From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 02:06:25 2004
From: Francisco Reyes
Date: Sat, 20 Nov 2004 21:09:38 -0500 (EST)
To: Poul-Henning Kamp
cc: FreeBSD Security List
Subject: Re: Importing into rc.firewal rules
Message-ID: <20041120210256.K27307@zoraida.natserv.net>
In-Reply-To: <8776.1100981342@critter.freebsd.dk>
References: <8776.1100981342@critter.freebsd.dk>

On Sat, 20 Nov 2004, Poul-Henning Kamp wrote:

> If the list is long it may be almost as good, if not better, to use
> blackhole routes for it.

I was not familiar with the term. Looking in Google came up with a link.
However in that link they recommend against that method.

http://tinyurl.com/5r5cl

Also any link on how to implement it?

What would be the advantage of that route vs ipfw?

From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 04:22:33 2004
Date: Sat, 20 Nov 2004 20:22:49 -0800
From: Andrew Konstantinov
To: freebsd-security@freebsd.org
Subject: Re: Importing into rc.firewal rules
Message-ID: <20041121042249.GA37865@root.kableu.com>
In-Reply-To: <20041120133048.N7533@zoraida.natserv.net>
References: <20041120133048.N7533@zoraida.natserv.net>

On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

I don't know how strong your bond with ipfw is, but it seems like pf has
exactly what you need. For example:

#--- excerpts from pf documentation ---
Tables can also be populated from text files containing a list of IP
addresses and networks:

    table <spammers> persist file "/etc/spammers"
    block in on fxp0 from <spammers> to any

Tables can be manipulated on the fly by using pfctl(8). For instance, to
add entries to the table created above:

    # pfctl -t spammers -T add 218.70.0.0/16
#--- excerpts from pf documentation ---

If ipfw isn't a tradition in your family, you might want to consider
switching to pf for those specific needs.
:)

Andrew

From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 09:46:44 2004
To: Francisco Reyes
From: "Poul-Henning Kamp"
Date: Sun, 21 Nov 2004 10:46:41 +0100
cc: FreeBSD Security List
Subject: Re: Importing into rc.firewal rules
Message-ID: <20464.1101030401@critter.freebsd.dk>
In-Reply-To: Your message of "Sat, 20 Nov 2004 21:09:38 EST." <20041120210256.K27307@zoraida.natserv.net>

In message <20041120210256.K27307@zoraida.natserv.net>, Francisco Reyes writes:
>On Sat, 20 Nov 2004, Poul-Henning Kamp wrote:
>
>> If the list is long it may be almost as good, if not better, to use
>> blackhole routes for it.
>
>I was not familiar with the term. Looking in Google came up with a link.
>However in that link they recommend against that method.
>
>http://tinyurl.com/5r5cl
>
>Also any link on how to implement it?

	route add -host $IP 127.0.0.1 -blackhole

>What would be the advantage of that route vs ipfw?

It's faster because the route table uses a tree for lookup whereas the
firewall is sequential.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
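For the question that opened this thread (a blocklist kept in a file and loaded either as ipfw rules or, as suggested in this message, as blackhole routes), here is an added example that is not from any post in the thread: a POSIX sh loader that validates every entry before emitting either the ipfw table command or the route command, so that a malformed line or a stray /0 prefix cannot become a rule or route that blocks everything. The table number 0, the file name /etc/badhosts and the `route add -net` form for prefixes are assumptions.

```shell
#!/bin/sh
# Added example (not from any post in this thread). Reads a blocklist with one
# IPv4 address or prefix per line ('#' starts a comment) and prints the
# commands that would load it, either into an ipfw lookup table or, as
# suggested above, as blackhole routes. Nothing is executed: review the output,
# then pipe it into sh. Table number 0 and /etc/badhosts are assumed names.
set -f   # no globbing: a stray '*' in the file must not expand to file names

# valid_ipv4_prefix ADDR[/LEN]: succeed if ADDR is a dotted quad with octets
# 0-255 and LEN (default 32) is 1-32. A /0 entry is refused on purpose: as a
# route it would replace the default route, as a deny rule it matches all.
valid_ipv4_prefix() {
    addr=${1%%/*}
    len=32
    case $1 in
        */*/*) return 1 ;;            # more than one slash
        */*)   len=${1#*/} ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case $addr in
        *.*.*.*.*|.*|*.|*..*) return 1 ;;   # wrong dot count or empty octet
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=$addr
    while :; do
        octet=${rest%%.*}
        case $octet in *[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        case $rest in *.*) rest=${rest#*.} ;; *) return 0 ;; esac
    done
}

# block_cmd MODE ENTRY: print the command that blocks ENTRY in MODE.
#   ipfw  -> ipfw -q table 0 add ENTRY
#   route -> route add -host ENTRY 127.0.0.1 -blackhole (-net for a prefix)
block_cmd() {
    case $1 in
        ipfw)
            printf 'ipfw -q table 0 add %s\n' "$2" ;;
        route)
            case $2 in
                */*) printf 'route add -net %s 127.0.0.1 -blackhole\n' "$2" ;;
                *)   printf 'route add -host %s 127.0.0.1 -blackhole\n' "$2" ;;
            esac ;;
        *)
            printf 'unknown mode: %s\n' "$1" >&2
            return 2 ;;
    esac
}

# gen_block_cmds MODE < file: one command per valid entry on stdout and one
# ERROR line per rejected entry on stderr. Reads line by line, so a long file
# cannot overflow the command line the way `cat file` in a for loop can.
# Returns the number of rejected entries.
gen_block_cmds() {
    mode=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}            # drop trailing comment
        set -- $entry                # first whitespace-separated field
        [ $# -gt 0 ] || continue     # blank or comment-only line
        if valid_ipv4_prefix "$1"; then
            block_cmd "$mode" "$1"
        else
            printf 'ERROR: %s is not a valid IPv4 address or prefix, skipped\n' "$1" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo on a constructed list (not a real file). For the real thing:
#   gen_block_cmds ipfw < /etc/badhosts | sh
printf '%s\n' '10.1.2.3' '192.0.2.0/24   # scanner' '' '300.1.1.1' '10.0.0.0/0' \
    | gen_block_cmds route || echo "rejected $? entries" >&2
```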
From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 11:16:54 2004
From: Ciprian BADESCU
Date: Sun, 21 Nov 2004 13:16:42 +0200 (EET)
To: freebsd-security@freebsd.org
Subject: [Fwd: Re: Importing into rc.firewal rules]
Message-ID: <2274.82.77.156.141.1101035802.squirrel@82.77.156.141>

Hi,

> On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
>> I have a grown list of IPs that I am "deny ip from ###.### to any".
>> Infected machines, hackers, etc..
>>
>> Is there a way to have this list outside of rc.firewall and just read it in?
>

from man ipfw

    LOOKUP TABLES
        Lookup tables are useful to handle large sparse address sets, typically
        from a hundred to several thousands of entries.  There could be 128
        different lookup tables, numbered 0 to 127.  Each entry is represented
        by an addr[/masklen] and will match all addresses with base addr
        (specified as a dotted quad or a hostname) and mask width of masklen
        bits.  If masklen is not specified, it defaults to 32.  When looking up
        an IP address in a table, the most specific entry will match.
        Associated with each entry is a 32-bit unsigned value, which can
        optionally be checked by a rule matching code.  When adding an entry,
        if value is not specified, it defaults to 0.

        An entry can be added to a table (add), removed from a table (delete),
        a table can be examined (list) or flushed (flush).

        Internally, each table is stored in a Radix tree, the same way as the
        routing table (see route(4)).

, and here is an example:

    ${fwcmd} table 0 add 82.77.156.42
    ${fwcmd} add deny all from table\(0\) to any via ${oif}
    ${fwcmd} add deny all from any to table\(0\) via ${oif}
    # I know, second rule, .... it's paranoic

To set the table you could use a file /etc/badboys
and a short shell script executed before the table denying rules:

    for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done;

----
Ciprian Badescu

From owner-freebsd-security@FreeBSD.ORG Sat Nov 20 20:39:46 2004
Date: Sat, 20 Nov 2004 21:39:41 +0100
From: Marc Sztochay
To: Francisco Reyes
cc: FreeBSD Security List
Subject: Re: Importing into rc.firewal rules
Message-ID: <20041120203941.GB87868@pilgerer.org>
In-Reply-To: <20041120133048.N7533@zoraida.natserv.net>
References: <20041120133048.N7533@zoraida.natserv.net>

You (Francisco Reyes) wrote on Sat, Nov 20, 2004 at 07:32:15PM CET:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

hi *,

simply add a :

    for i in `cat denied_badhackers ` ; do ...

into your ipfw script.
It's just shell :)

regards,
marc
-- 
Marc Sztochay - mailto:msztochay@pilgerer.org

From owner-freebsd-security@FreeBSD.ORG Sat Nov 20 18:26:03 2004
Date: Sat, 20 Nov 2004 13:29:09 -0500 (EST)
From: Francisco
To: Mark Ogden
cc: freebsd-security@freebsd.org
cc: Vlad GALU
Subject: Re: Question restricting ssh access for some users only
Message-ID: <20041120132543.L7533@zoraida.natserv.net>
In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu>
References: <20041007180630.GA25130@yem.eng.utah.edu> <20041007183400.GA25339@yem.eng.utah.edu>

On Thu, 7 Oct 2004, Mark Ogden wrote:

Coming.. way late to the discussion..

> groups. We would like to allow root ssh login to our machines but only
> from one or two machines.

For starters I don't think it is a good idea to allow remote root logins.
There are several ways to do what you want.
A few options:

If you only need the root users to login, set the firewall to only allow
ssh from specific IPs. Set a user that can ssh and either configure sudo
or allow user to su.

> We like to have root login to be able to run
> remote commands to all our machines.

That sounds like something you could do with a regular user + sudo.

> So is there a way to limit roots
> login from one or two machines?

Yet another approach, you can turn on to allow connections with keys
only. No password authentication. Then enable root.. or better another ID
which can su or sudo the commands you need.
From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 20:21:24 2004
Date: Sun, 21 Nov 2004 14:21:22 -0600
From: Michael Nicks
To: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only
Message-ID: <11/21/04_02:03:27_-0600__nicksm@ioport.com>
In-Reply-To: <20041120132543.L7533@zoraida.natserv.net>
References: <20041007180630.GA25130@yem.eng.utah.edu> <20041007183400.GA25339@yem.eng.utah.edu> <20041120132543.L7533@zoraida.natserv.net>

On 11/20/04 01:29:09 -0500, Francisco wrote:
> On Thu, 7 Oct 2004, Mark Ogden wrote:
>
> Coming.. way late to the discussion..
>
> >groups. We would like to allow root ssh login to our machines but only
> >from one or two machines.
>
> For starters I don't think it is a good idea to allow remote root logins
> There are several ways to do what you want.
> A few options
>
> If you only need the root users to login, set the firewall to only allow
> ssh from specific IPs. Set a user that can ssh and either configure sudo
> or allow user to su.
>
> >We like to have root login to be able to run
> >remote commands to all our machines.
>
> That sounds like something you could do with a regular user + sudo.
>
> >So is there a way to limit roots
> >login from one or two machines?
>
> Yet another approach, you can turn on to allow connections with keys
> only. No password authentication. Then enable root.. or better another ID
> which can su or sudo the commands you need.

Look at the 'AllowUsers' directive in sshd_config.  You can use something
to the like of 'AllowUsers root@10.0.0.1 root@10.0.0.1 etc'.
You can also use wildcards in the fields.

-- 
Michael Nicks
IOPort Technologies, LLC
nicksm@ioport.com
PGP/GNUPG key: 1024D/0F11CED3
1(913)-378-6516
Keyfile available at pgp.mit.edu.
(Fingerprint: 4F9A 25F8 5DC7 4BA0 6288 91E3 C7CD ADA4 0F11 CED3)

From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 21:27:59 2004
Message-ID: <41A1085B.6000807@traveller.cz>
Date: Sun, 21 Nov 2004 22:27:55 +0100
From: Michal Mertl
To: freebsd-security@freebsd.org
cc: rwatson@freebsd.org
Subject: mac_portacl and automatic port allocation

Hello,

I really like the idea behind mac_portacl but I find it difficult to use
it because of one issue. When an unprivileged program binds to a high
automatic port with a call to bind(2) and port number set to 0, the
system chooses the port to bind to itself. This mechanism is used by
a number of programs, most commonly by ftp clients in active mode.
Unfortunately this 0 is checked by the mac_portacl(4) module and the
call to bind is refused. A rather simple fix would be to check if the
local port is 0 and the user hasn't asked for IP_PORTRANGE_LOW and then
allow the call to trivially succeed. It can be controlled by a sysctl if
needed.

What do you think of the patch below?

Index: mac_portacl.c
===================================================================
RCS file: /home/fcvs/cvs/src/sys/security/mac_portacl/mac_portacl.c,v
retrieving revision 1.5
diff -u -r1.5 mac_portacl.c
--- mac_portacl.c	15 May 2004 20:55:19 -0000	1.5
+++ mac_portacl.c	21 Nov 2004 21:25:49 -0000
@@ -79,6 +79,7 @@
 #include
 #include
+#include
 #include
@@ -441,6 +442,7 @@
     struct label *socketlabel, struct sockaddr *sockaddr)
 {
 	struct sockaddr_in *sin;
+	struct inpcb *inp = sotoinpcb(so);
 	int family, type;
 	u_int16_t port;
@@ -467,6 +469,11 @@
 	type = so->so_type;
 	sin = (struct sockaddr_in *) sockaddr;
 	port = ntohs(sin->sin_port);
+	/* If port == 0 and user hasn't asked for IP_PORTRANGELOW return
+	   success */
+	printf("mac_portacl: port %d, inp_flags: 0x%X\n", port, inp->inp_flags);
+	if (port == 0 && (inp->inp_flags & INP_LOWPORT) == 0)
+		return (0);
 	return (rules_check(cred, family, type, port));
 }
----------------

Best regards
-- 
Michal Mertl

From owner-freebsd-security@FreeBSD.ORG Mon Nov 22 11:28:07 2004
Date: Mon, 22 Nov 2004 13:27:50 +0200
From: Giorgos Keramidas
To: Ciprian BADESCU
cc: freebsd-security@freebsd.org
Subject: Re: [Fwd: Re: Importing into rc.firewal rules]
Message-ID: <20041122112750.GA994@orion.daedalusnetworks.priv>
In-Reply-To: <2274.82.77.156.141.1101035802.squirrel@82.77.156.141>
References: <2274.82.77.156.141.1101035802.squirrel@82.77.156.141>

On 2004-11-21 13:16, Ciprian BADESCU wrote:
> > On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
> >> I have a grown list of IPs that I am "deny ip from ###.### to any".
> >> Infected machines, hackers, etc..
> >>
> >> Is there a way to have this list outside of rc.firewall and just
> >> read it in?
>
> from man ipfw
>
> LOOKUP TABLES
>      Lookup tables are useful to handle large sparse address sets, typically
>      from a hundred to several thousands of entries.  There could be 128
>      different lookup tables, numbered 0 to 127.
> [...] here is an example: [...]
> To set the table you could use a file /etc/badboys
> and a short shell script executed before the table denying rules:
>
> for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done;

If the table is going to grow at least a few thousand entries you might
hit the command line length limit.  Try something like this instead:

    while read ipaddr ;do
        ${fwcmd} table 0 add "${ipaddr}"
    done < /etc/badhosts

Getting the lines one by one can be a bit slow but it's more flexible.

Another good idea may be to use a custom awk script to parse the badhosts
file and ``generate'' sh(1) code that is run to populate the table:

    badtable=0
    fwcmd="ipfw -q"
    # Skip comment and blank lines; one "table add" command per line of
    # output, so that sh runs each entry as a separate command.
    awk -v fwcmd="${fwcmd}" -v tab="${badtable}" \
        '! /^[[:space:]]*#/ && NF > 0 {
            printf "%s table %d add %s\n", fwcmd, tab, $1
        }' /etc/badhosts | sh

This is probably going to be a bit faster than while read ...

- Giorgos

From owner-freebsd-security@FreeBSD.ORG Mon Nov 22 20:03:13 2004
Date: Mon, 22 Nov 2004 12:03:12 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: Importing into rc.firewal rules
Message-Id: <20041122200312.708B52BC0F@mx5.roble.com>
In-Reply-To: <20041122120146.5292416A4CF@hub.freebsd.org>
References: <20041122120146.5292416A4CF@hub.freebsd.org>

Francisco Reyes wrote:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
> Is there a way to have this list outside of rc.firewall and just
> read it in?

Lots of good recommendations in this thread.  Our own is a customized
rc.firewall script to parse multiple blacklist files, by IP and by port,
with a little error checking:

## IPFW, BLACKLIST and WHITELIST are set earlier in the script (not shown):
## IPFW is the ipfw command, BLACKLIST the base file name, WHITELIST an
## egrep pattern of addresses that must never be blocked.

filterfile () {
    file=$1
    ## Strip comment lines, leading whitespace and trailing comments;
    ## keep the first field of each line only.
    for ip in `grep -hv '^#' "$file" | \
        sed -e 's/^[[:space:]]*//' -e 's/#.*$//' -e 's/[[:space:]].*$//' | \
        sort -u | grep -v '^$'` ; do
        if [ "`echo $ip | grep '^[1-9]'`" = "" ] || \
           [ "`echo $ip | egrep '([a-z]|[A-Z]|^0|^255)'`" != "" ]; then
            echo "ERROR: $ip is not a valid IP address"
            continue
        elif [ -n "$WHITELIST" ] && echo "$ip" | egrep -q "$WHITELIST"; then
            ## TO DO: better whitelist parsing.  (The -n test matters: an
            ## empty pattern would match every address and block nothing.)
            echo "ERROR: $ip is whitelisted"
            continue
        elif [ "$port" = "" ]; then
            ## Block IP if no port is specified.
            $IPFW add 210 deny ip from $ip to any
        elif [ "$port" = 53 ]; then
            ## Block both tcp and udp if port = DNS.
            $IPFW add 211 deny tcp from $ip to any $port
            $IPFW add 211 deny udp from $ip to any $port
        else
            ## Else: block tcp (and not udp).
            $IPFW add 212 deny tcp from $ip to any $port
        fi
    done
}

## $BLACKLIST blocks all traffic from each address; $BLACKLIST.<port>
## blocks only that port.
for file in `ls $BLACKLIST $BLACKLIST.[1-9]* 2>/dev/null` ; do
    if [ ! -s "$file" ]; then
        echo "WARNING: empty $file"
        continue
    elif [ "$file" = "$BLACKLIST" ]; then
        port=""
    else
        port="`echo $file | awk -F. '{print $NF}'`"
        case $port in
            *[!0-9]*) echo "ERROR: invalid port: $port"; continue ;;
        esac
        if [ $port -lt 1 ] || [ $port -gt 65000 ]; then
            echo "ERROR: invalid port: $port"
            continue
        fi
    fi
    echo "PROCESSING: ${file} port: ${port}"
    filterfile "$file"
done

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Tue Nov 23 15:11:28 2004
Date: Tue, 23 Nov 2004 15:09:41 +0000 (GMT)
From: Robert Watson
To: Michal Mertl
cc: freebsd-security@freebsd.org
Subject: Re: mac_portacl and automatic port allocation
In-Reply-To: <41A1085B.6000807@traveller.cz>

On Sun, 21 Nov 2004, Michal Mertl wrote:

> I really like the idea behind mac_portacl but I find it difficult to use
> it because of one issue. When an unprivileged program binds to high
> automatic port with a call to bind(2) and port number set to 0 the
> system chooses the port to bind to itself. This mechanism is used by
> number of programs, most commonly by ftp clients in active mode.
> Unfortunately this 0 is checked by the mac_portacl(4) module and the
> call to bind is refused. Rather simple fix would be to check if the
> local port is 0 and user hasn't asked for IP_PORTRANGE_LOW and then
> allow the call to trivially succeed. It can be controlled by a sysctl if
> needed.
>
> What do you think of the patch below?

Seems like a good change to me.  Technically, there's probably a slight
atomicity problem relating to threads, since one thread could change the
flag while another thread is making the call to bind the socket.  I'm not
sure that's easily fixed without a specific MAC check in the inet code,
and what you propose is certainly a big improvement over what is there.

I'll get this, sans the printf, merged sometime today.

Thanks!

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research

From owner-freebsd-security@FreeBSD.ORG Tue Nov 23 16:23:44 2004
Message-ID: <41A3640C.2060001@traveller.cz>
Date: Tue, 23 Nov 2004 17:23:40 +0100
From: Michal Mertl User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; cs-CZ; rv:1.7.3) Gecko/20041117 X-Accept-Language: cs, en-us, en MIME-Version: 1.0 To: Robert Watson References: In-Reply-To: Content-Type: multipart/mixed; boundary="------------050001000402070006050702" cc: freebsd-security@freebsd.org Subject: Re: mac_portacl and automatic port allocation X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Nov 2004 16:23:45 -0000 This is a multi-part message in MIME format. --------------050001000402070006050702 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Robert Watson wrote(a): > On Sun, 21 Nov 2004, Michal Mertl wrote: > > >>I really like the idea behind mac_portacl but I find it difficult to use >>it because of one issue. When an unprivileged program binds to high >>automatic port with a call to bind(2) and port number set to 0 the >>system chooses the port to bind to itself. This mechanismus is used by >>number of programs, most commonly by ftp clients in active mode. >>Unfortunately this 0 is checked by the mac_portacl(4) module and the >>call to bind is refused. Rather simple fix would be to check if the >>local port is 0 and user hasn't asked for IP_PORTRANGE_LOW and then >>allow the call to trivially succeed. It can be controlled by a sysctl if >>needed. >> >>What do you think of the patch below? > > > Seems like a good change to me. Technically, there's probably a slight > atomicity problem relating to threads, since one thread could change the > flag while another thread is making the call to bind the socket. I'm not > sure that's easily fixed without a specific MAC check in the inet code, > and what you propose is certainly a big improvement over what is there. I noticed this potential problem. I don't think it's too serious. 
But it may possibly allow an attacker to bind to low ports, potentially blocking legitimate use of them. That's why I offered that the behavior in this case may be controlled by a sysctl. Extended patch attached. Binding to zero is disabled by default.

>
> I'll get this, sans the printf, merged sometime today.

Thank you.

> Thanks!
>
> Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org Principal Research Scientist, McAfee Research
>
>

--------------050001000402070006050702 Content-Type: text/plain; name="mac_portacl.c.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="mac_portacl.c.diff"
--- mac_portacl.c.orig Tue Nov 23 17:02:05 2004 +++ mac_portacl.c Tue Nov 23 17:08:39 2004 @@ -79,6 +79,7 @@ #include #include +#include #include @@ -100,6 +101,12 @@ TUNABLE_INT("security.mac.portacl.suser_exempt", &mac_portacl_suser_exempt); +static int mac_portacl_allow_bind_zero = 0; +SYSCTL_INT(_security_mac_portacl, OID_AUTO, allow_bind_zero, CTLFLAG_RW, + &mac_portacl_allow_bind_zero, 0, "Whether binding to port 0 (system chooses the port automaticaly) is permitted"); +TUNABLE_INT("security.mac.portacl.allow_bind_zero", + &mac_portacl_allow_bind_zero); + static int mac_portacl_port_high = 1023; SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW, &mac_portacl_port_high, 0, "Highest port to enforce for"); @@ -441,6 +448,7 @@ struct label *socketlabel, struct sockaddr *sockaddr) { struct sockaddr_in *sin; + struct inpcb *inp = sotoinpcb(so); int family, type; u_int16_t port;
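Review bot: in the SYSCTL_INT for allow_bind_zero the description string misspells "automatically" as "automaticaly", and that line runs well past 80 columns; wrap it the way the port_high declaration just below does, with the string on its own continuation line, e.g. `    &mac_portacl_allow_bind_zero, 0,` followed by `    "Whether binding to port 0 (system chooses the port automatically) is permitted");`. The new knob also needs an entry in mac_portacl(4) next to suser_exempt and port_high, stating that its default of 0 leaves the existing behaviour unchanged (port 0 still goes through rules_check()).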
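Review bot: `struct inpcb *inp = sotoinpcb(so);` is evaluated at declaration time, before the family and type handling in the unchanged lines between this hunk and the next; for a socket that is not PF_INET, so->so_pcb is not an inpcb, so the cast is only harmless if the function returns for other families before `inp` is dereferenced in the following hunk. Either confirm that early return exists, or move the sotoinpcb() call down to where `sin` and `port` are computed so the cast and its only use sit together.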
@@ -467,6 +475,11 @@ type = so->so_type; sin = (struct sockaddr_in *) sockaddr; port = ntohs(sin->sin_port); + /* If port == 0 and user hasn't asked for IP_PORTRANGELOW return + success */ + if (mac_portacl_allow_bind_zero && port == 0 && + (inp->inp_flags & INP_LOWPORT) == 0) + return (0); return (rules_check(cred, family, type, port)); } --------------050001000402070006050702-- From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 09:21:13 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B1FC16A4CE for ; Wed, 24 Nov 2004 09:21:13 +0000 (GMT) Received: from aspc.cs.utt.ro (aspc.cs.utt.ro [193.226.12.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5E49943D39 for ; Wed, 24 Nov 2004 09:21:12 +0000 (GMT) (envelope-from cbadescu@aspc.cs.utt.ro) Received: from aspc.cs.utt.ro (aspc [127.0.0.1]) by aspc.cs.utt.ro (8.12.10/8.12.10) with ESMTP id iAO9L45c005341 for ; Wed, 24 Nov 2004 11:21:04 +0200 Received: (from apache@localhost) by aspc.cs.utt.ro (8.12.10/8.12.10/Submit) id iAO9L4VL005339; Wed, 24 Nov 2004 11:21:04 +0200 
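Review bot: the `(inp->inp_flags & INP_LOWPORT) == 0` test is the unlocked read Robert Watson refers to above: another thread can set IP_PORTRANGE to IP_PORTRANGE_LOW on the same socket after this check and before in_pcbbind() selects the port, so a bind() with port 0 can reach port selection with INP_LOWPORT set without ever passing through rules_check(). The sysctl default of 0 keeps that path closed unless an administrator opts in, and mac_portacl(4) should say so where allow_bind_zero is documented. Two smaller points: the comment says IP_PORTRANGELOW, but the option is IP_PORTRANGE with the value IP_PORTRANGE_LOW (INP_LOWPORT is the flag it sets), and style(9) formats a multi-line comment as `/*` on its own line, ` * text` lines and a closing ` */`.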
From: Ciprian BADESCU X-Authentication-Warning: aspc.cs.utt.ro: apache set sender to cbadescu@aspc.cs.utt.ro using -f Received: from 62.23.212.61 (SquirrelMail authenticated user cbadescu); by aspc.cs.utt.ro with HTTP; Wed, 24 Nov 2004 11:21:04 +0200 (EET) Message-ID: <58613.62.23.212.61.1101288064.squirrel@62.23.212.61> In-Reply-To: <20041122200312.708B52BC0F@mx5.roble.com> References: <20041122120146.5292416A4CF@hub.freebsd.org> <20041122200312.708B52BC0F@mx5.roble.com> Date: Wed, 24 Nov 2004 11:21:04 +0200 (EET) To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.3a-0.f1.1 X-Mailer: SquirrelMail/1.4.3a-0.f1.1 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-aspc-MailScanner-Information: Please contact the ISP for more information X-aspc-MailScanner: Found to be clean X-MailScanner-From: cbadescu@aspc.cs.utt.ro Subject: Re: Importing into rc.firewal rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 09:21:13 -0000

> Francisco Reyes wrote:
>> I have a grown list of IPs that I am "deny ip from ###.### to any".
>> Infected machines, hackers, etc..
>> Is there a way to have this list outside of rc.firewall and just
>> read it in?

I've got another idea (the table structure is faster, so it should be used) of what should be put in /etc/rc.firewall:

awk -v fw="${ipfw}" '{print fw " table n add " $1}' /etc/badusers.txt | sh

Just be sure that awk is in your PATH, or use an absolute path.

> Lots of good recommendations in this thread.
> Our own is a customized rc.firewall script to parse multiple blacklist
> files, by IP and by port, with a little error checking:
>
> filterfile () {
>     for ip in `grep -hv '^#' $file | \
>         sed -e 's/^[[:space:]]*//' -e 's/#.*$//' -e 's/[[:space:]].*$//' | \
>         sort -u | grep -v '^$'` ; do
>         if [ "`echo $ip | grep ^[1-9]`" = "" ] || \
>            [ "`echo $ip | egrep '([a-z]|[A-Z]|^0|^255)'`" != "" ]; then
>             echo "ERROR: $ip is not a valid IP address"
>             continue
>         elif [ "`echo $ip | egrep $WHITELIST`" != "" ]; then
>             ## TO DO: better whitelist parsing.
>             echo "ERROR: $ip is whitelisted"
>             continue
>         elif [ "$port" = "" ]; then
>             ## Block IP if no port is specified.
>             $IPFW add 210 deny ip from $ip to any
>         elif [ $port = 53 ]; then
>             ## Block both tcp and udp if port = DNS.
>             $IPFW add 211 deny tcp from $ip to any $port
>             $IPFW add 211 deny udp from $ip to any $port
>         else
>             ## Else: block tcp (and not udp).
>             $IPFW add 212 deny tcp from $ip to any $port
>         fi
>     done
> }
>
> for file in `ls $BLACKLIST $BLACKLIST.[1-9]*` ; do
>     if [ ! -s $file ]; then
>         echo "WARNING: empty $file"
>         continue
>     elif [ "$file" = "$BLACKLIST" ]; then
>         port=""
>     else
>         port="`echo $file | awk -F. '{print $NF}'`"
>         if [ $port -lt 1 ] || [ $port -gt 65000 ]; then
>             echo "ERROR: invalid port: $port"
>             continue
>         fi
>     fi
>     echo "PROCESSING: ${file} port: ${port}"
>     filterfile $file
> done
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 15:13:21 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A738016A4CE for ; Wed, 24 Nov 2004 15:13:21 +0000 (GMT) Received: from smtp.nlink.com.br (smtp.nlink.com.br [201.12.59.3]) by mx1.FreeBSD.org (Postfix) with SMTP id 1E4AD43D5D for ; Wed, 24 Nov 2004 15:13:20 +0000 (GMT) (envelope-from paulo@nlink.com.br) Received: (qmail 33260 invoked from network); 24 Nov 2004 15:13:15 -0000 Received: from unknown (HELO ?201.12.59.126?) (paulo@intra.nlink.com.br@201.12.59.126) by smtp.nlink.com.br with SMTP; 24 Nov 2004 15:13:15 -0000 Message-ID: <41A4A505.5070808@nlink.com.br> Date: Wed, 24 Nov 2004 12:13:09 -0300
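Both approaches in this exchange feed addresses from a file into ipfw: Roger's script checks little more than the first digit, and Ciprian's one-liner checks nothing before the address reaches ipfw. The script below is an added example, not code from either post nor from FreeBSD's rc.firewall. It validates each entry as a dotted quad, honours a whitelist, and prints `ipfw table` commands plus the single deny rule that consults the table (the ipfw2 table syntax Ciprian refers to). The path /sbin/ipfw and table number 1 are this example's assumptions, overridable through FWCMD and TABLE; the sample blacklist in the comments is constructed.

```sh
#!/bin/sh
# Added example for this thread (not code posted by Ciprian, Francisco or
# Roger Marquis): load a blacklist file into an ipfw lookup table with
# stricter validation than the script quoted above.  Nothing here runs
# ipfw; the functions print the commands so they can be reviewed, or piped
# into sh from rc.firewall.  Assumed: ipfw at /sbin/ipfw and lookup table 1.

FWCMD="${FWCMD:-/sbin/ipfw}"
TABLE="${TABLE:-1}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are
# 0-255 and at most three digits each.  The quoted script accepts anything
# starting with 1-9, which lets "300.1.1.1" or "1.2.3" through to ipfw.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# strip_comments FILE: one candidate address per line; "#" comments,
# leading whitespace, trailing fields and blank lines removed; deduplicated.
strip_comments() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' "$1" \
        | grep -v '^$' | sort -u
}

# gen_table_adds BLACKLIST [WHITELIST]: print one "ipfw table N add IP" per
# valid, non-whitelisted address; rejected lines are reported on stderr.
# Constructed sample blacklist (one entry per line, as the test builds it):
#   # known scanner          -> comment, dropped
#   192.0.2.1   # scanner    -> added (trailing comment stripped)
#   256.1.1.1                -> ERROR, octet out of range
#   bad.host                 -> ERROR, not numeric
gen_table_adds() {
    blacklist=$1
    whitelist=${2:-}
    strip_comments "$blacklist" | while read -r ip; do
        if ! valid_ipv4 "$ip"; then
            echo "ERROR: $ip is not a valid IPv4 address" >&2
            continue
        fi
        if [ -n "$whitelist" ] && grep -qxF "$ip" "$whitelist"; then
            echo "SKIP: $ip is whitelisted" >&2
            continue
        fi
        echo "$FWCMD table $TABLE add $ip"
    done
}

# deny_rule: the one rule that consults the table, so the rule set stays
# the same size however long the blacklist grows.
deny_rule() {
    echo "$FWCMD add 210 deny ip from \"table($TABLE)\" to any"
}
```

From rc.firewall the intended use is `gen_table_adds /etc/badusers.txt /etc/goodusers.txt | sh` followed by `deny_rule | sh`; running the generators without the `| sh` gives a dry run that shows exactly which entries were rejected and why before anything touches the firewall.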
From: Paulo Fragoso User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041016 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Jail fails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 15:13:21 -0000

Hi,

We are trying to create a jail with FreeBSD 5.3 but it fails with this error:

cc -O -pipe -I/usr/obj/usr/src/i386/legacy/usr/include -c /usr/src/games/fortune/strfile/strfile.c
make: don't know how to make /j/usr/lib/libc.a. Stop
*** Error code 2

We are executing these commands in /usr/src:

export D=/j
make world DESTDIR=$D

Is there any problem with FreeBSD 5.3? We have always created jail environments this way before FreeBSD 5.3.

Thanks,
Paulo.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 15:26:03 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 46D0316A4CE for ; Wed, 24 Nov 2004 15:26:03 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id BFD1343D39 for ; Wed, 24 Nov 2004 15:26:02 +0000 (GMT) (envelope-from dr.clau@gmail.com) Received: by wproxy.gmail.com with SMTP id 68so411014wra for ; Wed, 24 Nov 2004 07:25:57 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=blR3GRClFL5Kd/S1vQENRSbcoMc3UH4hD03OFtdtq6VyRK3xQ5wz/jjRASd3x6pj85YKqGMPk4ZzyQkqVGR7nxtpSTVNIta4Y5kaiAl6a/vH+AUVSSIKQ9lKL+RiKGpZOkuxUUMgkvgb/5L3GCPzL/TQWH0F0HA98j0Uehv2W/8= Received: by 10.54.46.2 with SMTP id t2mr87148wrt; Wed, 24 Nov 2004 07:24:35 -0800 (PST) Received: by 10.54.21.10 with HTTP; Wed, 24 Nov 2004 07:24:34 -0800 (PST) Message-ID: Date: Wed, 24 Nov 2004 17:24:34 +0200 
From: Claudiu Dragalina-Paraipan To: Paulo Fragoso In-Reply-To: <41A4A505.5070808@nlink.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <41A4A505.5070808@nlink.com.br> cc: freebsd-security@freebsd.org Subject: Re: Jail fails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Claudiu Dragalina-Paraipan List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 15:26:03 -0000

Try this way:

cd /usr/src
make buildworld
make installworld DESTDIR=
cd etc
make distribution DESTDIR=<.....>

Now you should have everything, including /etc, in the jail home dir.

cheers,

On Wed, 24 Nov 2004 12:13:09 -0300, Paulo Fragoso wrote:
> Hi,
>
> We are trying to create a jail with FreeBSD 5.3 but it fails with this
> error:
>
> cc -O -pipe -I/usr/obj/usr/src/i386/legacy/usr/include -c
> /usr/src/games/fortune/strfile/strfile.c
> make: don't know how to make /j/usr/lib/libc.a. Stop
> *** Error code 2
>
> We are executing these commands in /usr/src:
>
> export D=/j
> make world DESTDIR=$D
>
> Is there any problem with FreeBSD 5.3? We have always created jail
> environments this way before FreeBSD 5.3.
>
> Thanks,
> Paulo.
-- Claudiu Dragalina-Paraipan e-mail: dr.clau@gmail.com From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 15:35:48 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B292816A4CE for ; Wed, 24 Nov 2004 15:35:48 +0000 (GMT) Received: from update.ods.org (221056.ds.nac.net [66.246.72.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D6A643D5A for ; Wed, 24 Nov 2004 15:35:48 +0000 (GMT) (envelope-from jd@ods.org) Received: from localhost (221056.ds.nac.net [127.0.0.1]) by update.ods.org (Postfix) with ESMTP id 12B11B488E for ; Wed, 24 Nov 2004 10:35:48 -0500 (EST) Received: from update.ods.org ([127.0.0.1]) by localhost (update.ods.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62509-06 for ; Wed, 24 Nov 2004 10:35:47 -0500 (EST) Received: from [10.0.2.15] (unknown [66.246.72.188]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by update.ods.org (Postfix) with ESMTP id 8A7C2B484E for ; Wed, 24 Nov 2004 10:35:47 -0500 (EST) Date: Wed, 24 Nov 2004 10:11:47 -0500 
From: Jason DiCioccio To: Paulo Fragoso , freebsd-security@freebsd.org Message-ID: In-Reply-To: <41A4A505.5070808@nlink.com.br> References: <41A4A505.5070808@nlink.com.br> X-Mailer: Mulberry/3.1.3 (Linux/x86) Resent-Date: Wed, 24 Nov 2004 10:27:50 -0500 Resent-From: Jason DiCioccio Resent-To: freebsd-security@freebsd.org Resent-Message-ID: <73A0A3D0C22B5B240EDCAB92@[10.102.0.67]> X-Resent-Mailer: Mulberry/3.1.3 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; FORMAT=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Virus-Scanned: amavisd-new at ods.org Subject: Re: Jail fails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 15:35:48 -0000

Greetings

--On Wednesday, November 24, 2004 12:13:09 -0300 Paulo Fragoso wrote:
> Hi,
>
> We are trying to create a jail with FreeBSD 5.3 but it fails with this
> error:
>
> cc -O -pipe -I/usr/obj/usr/src/i386/legacy/usr/include -c
> /usr/src/games/fortune/strfile/strfile.c
> make: don't know how to make /j/usr/lib/libc.a. Stop
> *** Error code 2
>
> We are executing these commands in /usr/src:
>
> export D=/j
> make world DESTDIR=$D
>

try:

env DESTDIR=$D make world

It's a weird bug(?) that I believe is being worked on.
Regards, -JD- From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 18:32:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 356E216A4CE for ; Wed, 24 Nov 2004 18:32:34 +0000 (GMT) Received: from server1.carmatec.com (server1.carmatec.com [66.45.229.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1D5F43D41 for ; Wed, 24 Nov 2004 18:32:33 +0000 (GMT) (envelope-from akhthar@carmatec.com) Received: from [202.88.173.225] (helo=server.trouble-free.net) by server1.carmatec.com with esmtpa (Exim 4.43) id 1CX1wM-0004uL-Ex for freebsd-security@freebsd.org; Wed, 24 Nov 2004 13:32:09 -0500 
From: "Akhthar Parvez. K" Organization: Carmatec Solutions To: freebsd-security@freebsd.org Date: Thu, 25 Nov 2004 00:02:37 +0530 User-Agent: KMail/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200411250002.37764.akhthar@carmatec.com> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server1.carmatec.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - carmatec.com X-Source: X-Source-Args: X-Source-Dir: Subject: Mbuf errors X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: akhthar@carmatec.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 18:32:34 -0000

Hi All,

The MySQL service is going down continuously on my system due to lack of memory space.

I checked the messages log and found the following error message:

All mbuf clusters exhausted, please see tuning(7).

I have no idea about mbuf clusters. Can anyone please help me to fix the issue? I hope the information below will help you.

Following is the output of top.
last pid: 84718;  load averages:  2.56,  2.29,  2.55   up 2+03:59:04  13:27:58
195 processes: 2 running, 193 sleeping
CPU states: 26.2% user,  0.0% nice, 10.0% system,  5.0% interrupt, 58.8% idle
Mem: 1912M Active, 995M Inact, 421M Wired, 132M Cache, 199M Buf, 27M Free
Swap: 2048M Total, 34M Used, 2014M Free, 1% Inuse

Following is the output of netstat -m

3797/14672/26624 mbufs in use (current/peak/max):
        3791 mbufs allocated to data
        2 mbufs allocated to fragment reassembly queue headers
        4 mbufs allocated to socket names and addresses
3704/6656/6656 mbuf clusters in use (current/peak/max)
16980 Kbytes allocated to network (85% of mb_map in use)
106522 requests for memory denied
1545 requests for memory delayed
0 calls to protocol drain routines

Please let me know if you need more info regarding this.
Thank you in advance.

--
With Regards,
Akhthar Parvez.K
System Administrator
Bangalore.
---------------------
NOTHING IS IMPOSSIBLE
Because Impossible itself says I'M POSSIBLE

From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 18:51:35 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6CB2216A4CE for ; Wed, 24 Nov 2004 18:51:35 +0000 (GMT) Received: from smtp.nlink.com.br (smtp.nlink.com.br [201.12.59.3]) by mx1.FreeBSD.org (Postfix) with SMTP id F3BF243D2D for ; Wed, 24 Nov 2004 18:51:33 +0000 (GMT) (envelope-from paulo@nlink.com.br) Received: (qmail 70422 invoked from network); 24 Nov 2004 18:51:32 -0000 Received: from unknown (HELO ?201.12.59.126?) (paulo@intra.nlink.com.br@201.12.59.126) by smtp.nlink.com.br with SMTP; 24 Nov 2004 18:51:32 -0000 Message-ID: <41A4D82E.9070602@nlink.com.br> Date: Wed, 24 Nov 2004 15:51:26 -0300
From: Paulo Fragoso User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041016 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jason DiCioccio References: <41A4A505.5070808@nlink.com.br> In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: Jail fails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 18:51:35 -0000

Jason DiCioccio wrote, On 24/11/2004 12:11:
> Greetings
>
> --On Wednesday, November 24, 2004 12:13:09 -0300 Paulo Fragoso
> wrote:
>
>> Hi,
>>
>> We are trying to create a jail with FreeBSD 5.3 but it fails with this
>> error:
>>
>> cc -O -pipe -I/usr/obj/usr/src/i386/legacy/usr/include -c
>> /usr/src/games/fortune/strfile/strfile.c
>> make: don't know how to make /j/usr/lib/libc.a. Stop
>> *** Error code 2
>>
>> We are executing these commands in /usr/src:
>>
>> export D=/j
>> make world DESTDIR=$D
>>
>
> try:
>
> env DESTDIR=$D make world
>
> It's a weird bug(?) that I believe is being worked on.

It's working now, thanks.

(off topic)
We have a similar problem with BATCH=YES using ports; after 5.2.1-RELEASE (not included) we are using:

export BATCH=yes && make install

instead of BATCH=yes in the main Makefile. Sounds like a make problem.

Paulo.
> > Regards, > -JD- From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 20:38:58 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05AE216A4F2 for ; Wed, 24 Nov 2004 20:38:58 +0000 (GMT) Received: from chicago.domecon.de (chicago.domecon.de [80.237.200.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4FFA43D55 for ; Wed, 24 Nov 2004 20:38:56 +0000 (GMT) (envelope-from eisenbarth@domecon.de) Received: (qmail 82764 invoked by uid 1032); 24 Nov 2004 20:38:55 -0000 Received: from eisenbarth@domecon.de by chicago.domecon.de by uid 89 with qmail-scanner-1.20 Clear:RC:1(213.23.15.42):SA:0(-0.6/8.0):. Processed in 2.118532 secs); 24 Nov 2004 20:38:55 -0000 X-Spam-Status: No, hits=-0.6 required=8.0 X-Qmail-Scanner-Mail-From: eisenbarth@domecon.de via chicago.domecon.de X-Qmail-Scanner: 1.20 (Clear:RC:1(213.23.15.42):SA:0(-0.6/8.0):. Processed in 2.118532 secs) Received: from dsl-213-023-015-042.arcor-ip.net (HELO localhost) (213.23.15.42) by domecon.de with SMTP; 24 Nov 2004 20:38:53 -0000 
From: Thomas Eisenbarth Organization: DoMeCon To: freebsd-security@freebsd.org, akhthar@carmatec.com Date: Wed, 24 Nov 2004 21:30:19 +0100 User-Agent: KMail/1.7 References: <200411250002.37764.akhthar@carmatec.com> In-Reply-To: <200411250002.37764.akhthar@carmatec.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1222736.GZYedOQJSF"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200411242130.24229.eisenbarth@domecon.de> Subject: Re: Mbuf errors X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 20:38:58 -0000 --nextPart1222736.GZYedOQJSF Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

Hi there,

On Wednesday, 24 November 2004 19:32, Akhthar Parvez. K wrote:
> All mbuf clusters exhausted, please see tuning(7).

Did you have a look at this?

> 3704/6656/6656 mbuf clusters in use (current/peak/max)
> 16980 Kbytes allocated to network (85% of mb_map in use)
> 106522 requests for memory denied
> 1545 requests for memory delayed

tuning(7):

kern.ipc.nmbclusters may be adjusted to increase the number of network mbufs the system is willing to allocate. Each cluster represents approximately 2K of memory, so a value of 1024 represents 2M of kernel memory reserved for network buffers. You can do a simple calculation to figure out how many you need. If you have a web server which maxes out at 1000 simultaneous connections, and each connection eats a 16K receive and 16K send buffer, you need approximately 32MB worth of network buffers to deal with it. A good rule of thumb is to multiply by 2, so 32MBx2 = 64MB/2K = 32768. So for this case you would want to set kern.ipc.nmbclusters to 32768.
We recommend values between 1024 and 4096 for machines with moderate amounts of memory, and between 4096 and 32768 for machines with greater amounts of memory. Under no circumstances should you specify an arbitrarily high value for this parameter, it could lead to a boot-time crash. The -m option to netstat(1) may be used to observe network cluster use. Older versions of FreeBSD do not have this tunable and require that the kernel config(8) option NMBCLUSTERS be set instead.

greetings
--
Thomas Eisenbarth eisenbarth@domecon.de
Donau-Ries Media-Consulting http://www.domecon.de

--nextPart1222736.GZYedOQJSF Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBpO9fktWR+KhvEXIRAsLtAJ981Z2q6AN40Gs7Jzr0sn/gOes3xACgh+e2
9pPm221JUweNuc+elgntZwo=
=3Uul
-----END PGP SIGNATURE-----
--nextPart1222736.GZYedOQJSF--

From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 19:17:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 23E7616A4CE; Wed, 24 Nov 2004 19:17:07 +0000 (GMT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D64643D4C; Wed, 24 Nov 2004 19:17:06 +0000 (GMT) (envelope-from anderson@centtech.com) Received: from [10.177.171.220] (neutrino.centtech.com [10.177.171.220]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id iAOJH3OJ066087; Wed, 24 Nov 2004 13:17:04 -0600 (CST) (envelope-from anderson@centtech.com) Message-ID: <41A4DE2A.6090200@centtech.com> Date: Wed, 24 Nov 2004 13:16:58 -0600
From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.3) Gecko/20041110 X-Accept-Language: en-us, en MIME-Version: 1.0 To: akhthar@carmatec.com References: <200411250002.37764.akhthar@carmatec.com> In-Reply-To: <200411250002.37764.akhthar@carmatec.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 25 Nov 2004 13:23:04 +0000 cc: freebsd-performance@freebsd.org Subject: Re: Mbuf errors X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 19:17:07 -0000

Akhthar Parvez. K wrote:
> Hi All,
>
> The MySQL service is going down continuously on my system due to lack of memory
> space.
>
> I checked the messages log and found the following error message.
>
> All mbuf clusters exhausted, please see tuning(7).
>
> I have no idea about mbuf clusters. Can anyone please help me to fix the issue.
>
> I hope the information below will help you.

[..snip..]

> Following is the output of netstat -m
>
> 3797/14672/26624 mbufs in use (current/peak/max):
>         3791 mbufs allocated to data
>         2 mbufs allocated to fragment reassembly queue headers
>         4 mbufs allocated to socket names and addresses
> 3704/6656/6656 mbuf clusters in use (current/peak/max)
> 16980 Kbytes allocated to network (85% of mb_map in use)
> 106522 requests for memory denied
> 1545 requests for memory delayed
> 0 calls to protocol drain routines
>
> Please let me know if you need more info regarding this.
> Thank you in advance.

This isn't really security related, more performance related, so I'm moving it to that list (freebsd-performance@).

The answer to your question is right in your email! In the tuning man page, it says:

kern.ipc.nmbclusters may be adjusted to increase the number of network mbufs the system is willing to allocate. Each cluster represents approximately 2K of memory, so a value of 1024 represents 2M of kernel memory reserved for network buffers. You can do a simple calculation to figure out how many you need. If you have a web server which maxes out at 1000 simultaneous connections, and each connection eats a 16K receive and 16K send buffer, you need approximately 32MB worth of network buffers to deal with it. A good rule of thumb is to multiply by 2, so 32MBx2 = 64MB/2K = 32768. So for this case you would want to set kern.ipc.nmbclusters to 32768. We recommend values between 1024 and 4096 for machines with moderate amounts of memory, and between 4096 and 32768 for machines with greater amounts of memory. Under no circumstances should you specify an arbitrarily high value for this parameter, it could lead to a boot-time crash. The -m option to netstat(1) may be used to observe network cluster use. Older versions of FreeBSD do not have this tunable and require that the kernel config(8) option NMBCLUSTERS be set instead.

More and more programs are using the sendfile(2) system call to transmit files over the network. The kern.ipc.nsfbufs sysctl controls the number of file system buffers sendfile(2) is allowed to use to perform its work. This parameter nominally scales with kern.maxusers so you should not need to modify this parameter except under extreme circumstances. See the TUNING section in the sendfile(2) manual page for details.

So basically you need to use sysctl to adjust (increase) the kern.ipc.nmbclusters number.

Eric

--
------------------------------------------------------------------------
Eric Anderson Sr.
Systems Administrator Centaur Technology When in doubt, mumble; when in trouble, delegate; when in charge, ponder ------------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Wed Nov 24 21:27:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81C2C16A4CE for ; Wed, 24 Nov 2004 21:27:31 +0000 (GMT) Received: from 168.18.broadband2.iol.cz (27.240.broadband2.iol.cz [83.208.240.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0F1343D2F for ; Wed, 24 Nov 2004 21:27:30 +0000 (GMT) (envelope-from bln@deprese.net) Received: from gprs40-132.eurotel.cz ([160.218.40.132] helo=[10.177.71.246]) by 168.18.broadband2.iol.cz with asmtp (Exim 4.41) id 1CX4fe-00083a-Ll for freebsd-security@freebsd.org; Wed, 24 Nov 2004 22:27:29 +0100 Message-ID: <41A4FCB5.2030500@deprese.net> Date: Wed, 24 Nov 2004 22:27:17 +0100 
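Both replies above quote the tuning(7) paragraph; neither shows how to turn the `netstat -m` snapshot Akhthar posted into an automatic check. The script below is an added example, not code from any post in this thread nor from FreeBSD. It parses the 4.x/5.x `netstat -m` format quoted above and flags the two exhaustion signs the thread relies on (cluster peak at the configured max, and non-zero denied requests), and it carries the tuning(7) sizing arithmetic as a function so the unit conversion is explicit. The function names and the constructed sample output in the test are this example's own.

```sh
#!/bin/sh
# Added example for the mbuf thread (not code posted by Thomas Eisenbarth,
# Eric Anderson or Akhthar): read a "netstat -m" snapshot in the 4.x/5.x
# format quoted above and report the signs of mbuf cluster exhaustion,
# plus the tuning(7) sizing rule as a function.  Use on the affected host
# as "netstat -m | check_mbufs" after sourcing this file; here it only
# parses text, so it can be tried on the quoted output.

# nmbclusters_for CONNS RECV_BYTES SEND_BYTES: tuning(7)'s rule of thumb:
# buffer memory for all connections, doubled, divided by the 2K cluster
# size.  tuning(7) rounds 1000 x 32K up to "32MB" and lands on 32768; the
# exact arithmetic below gives 32000 for the same inputs.
nmbclusters_for() {
    echo $(( $1 * ($2 + $3) * 2 / 2048 ))
}

# check_mbufs: read netstat -m output on stdin.  Warn when the peak number
# of mbuf clusters has reached the configured max (the allocator cannot
# grow past kern.ipc.nmbclusters) and when any request has been denied.
# Returns 1 if either warning fired, 0 otherwise.
check_mbufs() {
    status=0
    while read -r line; do
        case "$line" in
            *"mbuf clusters in use"*)
                triple=${line%% *}          # e.g. 3704/6656/6656
                cur=${triple%%/*}
                rest=${triple#*/}
                peak=${rest%%/*}
                max=${rest#*/}
                if [ "$peak" -ge "$max" ]; then
                    echo "WARN: mbuf clusters hit their limit: peak $peak of max $max (now $cur)"
                    echo "      raise kern.ipc.nmbclusters, e.g. to $((max * 2)), via sysctl(8) or /boot/loader.conf; do not pick an arbitrarily large value (tuning(7))"
                    status=1
                fi
                ;;
            *"requests for memory denied"*)
                denied=${line%% *}
                if [ "$denied" -gt 0 ]; then
                    echo "WARN: $denied allocation requests denied since boot"
                    status=1
                fi
                ;;
        esac
    done
    return $status
}
```

On Akhthar's output both warnings fire (peak 6656 equals max 6656, and 106522 requests were denied), which is the same diagnosis the thread reaches by reading the numbers by hand; the non-zero exit status makes it usable from cron or periodic(8).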
From: Ondra Holecek User-Agent: Mozilla Thunderbird 0.8 (X11/20041014) X-Accept-Language: en-us, en MIME-Version: 1.0 Cc: freebsd-security@freebsd.org References: <41A4A505.5070808@nlink.com.br> <41A4D82E.9070602@nlink.com.br> In-Reply-To: <41A4D82E.9070602@nlink.com.br> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 25 Nov 2004 13:23:04 +0000 Subject: Re: Jail fails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 21:27:31 -0000

Do you really need to create a full system? I think it is better to jail only one process, if it is possible of course...

Paulo Fragoso wrote:
> Jason DiCioccio wrote, On 24/11/2004 12:11:
>
>> Greetings
>>
>> --On Wednesday, November 24, 2004 12:13:09 -0300 Paulo Fragoso
>> wrote:
>>
>>> Hi,
>>>
>>> We are trying to create a jail with FreeBSD 5.3 but it fails with this
>>> error:
>>>
>>> cc -O -pipe -I/usr/obj/usr/src/i386/legacy/usr/include -c
>>> /usr/src/games/fortune/strfile/strfile.c
>>> make: don't know how to make /j/usr/lib/libc.a. Stop
>>> *** Error code 2
>>>
>>> We are executing these commands in /usr/src:
>>>
>>> export D=/j
>>> make world DESTDIR=$D
>>>
>>
>> try:
>>
>> env DESTDIR=$D make world
>>
>> It's a weird bug(?) that I believe is being worked on.
>
>
> It's working now, thanks.
>
> (off topic)
> We have a similar problem with BATCH=YES using ports; after
> 5.2.1-RELEASE (not included) we are using:
>
> export BATCH=yes && make install
>
> instead of BATCH=yes in the main Makefile. Sounds like a make problem.
>
> Paulo.
>
>> Regards,
>> -JD-
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

--
# If it happens once, it's a bug.
# If it happens twice, it's a feature.
# If it happens more than twice, it's a design philosophy.

From owner-freebsd-security@FreeBSD.ORG Sat Nov 27 07:46:55 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0752216A4CE; Sat, 27 Nov 2004 07:46:55 +0000 (GMT) Received: from mail.npubs.com (mail.zoneseven.net [209.66.100.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id D25BF43D2F; Sat, 27 Nov 2004 07:46:54 +0000 (GMT) (envelope-from nielsen@memberwebs.com)
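The jail population steps Claudiu and Jason give earlier in this thread (buildworld, installworld into DESTDIR, then make distribution) have one failure mode worse than the make error Paulo hit: an empty or wrong DESTDIR turns installworld into an install over the running host. The script below is an added example, not code from any post in this thread nor from FreeBSD. It validates the jail root before any make runs, builds the command sequence with DESTDIR passed through the environment (the form Jason suggested and Paulo reported working on 5.3), and only prints the commands unless RUN_MAKE=yes. SRCDIR, RUN_MAKE and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example for the jail thread (not from Claudiu's, Jason's or Paulo's
# mails): a guard around the "installworld/distribution into DESTDIR" steps
# given above.  The dangerous failure is an empty or wrong DESTDIR, which
# turns "make installworld" into an install over the running host, so the
# path is validated before any make runs.  Assumed: the jail root is the
# first argument and SRCDIR (default /usr/src) is the source tree; the make
# steps are only printed unless RUN_MAKE=yes, so this can be dry-run anywhere.

SRCDIR="${SRCDIR:-/usr/src}"

# validate_destdir PATH: print the path if it is safe to install a world
# into, otherwise print a reason on stderr and fail.  Refuses an empty
# value, "/", relative paths, paths with ".." components, and paths that
# do not already exist as a directory (mkdir the jail root deliberately).
validate_destdir() {
    d=$1
    case "$d" in
        '')  echo "DESTDIR is empty (would install over /)" >&2; return 1 ;;
        /)   echo "DESTDIR is / (would install over the host)" >&2; return 1 ;;
        /*)  ;;
        *)   echo "DESTDIR must be absolute: $d" >&2; return 1 ;;
    esac
    case "/$d/" in
        */../*) echo "DESTDIR contains ..: $d" >&2; return 1 ;;
    esac
    d=${d%/}                      # strip one trailing slash: /j/ -> /j
    [ -d "$d" ] || { echo "DESTDIR does not exist: $d" >&2; return 1; }
    echo "$d"
}

# jail_world_steps DESTDIR: the command sequence from the thread, in order,
# with DESTDIR in the environment (the form that worked for Paulo on 5.3)
# rather than on the make command line.
jail_world_steps() {
    dest=$(validate_destdir "$1") || return 1
    printf '%s\n' \
        "cd $SRCDIR && make buildworld" \
        "cd $SRCDIR && env DESTDIR=$dest make installworld" \
        "cd $SRCDIR/etc && env DESTDIR=$dest make distribution"
}

# run_steps DESTDIR: execute the steps only when RUN_MAKE=yes, else print
# them.  Fails, running nothing, when the destination does not validate.
run_steps() {
    steps=$(jail_world_steps "$1") || return 1
    if [ "${RUN_MAKE:-no}" = yes ]; then
        printf '%s\n' "$steps" | sh -e
    else
        printf '%s\n' "$steps"
    fi
}
```

A dry run is `sh thisfile.sh; run_steps /j`, which prints the three commands or explains why /j was refused; `RUN_MAKE=yes run_steps /j` then executes them under `sh -e`, so a failing buildworld stops before installworld touches the jail root.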
From: Nielsen User-Agent: Mozilla Thunderbird 0.8 (X11/20041020) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Andrei Grudiy References: <20041115084956.GA24138@interexc.com> X-Enigmail-Version: 0.86.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Message-Id: <20041127075906.86005840714@mail.npubs.com> X-AV-Checked: ClamAV using ClamSMTP Date: Sat, 27 Nov 2004 07:59:07 +0000 (GMT) cc: freebsd-security@freebsd.org cc: freebsd-stable@freebsd.org cc: freebsd-questions@freebsd.org Subject: Re: 100.chksetuid in /etc/periodic/security resets the mashine X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Nov 2004 07:46:55 -0000

Andrei Grudiy wrote:
> I have a problem.
> When I (or system) start the script 100.chksetuid in
> /etc/periodic/security my machine resets.

Are you using null mounts? Or perhaps jails? I've had a combination of these features cause a kernel panic. Too many 'find' processes going at once. Setting different jails to do their security checks at slightly different times fixed it for me.

Cheers,
Nate