From owner-freebsd-security Sun Sep 8 23:44:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A32837B400 for ; Sun, 8 Sep 2002 23:44:37 -0700 (PDT)
Received: from ns1.mgul.ac.ru (ns1.mgul.ac.ru [193.233.63.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 72B9043E42 for ; Sun, 8 Sep 2002 23:44:35 -0700 (PDT) (envelope-from andrey@mgul.ac.ru)
Received: from ns2.mgul.ac.ru (ns2.mgul.ac.ru [193.233.63.17]) (authenticated bits=0) by ns1.mgul.ac.ru (8.12.6/8.12.6) with ESMTP id g896iJfH069635; Mon, 9 Sep 2002 10:44:19 +0400 (MSD)
Date: Mon, 9 Sep 2002 10:44:18 +0400
From: "Andrey V. Pevnev"
X-Mailer: The Bat! (v1.61) UNREG / CD5BF9353B3B7091
Reply-To: "Andrey V. Pevnev"
Organization: Moscow State Forestry University
X-Priority: 3 (Normal)
Message-ID: <19738672137.20020909104418@mgul.ac.ru>
To: Lawrence Sica
Cc: security@FreeBSD.ORG
Subject: Re[2]: Anti-virus section for FAQ
In-Reply-To: <4A393ABF-C1FA-11D6-9989-000393A335A2@earthlink.net>
References: <4A393ABF-C1FA-11D6-9989-000393A335A2@earthlink.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=-3.4 required=5 tests=IN_REP_TO
X-Scanned-By: MIMEDefang 2.20 (www . roaringpenguin . com / mimedefang)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello Lawrence,

Saturday, September 7, 2002, 4:39:38 AM, you wrote:

>>> http://www.thesicafamily.org/larry/articles/avfaq.html

Also, please, take a look at DrWeb Daemon (http://sald.com/) - anti-virus that works with Sendmail/Exim/Postfix/Qmail/Zmailer/Courier-MTA and supports Samba shares scanning! + FREE daily updates via http!
It was ported under FreeBSD: /usr/ports/security/drweb*

And there is one more Anti-SPAM and Anti-virus program: MIMEDefang http://www.roaringpenguin.com/mimedefang/ which also was ported: /usr/ports/mail/mimedefang

-- 
Best regards,
MSFU LAN Admin Andrey
mailto:andrey@mgul.ac.ru
http://www.mgul.ac.ru/~andrey

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 9 3:10:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16E2E37B400 for ; Mon, 9 Sep 2002 03:10:39 -0700 (PDT)
Received: from mail.seattleFenix.net (seattleFenix.net [216.39.145.247]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E67643E65 for ; Mon, 9 Sep 2002 03:10:38 -0700 (PDT) (envelope-from roo@mail.seattleFenix.net)
Received: (from roo@localhost) by mail.seattleFenix.net (8.11.6/8.11.6) id g88BfPh99383; Sun, 8 Sep 2002 04:41:25 -0700 (PDT) (envelope-from roo)
Date: Sun, 8 Sep 2002 04:41:25 -0700
From: Benjamin Krueger
To: Hans Zaunere
Cc: freebsd-security@freebsd.org
Subject: Re: jail() House Rock
Message-ID: <20020908044125.C98271@mail.seattleFenix.net>
Reply-To: benjamin@seattleFenix.net
References: <20020906185814.71834.qmail@web12803.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020906185814.71834.qmail@web12803.mail.yahoo.com>; from zaunere@yahoo.com on Fri, Sep 06, 2002 at 11:58:14AM -0700
X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

* Hans Zaunere (zaunere@yahoo.com) [020906 11:57]:
>
> I'm looking to provide jail()'d root access to clients (the virtual
> private server bit).
> I myself have been a client on several of these
> setups, and while some are better than others, I often find missing and
> broken features - and I've never even looked at it from a security
> standpoint.
>
> Aside from the commonly known man pages/handbooks/etc is there a
> definitive source for PROPERLY setting one of these systems up?
> Something that outlines what features mean decreased security?
> Something that outlines proper layout of these systems? Then I can
> judge exactly what and what not to offer. I already have a good handle
> on security of regular systems, so something specific to the jail()'d
> environment would be best, as I'm sure there are some gotchas and such.
>
> Thank you,
>
> Hans

Think carefully about exactly what kind of privileges your clients get. A friend asked me recently if his users could escalate privileges if they have a normal user account on the main server, and root inside the jail. After some thinking we outlined a situation in which the user creates a suid binary to escalate any user to root inside the jail, and then runs it as a normal user outside the jail. Instant root.

I doubt that there is a definitive guide to absolutely securing a jailed environment. It took many years just to iron simple tmp and shell env escalations (such as IFS related issues) out of most Unixes. Doubtless there are still undiscovered situations like that which can lead to escalated privileges.

To resolve the situation we got above, we had him keep separate unique UIDs in the main system and all the jails. Normal users were disallowed any access to any parts of the filesystem holding a jail. This is just a simple example, but that is the kind of thing you should start thinking about when designing systems like this.

Regards,

-- 
Benjamin Krueger

"Everyone has wings, some folks just don't know what they're for" - B. Banzai
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Mon Sep 9 5:05:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E6A337B400; Mon, 9 Sep 2002 05:05:45 -0700 (PDT)
Received: from gamma.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8EA5643E4A; Mon, 9 Sep 2002 05:05:43 -0700 (PDT) (envelope-from nkritsky@internethelp.ru)
Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by gamma.star.spb.ru (8.9.3/8.9.3) with ESMTP id QAA41885; Mon, 9 Sep 2002 16:05:32 +0400 (MSD)
Received: from IBMKA ([217.195.79.7]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id SSBRQ2A2; Mon, 9 Sep 2002 16:05:31 +0400
Date: Mon, 9 Sep 2002 16:05:29 +0400
From: "Nickolay A. Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Reply-To: "Nickolay A. Kritsky"
X-Priority: 3 (Normal)
Message-ID: <318821464.20020909160529@internethelp.ru>
To: Lawrence Sica
Cc: freebsd-security@FreeBSD.ORG, freebsd-doc@FreeBSD.ORG
Subject: Re: Fwd: Anti-virus section for FAQ
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello Lawrence,

Friday, September 06, 2002, 10:23:43 PM, you wrote:

LS> Oops, helps if I post the url eh ;)
LS> http://www.thesicafamily.org/larry/articles/avfaq.html

I would like to add to this list the following AV solution: "Procmail Email Sanitizer" - http://www.impsec.org/email-tools/procmail-security.html

To comment on the FAQ itself. I do not think that just the list of antivirus packages is a good answer for a FAQ. The thing is, that the frequentissimus AV-related question sounds like "What is the best AV for freebsd/sendmail/qmail?" not just "What kind of antiviruses do you know?". I think that it would be truly useful if people who have experience with setting up AV on FreeBSD share their knowledge with us in a manner like this:

;--------------FAQ entry start
Q. What are the pros and contras of "Procmail Email Sanitizer"?
A. Pros for me
1. It is free.
2. It is quite simple to understand and tweak, because it is written with Perl and procmailrc (see man) and all sources are open.
3. It does not rely on signatures provided by a vendor, but uses another algorithm of filtering (see webpage for details). Thus it can stop many virii (viries?) before they are known to the public.
4. It has support, which consists of a mailing list (never tried) and John Hardin (the developer) who was kind and answered some of my questions.
5. It works. It has not failed yet. But see contras.
Contras for me
1. I never used it for stopping MSOffice-based virii. Maybe it can do it, maybe not.
2. I had to read and understand `man procmailrc'. But maybe it is from the "pros" part.
Resume: Use it to stop EXE/HTML/JScript/VBScript - based virii and trojans.
If somebody has tested it with MSOffice based virii - can you tell me what you think about that?
;--------------FAQ entry end

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Mon Sep 9 5:16:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 14CA937B400 for ; Mon, 9 Sep 2002 05:16:37 -0700 (PDT)
Received: from michelob.wixb.com (michelob.wixb.com [67.36.82.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DFC643E3B for ; Mon, 9 Sep 2002 05:16:36 -0700 (PDT) (envelope-from lists@xpec.com)
Received: from coors.xpec.com (michelob.wixb.com [10.135.144.20]) by michelob.wixb.com (8.12.6/8.12.6) with ESMTP id g89CGZYL021641 for ; Mon, 9 Sep 2002 07:16:36 -0500 (CDT)
Message-Id: <5.1.1.6.2.20020909071610.00b27708@localhost>
Date: Mon, 09 Sep 2002 07:16:33 -0500
To: freebsd-security@FreeBSD.ORG
From: "J.D. Bronson"
Subject:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

auth f08edc02
unsubscribe freebsd-security lists@xpec.com

From owner-freebsd-security Mon Sep 9 7:27:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 095B037B400 for ; Mon, 9 Sep 2002 07:27:21 -0700 (PDT)
Received: from mail.ubergeeks.com (lorax.ubergeeks.com [209.145.65.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id 634FF43E42 for ; Mon, 9 Sep 2002 07:27:20 -0700 (PDT) (envelope-from adrian+freebsd-security@ubergeeks.com)
Received: from mail.ubergeeks.com (localhost [127.0.0.1]) by mail.ubergeeks.com (8.12.5/8.12.5) with ESMTP id g89ERJel008934; Mon, 9 Sep 2002 10:27:19 -0400 (EDT) (envelope-from adrian+freebsd-security@ubergeeks.com)
Received: from localhost (adrian@localhost) by mail.ubergeeks.com (8.12.5/8.12.5/Submit) with ESMTP id g89ERJPV008931; Mon, 9 Sep 2002 10:27:19 -0400 (EDT) (envelope-from adrian+freebsd-security@ubergeeks.com)
X-Authentication-Warning: lorax.ubergeeks.com: adrian owned process doing -bs
Date: Mon, 9 Sep 2002 10:27:19 -0400 (EDT)
From: Adrian Filipi-Martin
To: Benjamin Krueger
Cc: Hans Zaunere ,
Subject: Re: jail() House Rock
In-Reply-To: <20020908044125.C98271@mail.seattleFenix.net>
Message-ID: <20020909102116.M8908-100000@lorax.ubergeeks.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 8 Sep 2002, Benjamin Krueger wrote:

> Think carefully about exactly what kind of privileges your clients get. A
> friend asked me recently if his users could escalate privileges if they have a
> normal user account on the main server, and root inside the jail. After some
> thinking we outlined a situation in which the user creates a suid binary to
> escalate any user to root inside the jail, and then runs it as a normal user
> outside the jail. Instant root.

We stumbled across this situation a year or so ago as we converted our development environments to be jails on the developer workstations.

A reasonable solution is to block access to the jailed filesystems from non-jailed accounts. Just do the following:

install -m u=rwx,go= -d /usr/fence
install -d /usr/fence/jail

Then use the fenced off directory as your jail root. We are successfully running desktops with multiple developer jails in this sort of configuration and things work great. This excluded anyone but root from using suid binaries from a jail, and well, root's already root.
Adrian
-- 
[ adrian@ubergeeks.com ]

From owner-freebsd-security Mon Sep 9 7:49:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5D9D37B401 for ; Mon, 9 Sep 2002 07:49:36 -0700 (PDT)
Received: from mail.XtremeDev.com (xtremedev.com [216.241.38.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B8B743E65 for ; Mon, 9 Sep 2002 07:49:36 -0700 (PDT) (envelope-from bsd@xtremedev.com)
Received: from xtremedev.com (xtremedev.com [216.241.38.65]) by mail.XtremeDev.com (Postfix) with ESMTP id 0CABD70601; Mon, 9 Sep 2002 08:49:35 -0600 (MDT)
Date: Mon, 9 Sep 2002 08:49:34 -0600 (MDT)
From: bsd@xtremedev.com
X-X-Sender: dave@Amber.XtremeDev.com
To: Adrian Filipi-Martin
Cc: Benjamin Krueger , Hans Zaunere ,
Subject: Re: jail() House Rock
In-Reply-To: <20020909102116.M8908-100000@lorax.ubergeeks.com>
Message-ID: <20020909084601.K27444-100000@Amber.XtremeDev.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> A reasonable solution is to block access to the jailed filesystems
> from non-jailed accounts. Just do the following:
>
> install -m u=rwx,go= -d /usr/fence
> install -d /usr/fence/jail
>
> Then use the fenced off directory as your jail root. We are
> successfully running desktops with multiple developer jails in this sort of
> configuration and things work great. This excluded anyone but root from
> using suid binaries from a jail, and well, root's already root.

Er, I don't believe this solves the issue.
If the user knows the full path from the host system to the suid binary s/he created in the jail, s/he can access it directly as a regular user in the host environment. I.e., typing in:

/usr/fence/jail/usr/home/baduser/bin/rootshell

Please correct me if I'm wrong or if I've misunderstood.

From owner-freebsd-security Mon Sep 9 10:16:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1BCA37B400; Mon, 9 Sep 2002 10:16:11 -0700 (PDT)
Received: from smtp.comcast.net (smtp.comcast.net [24.153.64.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9AF0643E4A; Mon, 9 Sep 2002 10:16:11 -0700 (PDT) (envelope-from lomifeh@earthlink.net)
Received: from bgp586692bgs.jdover01.nj.comcast.net (bgp586692bgs.jdover01.nj.comcast.net [68.39.202.147]) by mtaout01.icomcast.net (iPlanet Messaging Server 5.1 HotFix 1.4 (built Aug 5 2002)) with ESMTP id <0H2600AF7LAXTR@mtaout01.icomcast.net>; Mon, 09 Sep 2002 13:16:10 -0400 (EDT)
Date: Mon, 09 Sep 2002 13:16:11 -0400
From: Lawrence Sica
Subject: Re: Anti-virus section for FAQ
In-reply-to: <318821464.20020909160529@internethelp.ru>
To: "Nickolay A. Kritsky"
Cc: freebsd-security@FreeBSD.ORG, freebsd-doc@FreeBSD.ORG
Message-id:
MIME-version: 1.0
X-Mailer: Apple Mail (2.543)
Content-type: text/plain; charset=US-ASCII; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Monday, September 9, 2002, at 08:05 AM, Nickolay A. Kritsky wrote:

> Hello Lawrence,
>
> Friday, September 06, 2002, 10:23:43 PM, you wrote:
>
> LS> Oops, helps if I post the url eh ;)
>
> LS> http://www.thesicafamily.org/larry/articles/avfaq.html
>
> I would like to add to this list the following AV solution:
> "Procmail Email Sanitizer" -
> http://www.impsec.org/email-tools/procmail-security.html
>
> To comment on the FAQ itself. I do not think that just the list of
> antivirus packages is a good answer for a FAQ. The thing is, that the
> frequentissimus AV-related question sounds like "What is the best AV
> for freebsd/sendmail/qmail?" not just "What kind of antiviruses do you
> know?". I think that it would be truly useful if people who have
> experience with setting up AV on FreeBSD share their knowledge with
> us in a manner like this:

This goes beyond the purpose of the FAQ tho, it was meant to be a short list of possible software out there. More information would be better suited to a handbook section. To do that for every package would make it a separate FAQ. I had planned on a more in depth article as well, but for the FAQ a short, simple list is best imho. Other opinions? This list is meant to be an unbiased bit on what is out there, not an in depth review and rating of each package.
--Larry

From owner-freebsd-security Tue Sep 10 6:54:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82BCB37B400 for ; Tue, 10 Sep 2002 06:54:16 -0700 (PDT)
Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id B49EA43E6E for ; Tue, 10 Sep 2002 06:54:15 -0700 (PDT) (envelope-from greg.panula@dolaninformation.com)
Received: (qmail 57462 invoked by uid 0); 10 Sep 2002 13:54:14 -0000
Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.401772 secs); 10 Sep 2002 13:54:14 -0000
X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy
X-Qmail-Scanner-Rcpt-To: freebsd-security@FreeBSD.ORG,zaunere@yahoo.com
X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.401772 secs)
Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 10 Sep 2002 13:54:14 -0000
Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 10 Sep 2002 08:54:14 -0500
Message-ID: <3D7DF985.5C41C075@dolaninformation.com>
Date: Tue, 10 Sep 2002 08:54:13 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Cc: Hans Zaunere
Subject: Re: asmtp 587 - quickie faq submission
References: <20020906230716.99501.qmail@web12808.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hmm, this original email/question is a good example why a security-questions@freebsd.org mail-list might be a good thing.

Anyways, to help balance this thread away from noise and towards signal... here is a quickie faq submission for this thread. :)

Q: What is ASMTP?
A: Authenticated SMTP, explained in RFC 2554

Q: What is ASMTP good for?
A: Allow the SMTP server to authenticate users before allowing them to use the smtp service for sending mail. Useful if you have roaming users that connect from foreign networks (e.g. hotel somewhere).

Q: How do I or my users make use of ASMTP?
A: The user's email client needs to be configured to authenticate themselves to the smtp server. Earthlink has a FAQ section explaining various email client configurations at http://support.earthlink.net/mu/1/psc/img/walkthroughs/Help_FAQ/7280.psc.html

Q: Why does Sendmail listen on Port 587?
A: For compliance with RFC 2476 which states that separating the different parts of mail handling (submissions & transfers) is a good thing and port 587 was deemed to be the port for handling submissions. Sendmail 8.10.0 introduced DaemonPortOptions to support this. Check out http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html for some quick info about DaemonPortOptions.

Q: How do I turn off the Message Submission Agent aka stop listening on port 587?
A: Add FEATURE(`no_default_msa') to your cf.m4 config file and recreate your sendmail.cf file.

Someone might want to verify the information above; I haven't done any of it and stopped using & admin'ing sendmail a year or two ago. :)

Cheers,
Greg

Hans Zaunere wrote:
>
> --- Lyndon Nerenberg wrote:
> > >>>>> "Jose" == Jose Esteban Esquer Biskofski writes:
> >
> >     Jose> Hello, I've been looking for information on what sendmail's
> >     Jose> asmtp (port 587) is exactly, and how to close it. I've had no
> >     Jose> luck, could someone please tell me how to get rid of it?
> >     Jose> Thanks.
> >
> > Port 587 is the Mail Submission service (RFC 2476), and instead of
> > turning it off you should learn what it's for and then configure
> > your MUAs to use it.
>
> I disagree. I've been through docs/RFCs/etc and I have yet to see its
> purpose. As far as I can tell, it's just sendmail listening on another
> port.
>
> The pertinent line in /etc/mail/sendmail.cf:
>
> O DaemonPortOptions=Port=587, Name=MSA, M=E
>
> and I've commented it out. If someone can tell me how I'm supposed to
> talk to it, I'd be interested - otherwise I see it just as an immature
> default. And, if it's set up for MUAs, why does it listen on all IPs?
> Just localhost, no?
>
> Thanks,
>
> Hans
>
> > --lyndon
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Finance - Get real-time stock quotes
> http://finance.yahoo.com

From owner-freebsd-security Tue Sep 10 7:22:29 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 896FB37B400 for ; Tue, 10 Sep 2002 07:22:22 -0700 (PDT)
Received: from antalya.lupe-christoph.de (pD9E88428.dip0.t-ipconnect.de [217.232.132.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDC2D43E3B for ; Tue, 10 Sep 2002 07:22:20 -0700 (PDT) (envelope-from lupe@lupe-christoph.de)
Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 57FC85E9; Tue, 10 Sep 2002 16:22:18 +0200 (CEST)
Date: Tue, 10 Sep 2002 16:22:18 +0200
To: Greg Panula
Cc: freebsd-security@FreeBSD.ORG, Hans Zaunere
Subject: Re: asmtp 587 - quickie faq submission
Message-ID: <20020910142218.GF2306@lupe-christoph.de>
References: <20020906230716.99501.qmail@web12808.mail.yahoo.com> <3D7DF985.5C41C075@dolaninformation.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D7DF985.5C41C075@dolaninformation.com>
User-Agent: Mutt/1.4i
From: lupe@lupe-christoph.de (Lupe Christoph)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tuesday, 2002-09-10 at 08:54:13 -0500, Greg Panula wrote:

> Hmm, this original email/question is a good example why a
> security-questions@freebsd.org mail-list might be a good thing.

> Anyways, to help balance this thread away from noise and towards
> signal... here is a quickie faq submission for this thread. :)

A few nitpicks, and one addition...

> Q: What is ASMTP?
> A: Authenicated SMTP, explained in RFC 2554

Authenticated

> Q: What is ASMTP good for?
> A: Allow the SMTP server to authenicate users before allowing them to

authenticate

> use the smtp service for sending mail. Useful if you have roaming users
> that connect from foreign networks(e.g. hotel somewhere).

> Q: How do I or my users make use of ASMTP?
> A: The user's email client needs to be configured to authenicate
> themselves to the smtp server. Earthlink has a FAQ section explaining

itself

> various email client configurations at
> http://support.earthlink.net/mu/1/psc/img/walkthroughs/Help_FAQ/7280.psc.html

Q: How do I implement ASMTP on my mailserver?
A: Depends on your MTA...

Q: OK, how do I implement ASMTP in sendmail?
A: (Dunfino, I haven't done this yet.)

Q: OK, how do I implement ASMTP in postfix?
A: Read this: http://www.mandrakesecure.net/en/docs/postfix-sasl.php

> Q: Why does Sendmail listen on Port 587?
> A: For compliance with RFC 2476 which states that seperating the
> different parts of mail handling(submissions&transfers) is a good thing
> and port 587 was deemed to be the port for handling submissions.
> Sendmail 8.10.0 introduced DaemonPortOptions to support this. Checkout
> http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
> for some quick info about DaemonPortOptions.

> Q: How do I turn off the Message Submission Agent aka stop listening on
> port 587?
> A: Add FEATURE(`no_default_msa') your cf.m4 config file and recreate
> your sendmail.cf file.

> Someone might want to verify the information above; I haven't done any
> of it and stopped using&admin'ing sendmail a year or two ago. :)

While referring to a Mandrake doc may not be welcome in a FreeBSD FAQ, this is the same document http://www.postfix.org/docs.html refers to for "Postfix + SASL".

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

From owner-freebsd-security Tue Sep 10 7:25:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C50F37B400 for ; Tue, 10 Sep 2002 07:25:46 -0700 (PDT)
Received: from mail.crypton.pl (ns.crypton.pl [195.216.109.11]) by mx1.FreeBSD.org (Postfix) with SMTP id BC66943E42 for ; Tue, 10 Sep 2002 07:25:44 -0700 (PDT) (envelope-from mailman@mail.crypton.pl)
Received: (qmail 12609 invoked by uid 1017); 10 Sep 2002 14:25:42 -0000
Date: Tue, 10 Sep 2002 16:25:42 +0200
From: Nomad
To: freebsd-security@freebsd.org
Subject: Re: jail() House Rock
Message-ID: <20020910142542.GA12567@killer.crypton.pl>
References: <20020909102116.M8908-100000@lorax.ubergeeks.com> <20020909084601.K27444-100000@Amber.XtremeDev.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
In-Reply-To: <20020909084601.K27444-100000@Amber.XtremeDev.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

So, you are wrong and I have to correct you. To read a file in the way you described, the user has to have x permission on all subdirectories and x permission on the executable file. We assume that you have x permission on the executable, but for the root directory of the jail you don't.

On Mon, Sep 09, 2002 at 08:49:34AM -0600, bsd@xtremedev.com wrote:
> > A reasonable solution is to block access to the jailed filesystems
> > from non-jailed accounts. Just do the following:
> >
> > install -m u=rwx,go= -d /usr/fence
> > install -d /usr/fence/jail
> >
> > Then use the fenced off directory as your jail root. We are
> > successfully running desktops with multiple developer jails in this sort of
> > configuration and things work great. This excluded anyone but root from
> > using suid binaries from a jail, and well, root's already root.
>
> Er, I don't believe this solves the issue. If the user knows the full path
> from the host system to the suid binary s/he created in the jail, s/he can
> access it directly as a regular user in the host environment. I.e., typing
> in:
>
> /usr/fence/jail/usr/home/baduser/bin/rootshell
>
> Please correct me if I'm wrong or if I've misunderstood.

From owner-freebsd-security Tue Sep 10 12:26:00 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A34537B400 for ; Tue, 10 Sep 2002 12:25:55 -0700 (PDT)
Received: from computinginnovations.com (dsl081-142-072.chi1.dsl.speakeasy.net [64.81.142.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D0A543E65 for ; Tue, 10 Sep 2002 12:25:54 -0700 (PDT) (envelope-from derek@computinginnovations.com)
Received: from p4.computinginnovations.com (dhcp-192-168-1-111.computinginnovations.com [192.168.1.111]) by computinginnovations.com (8.11.6/8.11.6) with ESMTP id g8AJPq503532 for ; Tue, 10 Sep 2002 14:25:52 -0500 (CDT) (envelope-from derek@computinginnovations.com)
Message-Id: <5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com>
X-Sender: derek@computinginnovations.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Tue, 10 Sep 2002 14:25:26 -0500
To: freebsd-security@FreeBSD.ORG
From: Derek Ragona
Subject: 4.6.2 sendmail anomaly
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I just installed 4.6.2 on a system and now mail sent using the mail command doesn't work.

I get an error that the temp queue file cannot be created, permission denied.

I have tracked down what I think is the problem:

$ ls -al /usr/libexec/sendmail/
total 587
drwxr-xr-x  2 root  wheel     512 Sep  9 13:53 .
drwxr-xr-x  8 root  wheel    1536 Sep  9 13:54 ..
-r-xr-sr-x  1 root  25     581728 Aug 14 14:21 sendmail

Should sendmail be group setuid? Should it be group 25? What is group 25?

-Derek
derek@computinginnovations.com

From owner-freebsd-security Tue Sep 10 12:34:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86E5837B400 for ; Tue, 10 Sep 2002 12:34:21 -0700 (PDT)
Received: from mail.crypton.pl (ns.crypton.pl [195.216.109.11]) by mx1.FreeBSD.org (Postfix) with SMTP id 2E68543E42 for ; Tue, 10 Sep 2002 12:34:20 -0700 (PDT) (envelope-from mailman@mail.crypton.pl)
Received: (qmail 13010 invoked by uid 1017); 10 Sep 2002 19:34:18 -0000
Date: Tue, 10 Sep 2002 21:34:18 +0200
From: Nomad
To: Derek Ragona
Cc: freebsd-security@freebsd.org
Subject: Re: 4.6.2 sendmail anomaly
Message-ID: <20020910193418.GA12989@killer.crypton.pl>
References: <5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
In-Reply-To: <5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi

I think that you just upgraded your system and returned to the old configuration just by copying the old /etc. Isn't it? In FreeBSD 4.6.2 there is a group smmsp, which has id 25. Read the article: http://www.sendmail.org/~ca/email/doc8.12/SECURITY

I hope this helps you to resolve your problem.

Nomad

On Tue, Sep 10, 2002 at 02:25:26PM -0500, Derek Ragona wrote:
> I just installed 4.6.2 on a system and now mail sent using the mail command
> doesn't work.
>
> I get an error that the temp queue file cannot be created, permission
> denied.
>
> I have tracked down what I think is the problem:
> $ ls -al /usr/libexec/sendmail/
> total 587
> drwxr-xr-x  2 root  wheel     512 Sep  9 13:53 .
> drwxr-xr-x  8 root  wheel    1536 Sep  9 13:54 ..
> -r-xr-sr-x  1 root  25     581728 Aug 14 14:21 sendmail
>
> Should sendmail be group setuid? Should it be group 25? What is group 25?
>
> -Derek
> derek@computinginnovations.com

From owner-freebsd-security Tue Sep 10 13:13:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 48A0E37B400 for ; Tue, 10 Sep 2002 13:13:12 -0700 (PDT)
Received: from tomts9-srv.bellnexxia.net (tomts9.bellnexxia.net [209.226.175.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F9EF43E6E for ; Tue, 10 Sep 2002 13:13:11 -0700 (PDT) (envelope-from derek@durham.net)
Received: from cerberus.motorcity.on.ca ([65.95.185.80]) by tomts10-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP id <20020910201041.YCTA10755.tomts10-srv.bellnexxia.net@cerberus.motorcity.on.ca>; Tue, 10 Sep 2002 16:10:41 -0400
Received: (from root@localhost) by cerberus.motorcity.on.ca (8.11.6/8.11.6) id g8AJKxx30031; Tue, 10 Sep 2002 15:20:59 -0400 (EDT) (envelope-from derek@durham.net)
Received: from DEVELOPMENT ([192.168.254.4]) by cerberus.motorcity.on.ca (8.11.6/8.11.6av) with SMTP id g8AJKsD30023; Tue, 10 Sep 2002 15:20:54 -0400 (EDT) (envelope-from derek@durham.net)
Message-ID: <024901c25906$69236b80$04fea8c0@motorcity.on.ca>
From: "Derek"
To: "Derek Ragona" ,
References: <5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com>
Subject: Re: 4.6.2 sendmail anomaly
Date: Tue, 10 Sep 2002 16:12:38 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Virus-Scanned: by AMaViS perl-11 ares.durham.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I just installed 4.6.2 on a system and now mail sent using the mail command
> doesn't work.

If you've just upgraded from an old version (which this kind of implies), you will need to run mergemaster. If the operation of this machine is critical, back up /etc (which you should have with your pre-upgrade backup, right? :), and man mergemaster, as you can bugger your system fairly easily. Also read /usr/src/UPDATING, if it's there for you.

Off-topic response I'm sure.
Derek To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 10 13:26:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E594937B400 for ; Tue, 10 Sep 2002 13:26:48 -0700 (PDT) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id D28C043E77 for ; Tue, 10 Sep 2002 13:26:47 -0700 (PDT) (envelope-from hendrik.danz@gmx.net) Received: (qmail 9562 invoked by uid 0); 10 Sep 2002 20:26:46 -0000 Received: from pd9eb78d4.dip.t-dialin.net (HELO gmx.net) (217.235.120.212) by mail.gmx.net (mp005-rz3) with SMTP; 10 Sep 2002 20:26:46 -0000 Message-ID: <3D7E567E.5080302@gmx.net> Date: Tue, 10 Sep 2002 22:30:54 +0200 From: Hendrik Danz User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0rc3) Gecko/20020607 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Derek Ragona Cc: freebsd-security@FreeBSD.ORG Subject: Re: 4.6.2 sendmail anomaly References: <5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hey, > I just installed 4.6.2 on a system.... > mail command doesn't work. > Should sendmail be group setuid? Should it be group 25? > What is group 25? realy just installed - or did you update your old system? it would be a good idea to read the mergemaster manpage. normally you have to run mergemaster during the installation process. 
this will add smmsp to your /etc/group and the sendmail submission user to your passwd file so long hendrik To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 10 19:15:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB2C237B400 for ; Tue, 10 Sep 2002 19:15:07 -0700 (PDT) Received: from laserbeak.ath.cx (112.a.003.mel.iprimus.net.au [203.134.172.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8925943E4A for ; Tue, 10 Sep 2002 19:15:06 -0700 (PDT) (envelope-from afx@pkl.net) Received: from soap (soap [192.168.0.1]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by laserbeak.ath.cx (Postfix) with ESMTP id 54A2B2B; Wed, 11 Sep 2002 11:31:33 +1000 (EST) From: "George F. Costanzo" To: "'Greg Panula'" Cc: , "'Hans Zaunere'" Subject: RE: asmtp 587 - quickie faq submission Date: Wed, 11 Sep 2002 11:17:10 +1000 Message-ID: <002b01c25930$f4627270$0100a8c0@soap> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 In-Reply-To: <20020910142218.GF2306@lupe-christoph.de> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Q: OK, how do I implement ASMTP in postfix? >A: Read this: http://www.mandrakesecure.net/en/docs/postfix-sasl.php ... >While referring a Mandrake doc may not be welcome in a FreeBSD FAQ, this >is the same document http://www.postfix.org/docs.html refers to for >"Postfix + SASL". I'd recommend pointing them to http://howto.state-of-mind.de/ instead of the mandrake one. 
It explains how to generically setup SASL (ASMTP), along with the wise option of also setting up TLS. -- George F. Costanzo PGP Fingerprint: 1E4F 09F2 D637 B917 8D61 0413 4FBC 7DB0 1407 2B6D To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 10 19:21: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27EFC37B400 for ; Tue, 10 Sep 2002 19:20:56 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FB7543E4A for ; Tue, 10 Sep 2002 19:20:55 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17ox7e-000DFR-00; Tue, 10 Sep 2002 22:20:54 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.36 #1) id 17ox7a-0000ms-00; Tue, 10 Sep 2002 22:20:50 -0400 Date: Tue, 10 Sep 2002 22:20:50 -0400 From: "Scott M. 
Nolde" To: Mike Tancsa Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD IPSEC connection to a Cisco Router using ESP (FAQ submission) Message-ID: <20020911022050.GA2417@smnolde.com> References: <5.1.1.6.0.20020903104701.0591bc10@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.1.6.0.20020903104701.0591bc10@marble.sentex.ca> User-Agent: Mutt/1.4i X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Mike Tancsa(mike@sentex.net)@2002.09.03 10:50:02 +0000: > > > Question: How do I setup an IPSEC ESP Tunnel between a Cisco router and > FreeBSD > > AN Answer: > > OK, I have seen a few people ask this question, but I had not found via the > search engines a sample config on how to setup an IPSEC tunnel between a > FreeBSD box and Cisco router. We had a customer over the weekend wanting to > do just this, so I figured I would post the setup here in case anyone else > wanted to do something like this. > Mike, I appreciate your efforts in documenting this. I have verified 3DES encryption using a Cisco 1720 router with IOS c1700-k2sy-mz.121-5.T8.bin. Other IOSs that support 3DES should work similarly. From racoon's log: 2002-09-10 22:13:16: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des) 2002-09-10 22:13:16: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_md5) From the Cisco 1720 log: 04:10:19: IPSEC(initialize_sas): , (key eng. msg.) 
src= 192.168.10.20, dest= 192.168.10.7, src_proxy= 192.168.10.20/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.10.7/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 300s and 4608000kb, spi= 0xA7471E6(175403494), conn_id= 2001, keysize= 0, flags= 0x25 04:10:19: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.10.7, sa_prot= 50, sa_spi= 0xA7471E6(175403494), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001 The changes to the router configuration is minor, as you change esp-des to esp-3des. raccon.conf is changed by using 3des instead of des in the sainfo section. -- Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 10 19:55:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69B8B37B400 for ; Tue, 10 Sep 2002 19:55:36 -0700 (PDT) Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C5AB43E42 for ; Tue, 10 Sep 2002 19:55:35 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr) Received: from hades.hell.gr (patr530-b229.otenet.gr [212.205.244.237]) by mailsrv.otenet.gr (8.12.4/8.12.4) with ESMTP id g8B2tOK9007460; Wed, 11 Sep 2002 05:55:26 +0300 (EEST) Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.6/8.12.6) with ESMTP id g8B2tJSx008259; Wed, 11 Sep 2002 05:55:20 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Received: (from charon@localhost) by hades.hell.gr (8.12.6/8.12.6/Submit) id g8AKvIOe006789; Tue, 10 Sep 2002 23:57:18 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Date: Tue, 10 Sep 2002 23:57:18 +0300 From: Giorgos Keramidas To: Derek Ragona Cc: freebsd-security@FreeBSD.org Subject: Re: 4.6.2 sendmail anomaly Message-ID: <20020910205718.GO2926@hades.hell.gr> References: 
<5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com> X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2002-09-10 14:25, Derek Ragona wrote: > I just installed 4.6.2 on a system and now mail sent using the mail > command doesn't work. > > I get an error that the temp queue file cannot be created, > permission denied. > > I have tracked down what I think is the problem: > $ ls -al /usr/libexec/sendmail/ > total 587 > drwxr-xr-x 2 root wheel 512 Sep 9 13:53 . > drwxr-xr-x 8 root wheel 1536 Sep 9 13:54 .. > -r-xr-sr-x 1 root 25 581728 Aug 14 14:21 sendmail > > Should sendmail be group setuid? Should it be group 25? What is group 25? Apparently, you lack the smmsp group. Here's output from my machine: $ cd /usr/libexec/sendmail $ ls -ld sendmail -r-xr-sr-x 1 root smmsp - 574404 Sep 10 00:31 sendmail Read /usr/src/UPDATING about the Sendmail changes that require the addition of a new user/group to the system. You should always consult /usr/src/UPDATING before doing a buildworld/installworld cycle... G.K. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 1:54:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC55B37B400 for ; Wed, 11 Sep 2002 01:54:39 -0700 (PDT) Received: from doos.cluecentral.net (cluecentral.net [193.109.122.221]) by mx1.FreeBSD.org (Postfix) with SMTP id D29CE43E4A for ; Wed, 11 Sep 2002 01:54:38 -0700 (PDT) (envelope-from sabri@cluecentral.net) Received: (qmail 33172 invoked by uid 1000); 11 Sep 2002 08:54:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Sep 2002 08:54:37 -0000 Date: Wed, 11 Sep 2002 10:54:37 +0200 (CEST) From: Sabri Berisha To: Conrad Burger Cc: Subject: Re: Firewalls on FreeBSD( ipfw vs ipf) In-Reply-To: Message-ID: <20020911105418.F32908-100000@doos.cluecentral.net> X-NCC-Regid: nl.bit X-No-Archive: yes Approved: sabri@pfy.nl MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 22 Aug 2002, Conrad Burger wrote: > I cannot decide which way to go , IPF or IPFW ! For me, ipfw has all my needs. 
-- Sabri Berisha - www.cluecentral.net - "I route, therefore you are" Met z'n negenen een meisje dwingen bruistabletten te eten: http://www.cluecentral.net/veritas/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 2:37: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C9E537B400 for ; Wed, 11 Sep 2002 02:37:04 -0700 (PDT) Received: from antalya.lupe-christoph.de (pD9E880FA.dip0.t-ipconnect.de [217.232.128.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1605243E4A for ; Wed, 11 Sep 2002 02:37:03 -0700 (PDT) (envelope-from lupe@lupe-christoph.de) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id BF2875E9; Wed, 11 Sep 2002 11:37:00 +0200 (CEST) Date: Wed, 11 Sep 2002 11:37:00 +0200 To: "George F. Costanzo" Cc: 'Greg Panula' , freebsd-security@FreeBSD.ORG, 'Hans Zaunere' Subject: Re: asmtp 587 - quickie faq submission Message-ID: <20020911093700.GG2306@lupe-christoph.de> References: <20020910142218.GF2306@lupe-christoph.de> <002b01c25930$f4627270$0100a8c0@soap> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <002b01c25930$f4627270$0100a8c0@soap> User-Agent: Mutt/1.4i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wednesday, 2002-09-11 at 11:17:10 +1000, George F. Costanzo wrote: > >Q: OK, how do I implement ASMTP in postfix? > >A: Read this: http://www.mandrakesecure.net/en/docs/postfix-sasl.php > ... > >While referring a Mandrake doc may not be welcome in a FreeBSD FAQ, > this > >is the same document http://www.postfix.org/docs.html refers to for > >"Postfix + SASL". 
> I'd recommend pointing them to http://howto.state-of-mind.de/ instead of > the mandrake one. It explains how to generically setup SASL (ASMTP), > along with the wise option of also setting up TLS. Seconded. Too bad I did not find that when I searched with Google. Lupe -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | Big Misunderstandings #6398: The Titanic was not supposed to be | | unsinkable. The designer had a speech impediment. He said: "I have | | thith great unthinkable conthept ..." | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 3:55:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9080737B400 for ; Wed, 11 Sep 2002 03:55:32 -0700 (PDT) Received: from mail.mobikom.com (ns.mobikom.com [212.5.128.30]) by mx1.FreeBSD.org (Postfix) with SMTP id EB56843E3B for ; Wed, 11 Sep 2002 03:55:29 -0700 (PDT) (envelope-from ivailon@mobikom.com) Received: (qmail 11773 invoked from network); 11 Sep 2002 11:04:54 -0000 Received: from unknown (HELO mobikom.com) (212.5.128.80) by mail.mobikom.com with SMTP; 11 Sep 2002 11:04:54 -0000 Message-ID: <3D7F2125.6525E891@mobikom.com> Date: Wed, 11 Sep 2002 13:55:34 +0300 From: Ivajlo Nikolov X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U) X-Accept-Language: bg MIME-Version: 1.0 To: Sabri Berisha Cc: Conrad Burger , freebsd-security@FreeBSD.ORG Subject: Re: Firewalls on FreeBSD( ipfw vs ipf) References: <20020911105418.F32908-100000@doos.cluecentral.net> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm using both ipfilter and ipfw. i. 
Sabri Berisha wrote: > On Thu, 22 Aug 2002, Conrad Burger wrote: > > > I cannot decide which way to go , IPF or IPFW ! > > For me, ipfw has all my needs. > > -- > Sabri Berisha - www.cluecentral.net - "I route, therefore you are" > > Met z'n negenen een meisje dwingen bruistabletten te eten: > http://www.cluecentral.net/veritas/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 5:30:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D2BE37B400 for ; Wed, 11 Sep 2002 05:30:36 -0700 (PDT) Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id BE97643E77 for ; Wed, 11 Sep 2002 05:30:17 -0700 (PDT) (envelope-from greg.panula@dolaninformation.com) Received: (qmail 87341 invoked by uid 0); 11 Sep 2002 12:29:28 -0000 Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.488015 secs); 11 Sep 2002 12:29:28 -0000 X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy X-Qmail-Scanner-Rcpt-To: freebsd-security@freebsd.org X-Qmail-Scanner: 0.96 (No viruses found. 
Processed in 0.488015 secs) Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 11 Sep 2002 12:29:27 -0000 Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167) for freebsd-security@freebsd.org; 11 Sep 2002 07:29:27 -0500 Message-ID: <3D7F3726.958781C8@dolaninformation.com> Date: Wed, 11 Sep 2002 07:29:26 -0500 From: Greg Panula Reply-To: greg.panula@dolaninformation.com Organization: Dolan Information Center Inc X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: asmtp 587 - quickie faq submission References: <002b01c25930$f4627270$0100a8c0@soap> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ok, here is the cleaned-up faq submission for asmtp & port 587. Q: What is ASMTP? A: Authenticated SMTP, explained in RFC 2554 Q: What is ASMTP good for? A: Allow the SMTP server to authenicate users before allowing them to use the smtp service for sending mail. Useful if you have roaming users that connect from foreign networks(e.g. hotel somewhere). Q: How do I or my users make use of ASMTP? A: The user's email client needs to be configured to authenicate themselves to the smtp server. Earthlink has a FAQ section explaining various email client configurations at http://support.earthlink.net/mu/1/psc/img/walkthroughs/Help_FAQ/7280.psc.html Q: How do I implement ASMTP on my mailserver? A: Depends on your MTA. For information about configuring ASMTP&Postfix checkout: http://howto.state-of-mind.de/ Q: Why does Sendmail listen on Port 587? 
A: For compliance with RFC 2476 which states that seperating the different parts of mail handling(submissions&transfers) is a good thing and port 587 was deemed to be the port for handling submissions. Sendmail 8.10.0 introduced DaemonPortOptions to support this. Checkout http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html for some quick info about DaemonPortOptions. Q: How do I turn off the Message Submission Agent aka stop Sendmail from listening on port 587? A: Add FEATURE(`no_default_msa') your config.mc config file and recreate your sendmail.cf file. Brief example of recreating your sendmail.cf can be found at: http://www.sendmail.org/m4/intro.html -- Greg "George F. Costanzo" wrote: > > >Q: OK, how do I implement ASMTP in postfix? > >A: Read this: http://www.mandrakesecure.net/en/docs/postfix-sasl.php > ... > >While referring a Mandrake doc may not be welcome in a FreeBSD FAQ, > this > >is the same document http://www.postfix.org/docs.html refers to for > >"Postfix + SASL". > > I'd recommend pointing them to http://howto.state-of-mind.de/ instead of > the mandrake one. It explains how to generically setup SASL (ASMTP), > along with the wise option of also setting up TLS. > > -- > George F. 
Costanzo > PGP Fingerprint: 1E4F 09F2 D637 B917 8D61 0413 4FBC 7DB0 1407 2B6D To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 8:30:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D32EE37B401 for ; Wed, 11 Sep 2002 08:30:07 -0700 (PDT) Received: from antalya.lupe-christoph.de (pD9E880CA.dip0.t-ipconnect.de [217.232.128.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6D56C43E42 for ; Wed, 11 Sep 2002 08:30:06 -0700 (PDT) (envelope-from lupe@lupe-christoph.de) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 447B95E9; Wed, 11 Sep 2002 17:30:03 +0200 (CEST) Date: Wed, 11 Sep 2002 17:30:03 +0200 To: Greg Panula Cc: freebsd-security@freebsd.org Subject: Re: asmtp 587 - quickie faq submission Message-ID: <20020911153003.GD19536@lupe-christoph.de> References: <002b01c25930$f4627270$0100a8c0@soap> <3D7F3726.958781C8@dolaninformation.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D7F3726.958781C8@dolaninformation.com> User-Agent: Mutt/1.4i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wednesday, 2002-09-11 at 07:29:26 -0500, Greg Panula wrote: > Ok, here is the cleaned-up faq submission for asmtp & port 587. Ok, here is further nitpicking :-) > Q: What is ASMTP? > A: Authenticated SMTP, explained in RFC 2554 > Q: What is ASMTP good for? > A: Allow the SMTP server to authenicate users before allowing them to ^t > use the smtp service for sending mail. Useful if you have roaming users > that connect from foreign networks(e.g. hotel somewhere). Buddy can you spare a space ^here? 
> Q: How do I or my users make use of ASMTP? > A: The user's email client needs to be configured to authenicate ^t > themselves to the smtp server. Earthlink has a FAQ section explaining clients/themselves or client/itself > various email client configurations at > http://support.earthlink.net/mu/1/psc/img/walkthroughs/Help_FAQ/7280.psc.html > Q: How do I implement ASMTP on my mailserver? > A: Depends on your MTA. For information about configuring ASMTP&Postfix > checkout: http://howto.state-of-mind.de/ We still need an explanation for sendmail! I found nothing better than http://www.sendmail.org/~ca/email/auth.html which doesn't look very /usr/friendly to me ;-) The default sendmail in FreeBSD is not compiled with SASL and does not do ASMTP. I suppose one must install the sendmail-sasl port for this. I'm doing that next, but can't test very much with it, due to my setup. > Q: Why does Sendmail listen on Port 587? > A: For compliance with RFC 2476 which states that seperating the separating > different parts of mail handling(submissions&transfers) is a good thing ^space > and port 587 was deemed to be the port for handling submissions. > Sendmail 8.10.0 introduced DaemonPortOptions to support this. Checkout > http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html > for some quick info about DaemonPortOptions. > Q: How do I turn off the Message Submission Agent aka stop Sendmail from > listening on port 587? > A: Add FEATURE(`no_default_msa') your config.mc config file and recreate > your sendmail.cf file. Brief example of recreating your sendmail.cf can > be found at: http://www.sendmail.org/m4/intro.html Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | Big Misunderstandings #6398: The Titanic was not supposed to be | | unsinkable. The designer had a speech impediment. He said: "I have | | thith great unthinkable conthept ..." 
| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 9:10:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AAE5D37B400 for ; Wed, 11 Sep 2002 09:10:29 -0700 (PDT) Received: from antalya.lupe-christoph.de (pD9E880CA.dip0.t-ipconnect.de [217.232.128.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id C816C43E7B for ; Wed, 11 Sep 2002 09:10:27 -0700 (PDT) (envelope-from lupe@lupe-christoph.de) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 99A735E9; Wed, 11 Sep 2002 18:10:18 +0200 (CEST) Date: Wed, 11 Sep 2002 18:10:18 +0200 To: Greg Panula Cc: freebsd-security@freebsd.org Subject: Re: asmtp 587 - quickie faq submission Message-ID: <20020911161018.GE19536@lupe-christoph.de> References: <002b01c25930$f4627270$0100a8c0@soap> <3D7F3726.958781C8@dolaninformation.com> <20020911153003.GD19536@lupe-christoph.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020911153003.GD19536@lupe-christoph.de> User-Agent: Mutt/1.4i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wednesday, 2002-09-11 at 17:30:03 +0200, lupe wrote: > We still need an explanation for sendmail! I found nothing better than > http://www.sendmail.org/~ca/email/auth.html which doesn't look very > /usr/friendly to me ;-) > The default sendmail in FreeBSD is not compiled with SASL and does not > do ASMTP. I suppose one must install the sendmail-sasl port for this. > I'm doing that next, but can't test very much with it, due to my setup. Ok, I've installed the port. 
First thing /usr/local/sbin/sendmail complains about: error: safesasl(/usr/local/etc/sasldb.db) failed: Group readable file Chmodding to 600 gives: error: safesasl(/usr/local/etc/sasldb.db) failed: Permission denied Sigh. But when I edit /etc/mail/sendmail.cf: -#O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 +O AuthMechanisms=PLAIN GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 I get an offer for plaintext AUTH by sendmail. And *only* plaintext AUTH. The other mechanism have probably been disabled because of the problem with /usr/local/etc/sasldb.db. So I suppose one can say that installing the sendmail-sasl port, and editing /etc/mail/sendmail.cf will suffice to enable ASMTP. I would *very much* appreciate if anybody who is in a situation that allows to test this would do so. Until we have better data, I'd propose to put this in the FAQ: *) How do I enable ASMTP with sendmail? You must install the sendmail-sasl port, and replace the default sendmail with the one from that port. Either edit /etc/mail/sendmail.cf to allow PLAIN AUTH (change AuthMechanisms to contain PLAIN), or create a new sendmail.cf. Some help for this can be obtained from: http://www.sendmail.org/~ca/email/auth.html The FAQ authors would appreciate a report from somebody who has actually used sendmail with ASMTP to augment this entry. Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | Big Misunderstandings #6398: The Titanic was not supposed to be | | unsinkable. The designer had a speech impediment. He said: "I have | | thith great unthinkable conthept ..." 
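Review bot: the "+O AuthMechanisms=PLAIN ..." line in the sendmail.cf edit above offers PLAIN without requiring a security layer, so a client's password crosses the wire base64-encoded rather than encrypted; if PLAIN stays in the list, pair it with TLS (the state-of-mind howto recommended earlier in this thread covers both) or set AuthOptions=p so sendmail only advertises PLAIN once the session is encrypted. The hand edit will also be lost the next time sendmail.cf is regenerated from sendmail.mc; the .mc equivalent is define(`confAUTH_MECHANISMS', `PLAIN GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5')dnl.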
| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 11 9:54:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 84C0F37B437; Wed, 11 Sep 2002 09:54:45 -0700 (PDT) Received: from antalya.lupe-christoph.de (pD9E880CA.dip0.t-ipconnect.de [217.232.128.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id D380843E4A; Wed, 11 Sep 2002 09:54:44 -0700 (PDT) (envelope-from lupe@lupe-christoph.de) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id B18835E9; Wed, 11 Sep 2002 18:54:43 +0200 (CEST) Date: Wed, 11 Sep 2002 18:54:43 +0200 To: Gregory Neil Shapiro Cc: Greg Panula , freebsd-security@FreeBSD.ORG Subject: Re: asmtp 587 - quickie faq submission Message-ID: <20020911165443.GG19536@lupe-christoph.de> References: <002b01c25930$f4627270$0100a8c0@soap> <3D7F3726.958781C8@dolaninformation.com> <20020911153003.GD19536@lupe-christoph.de> <20020911161018.GE19536@lupe-christoph.de> <15743.27734.838400.235126@horsey.gshapiro.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <15743.27734.838400.235126@horsey.gshapiro.net> User-Agent: Mutt/1.4i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wednesday, 2002-09-11 at 09:16:22 -0700, Gregory Neil Shapiro wrote: > lupe> error: safesasl(/usr/local/etc/sasldb.db) failed: Group readable file > lupe> Chmodding to 600 gives: > lupe> error: safesasl(/usr/local/etc/sasldb.db) failed: Permission denied > lupe> Sigh. > It shouldn't, assuming it is owned by root (which is should be). 
It's not:

-rw-r-----  1 cyrus  mail  16384 Sep 11 17:32 /usr/local/etc/sasldb.db

> Instead of the chmod, you can also use this in your .mc file:
> define(`confDONT_BLAME_SENDMAIL', `GroupReadableSASLDBFile')dnl

... and sendmail will fall on its face because of the ownership, I'd guess.

> lupe> But when I edit /etc/mail/sendmail.cf:
> lupe> -#O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
> lupe> +O AuthMechanisms=PLAIN GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

> Don't hand edit a .cf file, use the .mc file. For example:

For small tweaks, I do. For bigger things (and in the end, ASMTP would probably fall in this category), I don't.

> define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5')dnl

> lupe> I would *very much* appreciate if anybody who is in a situation that
> lupe> allows to test this would do so.

> You can visit http://test.smtp.org/ if you need a machine to test against.

Sorry, it's not lack of a host to speak ASMTP with; at least for the client side, I can do this with my ISP's mail relay. It's because all the FreeBSD boxen I have are firewalls and I don't want to experiment too much on them (my own firewall is OK for local tests). I was hoping somebody had a desktop box or so to play with.

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
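The exchange above settles on two points: keep the SASL database owned by root with the safe-file permissions sendmail wants, and put the AUTH configuration in the .mc file rather than hand-editing sendmail.cf. The script below is an added example of both, written for this page and not taken from the thread, the FAQ draft, or the sendmail distribution. It assumes /etc/mail/freebsd.mc is the .mc that /etc/mail/Makefile builds, that the cyrus-sasl database lives in /usr/local/etc/sasldb.db as in the listing above, and that a server certificate and key already exist under /etc/mail/certs; all of these are overridable and none comes from the original messages.

```shell
#!/bin/sh
# Added example (not from the thread): enable SMTP AUTH on a SASL-capable
# sendmail through the .mc file, then verify what the daemon advertises.
# Assumptions: MC is the .mc that /etc/mail/Makefile builds, SASLDB is the
# cyrus-sasl database, and /etc/mail/certs holds a usable cert/key pair.
MC="${MC:-/etc/mail/freebsd.mc}"
SASLDB="${SASLDB:-/usr/local/etc/sasldb.db}"
MARK='added: SMTP AUTH'

# The .mc lines. AuthOptions "p" withholds PLAIN and LOGIN until a TLS
# security layer is up, so cleartext mechanisms are never offered on an
# unencrypted session; "A" uses AUTH= only when the client authenticated.
# The submission daemon on 587 requires authentication (modifier "a").
auth_mc_fragment() {
    cat <<'EOF'
dnl --- added: SMTP AUTH ---
define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/key.pem')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
EOF
}

# sendmail's safe-file check wants the SASL database owned by root and
# neither group nor world readable; the two errors quoted in the thread
# come from that check, and the cyrus:mail ownership is what tripped it.
fix_sasldb_perms() {
    chown root:wheel "$SASLDB" && chmod 600 "$SASLDB"
}

# Append the fragment once, rebuild the .cf with the FreeBSD Makefile
# targets and restart the daemon.
install_auth() {
    grep -q "$MARK" "$MC" 2>/dev/null || auth_mc_fragment >> "$MC"
    fix_sasldb_perms
    (cd /etc/mail && make all install restart)
}

# Verify from outside: AUTH must be advertised in the EHLO reply *inside*
# TLS on port 587. Prints the 250-AUTH line, exits non-zero if it is absent.
check_auth_offer() {
    host="${1:?host}"
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$host:587" 2>/dev/null |
        grep '^250-AUTH '
}

case "${1:-}" in
    install) install_auth ;;
    check)   check_auth_offer "$2" ;;
esac
```

`sh smtp-auth.sh install` appends the fragment, fixes the database ownership and rebuilds; `sh smtp-auth.sh check mail.example.org` then shows the mechanisms offered after STARTTLS. A plain `telnet host 587` followed by EHLO should list no AUTH PLAIN or LOGIN at all, which is the point of the `p` option.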
From owner-freebsd-security Wed Sep 11 10:12:13 2002
Date: Wed, 11 Sep 2002 19:12:06 +0200
From: lupe@lupe-christoph.de (Lupe Christoph)
To: Greg Panula
Cc: freebsd-security@freebsd.org
Subject: Re: asmtp 587 - quickie faq submission
Message-ID: <20020911171206.GI19536@lupe-christoph.de>
In-Reply-To: <20020911161018.GE19536@lupe-christoph.de>

With suggested tweaks.

*) How do I enable ASMTP with sendmail?

To implement ASMTP, you must install a sendmail with SASL compiled in. This requires the installation of the cyrus-sasl port. You can then either recompile the system's sendmail as detailed in /etc/defaults/make.conf (look for SASL) or install the sendmail-sasl port, and replace the default sendmail with the one from that port.
Either edit /etc/mail/sendmail.cf to allow PLAIN AUTH (change AuthMechanisms to contain PLAIN), or (better) create a new sendmail.cf. Some help for this can be obtained from:
http://www.sendmail.org/~ca/email/auth.html

More background is contained in http://www.sendmail.org/~gshapiro/security.pdf

The FAQ authors would appreciate a report from somebody who has actually used sendmail with ASMTP to augment this entry.

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

From owner-freebsd-security Wed Sep 11 12: 0:12 2002
Date: Tue, 10 Sep 2002 21:37:05 +0200
From: Erik Trulsson
To: Derek Ragona
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 4.6.2 sendmail anomaly
Message-ID: <20020910193705.GA32731@falcon.midgard.homeip.net>
References:
<5.1.1.6.2.20020910142211.01f5bb80@computinginnovations.com>

On Tue, Sep 10, 2002 at 02:25:26PM -0500, Derek Ragona wrote:
> I just installed 4.6.2 on a system and now mail sent using the mail command
> doesn't work.

This doesn't really belong on -security. It should have been sent to -questions instead.

> I get an error that the temp queue file cannot be created, permission
> denied.
>
> I have tracked down what I think is the problem:
> $ ls -al /usr/libexec/sendmail/
> total 587
> drwxr-xr-x  2 root  wheel     512 Sep  9 13:53 .
> drwxr-xr-x  8 root  wheel    1536 Sep  9 13:54 ..
> -r-xr-sr-x  1 root  25     581728 Aug 14 14:21 sendmail
>
> Should sendmail be group setuid? Should it be group 25? What is group 25?
Yes, yes, and the line in /etc/groups should be "smmsp:*:25:"

--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Thu Sep 12 7:53:24 2002
Date: Thu, 12 Sep 2002 10:53:07 -0400
From: dfolkins
Cc: freebsd-security@FreeBSD.ORG
Subject: ipfw, natd, and keep-state - strange behavior?
Message-id: <00ac01c25a6c$1b34fb20$0a00a8c0@groovy3xp>
References: <20020911105418.F32908-100000@doos.cluecentral.net>

Hi,

Pretty sure that this is appropriate for -security, but if it is not, I apologize in advance.

I have a fbsd 4.6 router box sitting between a local net (192.168.0) and a single actual IP from a cable modem.
Naturally, I've set up NAT and ipfw on it, but instead of going the old way with the semi-stateful rules I decided to go with keep-state/check-state. But problems arise with outgoing ssh connections. Here is the relevant portion of my ipfw rules:

#set up NAT
${fwcmd} add 00050 divert natd all from any to any via ${oif}

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$fwcmd add 00200 check-state

# Run all private LAN $iif packet traffic through the dynamic rules
# table so the IP addresses are in sync with natd.
$fwcmd add 00220 allow all from any to any via $iif keep-state

# Deny all fragments as bogus packets
$fwcmd add 00240 deny log all from any to any frag in via $oif

# Deny ACK packets that did not match the dynamic rule table
$fwcmd add 00260 deny log tcp from any to any established in via $oif

# Allow out ssh connections
$fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state

Seems like this should work. Initiating an ssh connection with an external host, and checking the dynamic rules (ipfw -ad list), the following two rules are generated:

00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106 <-> {external host ip} 22
00640 26  2130 (T 19, slot 166) <-> tcp, {my external ip} 3106 <-> {external host ip} 22

The rule for my external IP, though, only gets the lifetime value from the syn_lifetime sysctl var, which is 20 seconds, and only the first rule apparently gets the ACKs through it and gets a 600 sec lifetime that is set in ack_lifetime. Any other packets sent through the connection reset the lifetime of the above two rules to 600 and 20 again. This would not trouble me otherwise, but as soon as the second rule (20 sec) expires, the ssh connection dies.

When I remove the word "setup" from rule 640, though, the ssh connection does not die.
The same two dynamic rules are created, with the same lifetimes, but when the short-lived rule expires the connection is still there; upon sending any data through it the short-lived rule does not get recreated. I am kinda stumped here.

Any ideas? What's wrong with my rules? Any help would be appreciated.

--
df

From owner-freebsd-security Thu Sep 12 8: 8: 3 2002
Date: Thu, 12 Sep 2002 17:13:10 +0000
From: Pierre-Olivier Fur
To: dfolkins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <3D80CB26.5080304@teamlog.com>
References: <20020911105418.F32908-100000@doos.cluecentral.net> <00ac01c25a6c$1b34fb20$0a00a8c0@groovy3xp>

To me you should try ipf/ipnat, it's much easier, more efficient and much more stateful ;) In a few words it's the best. Once you try it, you never leave it...
Good luck with ipfw ;)

dfolkins wrote:

> hi,
> pretty sure that this is appropriate for -security, but if it is not, i
> apologize in advance.
>
> i have a fbsd 4.6 router box sitting between a local net (192.168.0) and a
> single actual ip from a cable modem. naturally, ive set up nat and ipfw on
> it, but instead of going the old way with the semi-stateful rules i decided
> to go with keep-state/check-state. but problems arise with outgoing ssh
> connections. here is the relevant portion of my ipfw rules:
>
> #set up NAT
> ${fwcmd} add 00050 divert natd all from any to any via ${oif}
>
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> $fwcmd add 00200 check-state
>
> # Run all private LAN $iif packet traffic through the dynamic rules
> # table so the IP addresses are in sync with natd.
> $fwcmd add 00220 allow all from any to any via $iif keep-state
>
> # Deny all fragments as bogus packets
> $fwcmd add 00240 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $fwcmd add 00260 deny log tcp from any to any established in via $oif
>
> # Allow out ssh connections
> $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
>
> seems like this should work. initiating an ssh connection with an external
> host, and checking the dynamic rules (ipfw -ad list), the following two
> rules are generated:
>
> 00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106 <-> {external host ip} 22
> 00640 26  2130 (T 19, slot 166) <-> tcp, {my external ip} 3106 <-> {external host ip} 22
>
> the rule for my external ip, though, only gets the lifetime value from the
> syn_lifetime sysctl var, which is 20 seconds, and only the first rule
> apparently gets the acks through it and gets a 600sec lifetime that is set
> in ack_lifetime.
> any other packets sent through the connection reset the
> lifetime of the above two rules to 600 and 20 again. this would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
>
> when i remove the word "setup" from rule 640, though, the ssh connection does
> not die. the same two dynamic rules are created, with the same lifetimes,
> but when the short-lived rule expires the connection is still there; upon
> sending any data through it the short-lived rule does not get recreated. i
> am kinda stumped here.
>
> any ideas? what's wrong with my rules? any help would be appreciated.
>
> --
> df

From owner-freebsd-security Thu Sep 12 8:11:29 2002
Date: Thu, 12 Sep 2002 11:10:46 -0400
From: dfolkins
Subject: Re: ipfw, natd, and keep-state - strange behavior?
To: freebsd-security@FreeBSD.ORG
Message-id: <00d501c25a6e$92582db0$0a00a8c0@groovy3xp>
References: <200209121456.g8CEuIVp012004@bunrab.catwhisker.org>

Well, of course that would work, but the regular tcpflags ack rules are less restrictive, i.e. they tend to allow all ACK packets through, which opens doors for ACK-tunneling trojans, not to mention ACK packet DDoS. That's why I wanted to make all rules keep-state. And besides, keep-state is _cool_. :)

----- Original Message -----
From: "David Wolfskill"
To:
Sent: Thursday, September 12, 2002 10:56 AM
Subject: Re: ipfw, natd, and keep-state - strange behavior?

> What I did was use the stateful stuff (only) for UDP; for TCP, I used
> the "established" flag. And I haven't seen the problems you report.
>
> Cheers,
> david
> --
> David H. Wolfskill david@catwhisker.org
> To paraphrase David Hilbert, there can be no conflicts between the
> discipline of systems administration and Microsoft, since they have
> nothing in common.
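The ruleset in dfolkins's first message diverts through natd at rule 50 in both directions, and a packet re-injected by natd resumes at the rule after the divert. An outbound packet is therefore already translated to the external address when it reaches rule 640, whose `setup keep-state` records a state entry keyed on that address; the replies are translated back to 192.168.0.10 before they reach check-state and so refresh only the rule 220 entry. The rule 640 entry never sees the return half of the handshake, stays at syn_lifetime and expires, after which a translated outbound data packet matches neither check-state nor a `setup` rule. The stateful NAT layout in the FreeBSD Handbook avoids this by diverting inbound packets only, ahead of check-state, and by sending outbound keep-state matches with skipto to a late outbound divert, so every state entry is keyed on the untranslated inside address and each session has exactly one. The script below is an added example of that layout, written for this page and not code from any message in the thread; the interface names xl0/xl1, the outbound service list, the FWCMD/PIF/LIF overrides and the sample `ipfw -d list` lines that exercise the diagnostic function are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw + natd with keep-state, laid out
# so that dynamic state is always keyed on the untranslated inside address.
# Assumptions: xl0 is the public interface, xl1 the LAN, natd is already
# listening on the divert port. FWCMD=echo prints the rules instead of
# loading them (the dry run used by `show` and by the test).
pif="${PIF:-xl0}"                 # public (NAT) interface, assumed name
lif="${LIF:-xl1}"                 # LAN interface, assumed name
fwcmd="${FWCMD:-/sbin/ipfw -q}"
good_tcp_out="${GOOD_TCP_OUT:-22,25,53,80,443}"   # TCP ports the LAN may reach

load_rules() {
    $fwcmd -f flush

    # LAN side and loopback carry no state; state is created only where a
    # packet leaves via the public interface, and only before natd sees it.
    $fwcmd add 00002 allow ip from any to any via "$lif"
    $fwcmd add 00003 allow ip from any to any via lo0

    # Inbound only: undo NAT first, so replies carry the inside address and
    # match the state the outbound rules recorded.
    $fwcmd add 00100 divert natd ip from any to any in via "$pif"
    $fwcmd add 00101 check-state

    # Outbound: record state on the untranslated packet, then jump straight
    # to the outbound divert so the translated packet is not re-evaluated
    # and no second, short-lived state entry is ever created.
    $fwcmd add 00120 skipto 500 udp from any to any 53 out via "$pif" keep-state
    $fwcmd add 00125 skipto 500 tcp from any to any "$good_tcp_out" out via "$pif" setup keep-state
    $fwcmd add 00130 skipto 500 icmp from any to any out via "$pif" keep-state

    # Anti-spoofing on the public interface.
    $fwcmd add 00300 deny ip from 192.168.0.0/16 to any in via "$pif"
    $fwcmd add 00301 deny ip from 172.16.0.0/12 to any in via "$pif"
    $fwcmd add 00302 deny ip from 10.0.0.0/8 to any in via "$pif"
    $fwcmd add 00303 deny ip from 127.0.0.0/8 to any in via "$pif"

    # Unsolicited inbound traffic: fragments, stray ACKs, everything else.
    $fwcmd add 00310 deny log ip from any to any frag in via "$pif"
    $fwcmd add 00320 deny log tcp from any to any established in via "$pif"
    $fwcmd add 00450 deny log ip from any to any

    # skipto target: translate outbound packets and let them go. Replies
    # matched by check-state inherit the parent skipto, miss the "out"
    # divert and are allowed here too.
    $fwcmd add 00500 divert natd ip from any to any out via "$pif"
    $fwcmd add 00510 allow ip from any to any
}

# Diagnostic: read `ipfw -d list` output on stdin and print every session
# (proto, local port, remote addr:port) that has more than one dynamic entry,
# i.e. one keyed on the inside address and one on the translated address.
# With the layout above the output should be empty.
double_tracked_sessions() {
    awk '
        /<->/ {
            gsub(/<->/, " <-> "); gsub(/,/, " ")
            for (i = 1; i <= NF; i++) if ($i == "<->") break
            key = $(i+1) " " $(i+3) " -> " $(i+5) ":" $(i+6)
            if (!(key in seen) || index(seen[key], $(i+2)) == 0) {
                seen[key] = seen[key] " " $(i+2); n[key]++
            }
        }
        END { for (k in n) if (n[k] > 1) print k ":" seen[k] }
    '
}

case "${1:-}" in
    load) load_rules ;;
    show) fwcmd=echo; load_rules ;;
esac
```

`sh nat-stateful.sh show` prints the rules, `load` installs them. After opening an ssh session, `ipfw -d list | sh -c '. ./nat-stateful.sh; double_tracked_sessions'` reports the port 22 session twice under the original ruleset (once for 192.168.0.10, once for the translated address) and nothing under this one.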
From owner-freebsd-security Thu Sep 12 8:55:56 2002
Date: Thu, 12 Sep 2002 17:53:44 +0000
From: Pierre-Olivier Fur
To: dfolkins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <3D80D4A8.5040106@teamlog.com>
References: <200209121456.g8CEuIVp012004@bunrab.catwhisker.org> <00d501c25a6e$92582db0$0a00a8c0@groovy3xp>

I agree dfolkins, stateful packet filtering is really cool :) and having stateful and stateless enabled at the same time like David is not useful. I have nothing against ipfw because it's FreeBSD made, but if you really want to use stateful packet filtering at its best I recommend you use a native stateful packet filter.

dfolkins wrote:

> well, of course that would work, but the regular tcpflags ack rules are less
> restrictive. i.e.
> they tend to allow all ack packets through, which opens
> doors for ack-tunneling trojans, not to mention ack packet ddos. that's why
> i wanted to make all rules keep-state. and besides, keep-state is _cool_.
> :)
> ----- Original Message -----
> From: "David Wolfskill"
> To:
> Sent: Thursday, September 12, 2002 10:56 AM
> Subject: Re: ipfw, natd, and keep-state - strange behavior?
>
>> What I did was use the stateful stuff (only) for UDP; for TCP, I used
>> the "established" flag. And I haven't seen the problems you report.
>>
>> Cheers,
>> david
>> --
>> David H. Wolfskill david@catwhisker.org
>> To paraphrase David Hilbert, there can be no conflicts between the
>> discipline of systems administration and Microsoft, since they have
>> nothing in common.

From owner-freebsd-security Thu Sep 12 9:12:25 2002
Date: Thu, 12 Sep 2002 17:09:50 +0100
From: Bruce M Simpson
To: hackers@freebsd.org, des@freebsd.org, imp@freebsd.org
Cc: freebsd-users@uk.freebsd.org, freebsd-security@freebsd.org, dan@langille.org
Subject: ISO7816 Smartcard Support for FreeBSD
Message-ID: <20020912160950.GK2420@spc.org>
All,

This is just to call your attention to a bunch of ports I've made and tested over the past few weeks which I've just submitted to support ISO 7816 Smartcards on FreeBSD. I would be grateful if ports committers and security people could review and let me know of any feedback you might have, or problems you find.

Not all of the ports have undergone thorough testing - this is because I'm still working on a bug in the gprsc driver for my PCMCIA reader. Nevertheless I thought I should press on and allow other people to benefit from the work.

Over the following weeks I hope to get OpenSC storing keys on Gemplus GPK4000 series smart cards and working happily with the OpenSSH port. Once this work has been completed, we can make an informed decision as to whether or not to incorporate this in base.

The ports are as follows:

devel/ifd-devkit
devel/ifd-test
devel/p5-PCSC-Card
security/ifd-gpr400
security/libsectok_pcsc
security/opensc
security/sectok
security/pcsc-tools

These build on and expand from the existing devel/pcsc-lite port.

Ports committers, please see the following PRs:

ports/42694
ports/42695
ports/42696
ports/42697
ports/42698

et al.
Many thanks
BMS

From owner-freebsd-security Thu Sep 12 10: 0:58 2002
Date: Thu, 12 Sep 2002 13:00:30 -0400
From: Chuck Swiger
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-Id: <24EBAED8-C671-11D6-90D4-000A27D85A7E@mac.com>
In-Reply-To: <3D80D4A8.5040106@teamlog.com>

On Thursday, September 12, 2002, at 01:53 PM, Pierre-Olivier Fur wrote:
> I agree dfolkins stateful packet filtering is really cool :) and having
> stateful and stateless enabled at the same time like David is not useful.
> I have nothing against ipfw because it's FreeBSD made, but if you really
> want to use stateful packet filtering at its best I recommend you use
> a native stateful packet filter.

Let me note that the whole intent of dynamic filtering is to permit return connections only in response to internal requests, and it presumes that such connections are somehow "safer". I'm not so confident about that assumption as some people seem to be.

Frankly, I'd prefer to use static rules with aggressive ingress *and* egress filtering, which also avoids the DoS potential involved with overflowing the number of dynamic connections permitted by a given system, thus causing the stateful firewall to lose track of older legitimate connections. (*)

Excluding TCP sequence-# based attacks, a static rule forbidding new external connections (ie, with the SYN bit set and ACK clear) to any but explicitly permitted services gives you about the same level of security without the overhead of dynamic firewall rules. YMMV, but in practice it seems to be fairly hard to perform a man-in-the-middle attack when you can't see any of the internal traffic, source routing is blocked, and internal addresses aren't permitted inbound (ie, anti-spoofing). Besides, most of the servers I deal with support RFC-1918 sequence # generation.

-Chuck

PS: If you're using NAT, of course, you're already using stateful connections.

Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts is to ignore them."
-Celia Green

From owner-freebsd-security Thu Sep 12 10:17:18 2002
Date: Thu, 12 Sep 2002 13:16:59 -0400
From: dfolkins
Subject: Re: ipfw, natd, and keep-state - strange behavior?
To: freebsd-security@FreeBSD.ORG
Message-id: <001401c25a80$346cbb50$0a00a8c0@groovy3xp>
References: <24EBAED8-C671-11D6-90D4-000A27D85A7E@mac.com>

From: "Chuck Swiger"
> On Thursday, September 12, 2002, at 01:53 PM, Pierre-Olivier Fur wrote:
> > I agree dfolkins stateful packet filtering is really cool :) and having
> > stateful and stateless enabled at the same time like David is not useful.
> > I have nothing against ipfw because it's FreeBSD made, but if you really
> > want to use stateful packet filtering at its best I recommend you use
> > a native stateful packet filter.
>
> Let me note that the whole intent of dynamic filtering is to permit return
> connections only in response to internal requests, and it presumes that
> such connections are somehow "safer". I'm not so confident about that
> assumption as some people seem to be.

How's that? Could you please elaborate?

> Frankly, I'd prefer to use static rules with aggressive ingress *and*
> egress filtering,

But won't that actually result in an overly permissive firewall? E.g., if you want to allow outgoing http connections, you have to allow packets from any external server port 80 to a whole bunch of tcp ports on internal IPs, which would allow anyone to send you packets from port 80, and they won't be dropped by the firewall. Whereas in the stateful case all you have to do is allow tcp out from any to any 80 keep-state setup, and in this case the dynamic rules would open specific holes in the firewall for just that particular response to an http connection request?

> which also avoids the DoS potential involved with
> overflowing the number of dynamic connections permitted by a given system,
> thus causing the stateful firewall to lose track of older legitimate
> connections. (*)

True, there is that, but having a short enough syn_, udp_ and short_ lifetime, and a high enough number of allowed dyn rules would be pretty safe, no? Also, I think you forgot to add the footnote that you implied would be forthcoming by the (*). :)

> Excluding TCP sequence-# based attacks, a static rule forbidding new
> external connections (ie, with the SYN bit set and ACK clear) to any but
> explicitly permitted services gives you about the same level of security
> without the overhead of dynamic firewall rules.
> YMMV, but in practice it
> seems to be fairly hard to perform a man-in-the-middle attack when you
> can't see any of the internal traffic, source routing is blocked, and internal
> addresses aren't permitted inbound (ie, anti-spoofing).

Well, it is not so much for the _incoming_ services that stateful rulesets are useful, but for the outgoing ones. I agree with you that for incoming services it does not seem to matter much if you use stateful rules. But as you may remember from my original inquiry about firewall rules, I was trying to allow _outgoing_ ssh connections, not incoming ones.

--
dfolkins

From owner-freebsd-security Thu Sep 12 11:10: 4 2002
Date: Thu, 12 Sep 2002 14:10:27 -0400
From: Mike Tancsa
To: security@freebsd.org
Subject: Creating an IPSEC tunnel between a netopia 910 and FreeBSD (FAQ submission)
Message-Id: <5.1.1.6.0.20020912114230.01f2aba0@marble.sentex.ca>
Again, I saw this question asked in my searches through google and mention of it on the vendor website, but I had not seen the answer.

Question: How do I set up a netopia 910R router to do an IPSEC ESP tunnel to a FreeBSD box?

An Answer:

I was a little disappointed with the throughput results, but nevertheless it does work. My setup was as follows:

workstation------910R----........---FreeBSDIPSec----workstation
172.16.0.1/24    96.0.0.1           1.1.1.1          10.0.0.2/24
                 172.16.0.2/24      10.0.0.1/24

Note, with this setup, I was only able to get 180Kbps using DES and under 100Kbps using 3des as the netopia maxed out its little CPU. I called netopia support and spoke with a Ben. He tried 2 units back to back and got roughly the same numbers, so that does seem to be the limiting factor.

Anyways, the setup. On the netopia, go to the quick menus:

IKE Phase 1 config
  Add IKE profile
  Call it FreeBSDIKE
  Mode = main
  Auth method = Shared Sec. with the key faqdemo
  enc = des, Hash = md5, Group 2
  Under Advanced:
    Negotiation = normal, SA = Newest, Allow Dangling = Yes, Phase 1 SA Lifetime = 28000,
    Send Initial Contact Message: Yes, Include Vendor ID Payload: Yes,
    Independent Phase 2 Re-keys: Yes, Strict Port Policy: No

Back up to the quick menu:

Add Connection Profile
  Profile name = FreeBSD
  Profile enable = Yes
  Encaps = IPSEC
  Go to Encaps options:
    Key management = IKE
    IKE Phase 1 Profile: choose the one you created before (FreeBSDIKE)
    Encaps = ESP
    ESP Transform = DES
    ESP Authtransform = HMAC-MD5-96
  Up one level and down to IP Profile Params:
    Remote Tunnel Endpoint: 1.1.1.1
    Remote Member Format... Subnet
    Remote Member Address: 10.0.0.0
    Remote Member Mask: 255.255.255.0
    Local Member Format... Subnet
    Local Member Address: 172.16.0.0
    Local Member Mask: 255.255.255.0
    Address Translation Enabled: No
    Filter Set... <>
    Remove Filter Set
    NetBIOS Proxy Enabled: No

On the FreeBSD side of things,

setkey -F
setkey -FP
setkey -c <

Date: Thu, 12 Sep 2002 12:45:49 -0700 (PDT)
From: Mike
To: dfolkins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-Reply-To: <00ac01c25a6c$1b34fb20$0a00a8c0@groovy3xp>
Message-ID: <20020912124432.F98133-100000@fubar.adept.org>

On Thu, 12 Sep 2002, dfolkins wrote:

> lifetime of the above two rules to 600 and 20 again. this would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
Apply these, http://www.aarongifford.com/computers/ipfwpatch.html

Later,
-Mike

From owner-freebsd-security Thu Sep 12 14:30:35 2002
Date: Thu, 12 Sep 2002 17:30:26 -0400
From: Chuck Swiger
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-Reply-To: <001401c25a80$346cbb50$0a00a8c0@groovy3xp>

On Thursday, September 12, 2002, at 01:16 PM, dfolkins wrote:
> From: "Chuck Swiger" :
[ ... ]
>> Let me note that the whole intent of dynamic filtering is to permit
>> return
>> connections only in response to internal requests, and it presumes that
>> such connections are somehow "safer". I'm not so confident about that
>> assumption as some people seem to be.
>
> how's that? could you please elaborate?

Sure. What happens if a local user opens a connection to a popular site which has been trojaned or redirected to malware via DNS hijacking? The fact that you're using dynamic filtering doesn't help a bit when the originating connection was local.

>> Frankly, I'd prefer to use static rules with aggressive ingress *and*
>> egress filtering,
>
> but won't that actually result in an overly permissive firewall? e.g., if
> you want to allow outgoing http connections, you have to allow packets
> from
> any external server port 80 to a whole bunch of tcp ports on internal ips.

Nope. While I prefer to use a proxy to centralize web access to the outside via my interior firewall, you can also do something like:

add pass tcp from $INET $HIPORTS to any 80,443
add pass tcp from any 80,443 to $INET $HIPORTS established

Without performing the TCP 3-way startup (starting with a packet with SYN=1 and ACK=0), the TCP sequence numbers won't match and the client being scanned from some random external IP will simply drop the invalid connection attempt.

>> which also avoids the DoS potential involved with
>> overflowing the number of dynamic connections permitted by a given
>> system,
>> thus causing the stateful firewall to lose track of older legitimate
>> connections. (*)
>
> true, there is that, but having a short enough syn_ udp_ and short_
> lifetime, and high enough number of allowed dyn rules would be pretty
> safe,
> no?

Not that I have seen, although I've never had a firewall which could do syncookies hit by a DoS. Without that, denial-of-service attacks can pretty easily overflow the connection database, thus causing all pre-existing connections to drop and making creating new connections problematic, and that was as true of a firewall on a multihomed x86 box running FreeBSD 4.1 (now 4.5) as it was of Cisco hardware running IOS.

> also, i think you forgot to add the footnote that you implied would be
> forthcoming by the (*).

Sort of-- my PostScript ("PS:") was the footnote, but I wasn't consistent in labelling it as such. :-)

[ ... ]

> but as you may remember in my original inquiry about firewall rules, i was
> trying to allow _outgoing_ ssh connections, not incoming ones.

Ok. Here are the equivalent static rules:

allow tcp from $INET to any 22 setup
allow tcp from any 22 to $INET established

-Chuck

Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts
 is to ignore them."
                                                        -Celia Green

From owner-freebsd-security Thu Sep 12 14:40:34 2002
Date: Thu, 12 Sep 2002 17:40:27 -0400
From: Chuck Swiger
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-Id: <40991368-C698-11D6-90D4-000A27D85A7E@mac.com>

On Thursday, September 12, 2002, at 05:30 PM, Chuck Swiger wrote:
> Ok.
> Here are the equivalent static rules:
>
> allow tcp from $INET to any 22 setup
> allow tcp from any 22 to $INET established

Either remove the "setup" keyword, or add the "log" keyword to the first line and add this rule as well:

allow tcp from $INET to any 22 established

...depending on whether or not you want to log SSH connections.

-Chuck

From owner-freebsd-security Thu Sep 12 14:50:31 2002
Date: Thu, 12 Sep 2002 14:50:18 -0700 (PDT)
From: Jason Stone
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <20020912144554.L3276-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > but won't that actually result in an overly permissive firewall? e.g., if
> > you want to allow outgoing http connections, you have to allow packets
> > from
> > any external server port 80 to a whole bunch of tcp ports on internal ips.
>
> Nope. While I prefer to use a proxy to centralize web access to the
> outside via my interior firewall, you can also do something like:
>
> add pass tcp from $INET $HIPORTS to any 80,443
> add pass tcp from any 80,443 to $INET $HIPORTS established
>
> Without performing the TCP 3-way startup (starting with a packet with
> SYN=1 and ACK=0), the TCP sequence numbers won't match and the client being
> scanned from some random external IP will simply drop the invalid
> connection attempt.

Yes, unless of course the client has a broken tcp stack (think teardrop).

Having the firewall permit such packets and counting on the client to correctly discard them is probably a bad idea - after all, if you trust the clients to run a properly configured and non-broken OS, why have a firewall at all? Packets that the client is just going to discard anyway should certainly be discarded by the firewall, and this is exactly what the keep-state/check-state rules do for you.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
                                                        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE9gQwbswXMWWtptckRAkdHAKDgeWgGuPUEVqfsydsRRCOQ4Y2OZgCbBijU
d/+GbAPNtjYpXh9XMbXkR2w=
=qcl5
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Sep 12 15:15:07 2002
Date: Thu, 12 Sep 2002 18:14:57 -0400
From: Chuck Swiger
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-Reply-To: <20020912144554.L3276-100000@walter>
Message-Id: <12908E71-C69D-11D6-90D4-000A27D85A7E@mac.com>

On Thursday, September 12, 2002, at 05:50 PM, Jason Stone wrote:
>> Nope. While I prefer to use a proxy to centralize web access to the
>> outside via my interior firewall, you can also do something like:
>>
>> add pass tcp from $INET $HIPORTS to any 80,443
>> add pass tcp from any 80,443 to $INET $HIPORTS established
>>
>> Without performing the TCP 3-way startup (starting with a packet with
>> SYN=1 and ACK=0), the TCP sequence numbers won't match and the client being
>> scanned from some random external IP will simply drop the invalid
>> connection attempt.
>
> Yes, unless of course the client has a broken tcp stack (think teardrop).
>
> Having the firewall permit such packets and counting on the client to
> correctly discard them is probably a bad idea - after all, if you trust
> the clients to run a properly configured and non-broken OS, why have a
> firewall at all?

Defense in depth. I attempt to configure client machines to be secure as if there was no firewall at all. So, if the firewall or the rules have bugs, or if someone routes around the firewall via a modem (or wireless, etc), you still have some level of internal security available as well.

> Packets that the client is just going to discard anyway should certainly
> be discarded by the firewall, and this is exactly what the
> keep-state/check-state rules do for you.

What happens if the packets don't go through the dynamic firewall? Or are sent in response to an internal request and dynamically permitted through?
Why would someone make a request to a bad site? Well, has anyone ever received spam email which contained hyperlinks? Even if you don't use a MUA which automatically downloads links yourself, lots of people do.

People using dynamic firewalls tend to not pay much attention to egress filtering. Presuming that you should permit responses to internal requests because internally-initiated requests are supposed to be "safer" is an assumption that I question.

-Chuck

From owner-freebsd-security Thu Sep 12 15:42:17 2002
Date: Thu, 12 Sep 2002 15:42:11 -0700 (PDT)
From: Jason Stone
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-Reply-To: <12908E71-C69D-11D6-90D4-000A27D85A7E@mac.com>
Message-ID: <20020912152423.M3276-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > Having the firewall permit such packets and counting on the client to
> > correctly discard them is probably a bad idea - after all, if you trust
> > the clients to run a properly configured and non-broken OS, why have a
> > firewall at all?
>
> Defense in depth.

Yes, that's exactly my point - you are advocating that we have the firewall permit more than we need to and trust the clients. I'm saying that of course you try to do as good a job securing the clients as you can, but you also have the firewall be as restrictive as possible so that you're trusting the clients as little as possible.

> What happens if the packets don't go through the dynamic firewall? Or
> are sent in response to an internal request and dynamically permitted
> through?

> Presuming that you should permit responses to internal requests because
> internally-initiated requests are supposed to be "safer" is an assumption
> that I question.

We are not presuming anything of the kind - obviously, any packets that you mean to deny you set up deny rules for. We are talking about a situation where you want to allow a particular outbound service. With your ruleset, you are allowing packets back into the internal network that should never be allowed in there. With a ruleset that involves keep/check-state, you have the same semantics in terms of what you mean to allow, but you deny more packets that shouldn't be allowed. And if you're only setting keep-state on the rules allowing the outbound setup packets, you probably don't have to worry about DoS.
We're replacing:

  allow tcp from $INET to any 22 setup
  allow tcp from any 22 to $INET established

with

  check-state
  allow tcp from $INET to any 22 setup keep-state

-Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE9gRhDswXMWWtptckRArKuAJ9bV+AM72M0sKZj63IkGLmCTbI9UwCgqbiz
mqoMdw+4bj50uCVTFC4OTlw=
=I8Mr
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Sep 12 17:16:35 2002
Date: Fri, 13 Sep 2002 10:16:27 +1000
From: Mark.Andrews@isc.org
To: Jason Stone
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-reply-to: Your message of "Thu, 12 Sep 2002 15:42:11 MST." <20020912152423.M3276-100000@walter>
Message-Id: <200209130016.g8D0GRB5032397@drugs.dv.isc.org>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > > Having the firewall permit such packets and counting on the client to
> > > correctly discard them is probably a bad idea - after all, if you trust
> > > the clients to run a properly configured and non-broken OS, why have a
> > > firewall at all?
> >
> > Defense in depth.
>
> Yes, that's exactly my point - you are advocating that we have the
> firewall permit more than we need to and trust the clients. I'm saying
> that of course you try to do as good a job securing the clients as you
> can, but you also have the firewall be as restrictive as possible so that
> you're trusting the clients as little as possible.
>
> > What happens if the packets don't go through the dynamic firewall? Or
> > are sent in response to an internal request and dynamically permitted
> > through?
>
> > Presuming that you should permit responses to internal requests because
> > internally-initiated requests are supposed to be "safer" is an assumption
> > that I question.
>
> We are not presuming anything of the kind - obviously, any packets that
> you mean to deny you set up deny rules for. We are talking about
> a situation where you want to allow a particular outbound service. With
> your ruleset, you are allowing packets back into the internal network that
> should never be allowed in there. With a ruleset that involves
> keep/check-state, you have the same semantics in terms of what you mean to
> allow, but you deny more packets that shouldn't be allowed. And if you're
> only setting keep-state on the rules allowing the outbound setup packets,
> you probably don't have to worry about DoS.
>
> We're replacing:
>
> allow tcp from $INET to any 22 setup
> allow tcp from any 22 to $INET established
>
> with
>
> check-state
> allow tcp from $INET to any 22 setup keep-state
>
> -Jason

Note: keep-state works well with protocols that are chatty. 'ssh' is not chatty. You need to adjust the timeouts to support ssh, otherwise the rules will time out.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Thu Sep 12 19:38:38 2002
Date: Thu, 12 Sep 2002 21:36:27 -0500
From: "Jeffrey J. Mountin"
To: Jason Stone,
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-Reply-To: <20020912152423.M3276-100000@walter>
References: <12908E71-C69D-11D6-90D4-000A27D85A7E@mac.com>
Message-Id: <4.3.2.20020912211509.02e4cb20@207.227.119.2>

At 03:42 PM 9/12/02 -0700, Jason Stone wrote:
> > > Having the firewall permit such packets and counting on the client to
> > > correctly discard them is probably a bad idea - after all, if you trust
> > > the clients to run a properly configured and non-broken OS, why have a
> > > firewall at all?
> >
> > Defense in depth.
>
> Yes, that's exactly my point - you are advocating that we have the
> firewall permit more than we need to and trust the clients. I'm saying
> that of course you try to do as good a job securing the clients as you
> can, but you also have the firewall be as restrictive as possible so that
> you're trusting the clients as little as possible.

> We are not presuming anything of the kind - obviously, any packets that
> you mean to deny you set up deny rules for. We are talking about
> a situation where you want to allow a particular outbound service. With
> your ruleset, you are allowing packets back into the internal network that
> should never be allowed in there. With a ruleset that involves
> keep/check-state, you have the same semantics in terms of what you mean to
> allow, but you deny more packets that shouldn't be allowed. And if you're
> only setting keep-state on the rules allowing the outbound setup packets,
> you probably don't have to worry about DoS.

Right. One can DOS a stateful firewall if any inbound connections are allowed. This is something to consider when making the choice. Also if you alter the timeouts, which should be just long enough for normal operation with some extra for sanity's sake.
Once the limit of stateful rules is reached there should be some sort of clean-up to reduce the impact on legitimate connections. Not sure if IPFW or IPFilter do this, but Cisco's PIX handles this by killing off embryonic connections (ie SYN flood).

> We're replacing:
>
> allow tcp from $INET to any 22 setup
> allow tcp from any 22 to $INET established
>
> with
>
> check-state
> allow tcp from $INET to any 22 setup keep-state

Should add in the deny and log for established packets. Rather than unconditionally allow them we can now check them and determine if they are due to an incomplete rule set caused by outbound connections or something less benign. Unless you just want protection.

For those doing stateless filtering the idea of only allowing established connections for ports that are opened, rather than a blanket allow, is a good idea. Open the door just enough and no more. That is the whole point of stateful rules.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Thu Sep 12 19:53:00 2002
Date: Fri, 13 Sep 2002 12:52:50 +1000 (Australia/ACT)
From: Darren Reed
To: jeff-ml@mountin.net (Jeffrey J. Mountin)
Cc: jason-fbsd-security@shalott.net (Jason Stone), freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-Reply-To: <4.3.2.20020912211509.02e4cb20@207.227.119.2> from "Jeffrey J. Mountin" at Sep 12, 2002 09:36:27 PM
Message-Id: <200209130252.MAA24453@caligula.anu.edu.au>

In some mail from Jeffrey J. Mountin, sie said:
[...]
> > We are not presuming anything of the kind - obviously, any packets that
> > you mean to deny you set up deny rules for. We are talking about
> > a situation where you want to allow a particular outbound service. With
> > your ruleset, you are allowing packets back into the internal network that
> > should never be allowed in there. With a ruleset that involves
> > keep/check-state, you have the same semantics in terms of what you mean to
> > allow, but you deny more packets that shouldn't be allowed. And if you're
> > only setting keep-state on the rules allowing the outbound setup packets,
> > you probably don't have to worry about DoS.
>
> Right. One can DOS a stateful firewall if any inbound connections are
> allowed. This is something to consider when making the choice. Also if
> you alter the timeouts, which should be just long enough for normal
> operation with some extra for sanity's sake. Once the limit of stateful
> rules is reached there should be some sort of clean-up to reduce the impact
> on legitimate connections. Not sure if IPFW or IPFilter do this, but
> Cisco's PIX handles this by killing off embryonic connections (ie SYN flood).

IPFilter does go looking for "low hanging fruit" to get rid of when it notices that the limit of stateful sessions has been reached.
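The two rulesets argued over in this thread, modelled as an added example (editor's code, not anything posted by Chuck, Jason, Mark, Jeff or Darren): Chuck's static setup/established rules, including the extra outbound established rule from his follow-up, beside Jason's check-state / setup keep-state replacement, both run over a constructed packet trace. It shows the unsolicited ACK-from-port-22 packet that the static established rule passes on to the host while the dynamic rule drops it, that an inbound SYN creates no state under the keep-state ruleset (Jason's point about DoS), and Mark's caveat that an idle ssh session outlives a short ack lifetime. The network 192.168.0.0/24 standing in for $INET, the lifetime values, the state-table limit and the drop-when-full behaviour are this example's own assumptions, not a description of ipfw internals.

```python
"""Model of the two ipfw rulesets from the thread: static "established"
rules versus check-state / keep-state with lifetimes (added example; a
simplification for illustration, not ipfw's actual implementation)."""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def internal(ip: str) -> bool:
    """The inside network the thread calls $INET; assumed to be 192.168.0.0/24 here."""
    return ip.startswith("192.168.0.")


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear, the first packet of a handshake."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set; it never checks that a handshake happened."""
    return bool(p.flags & (ACK | RST))


def static_filter(p: Packet) -> str:
    """Chuck's static rules, plus the third one from his follow-up; default deny."""
    if internal(p.src) and p.dport == 22 and is_setup(p):
        return "allow"   # allow tcp from $INET to any 22 setup
    if p.sport == 22 and internal(p.dst) and is_established(p):
        return "allow"   # allow tcp from any 22 to $INET established
    if internal(p.src) and p.dport == 22 and is_established(p):
        return "allow"   # allow tcp from $INET to any 22 established
    return "deny"


class StatefulFilter:
    """check-state; allow tcp from $INET to any 22 setup keep-state; default deny."""

    def __init__(self, syn_lifetime=20.0, ack_lifetime=300.0, dyn_max=1000):
        # Names follow the net.inet.ip.fw.dyn_* sysctls dfolkins mentions; the
        # values are this example's assumptions, not a statement of defaults.
        self.syn_lifetime = syn_lifetime
        self.ack_lifetime = ack_lifetime
        self.dyn_max = dyn_max
        self.states = {}  # (inside ip, port, outside ip, port) -> [phase, expires_at]

    @staticmethod
    def key(p: Packet):
        """Normalise so both directions of one connection map to one entry."""
        if internal(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        # Dynamic rules that saw no traffic within their lifetime are gone.
        self.states = {k: v for k, v in self.states.items() if v[1] > p.t}
        st = self.states.get(self.key(p))
        if st is not None:                                  # check-state
            if st[0] == "syn" and (p.flags & SYN) and (p.flags & ACK):
                st[0] = "established"                       # peer answered
            lifetime = self.ack_lifetime if st[0] == "established" else self.syn_lifetime
            st[1] = p.t + lifetime
            return "allow"
        if internal(p.src) and p.dport == 22 and is_setup(p):  # setup keep-state
            if len(self.states) >= self.dyn_max:
                return "deny"  # assumption: no room for a new dynamic rule, so drop
            self.states[self.key(p)] = ["syn", p.t + self.syn_lifetime]
            return "allow"
        return "deny"


# Constructed trace: one outbound ssh session, two unsolicited inbound packets,
# then a data packet after the session sat idle longer than ack_lifetime.
TRACE = [
    Packet(0.0,   "192.168.0.10", 40001, "203.0.113.5",  22,    SYN),        # 0 outbound setup
    Packet(0.1,   "203.0.113.5",  22,    "192.168.0.10", 40001, SYN | ACK),  # 1 server answers
    Packet(0.2,   "192.168.0.10", 40001, "203.0.113.5",  22,    ACK),        # 2 handshake done
    Packet(1.0,   "198.51.100.7", 22,    "192.168.0.10", 40002, ACK),        # 3 unsolicited, ACK set
    Packet(1.5,   "198.51.100.7", 4444,  "192.168.0.10", 22,    SYN),        # 4 unsolicited setup
    Packet(350.0, "203.0.113.5",  22,    "192.168.0.10", 40001, ACK),        # 5 ssh data after idle
]


def static_verdicts():
    return [static_filter(p) for p in TRACE]


def stateful_verdicts(ack_lifetime=300.0):
    f = StatefulFilter(ack_lifetime=ack_lifetime)
    return [f.evaluate(p) for p in TRACE]


if __name__ == "__main__":
    for i, (s, d) in enumerate(zip(static_verdicts(), stateful_verdicts())):
        print(f"packet {i}: static={s:5s} stateful={d}")
```

Running it prints one verdict pair per packet; the rows worth looking at are packet 3, where the static rule lets an unsolicited ACK through to the host and the dynamic rule drops it, and packet 5, where the idle session's dynamic rule has expired. Calling stateful_verdicts(ack_lifetime=600.0) lets packet 5 through again, which is the timeout adjustment Mark describes.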
Darren

From owner-freebsd-security Thu Sep 12 20:46:06 2002
Date: Thu, 12 Sep 2002 23:45:52 -0400
From: dfolkins
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
References: <20020912152423.M3276-100000@walter>
Message-id: <000a01c25ad8$0ee04610$0a00a8c0@groovy3xp>

now this is a very interesting discussion and all, but um, could someone take a look at what i posted originally and tell me why there is this rogue short-lived dynamic rule popping up and what i can do about it that does _not_ involve making non-stateful rules? pretty please? :) i would really appreciate it.

--
dfolkins

P.S. i have to say that i put my eggs in the stateful basket (as opposed to nonstateful). chuck's argument with respect to dyn-rule overflow dos is a valid one, but only if one allows stateful _incoming_ connections. overall stateful rules are more restrictive, and the argument of "what if you accidentally make an outgoing connection to an evil site" holds no water cuz it's just as bad with nonstateful rules. anyway, back to our scheduled program - why does the strange short-lived dynamic rule show up?

P.P.S. thank you mike for the aaron gifford link, those patches look pretty nice. but i already have a _workaround_ - i.e. remove "setup" from the outgoing stateful rule. i wanted to find out what was going on and why.

P.P.P.S. [wow, three of them!] switching to ipnat as per pierre's advice maybe is a good idea, but seems to involve lots of work. heh, maybe i will play with ipfw for a while longer. it's what i "grew up" with, after all. i can't just abandon it in its hour of need, can i? :)

From owner-freebsd-security Fri Sep 13 2:13:48 2002
Date: Fri, 13 Sep 2002 11:18:45 +0000
From: Pierre-Olivier Fur
Reply-To: pof@teamlog.com
Organization: Teamlog
Message-ID: <3D81C995.30407@teamlog.com>
en-us, en MIME-Version: 1.0 To: dfolkins Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw, natd, and keep-state - strange behavior? References: <20020912152423.M3276-100000@walter> <000a01c25ad8$0ee04610$0a00a8c0@groovy3xp> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org dfolkins wrote: > now this is a very interesting discussion and all, but um, could someone > take a look at what i posted originally and tell me why there is this rogue > short-lived dynamic rule popping up and what i can do about it that does > _not_ involve making non-stateful rules? pretty please? :) it would really > appreciate it. > > -- > dfolkins > > P.S. i have to say that i put my eggs in the stateful basket (as opposed to > nonstateful). chuck's argument with respect for dyn-rule overflow dos is a > valid one, but only if one allows stateful _incoming_ connections. overall > stateful rules are more restrictive, and the argument of "what if you > accidentally make an outgoing connection to an evil site" holds no water cuz > its just as bad with nonstateful rules. anyway, back to our scheduled > program - why does the strange short-lived dynamic rule show up? > > P.P.S. thank you mike for the aaron gifford link, those patches look pretty > nice. but i already have a _workaround_ - i.e. remove "setup" from the > outgoing stateful rule. i wanted to find out what was going on and why. > > P.P.P.S. [wow, three of them!] switching to ipnat as per pierres advice > maybe is a good idea, but seems to involve lots of work. heh, maybe i will > play with ipfw for a while longer. its what i "grew up" with, after all. i > can't just abandon it in its hour of need, can i? 
Yep u can, it will take you 5 minutes depending on the speed of your
hardware to remake your kernel with 3 more options. And maybe you'll take
an hour to get the rules syntax in your mind.

I used to have ipfw as a stateless packet filter for a long time but when I
first tried ipf I've never been back. In fact stateful packet filtering as
ipf provides it is a powerful tool for avoiding DOS and packets with bad
TCP flags. It means an ACK (or any other flag) not belonging to any
connection listed in the kernel table won't be authorised as it would be in
established mode. It also checks the TCP sequence number and the window of
packet transmitting. In terms of outgoing traffic you don't even need to
specify the re-incoming traffic, which is automatically recognized and
accepted by the filter.

The last point I will speak about is the difference between natd from the
ipfw suite, which is a standalone daemon, and ipnat, which is implemented
in the kernel; if it's more secure in terms of performance, it permits
faster forwarding of the packets on your internal network.
I hope I helped you change your mind ;)

From owner-freebsd-security Fri Sep 13 10:31:11 2002
Date: Fri, 13 Sep 2002 12:29:23 -0500
From: "Jeffrey J. Mountin"
To: dfolkins, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-Id: <4.3.2.20020913111417.023fb670@207.227.119.2>
In-Reply-To: <000a01c25ad8$0ee04610$0a00a8c0@groovy3xp>
References: <20020912152423.M3276-100000@walter>

At 11:45 PM 9/12/02 -0400, dfolkins wrote:
>now this is a very interesting discussion and all, but um, could someone
>take a look at what i posted originally and tell me why there is this rogue
>short-lived dynamic rule popping up and what i can do about it that does
>_not_ involve making non-stateful rules? pretty please? :) it would really
>appreciate it.

Ran into this when tinkering with dynamic rules and checking out the
features of IPFW2. It is not a rogue connection. The problem I saw was the
connection would time out and the external host would then try opening a
connection on a different port, which would be denied.

Did not find a solution or answer, though it was supposedly answered by
Ruslan Ermilov according to a message posted to -ipfw on Feb 13th, 2002 and
yet was indirect:

    Keep-state combined with divert is really tricky. Search ML archives
    for a possible solution. I posted them once.

Keep state works without NAT, which is how I use it on stand-alone systems.

Might want to try some "log" sprinkling, check the log, and then try a
second rule for the external IP. Am not sure if the connection is initiated
from the eIP or to. Didn't get around to that.

Removing the "setup" from the rule only means that the first packet in the
3-way isn't necessary for a dynamic rule to be created. It may be that
adding a similar rule for the eIP *before* divert is the trick. Whether it
needs to be in or out is also in question.

Changing timeouts is not an option for a decent firewall and TCP keepalives
(new with IPFW2) will only work with an established connection.
*Or* IPFW needs a method of relating connections. Otherwise doing stateful
FTP will not work either (or require opening the door a bit more). Will
guess that IPFilter does this and why it works better with stateful rules.
The fact that it harvests the LHF (thanks for answering that Darren) makes
it more DOS resistant when incoming connections are involved.

A solution for IPFW would be an excellent addition to a how-to. I'd imagine
this should otherwise move to -doc or -ipfw. Would rather have somewhere to
point someone than just tell them this is OT for -security.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Sat Sep 14 13:39:03 2002
Date: Wed, 11 Sep 2002 07:35:27 -0400
From: "Moti Levy"
Subject: Re: Firewalls on FreeBSD( ipfw vs ipf)
Message-ID: <007501c25987$54b329c0$fd6e34c6@moti>
References: <20020911105418.F32908-100000@doos.cluecentral.net> <3D7F2125.6525E891@mobikom.com>
i like ipfilter because i can run it on a lot of o.s's ( solaris ,hp ,*bsd etc ...)

-------------------------------------------------
Moti
www.flncs.com
-------------------------------------------------
be careful what you wish for ...
-------------------------------------------------

----- Original Message -----
From: "Ivajlo Nikolov"
To: "Sabri Berisha"
Cc: "Conrad Burger" ;
Sent: Wednesday, September 11, 2002 6:55 AM
Subject: Re: Firewalls on FreeBSD( ipfw vs ipf)

> I'm using both ipfilter and ipfw.
>
> i.
>
> Sabri Berisha wrote:
>
> > On Thu, 22 Aug 2002, Conrad Burger wrote:
> >
> > > I cannot decide which way to go , IPF or IPFW !
> >
> > For me, ipfw has all my needs.
> >
> > --
> > Sabri Berisha - www.cluecentral.net - "I route, therefore you are"
> >
> > With nine of us forcing a girl to eat effervescent tablets:
> > http://www.cluecentral.net/veritas/

From owner-freebsd-security Sat Sep 14 15:09:16 2002
Date: Sun, 15 Sep 2002 08:09:02 +1000
From: Mark.Andrews@isc.org
To: Wincent Colaiuta
Cc: Mark_Andrews@isc.org, Jason Stone, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-reply-to: Your message of "Sat, 14 Sep 2002 20:45:59 +0930." <58D716D2-C7D3-11D6-B5B5-003065C60B4C@wincent.org>
Message-Id: <200209142209.g8EM92B5043544@drugs.dv.isc.org>

> On Friday, 13 September 2002, at 09:46 AM, Mark.Andrews@isc.org
> wrote:
>
> >> We're replacing:
> >>
> >> allow tcp from $INET to any 22 setup
> >> allow tcp from any 22 to $INET established
> >>
> >> with
> >>
> >> check-state
> >> allow tcp from $INET to any 22 setup keep-state
> >>
> >>
> >> -Jason
> >
> > Note: keep-state works well with protocols that are chatty.
> > 'ssh' is not chatty. You need to adjust the timeouts to
> > support ssh otherwise the rules will timeout.
> >
> > Mark
>
> And when you do that you increase your susceptibility to a flood DOS.
> So it's all a balancing act and there's no such thing as an
> invulnerable system.
>
> Cheers
> Wincent

Well do you want a system that works or one that is slightly more
vulnerable to an accidental exhaustion of rule slots. If they are
exhausted you need a bigger table to start with.

Note. If they are going to DoS you there is no way any particular timeout
will prevent that. Also this has to originate from inside as you should
have anti-spoofing rule before the keep-state rule.
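An added model, not part of this thread and not ipfw code, of the two rulesets Jason quotes above and of the claims Darren, dfolkins and Mark make about them: the stateless "established" rule admits any ACK from source port 22 whether or not anyone inside opened that connection, keep-state only on the outbound setup rule leaves nothing for an inbound SYN flood to exhaust, rule slots are consumed only by outbound setups, and a silent ssh session falls out of the dynamic table once its idle time exceeds the lifetime. Assumed for the model: $INET is 10.0.0.0/24, a single idle lifetime stands in for ipfw's several per-state timeouts, and all addresses and packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INET_PREFIX = "10.0.0."          # assumed $INET: the protected internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                  # tcpdump-style TCP flag letters: S, A, SA, PA, R


def inside(addr: str) -> bool:
    return addr.startswith(INET_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """The ruleset being replaced. 'established' matches any packet with ACK or RST."""
    # allow tcp from $INET to any 22 setup     (SYN only)
    if inside(pkt.src) and pkt.dport == 22 and pkt.flags == "S":
        return "allow"
    # allow tcp from any 22 to $INET established
    # Any ACK/RST from source port 22 matches, whether or not someone inside
    # ever opened a connection to that host: the hole the thread complains about.
    if inside(pkt.dst) and pkt.sport == 22 and ("A" in pkt.flags or "R" in pkt.flags):
        return "allow"
    return "deny"


class StatefulFilter:
    """check-state + 'allow tcp from $INET to any 22 setup keep-state'."""

    def __init__(self, dyn_max: int, lifetime: int) -> None:
        self.dyn_max = dyn_max              # cap on dynamic rules (cf. net.inet.ip.fw.dyn_max)
        self.lifetime = lifetime            # idle seconds before a dynamic rule expires (simplified)
        self.table: Dict[tuple, int] = {}   # flow key -> expiry time

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # Direction-independent, so the reply half of a connection matches too.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def filter(self, pkt: Packet, now: int) -> str:
        self.table = {k: t for k, t in self.table.items() if t > now}   # expire idle rules
        k = self.key(pkt)
        # check-state: a packet of a known flow is allowed and refreshes its timer
        if k in self.table:
            self.table[k] = now + self.lifetime
            return "allow"
        # keep-state sits only on the outbound setup rule, so only an outbound SYN
        # can create state; an inbound SYN never reaches a keep-state rule.
        if inside(pkt.src) and pkt.dport == 22 and pkt.flags == "S":
            if len(self.table) >= self.dyn_max:
                return "deny"                # table full: new outbound sessions refused
            self.table[k] = now + self.lifetime
            return "allow"
        return "deny"


# ---- constructed traffic for the claims made in the thread -----------------

def forged_ack() -> Tuple[str, str]:
    """An unsolicited ACK from outside with source port 22: stateless lets it in."""
    pkt = Packet("198.51.100.9", 22, "10.0.0.5", 31337, "A")
    return stateless_filter(pkt), StatefulFilter(100, 300).filter(pkt, now=0)


def inbound_syn_flood(count: int) -> Tuple[int, str]:
    """Inbound SYNs create no dynamic rules, so a later outbound ssh still fits."""
    fw = StatefulFilter(dyn_max=100, lifetime=300)
    for i in range(count):
        fw.filter(Packet(f"203.0.113.{i % 250 + 1}", 40000 + i, "10.0.0.5", 22, "S"), 0)
    return len(fw.table), fw.filter(Packet("10.0.0.5", 50000, "192.0.2.10", 22, "S"), 1)


def outbound_exhaustion(dyn_max: int) -> Tuple[str, str]:
    """Slots are consumed only by outbound setups; the (dyn_max+1)th one is refused."""
    fw = StatefulFilter(dyn_max, lifetime=300)
    last = "deny"
    for i in range(dyn_max):
        last = fw.filter(Packet("10.0.0.5", 50000 + i, "192.0.2.10", 22, "S"), 0)
    return last, fw.filter(Packet("10.0.0.6", 60000, "192.0.2.11", 22, "S"), 0)


def idle_ssh_session(lifetime: int, idle_gap: int) -> List[str]:
    """ssh is not chatty: silence longer than the lifetime drops the server's next packet."""
    fw = StatefulFilter(dyn_max=100, lifetime=lifetime)
    syn = Packet("10.0.0.5", 50000, "192.0.2.10", 22, "S")
    synack = Packet("192.0.2.10", 22, "10.0.0.5", 50000, "SA")
    data = Packet("192.0.2.10", 22, "10.0.0.5", 50000, "PA")
    return [fw.filter(syn, 0), fw.filter(synack, 1), fw.filter(data, 1 + idle_gap)]


if __name__ == "__main__":
    print("forged ACK (stateless, stateful):", forged_ack())
    print("after 1000 inbound SYNs (table size, outbound ssh):", inbound_syn_flood(1000))
    print("outbound exhaustion at dyn_max=100:", outbound_exhaustion(100))
    print("ssh idle 10s vs 600s, lifetime 300s:", idle_ssh_session(300, 10), idle_ssh_session(300, 600))
```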
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Sat Sep 14 17:23:37 2002
Date: Sat, 14 Sep 2002 19:23:23 -0500
From: "Andrew G. Russell IV"
To: freebsd-security@FreeBSD.ORG
Subject: Mac address of hacked machine...
Message-ID: <20020914192323.A10984@bifrost.agrknives.com>

I have a machine that is hitting me with "kali" packets every few minutes.
I've contacted the ISP, but they can't help unless I supply the MAC address.

I've done tcpdump, I've arped, I suppose I don't know what I'm doing on this
one. I've read all the HOWTOS that I can find, even linux ones...
I've searched the archives, I guess I'm not asking the right question.

I'm sure this will be a head smacker.

Thanks for any help... And YES I am subscribed... ;->

A.G.
--
_______________________________________________________________________________
A.G. Russell IV  KC5KFD        The Knife Company
e-mail: ag4@theknifecompany.com
Phone 479-631-0055  FAX 479-631-8734
Old Klingon Saying -- 'oH majQa' yIn je bang, Qo' bang
-------------------------------------------------------------------------------

From owner-freebsd-security Sat Sep 14 17:41:37 2002
Date: Sat, 14 Sep 2002 17:39:34 -0700
From: Kevin Stevens
To: "Andrew G. Russell IV"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Mac address of hacked machine...
In-Reply-To: <20020914192323.A10984@bifrost.agrknives.com>
Message-Id: <9B491C74-C843-11D6-8217-003065715DA8@pursued-with.net>

On Saturday, Sep 14, 2002, at 17:23 US/Pacific, Andrew G. Russell IV wrote:

> I have a machine that is hitting me with "kali" packets every few
> minutes.
> I've contacted the ISP, but they can't help unless I supply the MAC
> address.
>
> I've done tcpdump, I've arped, I suppose I don't know what I'm doing
> on this one. I've read all the HOWTOS that I can find, even linux
> ones... I've searched the archives, I guess I'm not asking the right
> question.
>
> I'm sure this will be a head smacker.
>
> Thanks for any help... And YES I am subscribed... ;->
>
> A.G.

I'm not sure what MAC address they're asking for - you won't be able to
provide the MAC for the attacking machine unless it's on your own network
segment. MACs have only local significance; once you pass a router they are
substituted.

You can see this by pinging several remote machines (www.yahoo.com, for
example), and then looking at your arp table. You won't see a MAC for that
IP address, only for your next-hop router. Or if you are using proxy-arp,
you'll see the same MAC (your router's) for ALL non-local addresses.

If you need the MAC address of your machine that is being attacked, you can
get that from the "ether" portion of ifconfig.

In short, the ISP's request seems confusing or unreasonable. Give us more
detail.

KeS

BTW - I sure have spent a lot of money buying knives from you!!
From owner-freebsd-security Sat Sep 14 17:57:20 2002
Date: Sat, 14 Sep 2002 19:57:16 -0500
From: "Andrew G. Russell IV"
To: Kevin Stevens
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Mac address of hacked machine...
Message-ID: <20020914195716.A11006@bifrost.agrknives.com>
References: <20020914192323.A10984@bifrost.agrknives.com> <9B491C74-C843-11D6-8217-003065715DA8@pursued-with.net>
In-Reply-To: <9B491C74-C843-11D6-8217-003065715DA8@pursued-with.net>; from Kevin_Stevens@pursued-with.net on Sat, Sep 14, 2002 at 05:39:34PM -0700

Yes, they are asking me for the address of the machine on their network, I gave
them the IP address, but they said that would not help, and I told them that it
had not changed in 4 weeks, so I would not believe they would have a problem
finding it on their segment. I'm glad I'm not crazy, I could not think of a way
to get "Their" mac address.

Sample follows from the cisco...

Sep 14 03:19:35 a1-33-251-204b 16142: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
Sep 14 03:24:36 a1-33-251-204b 16143: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets
Sep 14 03:29:36 a1-33-251-204b 16144: 2w0d: %SEC-6-IPACCESSLOGP: list 120 denied udp 68.34.208.51(2213) -> 204.251.33.86(27015), 90 packets

from Freebsd 4.6 tcpdump

04:07:29.365959 pcp663097pcs.indpnd01.mo.comcast.net.2213 > a86-33-251-204b.hos.net.27015: [udp sum ok] udp 8 (ttl 121, id 24169, len 36)
                         4500 0024 5e69 0000 7911 e0b8 4422 d033
                         ccfb 2156 08a5 6987 0010 bb1c ffff ffff
                         696e 666f 0000 0000 0000 0000 0000
04:07:29.374457 pcp663097pcs.indpnd01.mo.comcast.net.2213 > a86-33-251-204b.hos.net.27015: [udp sum ok] udp 9 (ttl 121, id 24170, len 37)
                         4500 0025 5e6a 0000 7911 e0b6 4422 d033
                         ccfb 2156 08a5 6987 0011 391d ffff ffff
                         7275 6c65 7300 0000 0000 0000 0000
04:07:29.379823 pcp663097pcs.indpnd01.mo.comcast.net.2213 > a86-33-251-204b.hos.net.27015: [udp sum ok] udp 11 (ttl 121, id 24171, len 39)
                         4500 0027 5e6b 0000 7911 e0b3 4422 d033
                         ccfb 2156 08a5 6987 0013 e09b ffff ffff
                         706c 6179 6572 7300 0000 0000 0000

strings of dump... ;->

info
rules
players

I have tried extensive nmap probes, all ports are filtered, and no info that
way. I'm not worried about it, but it is annoying that they won't stop it. at
first I changed my dns, and moved the machine to another address, setup rules
on the cisco no joy...

On Sat, Sep 14, 2002 at 05:39:34PM -0700, Kevin Stevens wrote:
>
> On Saturday, Sep 14, 2002, at 17:23 US/Pacific, Andrew G. Russell IV
> wrote:
>
> > I have a machine that is hitting me with "kali" packets every few
> > minutes.
> > I've contacted the ISP, but they can't help unless I supply the MAC
> > address.
> >
> > I've done tcpdump, I've arped, I suppose I don't know what I'm doing
> > on this one. I've read all the HOWTOS that I can find, even linux
> > ones... I've searched the archives, I guess I'm not asking the right
> > question.
> >
> > I'm sure this will be a head smacker.
> >
> > Thanks for any help... And YES I am subscribed... ;->
> >
> > A.G.
>
> I'm not sure what MAC address they're asking for - you won't be able to
> provide the MAC for the attacking machine unless it's on your own
> network segment. MACs have only local significance; once you pass a
> router they are substituted.
>
> You can see this by pinging several remote machines (www.yahoo.com, for
> example), and then looking at your arp table. You won't see a MAC for
> that IP address, only for your next-hop router. Or if you are using
> proxy-arp, you'll see the same MAC (your router's) for ALL non-local
> addresses.
>
> If you need the MAC address of your machine that is being attacked, you
> can get that from the "ether" portion of ifconfig.
>
> In short, the ISP's request seems confusing or unreasonable. Give us
> more detail.
>
> KeS
>
> BTW - I sure have spent a lot of money buying knives from you!!

--
_______________________________________________________________________________
A.G. Russell IV  KC5KFD        The Knife Company
e-mail: ag4@theknifecompany.com
Phone 479-631-0055  FAX 479-631-8734
Old Klingon Saying -- 'oH majQa' yIn je bang, Qo' bang
-------------------------------------------------------------------------------

From owner-freebsd-security Sat Sep 14 18:27:14 2002
Date: Sat, 14 Sep 2002 21:26:46 -0400 (EDT)
From: Jason Hunt
To: freebsd-security@FreeBSD.ORG
Cc: "Andrew G. Russell IV"
Subject: Re: Mac address of hacked machine...
In-Reply-To: <20020914195716.A11006@bifrost.agrknives.com>
Message-ID: <20020914212300.N47759-100000@lethargic.dyndns.org>

On Sat, 14 Sep 2002, Andrew G. Russell IV wrote:

> Yes, they are asking me for the address of the machine on their network, I gave
> them the IP address, but they said that would not help, and I told them that it
> had not changed in 4 weeks, so I would not believe they would have a problem
> finding it on their segment. I'm glad I'm not crazy, I could not
> think of a way to get "Their" mac address.
>

Sounds to me like they don't know what they're talking about. Who are you
contacting? I hope not their tech support line. You could try e-mailing
their abuse e-mail address. (abuse@comcast.net?)

From owner-freebsd-security Sat Sep 14 18:47:02 2002
Date: Sun, 15 Sep 2002 13:46:57 +1200 (NZST)
From: Andrew McNaughton
To: "Andrew G. Russell IV"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Mac address of hacked machine...
In-Reply-To: <20020914192323.A10984@bifrost.agrknives.com>
Message-ID: <20020915133649.L47805-100000@a2.scoop.co.nz>

On Sat, 14 Sep 2002, Andrew G. Russell IV wrote:

> I have a machine that is hitting me with "kali" packets every few minutes.
> I've contacted the ISP, but they can't help unless I supply the MAC address.
>
> I've done tcpdump, I've arped, I suppose I don't know what I'm doing on this
> one. I've read all the HOWTOS that I can find, even linux ones... I've
> searched the archives, I guess I'm not asking the right question.
>
> I'm sure this will be a head smacker.
>
> Thanks for any help... And YES I am subscribed... ;->

Unless the attacker is on the same ethernet subnet, there's no way you can
know the MAC address, and the ISP is either clueless or deliberately
unhelpful. If the person you are talking to knows enough to make use of a
MAC address, then they almost certainly know enough to know that you can't
provide one based on traffic seen outside of their network. That said, it's
quite possible that they are simply trying to follow something from a
helpdesk manual without knowing what the information they are supposed to
gather is about or for.

If you're dealing with clueless helpdesk staff, then try asking for someone
from their network operations team. They will need to be involved to solve
the problem anyway.

Do collect a tcpdump of the traffic demonstrating the problem, making sure
that the timestamps are accurate, and that you tell the ISP what timezone
you are in. The ISP should be able to identify which machine the IP address
was assigned to at that point in time.
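An added decoder, not part of this thread, for the raw packet bytes that tcpdump -x printed in A.G.'s message above: it re-derives from the hex the fields tcpdump showed (addresses, ports, ttl, id, len), verifies the IP header checksum and the "[udp sum ok]" verdict, and pulls out the UDP payload, which is four 0xff bytes followed by "info", "rules" and "players". That is the classic Half-Life (GoldSrc) server-browser query, normally sent to UDP port 27015, so the traffic is consistent with a game client polling an address it still has listed as a server; worth establishing before handing a capture to the ISP. The three hex dumps are copied verbatim from the message; the field names returned are my own.

```python
import struct

# The three dumps exactly as posted (Ethernet padding included after the IP packet).
DUMP_INFO = ("4500 0024 5e69 0000 7911 e0b8 4422 d033 ccfb 2156 08a5 6987 "
             "0010 bb1c ffff ffff 696e 666f 0000 0000 0000 0000 0000")
DUMP_RULES = ("4500 0025 5e6a 0000 7911 e0b6 4422 d033 ccfb 2156 08a5 6987 "
              "0011 391d ffff ffff 7275 6c65 7300 0000 0000 0000 0000")
DUMP_PLAYERS = ("4500 0027 5e6b 0000 7911 e0b3 4422 d033 ccfb 2156 08a5 6987 "
                "0013 e09b ffff ffff 706c 6179 6572 7300 0000 0000 0000")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_valid(data: bytes) -> bool:
    # Summing a block that already contains its checksum must give all ones.
    return ones_complement_sum(data) == 0xFFFF


def decode_ipv4_udp(hexdump: str) -> dict:
    """Parse one tcpdump -x hex dump of an IPv4/UDP packet into its fields."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    pkt = raw[:total_len]                     # drop the link-layer padding
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + ulen]
    # The UDP checksum also covers a pseudo-header: addresses, zero, protocol, UDP length.
    pseudo = pkt[12:20] + bytes([0, proto]) + struct.pack("!H", ulen)
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "ttl": ttl, "id": ip_id, "len": total_len,
        "ip_csum_ok": checksum_valid(pkt[:ihl]),
        # A zero UDP checksum means "not computed", which IPv4 permits.
        "udp_csum_ok": ucsum == 0 or checksum_valid(pseudo + udp),
        "payload": udp[8:],
    }


def query_name(payload: bytes) -> str:
    """Name of the GoldSrc query if the payload carries the 0xffffffff prefix, else ''."""
    if payload.startswith(b"\xff\xff\xff\xff"):
        return payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    return ""


if __name__ == "__main__":
    for dump in (DUMP_INFO, DUMP_RULES, DUMP_PLAYERS):
        f = decode_ipv4_udp(dump)
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ttl={f['ttl']} "
              f"id={f['id']} len={f['len']} ipsum={'ok' if f['ip_csum_ok'] else 'BAD'} "
              f"udpsum={'ok' if f['udp_csum_ok'] else 'BAD'} query={query_name(f['payload'])!r}")
```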
Andrew McNaughton

From owner-freebsd-security Sat Sep 14 21:20:03 2002
Date: Sat, 14 Sep 2002 22:18:55 -0600
From: Duncan Campbell
To: freebsd-security@FreeBSD.ORG
Subject: A good reason to not have
Message-Id: <200209150418.WAA00144@tagish.taiga.ca>

Subscriber based posting is that my email is currently being blocked on the
basis of destination address. freebsd-security@FreeBSD.ORG is one that is
being blocked.
Dhu

From owner-freebsd-security Sat Sep 14 21:26:07 2002
Date: Sat, 14 Sep 2002 22:25:04 -0600
From: Duncan Campbell
To: campbell@tagish.taiga.ca, freebsd-security@FreeBSD.ORG
Subject: Re: A good reason to not have
Message-Id: <200209150425.WAA00161@tagish.taiga.ca>

From owner-freebsd-security Sat Sep 14 21:28:36 2002
Date: Sat, 14 Sep 2002 22:27:33 -0600
From: Duncan Campbell
To: freebsd-security@FreeBSD.ORG
Subject: Crypto
Message-Id: <200209150427.WAA00171@tagish.taiga.ca>
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a short primer on crypto. What it can and can't do. 1. There are no permanent secrets. If you want to keep something secret DON'T TELL ANYONE. More to the point, it is theoretically possible to use the kind of analytical tools available in quantum mechanics to disclose the _semantic content_ (the meaning) of any encrypted data. This means that while your credit card number is probably safe for some time to come, discussions about U233 and fissile weapons are not. And it doesn't matter whether you call it "red mercury", uranium 233 or "chikita bananas", it will be seen all the same. This also means that if you are into child prostitution or snuff films, or just offing someone, you should stay far away from the internet, because if someone looks, you will be found. 2. What matters is temporal security and authority: keeping the Bad Guys from knowing what you are going to do until after it is done, and knowing who has said what when. Cryptography is necessary, but by itself insufficient, for this. 3. Authority is more important than secrecy: a basis of human society is authoritative knowledge: we know little or nothing about the universe we live in, and we know only slightly more about ourselves. So it helps to know who said what, when. Digital signatures, like provided by PGP, can do this for you and your organization. 3. Most breaches of computer/systems security DO NOT result from crypto hacks. They result from a. errors in the programmic glue between what you are doing and the actual crypto you are using. Some systems have intentional holes left in the system logic allowing this to happen (e.g. Back-Orifice). b. not setting the system up right to begin with c. telling the wrong folks the passwords 4. 
Current cost-benefit makes it cheaper to break your legs (or fuck with your woman) than to bother breaking anything more than a 40-bit key. And there are many more experts in these areas than in cryptography and they have a long tradition of getting what they want. 5. The differences between no encryption, low encryption high encryption is the same as you chances of winning PowerBall with no ticket one ticket ten tickets That is to say your legs will get broken long before your crypto-keys, even if they are only 56 bits. 6. Using your credit card on the internet is no different from using it at a bar: check your statement at the end of the month. If it doesn't line up, call someone. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
