From owner-freebsd-audit Sun Mar 18 6:26:12 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mail.imp.ch (mail.imp.ch [157.161.1.2]) by hub.freebsd.org (Postfix) with ESMTP id 4CF7037B719; Sun, 18 Mar 2001 06:26:08 -0800 (PST) (envelope-from mb@imp.ch)
Received: from levais.imp.ch (levais.imp.ch [157.161.4.66]) by mail.imp.ch (8.11.1/8.11.1) with ESMTP id f2IEQ7p55623; Sun, 18 Mar 2001 15:26:07 +0100 (CET) (envelope-from Martin.Blapp@imp.ch)
Date: Sun, 18 Mar 2001 15:27:31 +0100 (CET)
From: Martin Blapp
To: audit@freebsd.org
Cc: alfred@freebsd.org
Subject: audit of tirpc code
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

As you know I did the tirpc port from NetBSD to FreeBSD. I tried to integrate all known bugs and security issues from Open-/Net-/FreeBSD into this FreeBSD tirpc and there are a lot of bugs fixed there. So can anybody who fixed a security bug in portmapper or rpc look at this diff and check if there are similar conditions? I tried to do that carefully, and have fixed a lot of them.

I'm asking for a careful audit, but I think we should integrate the code now into CURRENT and upgrade it then to the latest version. What do you think?

Two commits are missing; I'd like to integrate them if you think they are necessary (code is still the same in tirpc1999):

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libc/rpc/svc.c.diff?r1=1.6&r2=1.7
http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libc/rpc/svc.c.diff?r1=1.12&r2=1.13

Included in the 1.3 MB patch are:

- tirpc2.3 (and parts from 2.0 and tirpc1999). I've planned to slowly upgrade the code to tirpc1999, which is available under the SunOS OSS license.
- nfs utilities converted to ipv6 and a lot of bugfixes for nfsd(8) and umount(8).
- fixes to rpc userland code.
You can find the diff on:

http://www.attic.ch/tirpc.html
http://home.teleport.ch/freebsd/tirpc-20010318.diff
http://home.teleport.ch/freebsd/tirpc-20010318.diff.tgz

Martin

Martin Blapp, mb@imp.ch
------------------------------------------------
Improware AG, UNIX solution and service provider
Zurlindenstrasse 29, 4133 Pratteln, Switzerland
Phone: +41 79 370 26 05, Fax: +41 61 826 93 01
------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Tue Mar 20 23:26:51 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mailgate.originative.co.uk (mailgate.originative.co.uk [62.232.68.68]) by hub.freebsd.org (Postfix) with ESMTP id BA05E37B73E for ; Tue, 20 Mar 2001 23:26:44 -0800 (PST) (envelope-from paul@freebsd-services.co.uk)
Received: from freebsd-services.co.uk (lobster.originative.co.uk [62.232.68.81]) by mailgate.originative.co.uk (Postfix) with ESMTP id 05A441D14A for ; Wed, 21 Mar 2001 07:26:43 +0000 (GMT)
Message-ID: <3AB857E7.D4CEBD40@freebsd-services.co.uk>
Date: Wed, 21 Mar 2001 07:27:35 +0000
From: Paul Richards
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-audit@freebsd.org
Subject: ipfw permanent rules
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

What do people think of the patch below? It sets a rule number below which rules will not be flushed. I've been using it to install permanent rules, like SSH access from the office to remote servers, so I can flush the majority of rules but keep those that are essential to allow me to maintain connectivity to the box.

=================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.131.2.22 diff -r1.131.2.22 ip_fw.c 80a81 > static int fw_permanent_rules = 0; 110a112,113 > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW, > &fw_permanent_rules, 0, "Set rule number, below which rules are permanent"); 1852,1855c1855,1862 < while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) && < fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { < s = splnet(); < LIST_REMOVE(fcp, next); --- > fcp = LIST_FIRST(&ip_fw_chain_head); > while (fcp) { > struct ip_fw_chain *next; > next = LIST_NEXT(fcp, next); > if (fcp->rule->fw_number > fw_permanent_rules && > fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { > s = splnet(); > LIST_REMOVE(fcp, next); 1857c1864 < dn_rule_delete(fcp); --- > dn_rule_delete(fcp); 1859,1861c1866,1870 < FREE(fcp->rule, M_IPFW); < FREE(fcp, M_IPFW); < splx(s); --- > FREE(fcp->rule, M_IPFW); > FREE(fcp, M_IPFW); > splx(s); > } > fcp = next;

Paul Richards

From owner-freebsd-audit Tue Mar 20 23:39:15 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from gratis.grondar.za (grouter.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 2E7FA37B71C for ; Tue, 20 Mar 2001 23:39:08 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (root@gratis.grondar.za [196.7.18.133]) by gratis.grondar.za (8.11.1/8.11.1) with ESMTP id f2L7cof42204; Wed, 21 Mar 2001 09:38:52 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <200103210738.f2L7cof42204@gratis.grondar.za>
To: Paul Richards
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk>
In-Reply-To: <3AB857E7.D4CEBD40@freebsd-services.co.uk>; from Paul Richards "Wed, 21 Mar 2001 07:27:35 GMT."
Date: Wed, 21 Mar 2001 09:39:53 +0200
From: Mark Murray
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> What do people think of the patch below?

I think it is a nifty idea!

> It sets a rule number below which rules will not be flushed. I've been
> using it to install permanent rules, like SSH access from the office to
> remote servers, so I can flush the majority of rules but keep those that
> are essential to allow me to maintain connectivity to the box.

Erm, could you do this as a unified diff rather - makes it a heck of a lot easier to read. :-)

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-audit Tue Mar 20 23:41:52 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mailgate.originative.co.uk (mailgate.originative.co.uk [62.232.68.68]) by hub.freebsd.org (Postfix) with ESMTP id 5CB8A37B71A for ; Tue, 20 Mar 2001 23:41:48 -0800 (PST) (envelope-from paul@freebsd-services.co.uk)
Received: from freebsd-services.co.uk (lobster.originative.co.uk [62.232.68.81]) by mailgate.originative.co.uk (Postfix) with ESMTP id 12AFD1D149; Wed, 21 Mar 2001 07:41:47 +0000 (GMT)
Message-ID: <3AB85B6F.32E9EE7C@freebsd-services.co.uk>
Date: Wed, 21 Mar 2001 07:42:39 +0000
From: Paul Richards
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mark Murray
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mark Murray wrote:
>
> > What do people think of the patch below?
>
> I think it is a nifty idea!
>
> > It sets a rule number below which rules will not be flushed. I've been
> > using it to install permanent rules, like SSH access from the office to
> > remote servers, so I can flush the majority of rules but keep those that
> > are essential to allow me to maintain connectivity to the box.
>
> Erm, could you do this as a unified diff rather - makes it a heck of
> a lot easier to read. :-)

Ok.

Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.131.2.22 diff -u -r1.131.2.22 ip_fw.c --- ip_fw.c 2001/03/09 16:37:36 1.131.2.22 +++ ip_fw.c 2001/03/21 00:10:59 @@ -78,6 +78,7 @@ #else static int fw_verbose_limit = 0; #endif +static int fw_permanent_rules = 0; /* * Right now, two fields in the IP header are changed to host format @@ -108,6 +109,8 @@ &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW, + &fw_permanent_rules, 0, "Set rule number, below which rules are permanent"); /* * Extension for stateful ipfw.
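Review bot: the description string in the second hunk, "Set rule number, below which rules are permanent", disagrees with the flush loop, which removes a rule only when `fcp->rule->fw_number > fw_permanent_rules`, so the rule numbered exactly fw_permanent_rules is kept as well; say "at or below" in the description, or use `>=` in the comparison, so the knob means what it says. The new variable in the first hunk and the sysctl also arrive with no comment and no ipfw(8) text saying that the threshold affects only `ipfw flush`, and the CTLFLAG_RW knob has no range check: the default 0 changes nothing, but any value of 65534 or more keeps every rule, which silently turns a flush into a no-op; that deserves a sentence in the documentation.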
@@ -1849,16 +1852,22 @@ s = splnet(); remove_dyn_rule(NULL, 1 /* force delete */); splx(s); - while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) && - fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { - s = splnet(); - LIST_REMOVE(fcp, next); + fcp = LIST_FIRST(&ip_fw_chain_head); + while (fcp) { + struct ip_fw_chain *next; + next = LIST_NEXT(fcp, next); + if (fcp->rule->fw_number > fw_permanent_rules && + fcp->rule->fw_number != IPFW_DEFAULT_RULE ) { + s = splnet(); + LIST_REMOVE(fcp, next); #ifdef DUMMYNET - dn_rule_delete(fcp); + dn_rule_delete(fcp); #endif - FREE(fcp->rule, M_IPFW); - FREE(fcp, M_IPFW); - splx(s); + FREE(fcp->rule, M_IPFW); + FREE(fcp, M_IPFW); + splx(s); + } + fcp = next; } break;

From owner-freebsd-audit Tue Mar 20 23:58:37 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from gratis.grondar.za (grouter.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id C1E4437B71D for ; Tue, 20 Mar 2001 23:58:32 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (root@gratis.grondar.za [196.7.18.133]) by gratis.grondar.za (8.11.1/8.11.1) with ESMTP id f2L7wJf42277; Wed, 21 Mar 2001 09:58:22 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <200103210758.f2L7wJf42277@gratis.grondar.za>
To: Paul Richards
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
References: <3AB85B6F.32E9EE7C@freebsd-services.co.uk>
In-Reply-To: <3AB85B6F.32E9EE7C@freebsd-services.co.uk>; from Paul Richards "Wed, 21 Mar 2001 07:42:39 GMT."
Date: Wed, 21 Mar 2001 09:59:22 +0200
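Review bot: in the flush hunk the `remove_dyn_rule(NULL, 1 /* force delete */)` call above the new loop is still unconditional, so a "permanent" rule that uses keep-state keeps its rule entry but loses all of its dynamic entries on every flush; the remote SSH session that motivates the patch survives a flush only if the permanent rule is stateless, which should be stated in the sysctl description or ipfw(8). The guard also lives only in this loop, so a rule numbered at or below fw_permanent_rules can still be removed one at a time with `ipfw delete`; if that is intended, document it, otherwise the single-rule delete path needs the same check. The traversal itself is sound: `next = LIST_NEXT(fcp, next)` is read before LIST_REMOVE and FREE, and splnet()/splx() still bracket each removal as before.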
From: Mark Murray
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > Erm, could you do this as a unified diff rather - makes it a heck of
> > a lot easier to read. :-)
>
> Ok.
>
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v

Looks good to me!

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-audit Wed Mar 21 1:32:09 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from avocet.prod.itd.earthlink.net (avocet.prod.itd.earthlink.net [207.217.121.50]) by hub.freebsd.org (Postfix) with ESMTP id EF6C237B72A for ; Wed, 21 Mar 2001 01:32:07 -0800 (PST) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust246.tnt2.clarksburg.wv.da.uu.net [63.21.115.246]) by avocet.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id BAA01087; Wed, 21 Mar 2001 01:30:57 -0800 (PST)
Message-ID: <3AB87590.FA684AE7@colltech.com>
Date: Wed, 21 Mar 2001 04:34:08 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Paul Richards
Cc: Mark Murray, freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za> <3AB85B6F.32E9EE7C@freebsd-services.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> It sets a rule number below which rules will not be flushed. I've been
> using it to install permanent rules, like SSH access from the office to
> remote servers, so I can flush the majority of rules but keep those that
> are essential to allow me to maintain connectivity to the box.

I'm a little concerned that this overrides the meaning of the rule numbers. Now they will define what order rules are processed in and whether they can be flushed. Wouldn't it be more orthogonal to add a flag to each rule (like the log keyword) to mark permanent rules? I don't know anything about the ipfw code, so maybe this is impractical (and I'm sure it would require more work), but it sounds worth it to me.

I'd certainly love to have this feature, but I think it would be more intuitive & useful as a per-rule flag.

If this matter is going to be discussed at length, it should probably move to -security and/or -ipfw.

Daniel

From owner-freebsd-audit Wed Mar 21 1:48:41 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mailgate.originative.co.uk (mailgate.originative.co.uk [62.232.68.68]) by hub.freebsd.org (Postfix) with ESMTP id D99A537B73D for ; Wed, 21 Mar 2001 01:48:38 -0800 (PST) (envelope-from paul@freebsd-services.co.uk)
Received: from freebsd-services.co.uk (lobster.originative.co.uk [62.232.68.81]) by mailgate.originative.co.uk (Postfix) with ESMTP id EA7F31D149; Wed, 21 Mar 2001 09:48:37 +0000 (GMT)
Message-ID: <3AB8792A.19308025@freebsd-services.co.uk>
Date: Wed, 21 Mar 2001 09:49:30 +0000
From: Paul Richards
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Daniel Hagan
Cc: Mark Murray, freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za> <3AB85B6F.32E9EE7C@freebsd-services.co.uk> <3AB87590.FA684AE7@colltech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Daniel Hagan wrote:
>
> > It sets a rule number below which rules will not be flushed. I've been
> > using it to install permanent rules, like SSH access from the office to
> > remote servers, so I can flush the majority of rules but keep those that
> > are essential to allow me to maintain connectivity to the box.
>
> I'm a little concerned that this overrides the meaning of the rule
> numbers. Now they will define what order rules are processed in and
> whether they can be flushed. Wouldn't it be more orthogonal to add a
> flag to each rule (like the log keyword) to mark permanent rules? I
> don't know anything about the ipfw code, so maybe this is impractical
> (and I'm sure it would require more work), but it sounds worth it to me.

The order of rule processing isn't affected unless you enable this feature. If you set the rule number above 0 then after a flush all the persistent rules will be at the front of the chain, so in that situation it's possible for the rule order to get changed when you add back flushed rules, but if you're using this feature then you're going to have your persistent rules together at the bottom of the number range anyway, so the problem shouldn't arise.

I looked at making it a per-rule setting but the flags field looks full, so it would require extending the struct and modifying the userland parser. That was too much of a change for what I needed, but I might take a look at extending the functionality later.

Paul.

From owner-freebsd-audit Wed Mar 21 2:19:39 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from scaup.prod.itd.earthlink.net (scaup.prod.itd.earthlink.net [207.217.121.49]) by hub.freebsd.org (Postfix) with ESMTP id 941A037B719 for ; Wed, 21 Mar 2001 02:19:36 -0800 (PST) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust246.tnt2.clarksburg.wv.da.uu.net [63.21.115.246]) by scaup.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id CAA09630; Wed, 21 Mar 2001 02:15:20 -0800 (PST)
Message-ID: <3AB87FF8.C9442D09@colltech.com>
Date: Wed, 21 Mar 2001 05:18:32 -0500
From: Daniel Hagan
Reply-To: freebsd-ipfw@FreeBSD.ORG, Freebsd-ipfw@FreeBSD.ORG, dhagan@colltech.com, paul@freebsd-services.co.uk, mark@grondar.za
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Paul Richards
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za> <3AB85B6F.32E9EE7C@freebsd-services.co.uk> <3AB87590.FA684AE7@colltech.com> <3AB8792A.19308025@freebsd-services.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[Reply-To: set for -ipfw & participants]

[Summary for -ipfw folk: Paul has a patch which adds an integer sysctl & modifies ip_fw.c. Any ipfw rule numbered below that integer will not be deleted by a flush, effectively making it permanent. This is useful for rules like ssh access, making it safer to modify ipfw rule sets remotely.]

Paul Richards wrote:
> Daniel Hagan wrote:
> > I'm a little concerned that this overrides the meaning of the rule
> > numbers. Now they will define what order rules are processed in and
> > whether they can be flushed.
[snip]
>
> The order of rule processing isn't affected unless you enable this
> feature. If you set the rule number above 0 then after a flush all the
> persistent rules will be at the front of the chain so in that situation
> it's possible for the rule order to get changed when you add back
> flushed rules but if you're using this feature then you're going to have
> your persistent rules together at the bottom of the number range anyway
> so the problem shouldn't arise.

Allow me to use a pseudo-ipfw-syntax example:

...
10 deny all from hacker.ip
...
100 allow tcp to port 22
101 allow tcp to port 25
102 allow tcp to port 80
...

I want 100, 101, & 102 to be permanent, but I want to have 10 flushed because it's a temporary rule (generated by portsentry, just as an example). Since the numbers define the order of processing _and_ what is permanent, I can't have this setup. But I certainly don't want to lose the ability to place specific deny rules early on in the stack either.

> I looked at making it a per-rule setting but the flags field looks full

It looks like the high bit is available in my copy of the source* (once IP_FW_F_MASK is set to 0xffffffff). I could be wrong though. If it is full, we should move to an unsigned long anyway (what are the chances that we won't want to add another flag down the road...).

> so it would require extending the struct and modifying the userland
> parser. That was too much of a change for what I needed but I might take
> a look at extending the functionality later.

I think, for it to be added to the base system, the functionality should be as orthogonal as possible. Just my opinion, of course.

Daniel

* ip_fw.h,v 1.57; it hasn't been supped for a while though.
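The two flush policies argued over in this thread, as an added example that is not part of any of the posts above and not code from ip_fw.c: a user-space model in C of a numbered rule chain, flushed once the way Paul's patch does it (a rule survives iff its number is at or below the threshold, which is what the patch's `fw_number > fw_permanent_rules` removal test amounts to) and once with the per-rule flag Daniel proposes. The `struct rule`, the `RULE_PERMANENT` flag, the chain helpers and the rule set (Daniel's 10/100/101/102 scenario) are all constructed for this example. It goes slightly beyond the thread by searching every possible threshold value to show that none of them flushes rule 10 while keeping rule 100, whereas the flag policy does so directly.

```c
#include <stdio.h>

/* Constructed model, not the kernel's ip_fw.c: struct rule, RULE_PERMANENT
 * and the rule set below are assumptions made for this example. */
#define IPFW_DEFAULT_RULE 65535   /* catch-all rule that ipfw never flushes */
#define RULE_PERMANENT    0x1     /* hypothetical per-rule flag (Daniel's proposal) */
#define NRULES 5

struct rule {
    unsigned short num;           /* rule number: also the processing order */
    unsigned flags;
    struct rule *next;
};
typedef int (*keep_fn)(const struct rule *, int);

/* Policy A, Paul's patch: a rule survives iff num <= threshold (the patch
 * removes a rule only when fw_number > fw_permanent_rules). */
static int keep_by_threshold(const struct rule *r, int threshold)
{
    return r->num <= threshold;
}

/* Policy B, Daniel's proposal: a rule survives iff it is flagged permanent. */
static int keep_by_flag(const struct rule *r, int unused)
{
    (void)unused;
    return (r->flags & RULE_PERMANENT) != 0;
}

/* Unlink every rule for which keep() is false, except the default rule.
 * As in the patch's loop, the successor is read before the node is dropped. */
static struct rule *chain_flush(struct rule *head, keep_fn keep, int arg)
{
    struct rule **pp = &head;
    while (*pp != NULL) {
        struct rule *r = *pp;
        if (r->num == IPFW_DEFAULT_RULE || keep(r, arg))
            pp = &r->next;
        else
            *pp = r->next;        /* unlink; the kernel would FREE() r here */
    }
    return head;
}

static int chain_has(const struct rule *head, unsigned short num)
{
    for (; head != NULL; head = head->next)
        if (head->num == num)
            return 1;
    return 0;
}

/* Daniel's scenario in number (= processing) order: 10 is a temporary deny
 * (e.g. added by portsentry); 100-102 are the ssh/smtp/http allows that
 * should be permanent. `nodes` is caller-provided storage for the chain. */
static struct rule *build_scenario(struct rule nodes[NRULES])
{
    static const struct { unsigned short num; unsigned flags; } spec[NRULES] = {
        { 10, 0 },                     /* deny all from hacker.ip */
        { 100, RULE_PERMANENT },       /* allow tcp to port 22 */
        { 101, RULE_PERMANENT },       /* allow tcp to port 25 */
        { 102, RULE_PERMANENT },       /* allow tcp to port 80 */
        { IPFW_DEFAULT_RULE, 0 },      /* default deny */
    };
    int i;
    for (i = 0; i < NRULES; i++) {
        nodes[i].num = spec[i].num;
        nodes[i].flags = spec[i].flags;
        nodes[i].next = (i + 1 < NRULES) ? &nodes[i + 1] : NULL;
    }
    return &nodes[0];
}

/* Flush the scenario under a policy and report whether rule `num` survived. */
static int survives(keep_fn keep, int arg, unsigned short num)
{
    struct rule nodes[NRULES];
    return chain_has(chain_flush(build_scenario(nodes), keep, arg), num);
}

/* 1 if some threshold value flushes rule 10 yet keeps rule 100, else 0. */
static int threshold_can_express_scenario(void)
{
    int t;
    for (t = 0; t < IPFW_DEFAULT_RULE; t++)
        if (!survives(keep_by_threshold, t, 10) && survives(keep_by_threshold, t, 100))
            return 1;
    return 0;
}

int main(void)
{
    printf("threshold 102: rule 10 kept=%d, rule 100 kept=%d\n",
           survives(keep_by_threshold, 102, 10), survives(keep_by_threshold, 102, 100));
    printf("per-rule flag: rule 10 kept=%d, rule 100 kept=%d\n",
           survives(keep_by_flag, 0, 10), survives(keep_by_flag, 0, 100));
    printf("some threshold expresses the scenario: %d\n", threshold_can_express_scenario());
    return 0;
}
```

Build with `cc -Wall -o flushmodel flushmodel.c` and run it. Because a number-threshold policy keeps a rule iff its number is small enough, any threshold that keeps rule 100 also keeps rule 10, which is exactly the coupling between processing order and permanence that the thread is about; the flag policy separates the two and keeps the default rule either way.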