0KKwkgICAgaWYgKGN0cmxfYWRkci5zdV9mYW1pbHkgPT0gQUZf SU5FVCkgew0KKwkJaW50IG9uID0gcmVzdHJpY3RlZF9kYXRhX3BvcnRzID8g SVBfUE9SVFJBTkdFX0hJR0gNCiAJCQkJCSAgIDogSVBfUE9SVFJBTkdFX0RF RkFVTFQ7DQogDQotCSAgICBpZiAoc2V0c29ja29wdChwZGF0YSwgSVBQUk9U T19JUCwgSVBfUE9SVFJBTkdFLA0KKwkJaWYgKHNldHNvY2tvcHQocGRhdGEs IElQUFJPVE9fSVAsIElQX1BPUlRSQU5HRSwNCiAJCQkgICAgKGNoYXIgKikm b24sIHNpemVvZihvbikpIDwgMCkNCiAJCSAgICBnb3RvIHBhc3ZfZXJyb3I7 DQotCX0NCisJICAgIH0NCiAjZW5kaWYNCiAjaWZkZWYgSVBWNl9QT1JUUkFO R0UNCi0JaWYgKGN0cmxfYWRkci5zdV9mYW1pbHkgPT0gQUZfSU5FVDYpIHsN Ci0JICAgIGludCBvbiA9IHJlc3RyaWN0ZWRfZGF0YV9wb3J0cyA/IElQVjZf UE9SVFJBTkdFX0hJR0gNCisJICAgIGlmIChjdHJsX2FkZHIuc3VfZmFtaWx5 ID09IEFGX0lORVQ2KSB7DQorCQlpbnQgb24gPSByZXN0cmljdGVkX2RhdGFf cG9ydHMgPyBJUFY2X1BPUlRSQU5HRV9ISUdIDQogCQkJCQkgICA6IElQVjZf 
UE9SVFJBTkdFX0RFRkFVTFQ7DQogDQotCSAgICBpZiAoc2V0c29ja29wdChw ZGF0YSwgSVBQUk9UT19JUFY2LCBJUFY2X1BPUlRSQU5HRSwNCisJCWlmIChz ZXRzb2Nrb3B0KHBkYXRhLCBJUFBST1RPX0lQVjYsIElQVjZfUE9SVFJBTkdF LA0KIAkJCSAgICAoY2hhciAqKSZvbiwgc2l6ZW9mKG9uKSkgPCAwKQ0KIAkJ ICAgIGdvdG8gcGFzdl9lcnJvcjsNCi0JfQ0KKwkgICAgfQ0KICNlbmRpZg0K Kwl9DQorDQorCXBhc3ZfYWRkciA9IGN0cmxfYWRkcjsNCisJbGVuID0gcGFz dl9hZGRyLnN1X2xlbjsNCisNCisgICAgICAgIGlmIChwYXNzX3BvcnRfb3B0 KSB7DQorICAgICAgICAgICAgZm9yKG5leHQgPSBtaW5fcHBvcnQ7IG5leHQg PD0gbWF4X3Bwb3J0OyBuZXh0KyspIHsNCisgICAgICAgICAgICAgICAgcGFz dl9hZGRyLnN1X3BvcnQgPSBodG9ucyhuZXh0KTsNCisgICAgICAgICAgICAg ICAgaWYgKGJpbmQocGRhdGEsIChzdHJ1Y3Qgc29ja2FkZHIgKikmcGFzdl9h ZGRyLCBsZW4pIDwgMCApIHsNCisgICAgICAgICAgICAgICAgICAgIGlmIChl cnJubyA9PSBFQUREUklOVVNFICkNCisgICAgICAgICAgICAgICAgICAgICAg ICBjb250aW51ZTsgLyogdHJ5IG5leHQgYXZhaWxhYmxlIHBhc3NpdmUgcG9y dCAqLw0KKyAgICAgICAgICAgICAgICAgICAgZWxzZQ0KKyAgICAgICAgICAg ICAgICAgICAgICAgIGdvdG8gcGFzdl9lcnJvcjsgLyogZXJyb3Igb3RoZXIg dGhhbiBFQUREUklOVVNFISAqLw0KKyAgICAgICAgICAgICAgICB9DQorICAg ICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgICAgICAgIC8qIGJpbmQo KSBzdWNjZXNzICovDQorICAgICAgICAgICAgfQ0KKyAgICAgICAgICAgIGlm ICggbmV4dCA+IG1heF9wcG9ydCApDQorICAgICAgICAgICAgICAgIGdvdG8g cGFzdl9lcnJvcjsgICAgLyogdW5zdWNjZXNzZnVsIGF0IGdldHRpbmcgcGFz diBwb3J0ICovDQorDQorICAgICAgICB9IGVsc2UgeyAgICAgICAgICAgICAv KiBub3Qgc3BlY2lmeWluZyBwYXNzaXZlIHBvcnQgcmFuZ2UgKi8NCiANCi0J aWYgKGJpbmQocGRhdGEsIChzdHJ1Y3Qgc29ja2FkZHIgKikmcGFzdl9hZGRy LCBsZW4pIDwgMCkNCisNCisJICAgIHBhc3ZfYWRkci5zdV9wb3J0ID0gMDsN CisJICAgIGlmIChiaW5kKHBkYXRhLCAoc3RydWN0IHNvY2thZGRyICopJnBh c3ZfYWRkciwgbGVuKSA8IDApDQogCQlnb3RvIHBhc3ZfZXJyb3I7DQorDQor CX0NCiANCiAJKHZvaWQpIHNldGV1aWQoKHVpZF90KXB3LT5wd191aWQpOw0K IA0KIAlpZiAoZ2V0c29ja25hbWUocGRhdGEsIChzdHJ1Y3Qgc29ja2FkZHIg KikgJnBhc3ZfYWRkciwgJmxlbikgPCAwKQ0K --0-1676703771-962210422=:67967 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="ftpd.8.patch" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: man page patch 
[Attachment: ftpd.8.patch ("man page patch"), base64-encoded; not reproduced here]

From owner-freebsd-security Wed Jun 28 10:04:14 2000
From: Salvo Bartolotta
Date: Wed, 28 Jun 2000 18:05:48 GMT
Message-ID: <20000628.18054800@bartequi.ottodomain.org>
Subject: ipfw & dynamic rules: tutorial(s) ?
To: freebsd-security@FreeBSD.ORG
X-Mailer: SuperCalifragilis

Dear FreeBSD'ers,

I am looking for more material on dynamic rules for ipfw.
The mail archives seem to suggest ... using ipfilter :-)

Are there tutorials and the like somewhere on the 'Net ?

Thanks in advance,
Salvo

From owner-freebsd-security Wed Jun 28 10:16:10 2000
To: Visigoth
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: new ftpd feature...
From: Dag-Erling Smorgrav
Date: 28 Jun 2000 19:15:58 +0200
In-Reply-To: Visigoth's message of "Wed, 28 Jun 2000 11:40:22 -0500 (CDT)"
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4

Visigoth writes:
> [patches to limit the range of ports used for passive FTP]

des@flood ~% sysctl -A | grep portrange
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

ftpd uses ports in the high range, just adjust the last two sysctls
and you'll be fine.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 28 10:23:30 2000
Date: Wed, 28 Jun 2000 12:23:53 -0500 (CDT)
From: Visigoth
To: Dag-Erling Smorgrav
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: new ftpd feature...

> ftpd uses ports in the high range, just adjust the last two sysctls
> and you'll be fine.

I understand how IP_PORTRANGE_HIGH and all work, but there are other
programs which use these as well, and in at least my application, having
support in ftpd is nice...

Visigoth

Damieon Stark
Sr. Unix Systems Administrator
visigoth@telemere.net
PGP Public Key: www.telemere.net/~visigoth/visigoth.asc
____________________________________________________________________________
| M$ -Where do you want to go today?  | Linux -Where do you want to go tomorrow?|
| FreeBSD - The POWER to serve        | Freebsd -Are you guys coming or what?   |
| http://www.freebsd.org              |                                         |
----------------------------------------------------------------------------

From owner-freebsd-security Wed Jun 28 10:29:15 2000
Date: Wed, 28 Jun 2000 11:28:46 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Fernando Schapachnik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <200006281303.KAA02473@ns1.via-net-works.net.ar>

On Wed, 28 Jun 2000, Fernando Schapachnik wrote:

> > pass out quick on fxp0 proto tcp from any to any keep state
> > pass out quick on fxp0 proto udp from any to any keep state
> > pass out quick on fxp0 proto icmp from any to any keep state
>
> You will also need (at least in 3.4-RELEASE):
>
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
>
> to let traceroute work.

No, not in my experience. Try it without your explicit rule to allow
ICMP type 11 packets back in as it does work for me without your rule.

I had the same concern about how the ICMP time exceeded packets would
make their way back in. Darren Reed kindly commented on how the state
tracking code in IP Filter handles this case. See:

http://false.net/ipfilter/2000_06/0234.html
http://false.net/ipfilter/2000_06/0235.html

Paul Hart

-- 
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
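Fernando's note (an explicit icmp-type 11 pass rule is needed) and Paul's reply (IP Filter's state tracking already lets the replies in) differ in what the state lookup is keyed on; the model below makes both outcomes concrete. It is an added illustration written for this thread, not IP Filter or FreeBSD code: the three policies are simplified, and the host addresses and packets are constructed.

```python
"""Why ICMP time-exceeded replies to a traceroute probe may or may not match a
'keep state' entry.  Added model for this thread; not code from IP Filter or
FreeBSD.  All hosts, addresses and packets below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP_UNREACHABLE = 3      # type 3; code 3 (port unreachable) is the final hop's answer
ICMP_TIME_EXCEEDED = 11   # type 11; each intermediate hop sends one when the TTL expires


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    inner: Optional["Packet"] = None  # the datagram an ICMP error quotes in its payload


class StateTable:
    """Entries created by 'pass out quick ... keep state' for outbound packets."""

    def __init__(self) -> None:
        self._flows = set()           # (proto, src, sport, dst, dport) of outbound packets

    def keep_state(self, out: Packet) -> None:
        self._flows.add((out.proto, out.src, out.sport, out.dst, out.dport))

    def address_pair_match(self, inbound: Packet) -> bool:
        """Reply accepted only if it comes from the host the probe was sent to.
        A router answering on the path never qualifies: Fernando's observation."""
        return any(src == inbound.dst and dst == inbound.src
                   for (_, src, _, dst, _) in self._flows)

    def icmp_aware_match(self, inbound: Packet) -> bool:
        """Attribute an ICMP error to the flow of the datagram it quotes, so a
        hop's time-exceeded is accepted for the probe it answers, while an ICMP
        error quoting a flow we never opened is still rejected."""
        if inbound.proto == "icmp" and inbound.inner is not None:
            q = inbound.inner
            return (q.proto, q.src, q.sport, q.dst, q.dport) in self._flows
        return self.address_pair_match(inbound)


def explicit_icmp11_rule(inbound: Packet) -> bool:
    """pass in quick on fxp0 proto icmp from any to any icmp-type 11
    (accepts every time-exceeded, whether or not it answers one of our probes)."""
    return inbound.proto == "icmp" and inbound.icmp_type == ICMP_TIME_EXCEEDED


def traceroute_replies(me: str, target: str, hops: List[str]) -> Dict[str, Dict[str, bool]]:
    """One UDP probe leaves, 'keep state' records it, then every hop and the
    target answer.  Returns, per replying host, whether each policy passes the reply."""
    probe = Packet("udp", me, target, sport=40000, dport=33434)  # classic traceroute base port
    state = StateTable()
    state.keep_state(probe)

    replies = [Packet("icmp", hop, me, icmp_type=ICMP_TIME_EXCEEDED, inner=probe)
               for hop in hops]
    replies.append(Packet("icmp", target, me, icmp_type=ICMP_UNREACHABLE, inner=probe))

    verdicts: Dict[str, Dict[str, bool]] = {}
    for reply in replies:
        by_pair = state.address_pair_match(reply)
        verdicts[reply.src] = {
            "keep_state_by_address_pair": by_pair,
            "keep_state_plus_icmp11_rule": by_pair or explicit_icmp11_rule(reply),
            "keep_state_icmp_aware": state.icmp_aware_match(reply),
        }
    return verdicts


if __name__ == "__main__":
    # constructed sample: our box, two intermediate routers, and the traced host
    sample = traceroute_replies("192.0.2.10", "198.51.100.7", ["192.0.2.1", "203.0.113.1"])
    for host, verdict in sample.items():
        print(host, verdict)
```

The blanket icmp-type 11 rule also admits a time-exceeded that quotes a flow this host never opened; the payload-aware match does not, which is why the two fixes are not equivalent even though both make traceroute work.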
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Wed Jun 28 10:30:46 2000
Date: Wed, 28 Jun 2000 13:28:18 -0400
From: Will Andrews
To: Visigoth
Cc: Dag-Erling Smorgrav, freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: new ftpd feature...
Message-ID: <20000628132818.B8602@argon.gryphonsoft.com>
In-Reply-To: ; from visigoth@telemere.net on Wed, Jun 28, 2000 at 12:23:53PM -0500
X-Mailer: Mutt 1.0.1i
X-Operating-System: FreeBSD 5.0-CURRENT i386

On Wed, Jun 28, 2000 at 12:23:53PM -0500, Visigoth wrote:
> I understand how IP_PORTRANGE_HIGH and all work, but there are
> other programs which use these as well, and in at least my application,
> having support in ftpd is nice...

I'd have to agree with Visigoth here; system controls should be for
EVERYTHING, not just controlling one server. Visigoth could use it for a
short-term solution, but in the long term, I think his solution is better
(in principle, I didn't look at the code).

-- 
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++
e->++++ h! r-->+++ y?

From owner-freebsd-security Wed Jun 28 13:45:33 2000
Date: Wed, 28 Jun 2000 16:45:13 -0400
From: Jay Beale
To: Salvo Bartolotta
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw & dynamic rules: tutorial(s) ?
Message-ID: <20000628164513.B8942@nova.umuc.edu>
In-Reply-To: <20000628.18054800@bartequi.ottodomain.org>; from bartequi@inwind.it on Wed, Jun 28, 2000 at 06:05:48PM +0000

In the wise words of Salvo Bartolotta:
> Dear FreeBSD'ers,
> I am looking for more material on dynamic rules for ipfw.
> The mail archives seem to suggest ... using ipfilter :-)
>
> Are there tutorials and the like somewhere on the 'Net ?

Salvo,

Try http://www.linuxsecurity.com/resource_files/firewalls/ipf-howto.txt

This is a great read on ipf. I'll also prolly do an article on ipf
sometime soon for SecurityPortal.com.

- Jay

-- 
Jay Beale
jay@bastille-linux.org
Lead Developer, Bastille Linux
http://www.bastille-linux.org/jay

From owner-freebsd-security Wed Jun 28 16:21:19 2000
To: Doug Barton
Cc: Gerhard Sittig, security@FreeBSD.ORG
Subject: Re: ipfilter hooks in rc.network
References: <20000626220852.M9883@speedy.gsinet> <39584C82.988B2F1B@gorean.org>
Reply-To: clefevre@citeweb.net
From: Cyrille Lefevre
Date: 29 Jun 2000 01:21:03 +0200
In-Reply-To: Doug Barton's message of "Mon, 26 Jun 2000 23:41:06 -0700"
Message-ID: <7lb9xuhs.fsf@pc166.gits.fr>

Doug Barton writes:

> Gerhard Sittig wrote:
>
> First, I'm not sure that -security is the right list for this, -current
> or -hackers might be better. Second, while I support adding the ability
> to more closely integrate ipfilter into the base, your patch's style is
> drastically out of synch with the changes introduced recently. The
> following is better style.
>
> case ${ipfilter_enable} in
> [Yy][Ee][Ss])
>         if [ -r "${ipfilter_rules}" ]; then
>                 echo -n ' ipfilter'
>                 ipf -Fa -f ${ipfilter_rules}
>         fi
>         case ${ipmon_flags} in
>         [Nn][Oo] | '')
>                 ;;
>         *)
>                 echo -n ' ipmon'
>                 ipmon ${ipmon_flags}
>                 ;;
>         esac
>         case ${ipnat} in

${ipnat_enable} I suppose :)

>         [Yy][Ee][Ss])
>                 if [ -r "${ipnat_rules}" ]; then
>                         echo -n ' ipnat'
>                         ipnat -CF -f ${ipnat_rules}
>                 else
>                         echo -n ' ipnat enabled but no rules!'
>                 fi
>                 ;;
>         esac
>         ;;
> esac

what about adding ${ipfilter_flags} and ${ipnat_flags} also, respectively
after ${ipfilter_rules} and ${ipnat_rules} ?

Cyrille.
-- 
home: mailto:clefevre@no-spam.citeweb.net    Remove "no-spam." to reply to me.
work: mailto:Cyrille.Lefevre@no-spam.edf.fr  Remove "no-spam." to answer me back.

From owner-freebsd-security Wed Jun 28 20:37:44 2000
From: "Maksimov Maksim"
Subject: Re: How defend from stream2.c attack?
Date: Thu, 29 Jun 2000 11:37:34 +0800
Message-ID: <000301bfe17b$5d9954a0$0c3214d4@dragonland.tts.tomsk.su>

Problem solved!!!

I took a PCI network card, a 3Com 3c905B-TX Fast Etherlink XL (aka xl0),
and now the stream(2).c attack does not freeze my FreeBSD 4.0-STABLE. And
though interrupts reached 40-45%, I can work at the console and network
services are available!

Thanks!

> Well, I cvsup'd here, and I can't reproduce the problem.
>
> I'd guess that when the interrupts hit 100%, something's going really
> wrong, and the system is crashing. I'm really not sure what can be done
> about that, since the problem's that the processor just can't offload data
> from the NIC fast enough.
>
> IF you want to test to make sure that's the problem, perhaps try some
> other type of flood, and see if you can reproduce the problem; my guess is
> that you'll see the same problem.
>
> I'm not sure if there is a fix, in this case. Other than upgrading the
> processor or NIC (if it's an ISA NIC, I'd wager that a PCI 10/100 would be
> more efficient, given that it was designed for faster operation), I think
> you're just going to have to hope that an attacker can't flood fast enough
> to cause the problem.
>
> Actually, if they are ISA, you may want to try the following two kernel
> options:
>
> #
> # Options for `isa':
> #
> # AUTO_EOI_1 enables the `automatic EOI' feature for the master 8259A
> # interrupt controller.  This saves about 0.7-1.25 usec for each interrupt.
> # This option breaks suspend/resume on some portables.
> #
> # AUTO_EOI_2 enables the `automatic EOI' feature for the slave 8259A
> # interrupt controller.  This saves about 0.7-1.25 usec for each interrupt.
> # Automatic EOI is documented not to work for the slave with the
> # original i8259A, but it works for some clones and some integrated
> # versions.
>
> Perhaps they might help.
>
> Mike "Silby" Silbersack
>
> On Fri, 23 Jun 2000, Maksimov Maksim wrote:
>
> > > Hm. I noticed on my P100 that according to top, the
> > > processor utilization due to interrupts was getting to 40% or so during a
> > > stream2 attack - what does top say for you?
> >
> > interrupts was getting to 98%

From owner-freebsd-security Thu Jun 29 0:34:21 2000
Date: Thu, 29 Jun 2000 10:33:44 +0300
From: Ruslan Ermilov
To: Visigoth
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: new ftpd feature...
Message-ID: <20000629103344.D10869@sunbay.com>

On Wed, Jun 28, 2000 at 07:15:58PM +0200, Dag-Erling Smorgrav wrote:
> Visigoth writes:
> > [patches to limit the range of ports used for passive FTP]
>
> des@flood ~% sysctl -A | grep portrange
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.first: 1024
> net.inet.ip.portrange.last: 5000
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.hilast: 65535
>
> ftpd uses ports in the high range, just adjust the last two sysctls
> and you'll be fine.
>
I had a firewall set up in this configuration (allowing "anonymous"
connects to the high portrange and denying otherwise). It was great.
I can not see the reason why ftpd(8) would need an explicit portrange.

-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Thu Jun 29 6:19:15 2000
From: Fernando Schapachnik
Message-Id: <200006291317.KAA06030@ns1.via-net-works.net.ar>
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: from Paul Hart at "Jun 28, 0 11:28:46 am"
To: hart@iserver.com (Paul Hart)
Date: Thu, 29 Jun 2000 10:17:11 -0300 (GMT)
Cc: fpscha@via-net-works.net.ar, freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik

In a previous message, Paul Hart wrote:
> On Wed, 28 Jun 2000, Fernando Schapachnik wrote:
>
> > > pass out quick on fxp0 proto tcp from any to any keep state
> > > pass out quick on fxp0 proto udp from any to any keep state
> > > pass out quick on fxp0 proto icmp from any to any keep state
> >
> > You will also need (at least in 3.4-RELEASE):
> >
> > pass in quick on fxp0 proto icmp from any to any icmp-type 11
> >
> > to let traceroute work.
>
> No, not in my experience. Try it without your explicit rule to allow ICMP
> type 11 packets back in as it does work for me without your rule.
>
> I had the same concern about how the ICMP time exceeded packets would make
> their way back in. Darren Reed kindly commented on how the state tracking
> code in IP Filter handles this case. See:
>
> http://false.net/ipfilter/2000_06/0234.html
> http://false.net/ipfilter/2000_06/0235.html

Thank you for clarifying this for me. Seems that I added the rule before
upgrading to IP Filter 3.4.6.

Regards!

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Thu Jun 29 10:40:31 2000
From: Michael Lucas
Message-Id: <200006291740.NAA16472@blackhelicopters.org>
Subject: ipfilter & pptp & freebsd
To: freebsd-security@freebsd.org
Date: Thu, 29 Jun 2000 13:40:21 -0400 (EDT)

Well, I got a FreeBSD firewall at work, after explaining how the
commercial ones weren't any better and cost far more for not much
gain. And it makes the enterprise-critical application fail.
Sometimes life is just not fair.

Anyway, I have a FreeBSD 4-stable machine as our gateway box. I'm
using ipfilter for NAT and connection control. Inside the network, I
have a Windows machine, running FrontPage, that needs to publish data
to the outside world via pptp tunnels. This machine pumps hundreds of
meg a day.

If we take this system and put it outside the firewall, it shoves data
quickly. Inside the firewall, it runs painfully slowly. In the last
50 minutes, it's sent 1,181,971 bytes.

Below, I replace the class C with a.b.c to protect the guilty.
192.168.1.105 is my pptp host.

I'd appreciate any help anyone has to offer, or any tips on what to check.

Thanks,
Michael

My ipnat.conf looks like:

#then the general NAT for the office
#first, pptp
rdr fxp1 a.b.c.2/32 port 0 -> 192.168.1.105 port 0 gre
rdr fxp1 a.b.c.2/32 port 1723 -> 192.168.1.105 port 1723 tcpudp

#then regular networking
map fxp1 192.168.1.1/24 -> a.b.c.2/32 proxy port ftp ftp/tcp
map fxp1 192.168.1.1/24 -> a.b.c.2/32 portmap tcp/udp 10000:40000
#finally, allow any any outgoing protocol
map fxp1 192.168.1.0/24 -> a.b.c.2/32

rdr fxp1 a.b.c.2/32 port 21 -> 192.168.1.254 port 21
... plus a bunch more "redirect this for incoming services"...

My ipf.conf looks like:

#universal rules
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

#the outside interface
#outgoing on outside
pass out on fxp1 all head 350
block out from 127.0.0.0/8 to any group 350
block out from any to 127.0.0.0/8 group 350
block out from any to 192.168.1.1/24 group 350
pass out log quick proto tcp from a.b.c.2 to any keep state group 350
pass out log quick proto udp from a.b.c.2 to any keep state group 350

#incoming on outside
#first, the rules for all traffic
pass in on fxp1 all head 300
block in log quick from 127.0.0.0/8 to any group 300
block in log quick from 192.168.1.1/32 to any group 300
block in log quick from 10.0.0.1/0xff000000 to any group 300

#for DNS queries to firewall exterior
pass in quick proto udp from any to a.b.c.2 port = 53 keep state group 300

#for pptp tunnel
pass in log quick proto gre from 135.145.11.128 to a.b.c.2 group 300
pass in log quick proto gre from 135.145.11.129 to a.b.c.2 group 300
pass in log quick proto gre from 135.145.11.128 to 192.168.1.105 group 300
pass in log quick proto gre from 135.145.11.129 to 192.168.1.105 group 300

#establish 3way handshake on a.b.c.2
block in log proto tcp from any to a.b.c.2/32 flags S/SA head 302 group 300

#allow DNS zone transfers
pass in quick proto tcp from 209.69.70.3 to a.b.c.2 port = 53 keep state group 302

#incoming connections proxied through the firewall on .2, in port order
pass in log quick proto tcp from any to 192.168.1.254/32 port = 21 keep state group 302
...more of the same...
pass in log quick proto tcp from 135.145.11.128 port = 1723 to 192.168.1.105/32 keep state group 302
...more of same...

#finally, after everything else is processed, we bounce bad connections
#this gives a proper response to UDP probes
block return-icmp(port-unr) in log on fxp1 proto udp from any to any group 302
block return-rst in log proto tcp from any to any group 302

############################################################################
#the inside interface
#outgoing on inside interface
pass out log on fxp0 all head 450
block out log quick from 127.0.0.0/8 to any group 450
block out log quick from any to 127.0.0.0/8 group 450
block out log quick from any to a.b.c.2/25 group 450
#do not block syslogd
pass out quick from any to 192.168.1.251 port = 514 group 450

#incoming on inside interface
pass in on fxp0 all head 400
block in log quick from 127.0.0.0/8 to any group 400
block in log quick from a.b.c.2/25 to any group 400
block in log quick from 10.0.0.1/0xff000000 to any group 400
pass in on fxp0 all head 400
block in log quick from 127.0.0.0/8 to any group 400
block in log quick from a.b.c.2/25 to any group 400
block in log quick from 10.0.0.1/0xff000000 to any group 400
block in quick from any to 206.154.102.240/24 group 400
pass in log quick on fxp0 proto tcp from any to 192.168.1.1 port = 22 keep state group 400
pass in quick on fxp0 proto udp from 192.168.1.251/32 to 192.168.1.1 port = 161 keep state group 400
pass in log quick on fxp0 proto tcp from any to any keep state group 400
pass in log quick on fxp0 proto udp from any to any keep state group 400
pass in log quick on fxp0 proto gre from any to any group 400

From owner-freebsd-security Thu Jun 29 11: 9:40 2000
From: "Cameron, Frank"
To: "'Michael Lucas'"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: ipfilter & pptp & freebsd
Date: Thu, 29 Jun 2000 14:10:11 -0400

What about trying a one-to-one mapping like,

bimap fxp1 192.168.1.105 -> a.b.c.2/32

instead of the rdr rules?
(http://www.obfuscation.org/ipf/ipf-howto.html#TOC_28)

-frank

> -----Original Message-----
> From: Michael Lucas [SMTP:mwlucas@blackhelicopters.org]
> Sent: Thursday, June 29, 2000 1:40 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: ipfilter & pptp & freebsd
>
> My ipnat.conf looks like:
>
> #then the general NAT for the office
> #first, pptp
> rdr fxp1 a.b.c.2/32 port 0 -> 192.168.1.105 port 0 gre
> rdr fxp1 a.b.c.2/32 port 1723 -> 192.168.1.105 port 1723 tcpudp
>
> #then regular networking
> map fxp1 192.168.1.1/24 -> a.b.c.2/32 proxy port ftp ftp/tcp
> map fxp1 192.168.1.1/24 -> a.b.c.2/32 portmap tcp/udp 10000:40000
> #finally, allow any any outgoing protocol
> map fxp1 192.168.1.0/24 -> a.b.c.2/32
>
> rdr fxp1 a.b.c.2/32 port 21 -> 192.168.1.254 port 21
> ... plus a bunch more "redirect this for incoming services"...

From owner-freebsd-security Thu Jun 29 13:34:36 2000
Date: Thu, 29 Jun 2000 16:34:43 -0700
From: Pierre Chiu
Reply-To: Webbie
Message-ID: <14149621401.20000629163443@everyday.cx>
To: Michael Lucas
Cc: freebsd-security@freebsd.org
Subject: Re: ipfilter & pptp & freebsd
In-reply-To: <200006291740.NAA16472@blackhelicopters.org>
References: <200006291740.NAA16472@blackhelicopters.org>

For debugging purposes, how about keeping the nat rules but dropping all
the firewall rules. And also, you might want to check out the NIC stats
(netstat -i) while frontpage is uploading. The problem could be packet
loss.

Thursday, June 29, 2000, 10:40:21 AM, you wrote:

ML> Well, I got a FreeBSD firewall at work, after explaining how the
ML> commercial ones weren't any better and cost far more for not much
ML> gain. And it makes the enterprise-critical application fail.
ML> Sometimes life is just not fair.

ML> Anyway, I have a FreeBSD 4-stable machine as our gateway box. I'm
ML> using ipfilter for NAT and connection control. Inside the network, I
ML> have a Windows machine, running FrontPage, that needs to publish data
ML> to the outside world via pptp tunnels. This machine pumps hundreds of
ML> meg a day.

ML> If we take this system and put it outside the firewall, it shoves data
ML> quickly. Inside the firewall, it runs painfully slowly. In the last
ML> 50 minutes, it's sent 1,181,971 bytes.

ML> Below, I replace the class C with a.b.c to protect the guilty.
ML> 192.168.1.105 is my pptp host.

ML> I'd appreciate any help anyone has to offer, or any tips on what to check.

ML> Thanks,
ML> Michael

ML> My ipnat.conf looks like:
ML> [...]

ML> My ipf.conf looks like:
ML> [...]

-- 
Pierre
          \\|//
          (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail           : mailto:webbie(at)everyday(dot)cx
PGP Key         : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint : 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
+-------------------------------------------------------------------+
network packets travelling uphill (use a carrier pigeon)

From owner-freebsd-security Thu Jun 29 13:49:50 2000
Date: Thu, 29 Jun 2000 16:49:29 -0400 (EDT)
From: Mike Nowlin
To: Michael Lucas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfilter & pptp & freebsd
In-Reply-To: <200006291740.NAA16472@blackhelicopters.org>

> If we take this system and put it outside the firewall, it shoves data
> quickly. Inside the firewall, it runs painfully slowly. In the last
> 50 minutes, it's sent 1,181,971 bytes.

Speed issues like this can be caused by half/full duplex mismatching on
the ethernet interfaces. I had one the other day that had been running
for several months (with occasional reboots without any problems), and
then after the last reboot, the auto-negotiation failed between the switch
and the fxp card -- the switch was running 100-half, and the fxp card was
running 100-full... Result? Estimated 27 hours to transfer a 1.3gig
file. Rebooted & forced the parameters on both switch & fxp to 100-full,
and the transfer took no time at all.

You may want to try doing some large transfers between the FBSD<->Windows
box and FBSD<->OutsideWorld to see what happens. If this is your problem,
one or both of these will be cripplingly slow.

mike

From owner-freebsd-security Fri Jun 30 5:59: 1 2000
From: Michael Lucas
Message-Id: <200006301258.IAA20130@blackhelicopters.org>
Subject: Re: ipfilter & pptp & freebsd
In-Reply-To: from Mike Nowlin at "Jun 29, 2000 4:49:29 pm"
To: freebsd-security@freebsd.org
Date: Fri, 30 Jun 2000 08:58:56 -0400 (EDT)

(I'm answering this one message and copying the list, rather than
copying the list on *all* the replies.)

An interface mismatch doesn't appear to be the problem; other transfers
go lickety-split. I can download huge files without difficulty.

It doesn't appear to be packet loss. netstat -i doesn't show anything
unusual.

I've pulled all the firewall rules, leaving only a "pass any to any" and
the NAT. No better.

Also, I've tried a bimap. No change.

One other thing: according to the little PPTP box on Windows (for what
it's worth), the speed starts off quick. It just slows down gradually,
until it reaches a dead crawl. The firewall packet log seems to agree,
although I haven't done a detailed line-by-line analysis to see how many
packets pass at any given second.

Might ipfw/natd work better?

Anyone have any other ideas?

==ml

> Speed issues like this can be caused by half/full duplex mismatching on
> the ethernet interfaces. I had one the other day that had been running
> for several months (with occasional reboots without any problems), and
> then after the last reboot, the auto-negotiation failed between the switch
> and the fxp card -- the switch was running 100-half, and the fxp card was
> running 100-full... Result? Estimated 27 hours to transfer a 1.3gig
> file. Rebooted & forced the parameters on both switch & fxp to 100-full,
> and the transfer took no time at all.
>
> You may want to try doing some large transfers between the FBSD<->Windows
> box and FBSD<->OutsideWorld to see what happens. If this is your problem,
> one or both of these will be cripplingly slow.
>
> mike
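Two of the replies above (Pierre Chiu's "check netstat -i for packet loss" and Mike Nowlin's duplex-mismatch story) point at the same check, and Michael Lucas's answer ("netstat -i doesn't show anything unusual") shows its weak spot: netstat -i prints lifetime counters, so a glance at it tells you nothing about whether errors are accumulating during the slow upload. The script below is an added example, not code from anyone in this thread. It diffs two netstat -i snapshots taken around the transfer and classifies what grew. The two snapshots embedded in it are constructed to look like FreeBSD 4.x netstat -i output; the interface names fxp0 (inside) and fxp1 (outside) follow the thread, while the MAC addresses, counter values and the 192.0.2.2 outside address (standing in for the poster's a.b.c.2) are invented. The function names link_counters, error_delta, classify_delta and report are likewise mine.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): diff two `netstat -i`
# snapshots and report whether Ierrs / Oerrs / Coll grew on each interface.
# A single `netstat -i` shows lifetime counters, so "nothing unusual" can
# hide loss that only happens during the slow upload; the delta over the
# transfer is what matters.
#
# SNAP_BEFORE / SNAP_AFTER are constructed to look like FreeBSD 4.x
# `netstat -i` output. Interface names follow the thread (fxp0 inside,
# fxp1 outside); MAC addresses, counters and the 192.0.2.2 outside address
# (standing in for the poster's a.b.c.2) are made up.

SNAP_BEFORE='Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>    00:a0:c9:11:22:33  1048576     0  1020300     0     0
fxp0  1500  192.168.1     192.168.1.1      1048576     -  1020300     -     -
fxp1  1500  <Link#2>    00:a0:c9:44:55:66   800100    12   790000    40  1500
fxp1  1500  192.0.2       192.0.2.2         800100     -   790000     -     -
lo0   16384 <Link#3>                           200     0      200     0     0'

SNAP_AFTER='Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>    00:a0:c9:11:22:33  1050000     0  1021000     0     0
fxp0  1500  192.168.1     192.168.1.1      1050000     -  1021000     -     -
fxp1  1500  <Link#2>    00:a0:c9:44:55:66   801000    15   800000    60  2400
fxp1  1500  192.0.2       192.0.2.2         801000     -   800000     -     -
lo0   16384 <Link#3>                           250     0      250     0     0'

# Print "Ipkts Ierrs Opkts Oerrs Coll" for one interface. Only the <Link#N>
# line carries counters (per-address lines show "-"); lo0 has no Address
# column, so the counters are taken relative to the last field.
link_counters() {  # $1 = snapshot text, $2 = interface name
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == ifc && $3 ~ /^<Link#/ {
            print $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF
            exit
        }'
}

# Print "dIerrs dOerrs dColl" for one interface between two snapshots.
# Returns 1 (and prints nothing) if the interface is missing from either.
error_delta() {  # $1 = before snapshot, $2 = after snapshot, $3 = interface
    ed_before=$(link_counters "$1" "$3")
    ed_after=$(link_counters "$2" "$3")
    [ -n "$ed_before" ] && [ -n "$ed_after" ] || return 1
    printf '%s\n%s\n' "$ed_before" "$ed_after" | awk '
        NR == 1 { ie = $2; oe = $4; co = $5 }
        NR == 2 { print $2 - ie, $4 - oe, $5 - co }'
}

# Turn the deltas into the verdicts this thread argues about. Collisions
# climbing on a link that should be 100-full means this side negotiated
# half duplex; input errors climbing with no collisions points at the
# peer being half duplex (its aborted frames arrive here as runts / CRC
# errors) or at a bad cable; all zero means the NIC is not where the loss is.
classify_delta() {  # $1 = before, $2 = after, $3 = interface
    cl_deltas=$(error_delta "$1" "$2" "$3") || { echo no-such-interface; return 1; }
    set -- $cl_deltas        # $1 = dIerrs, $2 = dOerrs, $3 = dColl
    if   [ "$3" -gt 0 ]; then echo collisions
    elif [ "$1" -gt 0 ]; then echo input-errors
    elif [ "$2" -gt 0 ]; then echo output-errors
    else                      echo clean
    fi
}

# Stand-alone run: one line per interface. Pass two saved `netstat -i`
# files to use real data, e.g.  netstat -i > b; sleep 60; netstat -i > a
report() {
    if [ $# -eq 2 ]; then r_before=$(cat "$1"); r_after=$(cat "$2")
    else                  r_before=$SNAP_BEFORE; r_after=$SNAP_AFTER
    fi
    for ifc in $(printf '%s\n' "$r_after" | awk '$3 ~ /^<Link#/ { print $1 }'); do
        printf '%-6s dIerrs/dOerrs/dColl=%-12s %s\n' "$ifc" \
            "$(error_delta "$r_before" "$r_after" "$ifc" | tr ' ' /)" \
            "$(classify_delta "$r_before" "$r_after" "$ifc")"
    done
}

report "$@"
```

Run it on the firewall itself, taking the two snapshots while the FrontPage upload is actually in progress, so that the interval covers the period in which the tunnel slows down. With the constructed data fxp1 comes out as "collisions", which is the half-duplex-side signature Mike describes; if both interfaces come out "clean" while the throughput still decays over the life of the tunnel, as Michael reports, the loss is not at the Ethernet layer and the next place to look is the GRE/NAT path itself (tcpdump on fxp0 and fxp1 at once, comparing what enters with what leaves).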