From owner-freebsd-security Sun Sep 27 01:27:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA01051 for freebsd-security-outgoing; Sun, 27 Sep 1998 01:27:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from csi-x.net (csi-x.net [202.184.73.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA01041 for ; Sun, 27 Sep 1998 01:26:59 -0700 (PDT) (envelope-from najib@csi-x.net)
Received: from csi-x.net (nobody@csi-x.net [202.184.73.5]) by csi-x.net (8.9.1/8.9.1) with SMTP id QAA05826 for ; Sun, 27 Sep 1998 16:32:40 +0800 (MYT)
From: "Muhammad Najib"
Reply-to: najib@csi-x.net
To: freebsd-security@FreeBSD.ORG
Date: Sun, 27 Sep 98 16:32:42 -800
Subject: Re: Firewall ...
X-Mailer: DMailWeb Web to Mail Gateway 1.5af, http://netwinsite.com/top_mail.htm
Message-id: <360df82a.16bd.0@csi-x.net>
X-User-Info: 202.188.177.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>In some mail from Muhammad Najib, sie said:
>>
>> Thanx Andrew for that bunch of information. But actually I need it in 'ipf'
>> instead of 'ipfw' :)
>
>If you're using ipf, use "keep state".
>
>Darren
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

Thanx Darren,

Let me try this here. This is the file I made for trying-out purposes. It
actually allows DNS, telnet and ftp services only and disallows anything
other than those services.
# Allow ftp and ftp-data
pass in proto tcp from any to any port = 20 keep state
pass out proto tcp from any to any port = 20 keep state
pass in proto tcp from any to any port = 21 keep state
pass out proto tcp from any to any port = 21 keep state
# Allow telnet
pass in proto tcp from any to any port = 23 keep state
pass out proto tcp from any to any port = 23 keep state
# Allow DNS
pass in proto tcp from any to any port = 53 keep state
pass out proto tcp from any to any port = 53 keep state

Please point out to me if there's anything wrong with this. Thanx in advance.

regards,

******************************************************************
MUHAMMAD NAJIB ABDUL MUKTHI                member of My-Linux.ORG
NETWORK ENGINEER / SYSTEM ADMINISTRATOR    http://www.my-linux.org
Cutting Edge Enterprise
MPKS Tower Jalan Tunku Ibrahim             najib@mrsm.org
05000 Kedah Darulaman.                     najib@csi-x.net
http://najib.csi-x.net                     najib@kdupg.edu.my
Tel : 012-4717452                          najib@my-linux.org
******************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 27 05:17:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA26835 for freebsd-security-outgoing; Sun, 27 Sep 1998 05:17:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lohi.clinet.fi (lohi.clinet.fi [194.100.0.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA26822 for ; Sun, 27 Sep 1998 05:16:57 -0700 (PDT) (envelope-from hsu@mail.clinet.fi)
Received: from katiska.clinet.fi (katiska.clinet.fi [194.100.0.4]) by lohi.clinet.fi (8.9.1/8.9.0) with ESMTP id PAA17940 for ; Sun, 27 Sep 1998 15:17:53 +0300 (EEST)
Received: (from hsu@localhost) by katiska.clinet.fi (8.9.0/8.9.0) id PAA24629; Sun, 27 Sep 1998 15:16:42 +0300 (EEST)
Date: Sun, 27 Sep 1998 15:16:42 +0300 (EEST)
Message-Id: <199809271216.PAA24629@katiska.clinet.fi>
From: Heikki Suonsivu
To: freebsd-security@FreeBSD.ORG
Subject: ipfw
Organization: Clinet Ltd, Espoo, Finland
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How much work would it be to rewrite ipfw to have interface-specific lists
instead of the current global lists? I think it would probably work best if
directives with a "via" directive were entered into an ipfw list attached to
an if-specific structure, while the global ipfw lists would be handled
separately wherever they are handled today.

Another possibility would be a more efficient matching data structure for
ipfw, which would hash addresses, in/out ports and device numbers into a map
of rules applicable to a specific packet. I assume this would be more
complicated but a better solution in the long term, as it would scale.

We are building a >= 32-port device, and having ipfw lists global is a
tremendous waste of precious CPU, as most interfaces need at least some
interface-specific access lists.

--
Heikki Suonsivu / Clinet Oy / Tekniikantie 12 / FI-02150 Espoo / FINLAND,
hsu@clinet.fi mobile +358-40-5519679 work +358-9-43542270 fax -4555276

From owner-freebsd-security Sun Sep 27 07:00:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA02758 for freebsd-security-outgoing; Sun, 27 Sep 1998 07:00:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-14.igrin.co.nz [202.49.245.93]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA02751 for ; Sun, 27 Sep 1998 07:00:46 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id BAA02997; Mon, 28 Sep 1998 01:59:48 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 28 Sep 1998 01:59:47 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Heikki Suonsivu
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To: <199809271216.PAA24629@katiska.clinet.fi>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 27 Sep 1998, Heikki Suonsivu wrote:

> Date: Sun, 27 Sep 1998 15:16:42 +0300 (EEST)
> From: Heikki Suonsivu
> To: freebsd-security@FreeBSD.ORG
> Subject: ipfw
>
>
> How much work would it be to rewrite ipfw to have interface-specific lists
> instead of the current global lists? I think it would probably work best if
> directives with a "via" directive were entered into an ipfw list attached
> to an if-specific structure, while the global ipfw lists would be handled
> separately wherever they are handled today.
>
> Another possibility would be a more efficient matching data structure for
> ipfw, which would hash addresses, in/out ports and device numbers into a
> map of rules applicable to a specific packet. I assume this would be more
> complicated but a better solution in the long term, as it would scale.
>
> We are building a >= 32-port device, and having ipfw lists global is a
> tremendous waste of precious CPU, as most interfaces need at least some
> interface-specific access lists.

Some improvement could be had from a hash table, but you can go a long way
with a decision tree implemented with skipto, and it's a far more general
technique.

To split by interface you can do stuff like:

1000 skipto 10000 ip from any to any via lo0
1010 skipto 12000 ip from any to any via ed0
1010 skipto 14000 ip from any to any via ed1
1020 skipto 18000 ip from any to any via ed2
...

I've just set up ipfw for a school where I defined 5 general security zones
(the router, world, office, servers, classrooms) using a combination of
interface and ip# and multiplexed first by which zone the packet was from and
then by which zone the packet was going to.
In some cases there was an allow or deny rule in the second decision level,
and for the others the packet got run through a list with a deny all rule at
the end of it. The whole ruleset consists of a bit over 100 rules (not all
that big anyway), but the worst case number of comparisons for any given
packet is about 15 (could be improved a little if desired) and, at least as
importantly, it's easy to find the relevant rules for any given communication
and know you haven't missed anything.

A downside of this scheme is that rules related to one session are not
located in the same place for incoming and outgoing traffic.

Interaction between global and interface specific rule sets could be a bit
messy, depending on what you want to do. You can run one set after another,
but need to be clear about how the rulesets are going to interact. I could
see good uses for a subroutine-like mechanism in simplifying the rules for
this sort of thing, but you can pretty much set up whatever you like as is.

Andrew

From owner-freebsd-security Sun Sep 27 07:19:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA04160 for freebsd-security-outgoing; Sun, 27 Sep 1998 07:19:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA04152 for ; Sun, 27 Sep 1998 07:19:45 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id QAA11808; Sun, 27 Sep 1998 16:13:01 +0200 (CEST)
To: andrew@squiz.co.nz
cc: Heikki Suonsivu , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
In-reply-to: Your message of "Mon, 28 Sep 1998 01:59:47 +1200."
Date: Sun, 27 Sep 1998 16:13:00 +0200
Message-ID: <11806.906905580@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Andrew McNaughton writes:
>On Sun, 27 Sep 1998, Heikki Suonsivu wrote:
>
>> Date: Sun, 27 Sep 1998 15:16:42 +0300 (EEST)
>> From: Heikki Suonsivu
>> To: freebsd-security@FreeBSD.ORG
>> Subject: ipfw
>>
>>
>> How much work would it be to rewrite ipfw to have interface-specific lists
>> instead of the current global lists?

A long time ago I suggested splitting the one list we have today into several
lists, specifically:

* per interface input list
* per interface output list
* packet forwarding list
* ip_input() list
* ip_output() list

Doing it would be simple, but people complained that configuring it would
be too complex.

This would save a lot of time in complex filters.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Sun Sep 27 10:02:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA16270 for freebsd-security-outgoing; Sun, 27 Sep 1998 10:02:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA16259 for ; Sun, 27 Sep 1998 10:02:42 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id TAA01034 for freebsd-security@FreeBSD.ORG; Sun, 27 Sep 1998 19:02:32 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (VMailer, from userid 101) id AF3521531; Sun, 27 Sep 1998 16:58:09 +0200 (CEST)
Date: Sun, 27 Sep 1998 16:58:09 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
Message-ID: <19980927165809.A26371@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <11806.906905580@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.94.4i
In-Reply-To: <11806.906905580@critter.freebsd.dk>; from Poul-Henning Kamp on Sun, Sep 27, 1998 at 04:13:00PM +0200
X-Operating-System: FreeBSD 3.0-BETA/ELF ctm#4660 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Poul-Henning Kamp:
> * per interface input list
> * per interface output list
> * packet forwarding list
> * ip_input() list
> * ip_output() list
>
> Doing it would be simple, but people complained that configuring it would
> be too complex.

Even having #1, #2 and #3 would be nice. In my experience with Network
Systems' routers (which have the 5 levels above), most people use the first
three most.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-BETA #0: Sat Sep 19 23:38:25 CEST 1998

From owner-freebsd-security Sun Sep 27 10:19:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA17706 for freebsd-security-outgoing; Sun, 27 Sep 1998 10:19:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA17701 for ; Sun, 27 Sep 1998 10:19:29 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id TAA12024; Sun, 27 Sep 1998 19:14:09 +0200 (CEST)
To: Ollivier Robert
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
In-reply-to: Your message of "Sun, 27 Sep 1998 16:58:09 +0200." <19980927165809.A26371@keltia.freenix.fr>
Date: Sun, 27 Sep 1998 19:14:08 +0200
Message-ID: <12022.906916448@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19980927165809.A26371@keltia.freenix.fr>, Ollivier Robert writes:
>According to Poul-Henning Kamp:
>> * per interface input list
>> * per interface output list
>> * packet forwarding list
>> * ip_input() list
>> * ip_output() list
>>
>> Doing it would be simple, but people complained that configuring it would
>> be too complex.
>
>Even having #1, #2 and #3 would be nice. In my experience with Network
>Systems' routers (which have the 5 levels above), most people use the first
>three most.

... for routers, and the last two most for hosts, although #1 and #2 will do
the same thing on a one-interface machine.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Sun Sep 27 11:12:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA23451 for freebsd-security-outgoing; Sun, 27 Sep 1998 11:12:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA23437 for ; Sun, 27 Sep 1998 11:12:10 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id UAA07194; Sun, 27 Sep 1998 20:11:42 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id UAA20349; Sun, 27 Sep 1998 20:11:40 +0200 (MET DST)
Message-ID: <19980927201139.00803@follo.net>
Date: Sun, 27 Sep 1998 20:11:39 +0200
From: Eivind Eklund
To: Poul-Henning Kamp , andrew@squiz.co.nz
Cc: Heikki Suonsivu , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
References: <11806.906905580@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <11806.906905580@critter.freebsd.dk>; from Poul-Henning Kamp on Sun, Sep 27, 1998 at 04:13:00PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Sep 27, 1998 at 04:13:00PM +0200, Poul-Henning Kamp wrote:
> A long time ago I suggested splitting the one list we have today into several
> lists, specifically:
>
> * per interface input list
> * per interface output list
> * packet forwarding list
> * ip_input() list
> * ip_output() list
>
> Doing it would be simple, but people complained that configuring it would
> be too complex.
>
> This would save a lot of time in complex filters.
I don't think it would have to be complex to configure it - we could do this
splitting automatically, based on what the user has configured and an 'ipfw
finalize' or similar.

Of course, I would rather have everything be explicit, but that has been
shouted down when I suggested it, too.

Eivind.

From owner-freebsd-security Sun Sep 27 11:56:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA28561 for freebsd-security-outgoing; Sun, 27 Sep 1998 11:56:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA28547 for ; Sun, 27 Sep 1998 11:56:29 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id OAA04433; Sun, 27 Sep 1998 14:56:14 -0400 (EDT) (envelope-from wollman)
Date: Sun, 27 Sep 1998 14:56:14 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199809271856.OAA04433@khavrinen.lcs.mit.edu>
To: Eivind Eklund
Cc: Poul-Henning Kamp , andrew@squiz.co.nz, Heikki Suonsivu , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To: <19980927201139.00803@follo.net>
References: <11806.906905580@critter.freebsd.dk> <19980927201139.00803@follo.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

>> * per interface input list
>> * per interface output list
>> * packet forwarding list
>> * ip_input() list
>> * ip_output() list

> I don't think it would have to be complex to configure it - we could
> do this splitting automatically, based on what the user has
> configured and an 'ipfw finalize' or similar.

> Of course, I would rather have everything be explicit, but that has
> been shouted down when I suggested it, too.

int fast1/0
 ip access-group nosmurf out
!
int eth3/0
 ip access-group mumblefrotz in
!
line vty 0 3
 access-class 27
!

...sound familiar?

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sun Sep 27 12:45:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA03690 for freebsd-security-outgoing; Sun, 27 Sep 1998 12:45:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA03650 for ; Sun, 27 Sep 1998 12:45:34 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 12756 invoked by uid 1001); 27 Sep 1998 19:45:20 +0000 (GMT)
To: wollman@khavrinen.lcs.mit.edu
Cc: eivind@yes.no, phk@critter.freebsd.dk, andrew@squiz.co.nz, hsu@clinet.fi, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To: Your message of "Sun, 27 Sep 1998 14:56:14 -0400 (EDT)"
References: <199809271856.OAA04433@khavrinen.lcs.mit.edu>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 27 Sep 1998 21:45:20 +0200
Message-ID: <12754.906925520@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Of course, I would rather have everything be explicit, but that has
> > been shouted down when I suggested it, too.
>
> int fast1/0
>  ip access-group nosmurf out
> !
> int eth3/0
>  ip access-group mumblefrotz in
> !
> line vty 0 3
>  access-class 27
> !
>
> ...sound familiar?

Very. I'd love to have something similar to Cisco access lists available.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sun Sep 27 23:20:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA08357 for freebsd-security-outgoing; Sun, 27 Sep 1998 23:20:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA08331; Sun, 27 Sep 1998 23:20:42 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id CAA06406; Mon, 28 Sep 1998 02:20:34 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9809280220.ZM6404@beatrice.rutgers.edu>
Date: Mon, 28 Sep 1998 02:20:33 -0400
In-Reply-To: Terry Lambert "Re: Booting from NT ?" (Sep 26, 6:43pm)
References: <199809262242.PAA24523@usr04.primenet.com>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Terry Lambert
Subject: Re: Booting from NT ?
Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 26, 6:43pm, Terry Lambert (possibly) wrote:
> The minimal modification is an MFS /var, mounted early, and a symlink
> from /tmp -> /var/tmp, yes.
>
> Having a DEVFS (with SLICE) also helps... one less thing to deal
> with not being R/O.

Question... what does happen if one has a R/O root filesystem, including
/dev, without DEVFS? I'm constructing a firewall computer with a (switchable
- a nice facility of some Seagate drives) hard drive for root, a second
writeable drive for /var and swap, and a /tmp MFS. What problems am I likely
to run into with /dev? I'd really prefer not to have it as a symlink to
/var/dev or some such...
-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Sun Sep 27 23:21:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA08401 for freebsd-security-outgoing; Sun, 27 Sep 1998 23:21:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA08395 for ; Sun, 27 Sep 1998 23:21:56 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id SAA17886 for ; Mon, 28 Sep 1998 18:21:41 +1200 (NZST)
Message-Id: <199809280621.SAA17886@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: security@FreeBSD.ORG
Date: Mon, 28 Sep 1998 18:21:40 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: ipfw vs ipf : pros/cons
Reply-to: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been recently introduced to ipf. I've been using ipfw for my
firewall/router on my home subnet. For such an application (ie. a three node
subnet), where the rules are pretty basic, I can't see any reason for me to
switch.

I'm not wishing to start a flame war, but what I am looking for is stuff I
may be missing. I've concluded that the reporting within ipf is better in
terms of packets denied etc, but what other possible reasons would exist for
me to change? Given my situation.

Advice always appreciated.
--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

From owner-freebsd-security Mon Sep 28 00:04:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA13794 for freebsd-security-outgoing; Mon, 28 Sep 1998 00:04:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA13771; Mon, 28 Sep 1998 00:04:11 -0700 (PDT) (envelope-from luigi@labinfo.iet.unipi.it)
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id GAA03233; Mon, 28 Sep 1998 06:02:48 +0100
From: Luigi Rizzo
Message-Id: <199809280502.GAA03233@labinfo.iet.unipi.it>
Subject: Re: Booting from NT ?
To: easmith@beatrice.rutgers.edu (Allen Smith)
Date: Mon, 28 Sep 1998 06:02:47 +0100 (MET)
Cc: tlambert@primenet.com, security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: <9809280220.ZM6404@beatrice.rutgers.edu> from "Allen Smith" at Sep 28, 98 02:20:14 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Question... what does happen if one has a R/O root filesystem,
> including /dev, without DEVFS? I'm constructing a firewall computer
> with a (switchable - a nice facility of some Seagate drives) hard
> drive for root, a second writeable drive for /var and swap, and a /tmp
> MFS. What problems am I likely to run into with /dev? I'd really
> prefer not to have it as a symlink to /var/dev or some such...

Not sure. I generally put /dev in /var/dev and repopulate /var at boot from
a tgz file. It is much more convenient, because you can then create new
device entries if needed.
luigi

From owner-freebsd-security Mon Sep 28 01:41:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA29199 for freebsd-security-outgoing; Mon, 28 Sep 1998 01:41:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA29178; Mon, 28 Sep 1998 01:41:14 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id BAA05970; Mon, 28 Sep 1998 01:41:01 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id BAA01147; Mon, 28 Sep 1998 01:41:00 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id BAA03201; Mon, 28 Sep 1998 01:40:59 -0700 (PDT)
From: Don Lewis
Message-Id: <199809280840.BAA03201@salsa.gv.tsc.tdk.com>
Date: Mon, 28 Sep 1998 01:40:58 -0700
In-Reply-To: "Allen Smith" "Re: Booting from NT ?" (Sep 28, 2:20am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: "Allen Smith"
Subject: Re: Booting from NT ?
Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 28, 2:20am, "Allen Smith" wrote:
} Subject: Re: Booting from NT ?
} Question... what does happen if one has a R/O root filesystem,
} including /dev, without DEVFS? I'm constructing a firewall computer
} with a (switchable - a nice facility of some Seagate drives) hard
} drive for root, a second writeable drive for /var and swap, and a /tmp
} MFS. What problems am I likely to run into with /dev?
} I'd really
} prefer not to have it as a symlink to /var/dev or some such...

You won't be able to chown() and chmod() the tty devices when you log in.

Before /dev/log was made a symlink to /var/run/log, syslogd wouldn't be able
to create /dev/log.

From owner-freebsd-security Mon Sep 28 01:42:38 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA29444 for freebsd-security-outgoing; Mon, 28 Sep 1998 01:42:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rnocserv.urc.ac.ru (rnocserv.urc.ac.ru [193.233.85.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA29189 for ; Mon, 28 Sep 1998 01:41:20 -0700 (PDT) (envelope-from anton@urc.ac.ru)
Received: from urc.ac.ru (Belle.urc.ac.ru [193.233.85.55]) by rnocserv.urc.ac.ru (8.8.8/8.8.8) with ESMTP id OAA02065; Mon, 28 Sep 1998 14:36:19 +0600 (ESS) (envelope-from anton@urc.ac.ru)
Message-ID: <360F4A82.2A2E8157@urc.ac.ru>
Date: Mon, 28 Sep 1998 14:36:18 +0600
From: Anton Voronin
Organization: URC FREEnet
X-Mailer: Mozilla 4.5b1 [ru] (X11; I; FreeBSD 2.2.7-STABLE i386)
X-Accept-Language: ru
MIME-Version: 1.0
To: Allen Smith , freebsd-security@FreeBSD.ORG
Subject: Re: Booting from NT ?
References: <199809262242.PAA24523@usr04.primenet.com> <9809280220.ZM6404@beatrice.rutgers.edu>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Allen Smith wrote:

> Question... what does happen if one has a R/O root filesystem,
> including /dev, without DEVFS? I'm constructing a firewall computer
> with a (switchable - a nice facility of some Seagate drives) hard
> drive for root, a second writeable drive for /var and swap, and a /tmp
> MFS. What problems am I likely to run into with /dev?
> I'd really
> prefer not to have it as a symlink to /var/dev or some such...
>
> -Allen
>
>

It needs to write /dev/console but it does this before mounting according to
fstab. If you protect your hard drive it probably won't work. Try to just
mount it with -ro option.

Anton

--
Anton Voronin              | Ural Regional Center of FREEnet,
                           | Southern Ural University, Chelyabinsk, Russia
http://www.urc.ac.ru/~anton | Programmer & System Administrator

From owner-freebsd-security Mon Sep 28 01:47:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA00244 for freebsd-security-outgoing; Mon, 28 Sep 1998 01:47:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA00239 for ; Mon, 28 Sep 1998 01:47:12 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id EAA14013; Mon, 28 Sep 1998 04:42:03 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9809280442.ZM14011@beatrice.rutgers.edu>
Date: Mon, 28 Sep 1998 04:42:02 -0400
In-Reply-To: Anton Voronin "Re: Booting from NT ?" (Sep 28, 4:39am)
References: <199809262242.PAA24523@usr04.primenet.com> <9809280220.ZM6404@beatrice.rutgers.edu> <360F4A82.2A2E8157@urc.ac.ru>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Anton Voronin , freebsd-security@FreeBSD.ORG
Subject: Re: Booting from NT ?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 28, 4:39am, Anton Voronin (possibly) wrote:
> Allen Smith wrote:
>
> > Question... what does happen if one has a R/O root filesystem,
> > including /dev, without DEVFS?
> > I'm constructing a firewall computer
> > with a (switchable - a nice facility of some Seagate drives) hard
> > drive for root, a second writeable drive for /var and swap, and a /tmp
> > MFS. What problems am I likely to run into with /dev? I'd really
> > prefer not to have it as a symlink to /var/dev or some such...
>
> It needs to write /dev/console but it does this before mounting according to
> fstab. If you protect your hard drive it probably won't work. Try to just
> mount it with -ro option.

Sorry, that would defeat the purpose - if somebody gets root on the machine,
they can override that. If it's _physically_ read-only, they can't. If need
be, I'll do something like moving /dev/console to /var/dev/console and
putting in a symlink - thanks for the information.

-Allen
--
Allen Smith easmith@beatrice.rutgers.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 28 02:39:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA07910 for freebsd-security-outgoing; Mon, 28 Sep 1998 02:39:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA07887 for ; Mon, 28 Sep 1998 02:39:10 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id CAA06305; Mon, 28 Sep 1998 02:33:25 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id CAA01897; Mon, 28 Sep 1998 02:33:24 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id CAA03313; Mon, 28 Sep 1998 02:33:22 -0700 (PDT)
From: Don Lewis
Message-Id: <199809280933.CAA03313@salsa.gv.tsc.tdk.com>
Date: Mon, 28 Sep 1998 02:33:22 -0700
In-Reply-To: Anton Voronin "Re: Booting from NT ?" (Sep 28, 2:36pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Anton Voronin , Allen Smith , freebsd-security@FreeBSD.ORG
Subject: Re: Booting from NT ?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 28, 2:36pm, Anton Voronin wrote:
} Subject: Re: Booting from NT ?
} Allen Smith wrote:
}
} > Question... what does happen if one has a R/O root filesystem,
} > including /dev, without DEVFS? I'm constructing a firewall computer
} > with a (switchable - a nice facility of some Seagate drives) hard
} > drive for root, a second writeable drive for /var and swap, and a /tmp
} > MFS. What problems am I likely to run into with /dev? I'd really
} > prefer not to have it as a symlink to /var/dev or some such...
}
} It needs to write /dev/console but it does this before mounting according to
} fstab. If you protect your hard drive it probably won't work. Try to just
} mount it with -ro option.

That should not be a problem. You should be able to write to /dev/console
or /dev/null even with a physically write-protected disk, because writes to
these devices don't require changing any of the bits on the disk.

Just be sure to mount the filesystem read-only as well, otherwise the kernel
will get upset when it tries to update the mtime on these devices and can't
because the disk is write-protected.
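An added example, not from Don's message or anyone else in this thread: a small sh script a practitioner can run after booting the layout Allen describes (write-protected root disk, writable second disk for /var, MFS /tmp) to confirm that / really is mounted read-only, as Don recommends, and that a device node on that read-only filesystem still accepts writes. The `mount -p` text embedded below is constructed sample input in FreeBSD's fstab-style output format; the device names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): post-boot sanity checks for a
# firewall with a write-protected root disk and a writable /var disk.
# Device names below are assumptions.

# Constructed sample of `mount -p` output. FreeBSD prints it in fstab
# format: device mountpoint fstype options dump pass.
SAMPLE_MOUNT_P='/dev/wd0s1a / ufs ro 1 1
/dev/wd1s1e /var ufs rw 2 2
mfs:21 /tmp mfs rw 0 0'

# root_is_ro MOUNT_P_TEXT
# Succeeds only if the line for "/" carries the ro option. Without it the
# kernel tries to update inode times on the device nodes, and a physically
# write-protected disk refuses those writes.
root_is_ro() {
    printf '%s\n' "$1" | awk '
        $2 == "/" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# console_writable [DEVICE]
# A write to a character device on a read-only filesystem goes to the
# driver, not to the disk, so it succeeds even with / mounted ro.
# Fails only if the node is missing or is not a device node.
console_writable() {
    dev=${1:-/dev/null}
    [ -c "$dev" ] && printf 'console check\n' > "$dev" 2>/dev/null
}

# Run against the live system: sh check_ro_root.sh --live
if [ "${1:-}" = "--live" ]; then
    if root_is_ro "$(mount -p)"; then
        echo "/ is mounted read-only"
    else
        echo "/ is NOT mounted read-only; set ro in fstab before write-protecting the disk"
    fi
    console_writable /dev/console && echo "/dev/console accepts writes"
fi
```

The second check is the whole point of Don's remark: a write-protected disk only forbids changing blocks on the disk, and writing to /dev/console never does that; it is the time-stamp update on the device inode that a read-write mount would attempt and fail.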
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 28 06:11:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA06308 for freebsd-security-outgoing; Mon, 28 Sep 1998 06:11:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA06285 for ; Mon, 28 Sep 1998 06:11:30 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id JAA15301; Mon, 28 Sep 1998 09:11:06 -0400 (EDT)
Date: Mon, 28 Sep 1998 09:11:06 -0400 (EDT)
Message-Id: <199809281311.JAA15301@trooper.velocet.ca>
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Don Lewis
Cc: Anton Voronin , Allen Smith , freebsd-security@FreeBSD.ORG
Subject: Re: Booting from NT ?
In-Reply-To: <199809280933.CAA03313@salsa.gv.tsc.tdk.com>
References: <199809280933.CAA03313@salsa.gv.tsc.tdk.com>
X-Mailer: VM 6.34 under Emacs 20.2.1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Don" == Don Lewis writes:

Don> On Sep 28, 2:36pm, Anton Voronin wrote: } Subject: Re: Booting
Don> from NT ? } Allen Smith wrote: } } > Question... what does
Don> happen if one has a R/O root filesystem, } > including /dev,
Don> without DEVFS? I'm constructing a firewall computer } > with a
Don> (switchable - a nice facility of some Seagate drives) hard } >
Don> drive for root, a second writeable drive for /var and swap, and a
Don> /tmp } > MFS. What problems am I likely to run into with /dev?
Don> I'd really } > prefer not to have it as a symlink to /var/dev or
Don> some such...

Don> } It needs to write /dev/console but it does this before mounting
Don> according to } fstab. If you protect your hard drive it probably
Don> won't work. Try to just } mount it with -ro option.

Don> That should not be a problem. You should be able to write to
Don> /dev/console or /dev/null even with a physically write-protected
Don> disk, because writes to these devices don't require changing any
Don> of the bits on the disk.

Don> Just be sure to mount the filesystem read-only as well, otherwise
Don> the kernel will get upset when it tries to update the mtime on
Don> these devices and can't because the disk is write-protected.

I was trying this using a bootable CDROM. The kernel hangs just before
kicking off /etc/rc. My initial attempt has been with a standard install of
2.2.6 (was a month or two ago). Not that this is different to how the
install boots from the cdrom. It has a writable RAM mounted root
partition... preloaded inside the compressed kernel.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.   | Two things can only be      |
|Mail: dgilbert@velocet.net               | equal if and only if they   |
|http://www.velocet.net/~dgilbert         | are precisely opposite.
|
=========================================================GLO================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 28 08:46:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA28229 for freebsd-security-outgoing; Mon, 28 Sep 1998 08:46:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA28224 for ; Mon, 28 Sep 1998 08:46:52 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no)
Received: from bergelmir.ifi.uio.no (2602@bergelmir.ifi.uio.no [129.240.65.172]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id RAA07452; Mon, 28 Sep 1998 17:46:17 +0200 (MET DST)
Received: (from dag-erli@localhost) by bergelmir.ifi.uio.no ; Mon, 28 Sep 1998 17:46:17 +0200 (MET DST)
Mime-Version: 1.0
To: Harold Gutch
Cc: Ian Kallen , freebsd-security@FreeBSD.ORG
Subject: Re: corrupted libwrap?
References: <19980921221727.A20938@foobar.franken.de>
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/
X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list
X-disclaimer-1: The views expressed in this article are mine alone, and do
X-disclaimer-2: not necessarily coincide with those of any organisation or
X-disclaimer-3: company with which I am or have been affiliated.
X-Stop-Spam: http://www.cauce.org/
From: dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav)
Date: 28 Sep 1998 17:46:16 +0200
In-Reply-To: Harold Gutch's message of "Mon, 21 Sep 1998 22:17:27 +0200"
Message-ID:
Lines: 20
X-Mailer: Gnus v5.5/Emacs 19.34
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id IAA28225
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Harold Gutch writes:
> On Mon, Sep 21, 1998 at 11:20:39AM -0700, Ian Kallen wrote:
> > % telnet freebsd.hopeless.net
> > Trying 192.169.1.55...
> > Connected to freebsd.hopeless.net.
> > Escape character is '^]'.
> Off topic, but:
>
> $ host freebsd.hopeless.net
> Host not found.

Off topic, but it is generally regarded as a bad move securitywise to
publish the host name and IP address of a non-public machine in a public
forum. Hence Ian used fake addresses. Other people read RFCs, too.

DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 28 08:48:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA28533 for freebsd-security-outgoing; Mon, 28 Sep 1998 08:48:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA28527 for ; Mon, 28 Sep 1998 08:48:54 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no)
Received: from bergelmir.ifi.uio.no (2602@bergelmir.ifi.uio.no [129.240.65.172]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id RAA07772; Mon, 28 Sep 1998 17:48:36 +0200 (MET DST)
Received: (from dag-erli@localhost) by bergelmir.ifi.uio.no ; Mon, 28 Sep 1998 17:48:35 +0200 (MET DST)
Mime-Version: 1.0
To: Tomaz Borstnar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
References: <199809220726.AAA07687@hub.freebsd.org>
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/
X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list
X-disclaimer-1: The views expressed in this article are mine alone, and do
X-disclaimer-2: not necessarily coincide with those of any organisation or
X-disclaimer-3: company with which I am or have been affiliated.
X-Stop-Spam: http://www.cauce.org/
From: dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav)
Date: 28 Sep 1998 17:48:35 +0200
In-Reply-To: Tomaz Borstnar's message of "Tue, 22 Sep 1998 09:26:12 +0200"
Message-ID:
Lines: 11
X-Mailer: Gnus v5.5/Emacs 19.34
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id IAA28529
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tomaz Borstnar writes:
> Anyone did testing on performance of IPFW and IPFilter? From feature list
> it looks like IPfilter has better interface and more features, but what
> about perfomance? Also what kind of machine would you suggest for firewall?
> As fast as possible CPU, 256MB RAM and plenty of disk?

A 486DX2/66 with snappy NICs, a 100 MB disk and 16 MB RAM oughta be enough.
DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 28 14:48:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02996 for freebsd-security-outgoing; Mon, 28 Sep 1998 14:48:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from smtp03.primenet.com (smtp03.primenet.com [206.165.6.133]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02990; Mon, 28 Sep 1998 14:48:15 -0700 (PDT) (envelope-from tlambert@usr04.primenet.com)
Received: (from daemon@localhost) by smtp03.primenet.com (8.8.8/8.8.8) id OAA27768; Mon, 28 Sep 1998 14:47:59 -0700 (MST)
Received: from usr04.primenet.com(206.165.6.204) via SMTP by smtp03.primenet.com, id smtpd027678; Mon Sep 28 14:47:49 1998
Received: (from tlambert@localhost) by usr04.primenet.com (8.8.5/8.8.5) id OAA07076; Mon, 28 Sep 1998 14:47:44 -0700 (MST)
From: Terry Lambert
Message-Id: <199809282147.OAA07076@usr04.primenet.com>
Subject: Re: Booting from NT ?
To: easmith@beatrice.rutgers.edu (Allen Smith)
Date: Mon, 28 Sep 1998 21:47:44 +0000 (GMT)
Cc: tlambert@primenet.com, security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: <9809280220.ZM6404@beatrice.rutgers.edu> from "Allen Smith" at Sep 28, 98 02:20:33 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > The minimal modification is an MFS /var, mounted early, and a symlink
> > from /tmp -> /var/tmp, yes.
> >
> > Having a DEVFS (with SLICE) also helps... one less thing to deal
> > with not being R/O.
>
> Question... what does happen if one has a R/O root filesystem,
> including /dev, without DEVFS? I'm constructing a firewall computer
> with a (switchable - a nice facility of some Seagate drives) hard
> drive for root, a second writeable drive for /var and swap, and a /tmp
> MFS. What problems am I likely to run into with /dev? I'd really
> prefer not to have it as a symlink to /var/dev or some such...

It works. For a bastion host, there's really no reason to have it writeable
anyway...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 28 15:38:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA11677 for freebsd-security-outgoing; Mon, 28 Sep 1998 15:38:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA11627 for ; Mon, 28 Sep 1998 15:37:54 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id AAA06593; Tue, 29 Sep 1998 00:37:32 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id AAA26035; Tue, 29 Sep 1998 00:37:31 +0200 (MET DST)
Message-ID: <19980929003731.04702@follo.net>
Date: Tue, 29 Sep 1998 00:37:31 +0200
From: Eivind Eklund
To: Harold Gutch , Ian Kallen , freebsd-security@FreeBSD.ORG
Subject: Re: corrupted libwrap?
References: <19980921221727.A20938@foobar.franken.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <19980921221727.A20938@foobar.franken.de>; from Harold Gutch on Mon, Sep 21, 1998 at 10:17:27PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Sep 21, 1998 at 10:17:27PM +0200, Harold Gutch wrote:
> On Mon, Sep 21, 1998 at 11:20:39AM -0700, Ian Kallen wrote:
> > % telnet freebsd.hopeless.net
> > Trying 192.169.1.55...
> > Connected to freebsd.hopeless.net.
> > Escape character is '^]'.
> Off topic, but:
>
> $ host freebsd.hopeless.net
> Host not found.
>
> If you want to use private IPs, I suspect the 256 class
> C-networks with IPs ranging from 192.168.0.0 to 192.168.255.255
> are what you're looking for (192.169.x.x is NOT in this range).

Just to supply a little more information: There are 3 ranges of private IP
addresses, and recommended use is documented in RFC 1918. The address
ranges are

    10.0.0.0    - 10.255.255.255  (10/8 prefix)
    172.16.0.0  - 172.31.255.255  (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

... where (according to pre-CIDR) 10. would be viewed as a single A-net,
172.16 would be viewed as a set of B-nets, and 192.168 would be viewed as
a set of C-nets. The non-CIDR view is outdated, but may be necessary to
work with ancient equipment.

Eivind.
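The following is an added example, not a ruleset anyone posted in this thread and not FreeBSD's own rc.firewall. It is a dry-run generator for an ipfw ruleset that serves two passages at once: the RFC 1918 ranges Eivind lists above, used here as inbound anti-spoofing filters on the outside NIC, and the routed two-subnet design (a 208.195.117.0/24 split into an outside /25 toward the router and an inside /25 for the servers and PCs) that the following messages in this thread work through. Interface names and addresses are the ones drawn in the thread's diagrams; the port list, rule numbers and the choice of what to allow are my assumptions and should be adjusted before use.

```sh
#!/bin/sh
# Added example: dry-run generator for an ipfw ruleset. Not posted in the
# thread and not FreeBSD's rc.firewall. Interface names and addresses
# follow the thread's diagrams; ports and rule numbers are assumptions.
#
# Design: xl0 faces the router on 208.195.117.0/25, xl1 faces the servers
# and PCs on 208.195.117.128/25. What the rules do, by number:
#   100-110  loopback passes, nothing else may target 127/8
#   200      anti-spoof: inside addresses must not arrive on the outside NIC
#   210-212  anti-spoof: RFC 1918 sources must not arrive from the Internet
#   220      anti-spoof: outside addresses must not arrive on the inside NIC
#   300      replies to connections already set up (stateless "established")
#   310-311  new TCP connections only to the public services (HTTP, SMTP)
#   320-321  new TCP connections started from inside or by the firewall
#   330-331  DNS over UDP in both directions
#   340      ICMP echo, echo reply, unreachable, time exceeded
#   65000    log and drop everything else (65535 would drop silently anyway)

oif=xl0;  onet=208.195.117.0/25;   fw_out=208.195.117.14
iif=xl1;  inet=208.195.117.128/25
www=208.195.117.130
mail=208.195.117.131

# emit_rules: print the ruleset, one ipfw command per line, in order.
# ipfw tries rules from the lowest number up; the first match wins.
emit_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 pass all from any to any via lo0
ipfw add 110 deny all from any to 127.0.0.0/8
ipfw add 200 deny all from $inet to any in via $oif
ipfw add 210 deny all from 10.0.0.0/8 to any in via $oif
ipfw add 211 deny all from 172.16.0.0/12 to any in via $oif
ipfw add 212 deny all from 192.168.0.0/16 to any in via $oif
ipfw add 220 deny all from $onet to any in via $iif
ipfw add 300 pass tcp from any to any established
ipfw add 310 pass tcp from any to $www 80 setup
ipfw add 311 pass tcp from any to $mail 25 setup
ipfw add 320 pass tcp from $inet to any setup
ipfw add 321 pass tcp from $fw_out to any setup
ipfw add 330 pass udp from $inet to any 53
ipfw add 331 pass udp from any 53 to $inet
ipfw add 340 pass icmp from any to any icmptypes 0,3,8,11
ipfw add 65000 deny log all from any to any
EOF
}

# rule_count: how many "ipfw add" commands the generator produces
rule_count() { emit_rules | grep -c '^ipfw add'; }

# denies SRC DST: prints 1 if some rule explicitly denies SRC -> DST, else 0
# (a textual check of the generated rules, not a packet simulation)
denies() { emit_rules | grep -q "deny all from $1 to $2" && echo 1 || echo 0; }

# apply_rules: with DRY_RUN=1 (the default) only print the commands;
# DRY_RUN=0 executes them, which needs root and an IPFIREWALL kernel.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then emit_rules; else emit_rules | sh -e; fi
}

apply_rules
```

Two caveats a practitioner should keep in mind. Rule 320 deliberately has no `out via` qualifier: ipfw evaluates a packet both when it enters on xl1 and when it leaves on xl0, and a SYN from an inside host must pass on both checks, so tying the rule to one interface would let it fall through to rule 65000 on the other. Rule 331 is the price of a stateless filter: it admits any UDP datagram whose source port is 53, not only answers to queries the inside actually sent.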
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 30 22:15:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA14130 for freebsd-security-outgoing; Wed, 30 Sep 1998 22:15:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from servidor.exsocom.com.mx (servidor.exsocom.com.mx [200.34.46.130]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA14100; Wed, 30 Sep 1998 22:15:27 -0700 (PDT) (envelope-from agalindo@servidor.exsocom.com.mx)
Received: from servidor.exsocom.com.mx (servidor.exsocom.com.mx [200.34.46.130]) by servidor.exsocom.com.mx (8.8.7/8.8.5) with SMTP id AAA25087; Thu, 1 Oct 1998 00:22:30 -0500 (CDT)
Date: Thu, 1 Oct 1998 00:22:30 -0500 (CDT)
From: Alejandro Galindo Chairez AGALINDO
To: questions@FreeBSD.ORG
cc: freebsd-security@FreeBSD.ORG
Subject: Firewall with 2 NIC and a NET class C
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

I have a class C network (connected to the Internet); some hackers are
cracking my server and I need to install a firewall.

I have 2 xl NICs (xl0 and xl1), but I don't know what the rc.firewall
configuration should be and how I can protect all my network from outside
attacks.

In rc.firewall I use the "simple" firewall type, but I don't understand
how I can divide my class C network into 2 networks (with a mask of
255.255.255.128, for example).

I need to have real Internet IPs on the 2 NICs because I want to protect
my WWW and e-mail servers.

Here is a sample of what I have and what I need:

              INTERNET
                 |
                 |
        My router (208.195.117.2)
                 |
                 |
    ----------------------- (network class C 208.195.117.*)
       |            |            |
       |            |            |
   WWW server   email server   and PCs
  208.195.117.11   208...12    208...13 (sample)

I need to protect all my network and I think the solution can be:

              INTERNET
                 |
                 |
        ROUTER (208.195.117.2)
                 |
                 |  maybe mask 255.255.255.128
     FIREWALL (208.195.117.14) xl0 (first NIC)
                 |
                 |  208.195.117.129 xl1 (second NIC) of the firewall
    ------------------------
       |            |            |   maybe mask 255.255.255.128
       |            |            |
   WWW server   email server   PC's ...
  208.195.117.130  208...131   208...132 etc

Please, I need help on how to plan the network and how to write the rules
in rc.firewall.

I am desperate because my network is being attacked.

Thanks in advance,

Alejandro Galindo

----------------------------------------------------------------------------
| , , |
| /( )` |
| \ \___ / | |
| /- _ `-/ ' |
| (/\/ \ \ /\ |
| ExSoCom Dgo. MEXICO / / | ` \ |
| O O ) / | |
| `-^--'`< ' |
| (_.) _ ) / |
| Alejandro Galindo `.___/` / |
| Tel: (52 18) 179177 `-----' / |
| Fax: (52 18) 185155 <----.
__ / __ \ |
| <----|====O)))==) \) /==== |
| e-mail alejandro.galindo@exsocom.com.mx <----' `--' `.__,' \ |
| | | |
| http://www.exsocom.com.mx \ / /\|
| ______( (_ / \______/ |
| ,' ,-----' | |
| a FreeBSD ISP `--{__________) |
----------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 30 23:07:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA21369 for freebsd-security-outgoing; Wed, 30 Sep 1998 23:07:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from well.key.net.au (well.key.net.au [203.35.4.19]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA21256; Wed, 30 Sep 1998 23:06:36 -0700 (PDT) (envelope-from keith@well.key.net.au)
Received: (from keith@localhost) by well.key.net.au (8.8.8/8.8.8) id QAA21245; Thu, 1 Oct 1998 16:05:44 +1000 (EST) (envelope-from keith)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
In-Reply-To:
Date: Thu, 01 Oct 1998 16:05:32 +1000 (EST)
Reply-To: keith@apcs.com.au
Organization: Australia Power Control Systems P/L
From: Keith Anderson
To: Alejandro Galindo Chairez AGALINDO
Subject: RE: Firewall with 2 NIC and a NET class C
Cc: freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alejandro,

I have a netmask table I made some time ago. Hope it helps:

http://www.key.net.au/keith/netmask/netmask.html

Keith Anderson

On 01-Oct-98 Alejandro Galindo Chairez AGALINDO wrote:
> Hello!
>
> I have a network class C (conected to Internet), some hackers are
> cracking my server and i need to install a firewall.
> > I have 2 xl NIC's (xl0 and xl1), but i dont know how will be the > rc.firewall configuration and how i can protect all my network for outside > attacks. > > In the rc.firewall i use the "simple" firewall type, but i dont > understand how i can divide my network class C in 2 networks (with a mask > 255.255.255.128 sample). > > I need to have real internet ip's in the 2 NIC's becouse i want to > protect my WWW and e-mail servers. > > Here is a sample of what i have and what i need: > > INTERNET > | > | > My router (208.195.117.2) > | > | > ----------------------- (network class C 208.195.117.*) > | | | > | | | > WWW server email server and PCs > 208.195.117.11 208...12 208...13 (sample) > > > > I need to protect all my network and i think the solution can be: > > INTERNET > | > | > ROUTER (208.195.117.2) > | > | maybe mask 255.255.255.128 > FIREWALL (208.195.117.14) xl0 (first NIC) > | > | 208.195.117.129 xl1 (second NIC) of the firewall > ------------------------ > | | | maybe mask 255.255.255.128 > | | | > WWW server email server PC's ... > 208.195.117.130 208...131 208...132 etc > > Please i need help i how to plain the network and how to indicate the > rules in the rc.firewall > > Iam desesperate becouse my network is attacked. > > Thanks in advanced > > Alejandro Galindo > > > ---------------------------------------------------------------------------- >| , , | >| /( )` | >| \ \___ / | | >| /- _ `-/ ' | >| (/\/ \ \ /\ | >| ExSoCom Dgo. MEXICO / / | ` \ | >| O O ) / | | >| `-^--'`< ' | >| (_.) _ ) / | >| Alejandro Galindo `.___/` / | >| Tel: (52 18) 179177 `-----' / | >| Fax: (52 18) 185155 <----. 
__ / __ \ |
>| <----|====O)))==) \) /==== |
>| e-mail alejandro.galindo@exsocom.com.mx <----' `--' `.__,' \ |
>| | | |
>| http://www.exsocom.com.mx \ / /\|
>| ______( (_ / \______/ |
>| ,' ,-----' | |
>| a FreeBSD ISP `--{__________) |
> ----------------------------------------------------------------------------
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

----------------------------------
E-Mail: Keith Anderson
Date: 01-Oct-98
Time: 16:01:41

"Don't trouble trouble until trouble troubles you!"

This message was sent by XFMail
----------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Oct 1 00:19:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA02934 for freebsd-security-outgoing; Thu, 1 Oct 1998 00:19:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA02928; Thu, 1 Oct 1998 00:19:41 -0700 (PDT) (envelope-from kim@tinker.com)
Received: by localhost (8.8.5/8.8.5)
Received: by mail.tinker.com via smap (V2.0) id xma005157; Thu Oct 1 02:14:09 1998
Received: by localhost (8.8.5/8.8.5) id CAA29785; Thu, 1 Oct 1998 02:21:44 -0500 (CDT)
Message-ID: <36132D71.39FCD5A3@tinker.com>
Date: Thu, 01 Oct 1998 02:21:21 -0500
From: Kim Shrier
Organization: Shrier and Deihl
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.7-RELEASE i386)
MIME-Version: 1.0
To: Alejandro Galindo Chairez AGALINDO
CC: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You have a couple of ways to approach this. You could use network address
translation and have private addresses for all your machines. The "public"
machines would have static mappings to real IP addresses that are aliased
on the outside interface of the firewall. You would also use ipfw rules to
control the traffic.

Another approach is to split your class C into subnets, one subnet for the
outside interface and the other for the inside interface, and then set up
ipfw rules and routes in the firewall to control the traffic.

If you want, I can help you with the rules once I know how you want to
proceed.

Kim Shrier
kim@tinker.com

Alejandro Galindo Chairez AGALINDO wrote:
>
> Hello!
>
> I have a network class C (conected to Internet), some hackers are
> cracking my server and i need to install a firewall.
>
> I have 2 xl NIC's (xl0 and xl1), but i dont know how will be the
> rc.firewall configuration and how i can protect all my network for outside
> attacks.
>
> In the rc.firewall i use the "simple" firewall type, but i dont
> understand how i can divide my network class C in 2 networks (with a mask
> 255.255.255.128 sample).
>
> I need to have real internet ip's in the 2 NIC's becouse i want to
> protect my WWW and e-mail servers.
>
> Here is a sample of what i have and what i need:
>
>               INTERNET
>                  |
>                  |
>         My router (208.195.117.2)
>                  |
>                  |
>     ----------------------- (network class C 208.195.117.*)
>        |            |            |
>        |            |            |
>    WWW server   email server   and PCs
>   208.195.117.11   208...12    208...13 (sample)
>
> I need to protect all my network and i think the solution can be:
>
>               INTERNET
>                  |
>                  |
>         ROUTER (208.195.117.2)
>                  |
>                  |  maybe mask 255.255.255.128
>      FIREWALL (208.195.117.14) xl0 (first NIC)
>                  |
>                  |  208.195.117.129 xl1 (second NIC) of the firewall
>     ------------------------
>        |            |            |   maybe mask 255.255.255.128
>        |            |            |
>    WWW server   email server   PC's ...
> 208.195.117.130 208...131 208...132 etc > > Please i need help i how to plain the network and how to indicate the > rules in the rc.firewall > > Iam desesperate becouse my network is attacked. > > Thanks in advanced > > Alejandro Galindo > > ---------------------------------------------------------------------------- > | , , | > | /( )` | > | \ \___ / | | > | /- _ `-/ ' | > | (/\/ \ \ /\ | > | ExSoCom Dgo. MEXICO / / | ` \ | > | O O ) / | | > | `-^--'`< ' | > | (_.) _ ) / | > | Alejandro Galindo `.___/` / | > | Tel: (52 18) 179177 `-----' / | > | Fax: (52 18) 185155 <----. __ / __ \ | > | <----|====O)))==) \) /==== | > | e-mail alejandro.galindo@exsocom.com.mx <----' `--' `.__,' \ | > | | | | > | http://www.exsocom.com.mx \ / /\| > | ______( (_ / \______/ | > | ,' ,-----' | | > | a FreeBSD ISP `--{__________) | > ---------------------------------------------------------------------------- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 1 08:04:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA01935 for freebsd-security-outgoing; Thu, 1 Oct 1998 08:04:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from servidor.exsocom.com.mx (servidor.exsocom.com.mx [200.34.46.130]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA01914; Thu, 1 Oct 1998 08:04:38 -0700 (PDT) (envelope-from agalindo@servidor.exsocom.com.mx) Received: from servidor.exsocom.com.mx (servidor.exsocom.com.mx [200.34.46.130]) by servidor.exsocom.com.mx (8.8.7/8.8.5) with SMTP id KAA29705; Thu, 1 Oct 1998 10:11:14 -0500 (CDT) Date: Thu, 1 Oct 1998 10:11:13 -0500 (CDT) From: Alejandro Galindo Chairez AGALINDO To: Kim Shrier cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Firewall with 2 NIC 
and a NET class C
In-Reply-To: <36132D71.39FCD5A3@tinker.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 1 Oct 1998, Kim Shrier wrote:

> You have a couple of ways to approach this. You could use network address
> translation and have private addresses for all your machines. The "public"
> machines would have static mappings to real IP addresses that are aliased
> on the outside interface of the firewall. You would also use ipfw rules to
> control the traffic.

OK, I like the idea of having static mappings to real IP addresses that are
aliased on the outside interface. How can I do that?

>
> Another approach is to split your class C into subnets, one subnet for the
> outside interface and the other for the inside interface, and then set up
> ipfw rules and routes in the firewall to control the traffic.

OK, in this case I can set up my outside network as half a class C (mask
255.255.255.128) with the IPs 208.195.117.1 - 208.195.117.127, and the
inside net with the IPs 208.195.117.129 - 208.195.117.254.

Actually, the external router's ethernet port now is 208.195.117.2 with a
mask /25. Will I need to change the mask here too? And if yes, why does the
router tell me that /25 is an invalid mask? (The router is a Cisco 4000.)

Other questions:

Is it possible to connect the firewall directly to the router (without a
hub) with a crossover cable? Does it work, or is it necessary to use the
hub? And how can I set up the routes in the firewall?

>
> If you want, I can help you with the rules once I know how you want to
> proceed.

THANKS, I will appreciate that very much.

Have a good day,

Alejandro Galindo

>
> Kim Shrier
> kim@tinker.com
>
> Alejandro Galindo Chairez AGALINDO wrote:
> >
> > Hello!
> >
> > I have a network class C (conected to Internet), some hackers are
> > cracking my server and i need to install a firewall.
> > > > I have 2 xl NIC's (xl0 and xl1), but i dont know how will be the > > rc.firewall configuration and how i can protect all my network for outside > > attacks. > > > > In the rc.firewall i use the "simple" firewall type, but i dont > > understand how i can divide my network class C in 2 networks (with a mask > > 255.255.255.128 sample). > > > > I need to have real internet ip's in the 2 NIC's becouse i want to > > protect my WWW and e-mail servers. > > > > Here is a sample of what i have and what i need: > > > > INTERNET > > | > > | > > My router (208.195.117.2) > > | > > | > > ----------------------- (network class C 208.195.117.*) > > | | | > > | | | > > WWW server email server and PCs > > 208.195.117.11 208...12 208...13 (sample) > > > > I need to protect all my network and i think the solution can be: > > > > INTERNET > > | > > | > > ROUTER (208.195.117.2) > > | > > | maybe mask 255.255.255.128 > > FIREWALL (208.195.117.14) xl0 (first NIC) > > | > > | 208.195.117.129 xl1 (second NIC) of the firewall > > ------------------------ > > | | | maybe mask 255.255.255.128 > > | | | > > WWW server email server PC's ... > > 208.195.117.130 208...131 208...132 etc > > > > Please i need help i how to plain the network and how to indicate the > > rules in the rc.firewall > > > > Iam desesperate becouse my network is attacked. > > > > Thanks in advanced > > > > Alejandro Galindo > > > > ---------------------------------------------------------------------------- > > | , , | > > | /( )` | > > | \ \___ / | | > > | /- _ `-/ ' | > > | (/\/ \ \ /\ | > > | ExSoCom Dgo. MEXICO / / | ` \ | > > | O O ) / | | > > | `-^--'`< ' | > > | (_.) _ ) / | > > | Alejandro Galindo `.___/` / | > > | Tel: (52 18) 179177 `-----' / | > > | Fax: (52 18) 185155 <----. 
__ / __ \ | > > | <----|====O)))==) \) /==== | > > | e-mail alejandro.galindo@exsocom.com.mx <----' `--' `.__,' \ | > > | | | | > > | http://www.exsocom.com.mx \ / /\| > > | ______( (_ / \______/ | > > | ,' ,-----' | | > > | a FreeBSD ISP `--{__________) | > > ---------------------------------------------------------------------------- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 1 12:09:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA14250 for freebsd-security-outgoing; Thu, 1 Oct 1998 12:09:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA14244; Thu, 1 Oct 1998 12:09:36 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id OAA24213; Thu, 1 Oct 1998 14:09:09 -0500 (CDT) Received: from harkol-87.isdn.mke.execpc.com(169.207.64.215) by peak.mountin.net via smap (V1.3) id sma024211; Thu Oct 1 14:08:48 1998 Message-Id: <3.0.3.32.19981001140720.0077bf10@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 01 Oct 1998 14:07:20 -0500 To: Alejandro Galindo Chairez AGALINDO From: "Jeffrey J. 
Mountin"
Subject: Re: Firewall with 2 NIC and a NET class C
Cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <36132D71.39FCD5A3@tinker.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:11 AM 10/1/98 -0500, Alejandro Galindo Chairez AGALINDO wrote:
>On Thu, 1 Oct 1998, Kim Shrier wrote:
>
>> You have a couple of ways to approach this. You could use network address
>> translation and have private addresses for all your machines. The "public"
>> machines would have static mappings to real IP addresses that are aliased
>> on the outside interface of the firewall. You would also use ipfw rules to
>> control the traffic.
>
>ok i like the idea to have static mappings to real IP addrs. that are
>aliased on the out interface, how can i do that?
>
>>
>> Another approach is to split your class C into subnets, one subnet for the
>> outside interface and the other for the inside interface, and then set up
>> ipfw rules and routes in the firewall to control the traffic.
>
>ok in this case i can setup my outside network like a half class C (mask
>255.255.255.128) with the next ips: 208.195.117.1 - 208.195.117.127, and
>the inside net with the ips 208.195.117.129 - 208.195.117.254.

If you are using NAT you don't need "real" IPs on the internal interface.
You could use private IPs on the internal interface and map them to the
real IPs on the external interface. As pointed out, you can do the mapping:

    External         Internal
    208.195.117.1    208.195.117.129
    208.195.117.2    208.195.117.130
    etc

or with private addresses:

    208.195.117.1    192.168.117.1
    208.195.117.2    192.168.117.2
    etc

In either case you need to alias a number of IPs on the external
interface, but using private addresses doubles what you can use and you
don't have to subnet. Otherwise there is no difference in how it's done,
but just to make it clear before you do this. 8-)

>Actually, the external router's ethernet port now is 208.195.117.2 with a
>mask /25, i will need to change the mask here too? and if yes, why the
>router indicate to me invalida mask /25? (the router is a CISCO 4000).

    conf t
    ip subnet-zero
    wr mem

Without this you cannot use any .0 subnet and in this case would waste a
few addresses.

>Other questions:
>
> I think if its posible to connect the firewall directly with the
>Router (without a hub) with a cross cable dos it work? or is necesary to
>use the hub?

Yes. A cross cable will work.

Jeff Mountin - Unix Systems
TCP/IP networking
jeff@mountin.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Oct 2 01:40:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA19638 for freebsd-security-outgoing; Fri, 2 Oct 1998 01:40:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from banshee.cs.uow.edu.au (banshee.cs.uow.edu.au [130.130.188.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA19633 for ; Fri, 2 Oct 1998 01:40:18 -0700 (PDT) (envelope-from ncb05@banshee.cs.uow.edu.au)
Received: (from ncb05@localhost) by banshee.cs.uow.edu.au (8.9.1a/8.9.1) id SAA25896; Fri, 2 Oct 1998 18:39:58 +1000 (EST)
Date: Fri, 2 Oct 1998 18:39:58 +1000 (EST)
From: Nicholas Charles Brawn
X-Sender: ncb05@banshee.cs.uow.edu.au
To: freebsd-security@FreeBSD.ORG
Subject: TCFS - Transparent Cryptographic File System
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A friend pointed this out to me. From a quick glance at the site, it looks
like it's worth looking into:

- http://tcfs.dia.unisa.it/

Nick
--
Email: ncb@poboxes.com - http://www.poboxes.com/ncb
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
-unknown

From owner-freebsd-security Fri Oct 2 02:09:32 1998
Date: Fri, 2 Oct 1998 13:08:12 +0400
Message-Id: <199810020908.NAA21458@paranoid.eltex.spb.ru>
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Firewall with 2 NIC and a NET class C
To: agalindo@servidor.exsocom.com.mx
Cc: kim@tinker.com, questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG

nuqneH,

Alejandro Galindo Chairez AGALINDO said :

> > You have a couple of ways to approach this. You could use network address
> > translation and have private addresses for all your machines. The "public"
> > machines would have static mappings to real IP addresses that are aliased
> > on the outside interface of the firewall. You would also use ipfw rules to
> > control the traffic.
>
> ok I like the idea to have static mappings to real IP addrs. that are
> aliased on the out interface, how can I do that?

It is definitely a BAD idea. It breaks any reasonable security policy.

CU in Hell /Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!

From owner-freebsd-security Fri Oct 2 02:50:45 1998
Message-Id: <3.0.3.32.19981002054354.007bc100@pop.erols.com>
Date: Fri, 02 Oct 1998 05:43:54 -0400
To: "Jeffrey J. Mountin", Alejandro Galindo Chairez AGALINDO
From: "Brian T. Wightman"
Subject: Re: Firewall with 2 NIC and a NET class C
Cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <3.0.3.32.19981001140720.0077bf10@207.227.119.2>
References: <36132D71.39FCD5A3@tinker.com>

At 02:07 PM 10/1/98 -0500, Jeffrey J. Mountin wrote:
>At 10:11 AM 10/1/98 -0500, Alejandro Galindo Chairez AGALINDO wrote:
[...Snip...]
>> I think if it's possible to connect the firewall directly with the
>>Router (without a hub) with a cross cable does it work? or is it necessary to
>>use the hub?
>
>Yes. A cross cable will work.

It may, however, be beneficial to have a hub there to allow you to place a dedicated "evidence gathering" sniffer on the wire in the event that one would be needed.

Just my $0.02.

Brian

From owner-freebsd-security Fri Oct 2 02:53:32 1998
Date: Fri, 2 Oct 1998 21:52:54 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Nicholas Charles Brawn
cc: freebsd-security@FreeBSD.ORG
Subject: Re: TCFS - Transparent Cryptographic File System

On Fri, 2 Oct 1998, Nicholas Charles Brawn wrote:

> A friend pointed this out to me. From a quick glance at the site, it
> looks like it's worth looking into:
> - http://tcfs.dia.unisa.it/

That site (the original one) seems to be down at present, but there are mirrors. This one is up and lists others.

http://zaphod.ethz.ch/linux/tcfs/

Andrew

From owner-freebsd-security Fri Oct 2 03:33:21 1998
Date: Fri, 2 Oct 1998 22:30:33 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: ark@eltex.ru
cc: agalindo@servidor.exsocom.com.mx, kim@tinker.com, freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
In-Reply-To: <199810020908.NAA21458@paranoid.eltex.spb.ru>

I'm still getting to grips with this stuff, so please correct me if I've got it wrong.

On Fri, 2 Oct 1998 ark@eltex.ru wrote:

> Alejandro Galindo Chairez AGALINDO said :
>
> > > You have a couple of ways to approach this. You could use network address
> > > translation and have private addresses for all your machines. The "public"
> > > machines would have static mappings to real IP addresses that are aliased
> > > on the outside interface of the firewall. You would also use ipfw rules to
> > > control the traffic.
> >
> > ok I like the idea to have static mappings to real IP addrs. that are
> > aliased on the out interface, how can I do that?
>
> It is definitely a BAD idea. It breaks any reasonable security policy.

Care to elaborate? What sort of security measure does this prevent or weaken?

I imagine a setup where the firewall has route entries directing the real IPs of the servers to their addresses in the private address space, and those machines have the real IPs mapped onto their loopback interface. So long as the firewall has rules to prevent spoofed packets appearing to come from the private address space, and otherwise blocks all but the necessary traffic, it seems this should work.

Earlier discussion of splitting the class C network of real IPs seemed wasteful. Even if all the machines behind the firewall were to have real IPs, why waste half of them on the connection from the outside router to the firewall. Those interfaces could use private IPs even if nothing else did.
Andrew McNaughton

From owner-freebsd-security Fri Oct 2 03:49:27 1998
From: ark@eltex.ru
Date: Fri, 2 Oct 1998 14:48:24 +0400
Message-Id: <199810021048.OAA21732@paranoid.eltex.spb.ru>
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Firewall with 2 NIC and a NET class C
To: andrew@squiz.co.nz
Cc: ark@eltex.ru, agalindo@servidor.exsocom.com.mx, kim@tinker.com, freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG

nuqneH,

..from my paper on NAT in firewall environment (yet unfinished):

[skip]

Static Bidirectional NAT (one-to-one)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

NATed internal IP address is bidirectionally mapped to external one, passing all incoming and outgoing connections to/from internal machine - it appears as virtual host in external network.

Connectivity viewpoint: Excellent. Every protocol will work except ones that do send IP addresses in data stream.

Security viewpoint: Really Bad Thing, unacceptable in most cases. Creating a bidirectional virtual channel to inside host is equal to placing it as another dual-homed gateway being protected with packet filtering only (most NAT boxes can do packet filtering as well). This will probably break any reasonable network security policy.

Dynamic Bidirectional NAT (many-to-many)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The same thing as described above, but external IP addresses are assigned dynamically from address pool on the NAT box. Assigned address (NAT rule) is created on connection request (outgoing packet to an external address) and exists until the rule expires (due to inactivity or another reason).

Connectivity viewpoint: The same as above, except you can't place a public server inside because NATed host has no fixed external IP address.

Security viewpoint: Much worse than most people think and even worse than static NAT, because possible compromise affects not a single machine, but a whole network that is NAT-allowed. It is a common misconception that hackers will not find NATed machines because addresses are hidden. They will scan NAT pool and do that fast enough. After machine is compromised it is easy to keep NAT rule active thus keeping the host exposed or to spoof packets to cause other hosts to appear on the external side.

Dynamic "Unidirectional" NAT (many-to-one), possibly with port remapping
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

a.k.a. IP Masquerading. The word "unidirectional" is kept in quotes because it does not (usually) mean that data stream is unidirectional; that just means connection requests (except some special cases) are passed one direction (inside to outside only) due to different nature of the NAT rule, which includes not only real and mapped source (internal) IP, but also original and mapped port numbers and destination IP and port number. Packets that do not match the rule are rejected.

Connectivity viewpoint: only protocols that use single client-to-server connection should work. Most NAT implementations include some workarounds to bypass this limitation (which does not allow, say, active ftp to work), usually based on some application level knowledge achieved by packet contents inspection. There are some additional security issues with that technique (not to be discussed here).

Security viewpoint: not as good as it seems to be. If a host on the protected network is compromised, it is relatively easy to expose it to further attacks. Some techniques are shown below.

1) Attacks using inside-originated connection.

The most obvious example of a protocol that gives full control to _server_ it connects to is X-Windows system. Speaking X11, the "server" is a computer with display attached and "client" is any program that interacts with it using X protocol. That means that all connections are client-originated (TCP sessions to port 6000+display #) and will go out via NAT perfectly.

A real-life attack could look like this:

A victim host behind NATing firewall is being exploited (does not matter how that happens: actively - say, attacking irc client (remember the BitchX dgets() vulnerabilities), mail program or something else - or passively (creating website with malicious page). An xterm session is started from there to attacker's display - and - full shell access is gained.

2) Attacks intended to create specific NAT rules.

An attacker sends connection requests from desired IP addresses (after compromising at least one internal machine) from service port to be exploited to an attacker host. Then properly crafted backwards connection (with source port that matches the rule, which can be determined by analysing the packet that appeared from the first step) will match the rule and can be passed to the victim. (Note: not all NAT implementations are vulnerable; it depends on how connection setup is checked when creating the rules and what is allowed in the established connection packet stream)

[skip]

CU in Hell /Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!

From owner-freebsd-security Fri Oct 2 05:31:47 1998
Date: Fri, 2 Oct 1998 08:34:59 -0400 (EDT)
From: Mike
To: ark@eltex.ru
cc: agalindo@servidor.exsocom.com.mx, kim@tinker.com, questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
In-Reply-To: <199810020908.NAA21458@paranoid.eltex.spb.ru>

On Fri, 2 Oct 1998 ark@eltex.ru wrote:

> > ok I like the idea to have static mappings to real IP addrs. that are
> > aliased on the out interface, how can I do that?
>
> It is definitely a BAD idea. It breaks any reasonable security policy.

"Our recommendation is to obtain and use registered IP addresses if at all possible. If you must use private IP addresses, then use the ones specified by RFC1597, but beware that you're setting yourself up for later problem[s]."

_Building Internet Firewalls_, Ch. 4, p. 90
D. Brent Chapman & Elizabeth D. Zwicky

-mike

From owner-freebsd-security Fri Oct 2 07:02:35 1998
Date: Fri, 2 Oct 1998 09:09:07 -0500 (CDT)
From: Alejandro Galindo Chairez AGALINDO
To: ark@eltex.ru
cc: andrew@squiz.co.nz, kim@tinker.com, freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
In-Reply-To: <199810021048.OAA21732@paranoid.eltex.spb.ru>

Mmmm, I think it all depends on the firewall rules. I will only permit DNS, HTTP and e-mail to pass (no telnet, X11, etc.), HTTP (port 80 only, to show the pages of my web server); all other packets will be denied. Does this cause a security problem? (maybe only the HTTP).
Saludos
Alejandro

On Fri, 2 Oct 1998 ark@eltex.ru wrote:

> [...Snip: ark@eltex.ru's NAT message, quoted in full...]

From owner-freebsd-security Fri Oct 2 07:31:09 1998
Date: Sat, 3 Oct 1998 02:30:41 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: security@FreeBSD.ORG
Subject: Some people..

> ipfw: 60100 Accept UDP 192.54.130.84:9 255.255.255.255:9 in via de0

You have to wonder.
Andrew McNaughton

From owner-freebsd-security Sat Oct 3 00:02:48 1998
Message-ID: <3615CBC2.CE45793@ameritech.net>
Date: Sat, 03 Oct 1998 03:01:22 -0400
From: Adam McDougall
To: security@FreeBSD.ORG
Subject: Re: Changing 3-way handshakes to prevent port scans
References: <199809261709.SAA07885@indigo.ie>

Niall Smart wrote:
>
> On Sep 26, 10:43am, Adam McDougall wrote:
> } Subject: Changing 3-way handshakes to prevent port scans
> > I know someone who has linux patches to alter 3-way handshakes so a
> > 'strobe' portscan returns no open ports, yet normal tcp communication
> > seems unhindered, does anyone have any patches for FreeBSD to do the
> > same? If the patches for linux might help I could attempt to dig them
> > up. Thanks
>
> This just isn't possible.
A variety of portscanners exploit particular > implementation bugs or features to determine if a port is being listened > on, but strobe simply sends a plain old SYN segment and waits for a > SYN|ACK, changing that would break TCP. Send me on the patches anyway > and I'll see what I think they actually do. > > You can use ipfw to block port scans from particular hosts. > > Niall > found the patch.. --------------F8D091035FCE578D91FA4FEA Content-Type: text/plain; charset=us-ascii; name="strobeprot-tcpd-2.0.33.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="strobeprot-tcpd-2.0.33.patch" diff -cr linux-pure/Documentation/Configure.help linux-patched/Documentation/Configure.help *** linux-pure/Documentation/Configure.help Wed Dec 10 20:21:47 1997 --- linux-patched/Documentation/Configure.help Mon Jan 12 23:32:32 1998 *************** *** 4111,4116 **** --- 4111,4134 ---- This is the driver for the Sun ESP SCSI host adapter. The ESP chipset is present in most SPARC-based computers. + TCP connection auditing (aka tcpd) + CONFIG_TCP_AUDIT + Logs all incoming connection attempts to syslog, whether or not + they are being listened to. + + Strobe flood protection + CONFIG_STROBE_PROTECT + Strobing is what potential crackers will do to see, in a sense, + what 'doors' [ports] are open on your computer to the network. With this + option, we are able to judge if we are being strobed, and if so, we + make ourselves look like we have no ports open to the strober to + exploit. We do this by counting the amount of failed connection + requests we receive each second from a given IP. If a limit is reached + a message is logged and the IP gets nothing other than RST's on + each successive connection request. Once the requests stop coming, + the IP is ignored for another given amount of time, after which, things + will be set back to normal. 
Author: Jesse Off [joff@iastate.edu] + Sparc /dev/openprom compatibility driver CONFIG_SUN_OPENPROMIO This driver provides user programs with an interface to the Sparc diff -cr linux-pure/arch/i386/defconfig linux-patched/arch/i386/defconfig *** linux-pure/arch/i386/defconfig Mon Sep 22 15:44:01 1997 --- linux-patched/arch/i386/defconfig Mon Jan 12 23:34:13 1998 *************** *** 72,77 **** --- 72,79 ---- # CONFIG_IP_ACCT is not set # CONFIG_IP_ROUTER is not set # CONFIG_NET_IPIP is not set + CONFIG_TCP_AUDIT=y + CONFIG_STROBE_PROTECT=y # # (it is safe to leave these untouched) diff -cr linux-pure/net/Config.in linux-patched/net/Config.in *** linux-pure/net/Config.in Tue Aug 12 13:30:22 1997 --- linux-patched/net/Config.in Mon Jan 12 23:33:44 1998 *************** *** 24,27 **** --- 24,39 ---- if [ "$CONFIG_NETLINK" = "y" ]; then bool 'Routing messages' CONFIG_RTNETLINK fi + bool 'Strobe flood protection' CONFIG_STROBE_PROTECT + + if [ "$CONFIG_STROBE_PROTECT" = "y" ]; then + int 'post-strobe ignore period (secs)' IGNORE_TIME 10 + fi + + if [ "$CONFIG_STROBE_PROTECT" = "y" ]; then + int 'refused connections/sec considered a strobe' MAX_SYN_SEC 3 + fi + + + bool 'TCP connection auditing (aka tcpd)' CONFIG_TCP_AUDIT endmenu diff -cr linux-pure/net/ipv4/tcp_input.c linux-patched/net/ipv4/tcp_input.c *** linux-pure/net/ipv4/tcp_input.c Fri Oct 31 13:34:12 1997 --- linux-patched/net/ipv4/tcp_input.c Mon Jan 12 23:33:10 1998 *************** *** 43,48 **** --- 43,63 ---- #include #include + + #ifdef CONFIG_STROBE_PROTECT + + #define MAX_FLOOD 64 /* a good round number */ + + + static struct flood { + u32 ip; + unsigned int count; + unsigned long timestamp; + } flood_hash[MAX_FLOOD]; + unsigned int dummy_temp, dummy_temp2; + #endif + + /* * Policy code extracted so it's now separate */ *************** *** 2311,2316 **** --- 2326,2386 ---- else #endif sk = __tcp_v4_lookup(th, saddr, th->source, daddr, th->dest, dev); + if ((th->syn && !th->ack && !th->rst && 
ip_chk_addr(daddr)==IS_MYADDR) && + !(sk && sk->state == TCP_SYN_RECV)) { + #ifdef CONFIG_STROBE_PROTECT + dummy_temp2 = dummy_temp = saddr % MAX_FLOOD; + /* Ok, this is probably WAY overdue for something as trivial as strobing, and it is still not + * perfect, as forged SYN packets can be used deny service for the forged IP [although for not very long] + * and it is still possible to get a modified, spoofing, strober to fill up the flood hash. But even + * then, it will have to refill up the flood hash every second or so, which means the strobe could take a + * LONG time to complete, depending on what MAX_FLOOD is set as. Generally speaking MAX_FLOOD is link + * dependent and is the expected maximum connection requests per second _from different sources_ it should be + * prepared for. You raise this, you lower chances of anyone getting a meaningful strobe [but also waste memory + * for all those flood_structs]. If anyone rewrites a strober to do the spoofing and hash filling mentioned + * above, you are even more stupid than me for writing this patch. I still don't know why I did this. I + * think I just like playing with hashes :) + * + * Jesse Off [joff@iastate.edu] + */ + cli(); /* Don't know much about race conditions, cli()/sti() actually needed? */ + restart_fhash: + if ( (flood_hash[dummy_temp].timestamp < xtime.tv_sec) ) { /* simplest case: slot useable */ + if (!sk) { + flood_hash[dummy_temp].ip = saddr; + flood_hash[dummy_temp].count = 1; + flood_hash[dummy_temp].timestamp = xtime.tv_sec; + } + } else { /* slot in use */ + if ( flood_hash[dummy_temp].ip != saddr ) { /* handle collision */ + dummy_temp = (dummy_temp + 1) % MAX_FLOOD; + if (dummy_temp != dummy_temp2) goto restart_fhash; + printk(KERN_CRIT "We're being strobed and I cant do a thing! 
Flood hash full, not good...\n"); } + else { /* slot in use by this current ip, increment or deny */ + if ( flood_hash[dummy_temp].count >= MAX_SYN_SEC ) { + if (flood_hash[dummy_temp].count == MAX_SYN_SEC) { + printk(KERN_CRIT "Strobe from %d.%d.%d.%d, rejecting until they stop for %d seconds\n", + NIPQUAD(saddr), IGNORE_TIME); + flood_hash[dummy_temp].count++; /* Takes care of logfile runaway */ + } + flood_hash[dummy_temp].timestamp = xtime.tv_sec + IGNORE_TIME; + goto no_tcp_socket; /* DENY */ + sti(); + } + if (!sk) flood_hash[dummy_temp].count++; + } + } + sti(); + #endif + #ifdef CONFIG_TCP_AUDIT + printk( KERN_INFO "TCP connection request from %d.%d.%d.%d, port %d\n", + NIPQUAD(saddr), ntohs(th->dest) ); + #endif + + + + + } if (!sk) goto no_tcp_socket; skb->sk = sk; *************** *** 2333,2338 **** --- 2403,2409 ---- return(0); } } + /* * If this socket has got a reset it's to all intents and purposes --------------F8D091035FCE578D91FA4FEA-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
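Review bot: the CONFIG_STROBE_PROTECT help text in the Documentation/Configure.help hunk describes the thresholds only vaguely ("a limit", "another given amount of time") while the net/Config.in hunk of this same patch prompts for them as IGNORE_TIME and MAX_SYN_SEC; name both tunables here so the Config.in prompt strings are not the only documentation a user gets. The text should also state the side effect that is visible in the tcp_input.c hunk: once the limit is reached, every TCP connection request from that address, including requests to ports that are open, is answered with RST until IGNORE_TIME seconds have passed with no further attempts, and a forged source address can trigger this on behalf of a third party (the comment in tcp_input.c admits this, the help text does not). Describing CONFIG_TCP_AUDIT as "aka tcpd" is misleading, since tcpd performs access control and this option only logs; "logs every incoming SYN to syslog" says what it does.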
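Review bot: the arch/i386/defconfig hunk turns both options on by default (`CONFIG_TCP_AUDIT=y`, `CONFIG_STROBE_PROTECT=y`), so every i386 kernel built from the default configuration would write one KERN_INFO syslog line per incoming SYN and silently start resetting connections from busy clients. Options this intrusive should default to `# CONFIG_TCP_AUDIT is not set` and `# CONFIG_STROBE_PROTECT is not set` and be opted into. Only the i386 defconfig is updated although net/Config.in makes the options architecture-independent.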
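Review bot: in the net/Config.in hunk the two `if [ "$CONFIG_STROBE_PROTECT" = "y" ]` blocks are identical and should be merged into one. The integer symbols IGNORE_TIME and MAX_SYN_SEC also lack the CONFIG_ prefix that every other symbol in this file carries, which breaks convention and risks a clash with unrelated macros once autoconf.h is included (tcp_input.c uses them as bare macros). Something like `int 'post-strobe ignore period (secs)' CONFIG_STROBE_IGNORE_TIME 10` and `int 'refused connections/sec considered a strobe' CONFIG_STROBE_MAX_SYN_SEC 3`, with tcp_input.c adjusted to match, would fix both. Neither symbol has an entry in the Documentation/Configure.help hunk.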
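Review bot: in the first tcp_input.c hunk, `unsigned int dummy_temp, dummy_temp2;` are file-scope, non-static globals that serve only as scratch for the hash walk in the second hunk; they belong as local variables (for example `unsigned int slot, home;`) in the function that uses them, since per-packet state kept in shared globals is exactly what the cli()/sti() pair in the later hunk is trying to paper over. MAX_FLOOD is hard-coded to 64 while the accompanying comment says it is link-dependent and should be tuned; make it a config integer alongside IGNORE_TIME and MAX_SYN_SEC. A descriptive name (`struct strobe_entry` rather than `struct flood`) and a one-line comment stating "one slot per source address, open-addressed with linear probing" would make the data structure self-explanatory.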
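Review bot: in the deny path of the second tcp_input.c hunk, `goto no_tcp_socket; /* DENY */` is immediately followed by `sti();`, so that sti() is dead code and the jump leaves interrupts disabled after the `cli();` above it; every rejected SYN therefore returns from tcp_rcv() with interrupts off. Move `sti();` before the goto, or drop the cli()/sti() pair altogether: on a 2.0.33 uniprocessor kernel this code runs in the serialized networking bottom half and nothing else touches flood_hash, which also answers the question in the comment beside cli(). Further problems in the same hunk: (1) `saddr % MAX_FLOOD` on little-endian i386 uses only the low six bits of the first octet of the network-order address, so all hosts in one /8 share a home slot and degrade into linear probing and the "Flood hash full" message; fold all four octets into the index instead. (2) The walk stops at the first slot whose timestamp is stale, so an address whose entry was pushed to a later slot by an earlier collision gets a fresh count of 1 in its home slot, and the count or IGNORE_TIME block stored in the later slot is never consulted again; probe for an existing entry for saddr before reusing a stale slot. (3) `printk(KERN_CRIT "We're being strobed ...")` fires for every SYN while the table is full, and the CONFIG_TCP_AUDIT printk fires for every SYN without any throttling, so syslog fills up under exactly the load the patch is meant to handle; rate-limit both the way the "Strobe from" message already is. (4) The `count >= MAX_SYN_SEC` check runs regardless of `sk`, so connections to open ports are reset too; together with the reliance on an unauthenticated source address that the comment acknowledges, this means the patch lets a forged SYN stream cut a chosen client off from the host, which the help text should state plainly.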
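Review bot: the final tcp_input.c hunk (2333,2338 / 2403,2409) adds only an empty line; whitespace-only hunks should be dropped from the patch.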
