From: Yonatan Bokovza
Date: Sun, 31 Mar 2002 16:01:33 +0300
Subject: DoS from within jail

Hi,
Do you think it's a security issue that root in jail can DoS the hosting server and other jails on it with a forkbomb?

Best Regards,
Yonatan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message


From: Kris Kennaway
Date: Sun, 31 Mar 2002 05:05:11 -0800
Subject: Re: DoS from within jail

On Sun, Mar 31, 2002 at 04:01:33PM +0300, Yonatan Bokovza wrote:
> Hi,
> Do you think it's a security issue that root in jail can DoS the hosting
> server and other jails on it with a forkbomb?

No.

Kris


From: Bart Matthaei
Date: Sun, 31 Mar 2002 15:09:12 +0200
Subject: Re: DoS from within jail

On Sun, Mar 31, 2002 at 04:01:33PM +0300, Yonatan Bokovza wrote:
> Hi,
> Do you think it's a security issue that root in jail can DoS the hosting
> server and other jails on it with a forkbomb?

root in jail = root on box .. So the answer is no.

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Eat drink and be merry, for tomorrow they may make it illegal.


From: Poul-Henning Kamp
Date: Sun, 31 Mar 2002 15:20:47 +0200
Subject: Re: DoS from within jail

In message <20020331150912.A29545@heresy.dreamflow.nl>, Bart Matthaei writes:
>
> root in jail = root on box ..

Care to elaborate?

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.


From: Bart Matthaei
Date: Sun, 31 Mar 2002 15:39:21 +0200
Subject: Re: DoS from within jail

On Sun, Mar 31, 2002 at 03:20:47PM +0200, Poul-Henning Kamp wrote:
> In message <20020331150912.A29545@heresy.dreamflow.nl>, Bart Matthaei writes:
> >
> > root in jail = root on box ..
>
> Care to elaborate?

I withdraw my remark. I mistook the FreeBSD jail for the Linux jail.
The FreeBSD jail is better implemented, isn't it?

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Love cannot be much younger than the lust for murder. -- Sigmund Freud


From: "Jesper Wallin"
Date: Sun, 31 Mar 2002 16:00:20 +0200 (CEST)
Subject: Why update the world because of OpenSSH?

Once again I make myself look like a fool..

I'm quite new to both mailing lists and FreeBSD so I'm not sure if I should post this or where I should post it.. sorry for pissing you off..

Well, some months ago I saw the warnings about the root exploit for OpenSSH here. What I never understood was, why should I update my world because of an OpenSSH exploit? Isn't it enough to just cvsup the ports and re-install OpenSSH from the ports?

//Jesper aka Z3l3zT

[ "It's better to be a lame hacker than a hacked lamer" -Z3l3zT 98' ]


From: Tobias Roth
Date: Sun, 31 Mar 2002 16:08:14 +0200
Subject: Re: Why update the world because of OpenSSH?

> Once again I make myself look like a fool..
>
> I'm quite new to both mailing lists and FreeBSD so I'm not sure if I should
> post this or where I should post it.. sorry for pissing you off..

I think freebsd-questions would be a good place for this question.

> Well, some months ago I saw the warnings about the root exploit for
> OpenSSH here. What I never understood was, why should I update my world
> because of an OpenSSH exploit? Isn't it enough to just cvsup the ports and
> re-install OpenSSH from the ports?

Well, since SSH usually is in the base system, remaking the world (or at least the OpenSSH part of the system) is reasonable. But of course, you can also install the fixed OpenSSH port over the system SSH. It's up to you. Remaking the OpenSSH part of the base system would be the cleaner approach though.

cheers, Tobe


From: patpro
Date: Sun, 31 Mar 2002 16:10:29 +0200
Subject: Re: Why update the world because of OpenSSH?

On 31/03/02 16:00, Jesper Wallin at z3l3zt@phucking.kicks-ass.org wrote:
> Once again I make myself look like a fool..
>
> I'm quite new to both mailing lists and FreeBSD so I'm not sure if I should
> post this or where I should post it.. sorry for pissing you off..
>
> Well, some months ago I saw the warnings about the root exploit for
> OpenSSH here. What I never understood was, why should I update my world
> because of an OpenSSH exploit? Isn't it enough to just cvsup the ports and
> re-install OpenSSH from the ports?

It appears to me that you just have to remove the openssh that comes with the base system and to install the openssh-portable port (and tune rc.conf accordingly).

patpro

--
"Nothing is lost, nothing is created, everything piles up" - My Desk -


From: mpd
Date: Sun, 31 Mar 2002 09:12:02 -0500
Subject: Re: Why update the world because of OpenSSH?

On Sun, Mar 31, 2002 at 04:00:20PM +0200, Jesper Wallin wrote:
> Once again I make myself look like a fool..
>
> I'm quite new to both mailing lists and FreeBSD so I'm not sure if I should
> post this or where I should post it.. sorry for pissing you off..
>
> Well, some months ago I saw the warnings about the root exploit for
> OpenSSH here. What I never understood was, why should I update my world
> because of an OpenSSH exploit? Isn't it enough to just cvsup the ports and
> re-install OpenSSH from the ports?

OpenSSH is part of the base system in both -STABLE and -CURRENT, and has been for a while now.

> //Jesper aka Z3l3zT

mike

--
"WITH A FEW SMALL MODIFICATIONS ANY CANOE CAN TRAVEL THROUGH TIME!!!"
- Pokey the Penguin from "POKEY IN ANCIENT SCOTLAND"


From: "Karsten W. Rohrbach"
Date: Sun, 31 Mar 2002 16:50:45 +0200
Subject: Re: Why update the world because of OpenSSH?

patpro(patpro@patpro.net)@2002.03.31 16:10:29 +0000:
> It appears to me that you just have to remove the openssh that comes with
> the base system and to install the openssh-portable port (and tune rc.conf
> accordingly).

Judging from the "bsd" in "freebsd" I guess the native version in /usr/ports/security/openssh might be a more straightforward choice.

regards,
/k

--
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


From: Rob Andrews
Date: Sun, 31 Mar 2002 11:58:47 -0600
Subject: Re: Why update the world because of OpenSSH?

Jesper Wallin wrote (2002/03/31 at 08:00:49 AM):
> Once again I make myself look like a fool..

A fool is one that stumbles around and doesn't ask the question..

> Well, some months ago I saw the warnings about the root exploit for
> OpenSSH here. What I never understood was, why should I update my world
> because of an OpenSSH exploit? Isn't it enough to just cvsup the ports and
> re-install OpenSSH from the ports?

Well, you don't always have to cvsup the src tree to update the version of openssh for posted advisories. They do post the patches so you can just patch it into the source tree and rebuild.

The other thing that you should know is that the port version does not over install the system version. So it's very possible to have conflicting versions of openssh on your system. If you want the newest version of openssh running on your system then the port is of course the way to go. Sometimes new features will be introduced that you won't see in the system version until the next revision or so of FreeBSD. It's really a matter of what you feel comfortable running on the system.

best of luck..

--
Robert Andrews | Cyberpunk Alliance http://www.cyberpunkz.org | Minneapolis, MN
Email: rob@cyberpunkz.org  Office: 763-535-6392


From: Gerhard Sittig
Date: Sun, 31 Mar 2002 16:19:21 +0200
Subject: Re: SSH or Telnet?

On Fri, Mar 29, 2002 at 12:28 -0800, Crist J. Clark wrote:
>
> Please repeat after me...
>
> 1) Switching is not a security feature. Switching is not a security
> feature. Switching...
>
> 2) VLANs are not a security feature. VLANs are not a security
> feature. VLANs...

Recently there has been a thread on suse-security@suse.com about VLANs. The article I took notice of (it had interesting looking URLs in it) was

Message-ID: <96C102324EF9D411A49500306E06C8D1A56E31@eketsv02.cubis.de>
From: "Reckhard, Tobias"
To: suse-security@suse.com
Date: Wed, 20 Mar 2002 13:00:19 +0100
Subject: RE: [suse-security] What to do against ARP-Poisoning?

http://lists.suse.com/ holds an archive. The above characterized article lives at http://lists.suse.com/archive/suse-security/2002-Mar/0505.html

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
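Several replies above (patpro, Karsten Rohrbach, Rob Andrews) turn on the same point: the OpenSSH port installs beside the base-system sshd rather than over it, so the unpatched base binary stays on disk and, unless rc.conf is retuned, is still the one that rc starts. The following audit script is an added example, not code from the advisory or from any poster; it assumes the base sshd lives at /usr/sbin/sshd, the port installs /usr/local/sbin/sshd, and rc.conf selects the daemon through the sshd_program variable (defaulting to /usr/sbin/sshd as in /etc/defaults/rc.conf).

```shell
#!/bin/sh
# Added example (not from the advisory or the list thread): audit a FreeBSD
# host for a base-system sshd left behind after installing the OpenSSH port,
# and report which binary rc.conf will actually start. The paths and the
# rc.conf variable name below are assumptions, adjust them to your system.

BASE_SSHD=/usr/sbin/sshd
PORT_SSHD=/usr/local/sbin/sshd

# List the executable sshd binaries found under ROOT (default "/"). A ROOT
# other than "/" lets you audit a mounted image instead of the live host.
sshd_candidates() {
    root=${1:-/}; root=${root%/}
    for p in "$BASE_SSHD" "$PORT_SSHD"; do
        [ -x "$root$p" ] && echo "$p"
    done
    return 0
}

# Value of a variable as rc.conf would leave it: the last assignment in the
# file wins, optional quotes and trailing comments are stripped. $3 is the
# default used when the file does not set the variable at all.
rc_var() {
    var=$1; rcfile=$2; default=$3
    v=''
    [ -r "$rcfile" ] && v=$(sed -n "s/^[[:space:]]*$var=[\"']*\([^\"' #]*\).*/\1/p" "$rcfile" | tail -n 1)
    [ -n "$v" ] && default=$v
    echo "$default"
}

# Exit status: 0 = a single sshd installed (nothing left over),
#              1 = two copies and rc.conf still starts the base one,
#              2 = two copies, the port copy is started, but the base copy
#                  is still on disk as an unpatched binary.
sshd_audit() {
    root=${1:-/}; root=${root%/}
    rcfile=${2:-$root/etc/rc.conf}
    n=$(sshd_candidates "$root" | wc -l | tr -d ' ')
    enable=$(rc_var sshd_enable "$rcfile" NO)
    prog=$(rc_var sshd_program "$rcfile" "$BASE_SSHD")
    if [ "$n" -le 1 ]; then
        echo "ok: one sshd installed; rc.conf starts $prog (sshd_enable=$enable)"
        return 0
    fi
    if [ "$prog" = "$BASE_SSHD" ]; then
        echo "conflict: port sshd installed but rc.conf still starts $prog; patch the base system or set sshd_program"
        return 1
    fi
    echo "warning: rc.conf starts $prog, but $BASE_SSHD is still installed; patch or remove it"
    return 2
}

# Run directly as: sh sshd_audit.sh [ROOT [RCFILE]]; with no arguments the
# file only defines the functions (handy for sourcing from another script).
if [ $# -gt 0 ]; then
    sshd_audit "$@"
fi
```

Exit status 1 or 2 means a base-system sshd that still needs the advisory's patch, whichever binary is being started.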
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Mar 31 12:19: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns1.xtraxion.com (e134174.upc-e.chello.nl [213.93.134.174]) by hub.freebsd.org (Postfix) with ESMTP id 8D31F37B41F for ; Sun, 31 Mar 2002 12:18:53 -0800 (PST) Received: from xp (xp.xtraxion.com [10.0.0.3]) by ns1.xtraxion.com (8.12.2/8.12.2) with SMTP id g2VKLC1s009223; Sun, 31 Mar 2002 22:21:16 +0200 (CEST) From: "Rick Hoppe" To: "Jesper Wallin" Cc: Subject: RE: Why update the world because of OpenSSH? Date: Sun, 31 Mar 2002 22:18:42 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <4487.213.112.58.135.1017583220.squirrel@phucking.kicks-ass.org> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jesper Wallin wrote: > Once again I make me look like a fool.. > > I'm quite new to both mailinglists and FreeBSD so I'm not sure IF i should > post this or where I should post if.. sorry for pissing you off.. > > Well, for some month ago I saw the warnings about the root exploit for > OpenSSH here. What I never understood what, why should I update my world > because of an OpenSSH exploit? Isn't it enought to just cvsup the > ports and > re-install OpenSSH from the ports? > > > //Jesper aka Z3l3zT > Please take your time to read and understand the FreeBSD Security Advisories. Your answer is already in the security advisory itself. Part of FreeBSD Security Advisory FreeBSD-SA-02:13.openssh : V. 
Solution Do one of the following: [For OpenSSH included in the base system] 1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2, or 4.5-STABLE after the correction date and rebuild. 2) FreeBSD 4.x systems prior to the correction date: The following patch has been verified to apply to FreeBSD 4.4-RELEASE, 4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch # cd /usr/src/secure/lib/libssh # make depend && make all # cd /usr/src/secure/usr.sbin/sshd # make depend && make all install # cd /usr/src/secure/usr.bin/ssh # make depend && make all install This advisory has two solutions for systems with OpenSSH in the base system. It seems the second solution is the best for you. Please note when you already installed the OpenSSH port, the base OpenSSH is still there. So your users may be able to use that one with the security problem instead of the OpenSSH you installed with the port. So you may choose to install the newest OpenSSH port that also is fixed, but don't forget the OpenSSH in the base system. Please use solution 2. 
Regards, Rick Hoppe Network- and Systemspecialist Xtraxion Internet To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Mar 31 22:21:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx-uno.texoma.net (mx-uno.texoma.net [209.151.96.9]) by hub.freebsd.org (Postfix) with ESMTP id 1C38537B417 for ; Sun, 31 Mar 2002 22:21:45 -0800 (PST) Received: from love2golf.texoma.net (mosel.texoma.net [209.151.96.67]) by mx-uno.texoma.net (8.12.2/8.11.6) with ESMTP id g316LUUE048444 for ; Mon, 1 Apr 2002 00:21:31 -0600 (CST) (envelope-from vaden@texoma.net) Message-Id: <5.1.0.14.2.20020331223056.05213e90@mail.texoma.net> X-Sender: ldvhomeu@mail.texoma.net X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 01 Apr 2002 00:21:42 -0600 To: security@FreeBSD.ORG From: Larry Vaden Subject: RE: Why update the world because of OpenSSH? In-Reply-To: References: <4487.213.112.58.135.1017583220.squirrel@phucking.kicks-ass.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 02:18 PM 3/31/2002, Rick Hoppe wrote: >Please take your time to read and understand the FreeBSD Security >Advisories. >Your answer is already in the security advisory itself. > >Part of FreeBSD Security Advisory FreeBSD-SA-02:13.openssh : > > > >V. Solution > >Do one of the following: > >[For OpenSSH included in the base system] > >1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2, > or 4.5-STABLE after the correction date and rebuild. Having been a multiple license holder of BSD/OS for 7 years and now making the transition to FreeBSD, I tried to read and understand the SA. I didn't find [much | anything] on the freebsd.org site about 4.5-RELEASEp2. 
Yes, I saw Makoto Matsushita's kind offer and thank him for said. What's the tag for 4.5-RELEASEp2? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Mar 31 22:28:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from sc.apana.org.au (sc.apana.org.au [202.12.88.20]) by hub.freebsd.org (Postfix) with ESMTP id C5BF737B417 for ; Sun, 31 Mar 2002 22:28:23 -0800 (PST) Received: from bbuzzed.cx (localhost.apana.org.au [127.0.0.1]) by sc.apana.org.au (8.11.6/8.11.6) with ESMTP id g316SA179661; Mon, 1 Apr 2002 16:28:11 +1000 (EST) (envelope-from nathan@bbuzzed.cx) Message-ID: <3CA7FDF9.1040702@bbuzzed.cx> Date: Mon, 01 Apr 2002 16:28:09 +1000 From: Nathan Reilly User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020325 X-Accept-Language: en-au, en-us MIME-Version: 1.0 To: Larry Vaden Cc: security@FreeBSD.ORG Subject: Re: Why update the world because of OpenSSH? References: <4487.213.112.58.135.1017583220.squirrel@phucking.kicks-ass.org> <5.1.0.14.2.20020331223056.05213e90@mail.texoma.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Larry Vaden wrote: > What's the tag for 4.5-RELEASEp2? 
RELENG_4_5

From owner-freebsd-security Sun Mar 31 22:35:35 2002
From: Larry Vaden
To: Nathan Reilly
Cc: security@FreeBSD.ORG
Date: Mon, 01 Apr 2002 00:35:28 -0600
Subject: Re: Why update the world because of OpenSSH?
Message-Id: <5.1.0.14.2.20020401003241.058c7668@mail.texoma.net>
In-Reply-To: <3CA7FDF9.1040702@bbuzzed.cx>

At 12:28 AM 4/1/2002, Nathan Reilly wrote:
>Larry Vaden wrote:
>>What's the tag for 4.5-RELEASEp2?
>
>RELENG_4_5

Am I correct in assuming that RELENG_4_5 changes from time to time?

If that is the case, how does one build 4.5-RELEASEp2 without the exposure of mods since that release?
thnx/ldv

From owner-freebsd-security Sun Mar 31 22:45:33 2002
From: David Syphers
Reply-To: charon@seektruth.org
To: Larry Vaden
Cc: security@FreeBSD.ORG
Date: Mon, 1 Apr 2002 00:45:29 -0600
Subject: Re: Why update the world because of OpenSSH?
Message-Id: <200204010645.g316jTX05511@midway.uchicago.edu>
In-Reply-To: <5.1.0.14.2.20020401003241.058c7668@mail.texoma.net>

On Monday 01 April 2002 12:35 am, Larry Vaden wrote:
> At 12:28 AM 4/1/2002, Nathan Reilly wrote:
> >Larry Vaden wrote:
> >>What's the tag for 4.5-RELEASEp2?
> >
> >RELENG_4_5
>
> Am I correct in assuming that RELENG_4_5 changes from time to time?
>
> If that is the case, how does one build 4.5-RELEASEp2 without the exposure
> of mods since that release?

Take a look at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

RELENG_4_5 is not -STABLE. It is the security branch. Presumably you would want everything committed to it, but at this point it would give you 4.5-RELEASEp2.
-David

--
Everyone who believes in telekinesis, raise my hand...

Center for Cosmological Physics
The University of Chicago

From owner-freebsd-security Sun Mar 31 22:48:03 2002
From: Christopher Schulte
To: Larry Vaden, Nathan Reilly
Cc: security@FreeBSD.ORG
Date: Mon, 01 Apr 2002 00:47:52 -0600
Subject: Re: Why update the world because of OpenSSH?
Message-Id: <5.1.0.14.0.20020401004221.0694bcc8@pop3s.schulte.org>
In-Reply-To: <5.1.0.14.2.20020401003241.058c7668@mail.texoma.net>

At 12:35 AM 4/1/2002 -0600, Larry Vaden wrote:
>Am I correct in assuming that RELENG_4_5 changes from time to time?

Yup. Whenever critical (security) changes are committed.

>If that is the case, how does one build 4.5-RELEASEp2 without the exposure
>of mods since that release?

The current state of RELENG_4_5 is 4.5-RELEASE-p2. That basically means there have been 2 changes to RELENG_4_5 since 4.5-RELEASE came to be. As soon as another commit is made, it will be known as 4.5-RELEASE-p3.
You simply synchronize to RELENG_4_5 and get the most current -px state.

/usr/src/UPDATING documents the changes made, once you cvsup your sources.

>thnx/ldv

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address.
This address is valid.

From owner-freebsd-security Mon Apr 1 00:28:59 2002
From: Jason Stone
To: Zvezdan Petkovic
Date: Mon, 1 Apr 2002 00:28:30 -0800 (PST)
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020401002447.K2704-100000@walter>
In-Reply-To: <20020330210748.A1609@dali.cs.wm.edu>

> > Well, for one, the fact that you can't copy from one remote host to
> > another.
>
> Wrong, you _CAN_ copy between two remote hosts.
> scp man page says in the second paragraph of DESCRIPTION:
>
> Any file name may contain a host and user specification to indicate that
> the file is to be copied to/from that host. Copies between two remote
> hosts are permitted.
> > scp my.office.machine:file.pdf my.home.machine:

Yes, but it's not what you think - when you did this, what actually happened was that the client on the machine you started from did:

  ssh my.office.machine "scp file.pdf my.home.machine:"

That is to say, you really just copied the file from office to home without it ever touching the machine in the middle. So if the two end machines can't see each other, this won't work. And if you can't arrange to get the password/key/passphrase for the home machine from the middle machine to the office machine, this won't work.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Mon Apr 1 00:32:57 2002
From: Jason Stone
Date: Mon, 1 Apr 2002 00:32:40 -0800 (PST)
Subject: Re: SSH or Telnet?
In-Reply-To: <004101c1d800$a4a71ee0$6401a8c0@router.unknown.ca>
Message-ID: <20020401003026.D2704-100000@walter>

> I would also recommend that you restrict access to ssh using
> /etc/hosts.allow if you would like some added security to just who all
> can ssh to your box.

ipfw (or whatever) rules are preferable to /etc/hosts.allow rules, because if there's a buffer overrun, it can probably be exploited before /etc/hosts.allow is even opened, whereas ipfw rules prevent the exploitative packets from ever reaching the sshd.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Mon Apr 1 00:57:35 2002
From: andy@sambolian.net.nz
To: security@freebsd.org
Date: Mon, 1 Apr 2002 21:45:26 +1200
Subject: Re: Why update the world because of OpenSSH?
Message-ID: <1017654326.3ca82c36df0d2@webmail.sambolian.net.nz>

Hi,

What you can do is this. It will overwrite ssh that comes with the base so there is no need to change rc.conf or anything.

  cd /usr/ports/security/openssh-portable
  make clean
  make -DOPENSSH_OVERWRITE_BASE
  make -DOPENSSH_OVERWRITE_BASE install

Quoting patpro :
> On 31/03/02 16:00, Jesper Wallin at z3l3zt@phucking.kicks-ass.org wrote:
>
> > Once again I make me look like a fool..
> >
> > I'm quite new to both mailinglists and FreeBSD so I'm not sure IF I should
> > post this or where I should post it.. sorry for pissing you off..
> >
> > Well, some months ago I saw the warnings about the root exploit for
> > OpenSSH here. What I never understood was, why should I update my world
> > because of an OpenSSH exploit? Isn't it enough to just cvsup the ports and
> > re-install OpenSSH from the ports?
>
> it appears to me that you just have to remove the openssh that comes with
> the base system and to install the openssh-portable port (and tune rc.conf
> accordingly).
>
> patpro
> --
> "Nothing is lost, nothing is created, everything piles up"
> - My Desk -

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From owner-freebsd-security Mon Apr 1 02:38:05 2002
From: Zvezdan Petkovic
To: freebsd-security@FreeBSD.ORG
Date: Mon, 1 Apr 2002 05:38:00 -0500
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020401053800.A14193@dali.cs.wm.edu>
In-Reply-To: <20020401002447.K2704-100000@walter>

On Mon, Apr 01, 2002 at 12:28:30AM -0800, Jason Stone wrote:
> > > > Well, for one, the fact that you can't copy from one remote host to
> > > > another.
> > >
> > > Wrong, you _CAN_ copy between two remote hosts.
> > > scp man page says in the second paragraph of DESCRIPTION:
> > >
> > > Any file name may contain a host and user specification to indicate that
> > > the file is to be copied to/from that host. Copies between two remote
> > > hosts are permitted.
> > >
> > > scp my.office.machine:file.pdf my.home.machine:
>
> Yes, but it's not what you think - when you did this, what actually
> happened was that the client on the machine you started from did:
> ssh my.office.machine "scp file.pdf my.home.machine:"
> That is to say, you really just copied the file from office to home
> without it ever touching the machine in the middle. So if the two end
> machines can't see each other, this won't work. And if you can't arrange
> to get the password/key/passphrase for the home machine from the middle
> machine to the office machine, this won't work.
>
> -Jason

Correct. Remember though that the original post was that scp man page is not clear enough. I just tried to show that it is quite clear and correct. Setting the keys correctly is another matter, but my opinion is that it is quite clear too for people who read documentation carefully.
Also, the first person in the quote above doesn't claim that copy has to be over the middle machine. But again, you pointed correctly that if these two machines do not allow direct connection to each other then the copying wouldn't work. I don't think scp man page wanted to imply that it would.

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Mon Apr 1 03:35:37 2002
From: Darren Reed
To: kerberus@microbsd.net (kerberus)
Cc: avalon@cairo.anu.edu.au (Darren Reed), Alex.Wilkinson@dsto.defence.gov.au, FreeBSD-Security@FreeBSD.ORG
Date: Mon, 1 Apr 2002 21:35:26 +1000 (Australia/NSW)
Subject: Re: pf OR ipf ?
Message-Id: <200204011135.g31BZQJj014853@cairo.anu.edu.au>
In-Reply-To: <1017320587.4219.1.camel@vaio.microbsd.net> from "kerberus" at Mar 28, 2002 08:03:07 AM

I wonder just how much you have "modified" it.

That aside, I think you need to learn to read.

In some mail from kerberus, sie said:
>
> Because I can modify it to whatever I want...!!! I also like certain
> aspects of the pfctl mechanism......
> >
> > > Why use PF when you can use IPF ? :)
> > >
> > > Darren

From owner-freebsd-security Mon Apr 1 07:24:07 2002
From: Rasputin
To: mininx
Cc: security@freebsd.org
Date: Mon, 1 Apr 2002 16:23:17 +0100
Subject: Re: loop-aes (porting)
Message-ID: <20020401162317.A339@shikima.mine.nu>

* mininx [020327 21:57]:
> Hi!
>
> I'm looking for people helping to port loop-aes
> (www.sourceforge.net/projects/loop-aes) under FreeBSD. It is a type of
> crypted fs just like CFS. But since I had many problems with CFS (unsolved
> problems, and there were no answers for it from the writer and either from
> the mailing list) I decided to port this really good stuff under FreeBSD.
> If you have time/energy, and have ideas (because I don't have any) where
> to start feel free to mail me.

If this is a loopback-crypted filesystem, take a look at:

  vncrypt.sourceforge.net

which is a KLM that does similar things.

--
A conclusion is simply the place where someone got tired of thinking.
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Mon Apr 1 09:28:18 2002
From: Jason Stone
To: mininx
Date: Mon, 1 Apr 2002 09:28:01 -0800 (PST)
Subject: Re: loop-aes (porting)
Message-ID: <20020401091347.P2704-100000@walter>
In-Reply-To: <20020401162317.A339@shikima.mine.nu>

> > I'm looking for people helping to port loop-aes
> > (www.sourceforge.net/projects/loop-aes) under FreeBSD.
>
> If this is a loopback-crypted filesystem, take a look at:
> vncrypt.sourceforge.net
> which is a KLM that does similar things.

There's also FiST, a toolkit for writing portable filesystems. It comes with several working filesystems including a cryptfs. The FreeBSD version is currently less stable than the Linux version, but it is under active development, and stability fixes for FreeBSD and Solaris are on the list of near-term goals.

http://www.cs.columbia.edu/~ezk/research/fist/

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about.
I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Mon Apr 1 10:48:36 2002
From: Garrett Wollman
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 1 Apr 2002 13:48:16 -0500 (EST)
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-Id: <200204011848.g31ImGv55875@khavrinen.lcs.mit.edu>

< said:
> Some systems (like the SparcStation 5 that serves DNS, DHCP and NTP
> requests from my home network) are too slow for the algorithms used by
> ssh2.

It's perfectly acceptable on our IPX. The session takes a few seconds to start, and the keys took a long time to generate, but once authenticated there does not seem to be much difference to me. (In fact, `cat /etc/termcap' takes consistently twice as long using v1 as v2.)
-GAWollman

From owner-freebsd-security Mon Apr 1 11:06:13 2002
From: FreeBSD bugmaster
To: security@FreeBSD.org
Date: Mon, 1 Apr 2002 11:06:01 -0800 (PST)
Subject: Current problem reports assigned to you
Message-Id: <200204011906.g31J61r20147@freefall.freebsd.org>

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security Mon Apr 1 11:31:14 2002
From: "Peter C. Lai"
To: Jason Stone
Cc: security@FreeBSD.ORG
Date: Mon, 1 Apr 2002 14:31:01 -0500
Subject: Re: SSH or Telnet?
Message-ID: <20020401143101.A91978@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
In-Reply-To: <20020401003026.D2704-100000@walter>

And also ipfw is a good habit to pick up because it is preferable for any other services you may be running because not every service supports tcpwrappers. You are only guaranteed tcpwrappers (hosts.allow/deny) functionality if your service is being run by inetd or has been compiled to link to tcpwrappers.

On Mon, Apr 01, 2002 at 12:32:40AM -0800, Jason Stone wrote:
> > I would also recommend that you restrict access to ssh using
> > /etc/hosts.allow if you would like some added security to just who all
> > can ssh to your box.
>
> ipfw (or whatever) rules are preferable to /etc/hosts.allow rules, because
> if there's a buffer overrun, it can probably be exploited before
> /etc/hosts.allow is even opened, whereas ipfw rules prevent the
> exploitative packets from ever reaching the sshd.
>
> -Jason
>
> -----------------------------------------------------------------------
> I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry
> that 10 or 15 years from now, she will come to me and say "Daddy, where
> were you when they took freedom of the press away from the Internet?"
> -- Mike Godwin

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)

From owner-freebsd-security Mon Apr 1 15:18:03 2002
From: "Karsten W. Rohrbach"
To: Garrett Wollman
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Date: Tue, 2 Apr 2002 01:18:15 +0200
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020402011815.D45946@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach", Garrett Wollman, Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
In-Reply-To: <200204011848.g31ImGv55875@khavrinen.lcs.mit.edu>

Garrett Wollman(wollman@lcs.mit.edu)@2002.04.01 13:48:16 +0000:
> < said:
>
> > Some systems (like the SparcStation 5 that serves DNS, DHCP and NTP
> > requests from my home network) are too slow for the algorithms used by
> > ssh2.
>
> It's perfectly acceptable on our IPX. The session takes a few seconds
> to start, and the keys took a long time to generate, but once
> authenticated there does not seem to be much difference to me. (In
> fact, `cat /etc/termcap' takes consistently twice as long using v1 as
> v2.)

interesting. i observe a similar behaviour on my router (intel pentium 60, 4.4-stable 12/6/2001, ssh 2.0 20011202, protocol v2). generation of the server key takes ages (~3+ minutes)...
regards,
/k

--
> The idea that Bill Gates has appeared like a knight in shining armour
> to lead all customers out of a mire of technological chaos neatly ignores
> the fact that it was he who, by peddling second-rate technology, led them
> into it in the first place. --Douglas Adams in Guardian, August 25, 1995
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Mon Apr 1 18:37:43 2002
From: nobody@cyberstreet.com
To: freebsd-security@freebsd.org
Date: Mon, 1 Apr 2002 21:38:51 -0500
X-Mailer: The Bat!
(v1.53d) Educational X-Priority: 3 (Normal) Message-ID: <1065771453.20020401213851@email.com> To: freebsd-security@freebsd.org Subject: linksys 8 port router and ipfw MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org thanks in advance. i have 8 windows clients behind a linksys router (befsr81 with updated firmware) on a hub that links to a freebsd box (4.5 release) running natd and connected to the net via cable; no dhcp anywhere. i can make it work, BUT, i am unsure of how well i have done it and how well it is protected. i have omitted the more mundane lo0 and spoofing entries for brevity. xl0 is internal interface. ipfw rules add divert natd all from any to any via xl1 add check-state add allow tcp from "the-router" to any 22 in setup keep-state add deny tcp from any to any 22 add allow all from "the-router" to any keep-state add allow all from any to any out default to deny #1 how can i change this so i doesn't suck and so the i can browse and ftp from bsd box? #2 see below, not as important as #1 but i didnt want to cross-post to questions. ***side note*** the strange thing about router. ssh works until i use the router. i googled and found other people that said to change to mtu on the nic and router, didnt work. the router only breaks ssh, (it is in /etc/hosts) you can still browse and ftp. remove the router and all works, without any other changes. i cheated and changed my sshd_config to listen on all interfaces and it will work through the router; not working on xl0 only xl1. i dont think this is, however, the best answer. again, i thank you all for any time and help. 
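Editor's note, not part of the message above: the reason the box itself cannot browse or ftp with that ruleset is the last rule. `allow all from any to any out` lets the box's own packets leave, but it carries no keep-state, so the replies come back in via xl1, match neither a dynamic rule nor any static rule, and fall through to the default deny. The LAN clients work only because the `"the-router"` rule does keep state. The script below is an added example, not the poster's configuration or any FreeBSD-supplied one; the interface names, the router's LAN address (192.168.1.1) and the ssh port are assumptions and can be overridden in the environment. It keeps divert ahead of check-state, so returning packets are un-translated by natd before the dynamic rules see them, and it gives the box's own outbound rule the missing keep-state.

```sh
#!/bin/sh
# Added example (not the poster's config): a stateful ipfw ruleset for the
# layout in the question: LAN behind the Linksys on xl0, cable on xl1, natd
# on xl1. Interface names, the router's LAN address and the ssh port are
# assumptions; override them in the environment.
EXT_IF="${EXT_IF:-xl1}"            # cable side, natd runs here
INT_IF="${INT_IF:-xl0}"            # LAN side
ROUTER="${ROUTER:-192.168.1.1}"    # assumed LAN address of the Linksys
SSH_PORT="${SSH_PORT:-22}"

# Print the rules, one per line, in evaluation order. Lines starting with
# '#' are comments and are skipped by apply_rules.
ipfw_rules() {
    cat <<EOF
# loopback and spoofing guards that the poster left out for brevity
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
# translate before matching state: replies come back from natd with the
# private address restored, so the dynamic rule below can match them
divert natd ip from any to any via ${EXT_IF}
check-state
# ssh to this box only from the router's LAN side, only on the LAN interface
allow tcp from ${ROUTER} to me ${SSH_PORT} in via ${INT_IF} setup keep-state
deny log tcp from any to me ${SSH_PORT}
# whatever the LAN originates, remembered so the replies pass check-state
allow ip from ${ROUTER} to any in via ${INT_IF} keep-state
# the box's own traffic: the original set had no state here, so replies to
# browsing and ftp from the box fell through to the default deny
allow ip from me to any out via ${EXT_IF} keep-state
# active-mode ftp data connections from the box are still refused; use ftp -p
deny log ip from any to any
EOF
}

# Returns 0 when divert precedes check-state in the printed set; if the
# order is reversed, un-translated replies never match their dynamic rule.
rules_ordered() {
    div=$(ipfw_rules | grep -n '^divert ' | cut -d: -f1)
    chk=$(ipfw_rules | grep -n '^check-state' | cut -d: -f1)
    [ -n "$div" ] && [ -n "$chk" ] && [ "$div" -lt "$chk" ]
}

# Load the set on a FreeBSD box; where ipfw is absent, just print it.
apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; rules follow" >&2
        ipfw_rules
        return 1
    fi
    ipfw -f -q flush
    ipfw_rules | grep -v '^#' | while read -r rule; do
        ipfw -q add $rule   # word splitting of $rule is intended
    done
}

# sh ipfw-nat.sh apply   loads the rules; without "apply" nothing is changed
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Two differences from the posted set are deliberate. The original `deny tcp from any to any 22` also stopped the LAN clients from ssh-ing anywhere else; the deny here covers only connections to the box, and LAN clients reach outside port 22 through the stateful router rule. And because natd rewrites the source address after the LAN rule has already recorded state, the box's own `keep-state` rule will also create a short-lived dynamic entry for each translated LAN connection; that entry is never hit and simply expires, so it is harmless, but it is why `ipfw -d show` lists two entries per LAN connection.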
From owner-freebsd-security Mon Apr 1 20:45:06 2002
From: "Jesper Wallin"
Subject: Stop usage of "who"?
Date: Tue, 2 Apr 2002 06:44:56 +0200 (CEST)
Message-ID: <1501.213.112.58.125.1017722696.squirrel@phucking.kicks-ass.org>

Hey.. This night I was taking a look at the local security and decided to
make this system more like it was a huge wall between all the users.. The
first thing I wanted to do was to limit the access to top and ps.. This was
done very easily with "sysctl -w kern.ps_showallprocs=0" and editing
/etc/sysctl.conf.. Now I want to stop usage of commands like w, who and
users.. I guess it must be possible to change it somewhere in the proc dir
instead of changing the permissions on all the executables..

Another thing I want to do (if it's possible) is to add a default quota..
like, all new users who are being added will have about 500Mb of disk
space..

Jesper aka Z3l3zT

From owner-freebsd-security Mon Apr 1 21:56:53 2002
From: Peter Leftwich
To: Jesper Wallin
Cc: FreeBSD Security List
Subject: Re: Stop usage of "who"? [doing things the hard way]
Date: Tue, 2 Apr 2002 00:56:46 -0500 (EST)
In-Reply-To: <1501.213.112.58.125.1017722696.squirrel@phucking.kicks-ass.org>
Message-ID: <20020402005030.D5931-100000@earl-grey.cloud9.net>
Organization: Video2Video Services - http://Www.Video2Video.Com

On Tue, 2 Apr 2002, Jesper Wallin wrote:
> Hey.. This night I was taking a look at the local security and decided to make
> this system more like it was a huge wall between all the users.. The first
> thing I wanted to do was to limit the access to top and ps.. This was done

Did you want to limit the access to the top and ps binaries (type `man
chmod ; man chgrp`) or limit the information these binaries display?

> very easily with "sysctl -w kern.ps_showallprocs=0" and editing
> /etc/sysctl.conf.. Now I want to stop usage of commands like w, who and

When I looked at `man sysctl` the manpage said that "-w" has been
deprecated (i.e. the powers that be discourage its use) and my
/etc/sysctl.conf file is basically empty except for comments.

> users.. I guess it must be possible to change it somewhere in the proc dir
> instead of changing the permissions on all the executables..

What?

> Another thing I want to do (if it's possible) is to add a default quota..

I love when people ask if something is possible! Ahem, this is FreeBSD?!

> like, all new users who are being added will have about 500Mb of disk space..

In the /etc/rc.conf file
enable_quotas="NO"      # turn on quotas on startup (or NO).
check_quotas="NO"       # Check quotas on startup (or NO).
accounting_enable="YES" # Turn on process accounting (or NO).

Change the first two to "YES" and also check out `man quota` for info.

> Jesper aka Z3l3zT

What's a "zelezt?"

--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

From owner-freebsd-security Mon Apr 1 23:16:38 2002
From: "Jesper Wallin"
Subject: Re: Stop usage of 'who'? [doing things the hard way]
Date: Tue, 2 Apr 2002 09:16:28 +0200 (CEST)
In-Reply-To: <20020402005030.D5931-100000@earl-grey.cloud9.net>
Message-ID: <1907.213.112.58.125.1017731788.squirrel@phucking.kicks-ass.org>

> On Tue, 2 Apr 2002, Jesper Wallin wrote:
>> Hey.. This night I was taking a look at the local security and decided
>> to make this system more like it was a huge wall between all the
>> users.. The first thing I wanted to do was to limit the access to top
>> and ps.. This was done
>
> Did you want to limit the access to the top and ps binaries (type `man
> chmod ; man chgrp`) or limit the information these binaries display?

Eeeh?! How can that help me out? They just need to copy their own bins
from their own system then?

>> very easily with "sysctl -w kern.ps_showallprocs=0" and editing
>> /etc/sysctl.conf.. Now I want to stop usage of commands like w, who
>> and
>
> When I looked at `man sysctl` the manpage said that "-w" has been
> deprecated (i.e. the powers that be discourage its use) and my
> /etc/sysctl.conf file is basically empty except for comments.

Well, try su and type "sysctl -w kern.ps_showallprocs=0" and run ps as a
non-root user.. and I said that I edited the /etc/sysctl.conf.. of course
it's empty by default.. add "kern.ps_showallprocs=0" if you don't want to
retype it each time you need to reboot..

>> users.. I guess it must be possible to change it somewhere in the proc
>> dir instead of changing the permissions on all the executables..
>
> What?

What I meant was the log files.. sorry about that.. Just chmod the
executables (optional) and change /var/run/utmp.. if you want to disable
last(1) and lastlogin too, just simply chmod the /var/log/wtmp and
/var/log/lastlog.

>> Another thing I want to do (if it's possible) is to add a default
>> quota..
>
> I love when people ask if something is possible! Ahem, this is
> FreeBSD?!

I know! I know! :) and it really owns! :)

>> like, all new users who are being added will have about 500Mb of disk
>> space..
>
> In the /etc/rc.conf file
> enable_quotas="NO" # turn on quotas on startup (or NO).
> check_quotas="NO" # Check quotas on startup (or NO).
> accounting_enable="YES" # Turn on process accounting (or NO).
>
> Change the first two to "YES" and also check out `man quota` for info.

I didn't mean that. I meant, when I add a user, the files in
/usr/share/skel will be copied to the user's home dir. I want his/her quota
to be changed at the same time so I don't need to change it manually..

>> Jesper aka Z3l3zT
>
> What's a "zelezt?"

A lame computer geek who's too lazy to rtfm at 09:16AM with not a minute of
sleep? ;)

> --
> Peter Leftwich
> President & Founder
> Video2Video Services
> Box 13692, La Jolla, CA, 92039 USA
> +1-413-403-9555

//Jesper aka Z3l3zT

From owner-freebsd-security Mon Apr 1 23:28:12 2002
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A.Kritsky"
To: "Jesper Wallin"
Cc: Hostmaster@Video2Video.Com, security@FreeBSD.ORG
Subject: Re[2]: Stop usage of 'who'? [doing things the hard way]
Date: Tue, 2 Apr 2002 11:27:47 +0400
In-Reply-To: <1907.213.112.58.125.1017731788.squirrel@phucking.kicks-ass.org>
Message-ID: <9974775811.20020402112747@internethelp.ru>

Hello Jesper,

Tuesday, April 02, 2002, 11:16:28 AM, you wrote:

>> Did you want to limit the access to the top and ps binaries (type `man
>> chmod ; man chgrp`) or limit the information these binaries display?

JW> Eeeh?! How can that help me out? They just need to copy their own bins
JW> from their own system then?

AFAIK top must be sgid kmem to run. And, as somebody had already mentioned,
ps can be restricted with kern.ps_showallprocs=0.

JW> What I meant was the log files.. sorry about that.. Just chmod the
JW> executables (optional) and change /var/run/utmp.. if you want to disable
JW> last(1) and lastlogin too, just simply chmod the /var/log/wtmp and
JW> /var/log/lastlog.

>>> Another thing I want to do (if it's possible) is to add a default
>>> quota.. like, all new users who are being added will have about 500Mb
>>> of disk space..

JW> I didn't mean that. I meant, when I add a user, the files in
JW> /usr/share/skel will be copied to the user's home dir. I want his/her
JW> quota to be changed at the same time so I don't need to change it
JW> manually..

Use quota for group "lusers" ?

man quota | grep -2 -e "-g"
man login.conf

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Tue Apr 2 00:05:22 2002
From: Jason Stone
To: Jesper Wallin
Subject: Re: Stop usage of "who"?
Date: Tue, 2 Apr 2002 00:05:03 -0800 (PST)
In-Reply-To: <1501.213.112.58.125.1017722696.squirrel@phucking.kicks-ass.org>
Message-ID: <20020401210722.S94832-100000@walter>

> Now I want to stop usage of commands like w, who and users.. I guess
> it must be possible to change it somewhere in the proc dir instead of
> changing the permissions on all the executables..

Most daemons/programs that log you in write a record into utmp/wtmp when
they do so, and who(1) _et al_ just read utmp and print out whatever is in
it. So to make this mechanism fail, it is sufficient to either stop the
writing to utmp/etc, or to stop the reading of utmp/etc.

The files in question are (from /usr/include/utmp.h):

#define _PATH_UTMP      "/var/run/utmp"
#define _PATH_WTMP      "/var/log/wtmp"
#define _PATH_LASTLOG   "/var/log/lastlog"

Making all these files mode 600 would allow who(1) to be run normally by
root but fail for normal users. Also remember to change newsyslog.conf so
that the restrictive permissions will get preserved when the files get
rotated.

Note that users will still be able to see some information about other
users. netstat(1), for example, will show users all open network
connections, vmstat(8) will allow users to see if someone is working at
the physical console, etc.

> Another thing I want to do (if it's possible) is to add a default
> quota.. like, all new users who are being added will have about 500Mb
> of disk space..

Quotas are discussed in detail in section 12.5 of the handbook - check
that out and then mail freebsd-questions if you have specific questions.

If you're wondering strictly about setting the default when you create
users, well then it depends on how you're creating the users, and there
are many approaches you can take depending on your needs. Wrapping pw(8)
with a shell or perl script and running another script from cron to check
that all users have a quota is the approach I'd take.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Tue Apr 2 05:58:25 2002
From: "Moti Levy"
Subject: dsniff from ports installs XFree86 ?
Date: Tue, 2 Apr 2002 08:59:48 -0500
Message-ID: <01a201c1da4e$b70cacd0$fd6e34c6@moti>

Why is that?
Can I make it install without it?
I tried make -DWITHOUT_X
make -DWITHOUT_GUI
no luck ....
b.t.w. is this a "questions" question?

Moti

From owner-freebsd-security Tue Apr 2 06:19:48 2002
From: Peter Pentchev
To: Moti Levy
Cc: freebsd-security@freebsd.org
Subject: Re: dsniff from ports installs XFree86 ?
Date: Tue, 2 Apr 2002 17:19:33 +0300
In-Reply-To: <01a201c1da4e$b70cacd0$fd6e34c6@moti>; from moti@flncs.com on Tue, Apr 02, 2002 at 08:59:48AM -0500
Message-ID: <20020402171933.K416@straylight.oblivion.bg>

On Tue, Apr 02, 2002 at 08:59:48AM -0500, Moti Levy wrote:
>
> Why is that?
> Can I make it install without it?
> I tried make -DWITHOUT_X
> make -DWITHOUT_GUI
> no luck ....
> b.t.w. is this a "questions" question?

The webspy(8) utility included in the dsniff package needs X to be able
to send URL's to Netscape (or whatever browser you point it at).

And actually, this is a "ports" question :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?

From owner-freebsd-security Tue Apr 2 08:53:53 2002
From: "Paul"
Reply-To: "Paul"
Subject: Software Development from Russia ($20-$25 per hour)
Date: Tue, 2 Apr 2002 23:52:09 +0700
Message-ID: <200204021658.g32GwcP11213@users.pesaro.com>

Dear IT Manager,

Have you ever thought of redesigning your website or creating an on-line
database, in short, anything that has to do with software development?
This offer is right for you. Our highly skilled off-shore programmers are
capable and ready to develop any of your e-commerce software dreams and
needs.

We develop for ALL WINDOWS AND UNIX PLATFORMS: Auctions, Hosting
Solutions, Shopping Carts, databases, networks, plus Perl, PHP, C++, ASP,
Cold Fusion, Java, Wap, XML, MS Access, SQL, etc.

From business analysis and consulting to web design, from coding to
testing we provide a full cycle of IT services. Typical rates are 20-25
USD per hour.

For more complete information about the company and services provided
please visit http://www.smtprogramming.com

I will be glad to answer any of your questions (bestdeal411@mail.ru).
Feel free to contact us any time and all the estimates will be done for
you FREE of charge.

Thanks!
Paul

PS. It's a one time message. You are not on a list.

From owner-freebsd-security Tue Apr 2 11:48:38 2002
From: "N. J. Cash"
To: "Jason Stone" , "Jesper Wallin"
Subject: Re: Stop usage of "who"?
Date: Tue, 2 Apr 2002 15:48:38 -0400
References: <20020401210722.S94832-100000@walter>
Message-ID: <002301c1da7f$629f66c0$6401a8c0@router.unknown.ca>

As far as trying to chmod permissions on files, I would recommend that you
check out and use *jail* instead.
Jail can be a little tricky to get going but it's a nice way to limit users
to basically no or customized shell access commands.
It can also prevent a cd .. to /home *so no looking around!*

In FreeBSD *man jail* is a little funky to understand; I'd try a google
search about it for some more detailed info..

It'll work perfectly if you have the time and patience to do it : )

Here's some info on quotas if you haven't seen it yet..

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html

----- Original Message -----
From: Jason Stone
To: Jesper Wallin
Cc: security@FreeBSD.ORG
Sent: Tuesday, April 02, 2002 4:05 AM
Subject: Re: Stop usage of "who"?

[Jason Stone's message of Tue, 2 Apr 2002 00:05:03 -0800, quoted in full; see above.]

From owner-freebsd-security Tue Apr 2 17:14:09 2002
From: "David G . Andersen"
To: freebsd-security@freebsd.org
Subject: Jail with one IP?
Date: Tue, 2 Apr 2002 18:14:02 -0700
Message-ID: <20020402181402.A27138@cs.utah.edu>

Does anyone have warnings / experience with how Jail will behave when used
with a single IP address, as "chroot++"? What I'm really looking for is
something that's a hybrid between chroot and jail; my machines have only a
single IP address, but I'd like the benefit of a real Jail environment,
that people can access through an sshd started on a different port from
within the jail.

It seems to have the dangers one would expect - root inside the jail can
bind TCP ports that take over those from the external jail environment
(highly bummer), but these can likely be fixed with a little bit of
hackery, or very easily by denying binding to ports < 1024 from the jail
environment.. are there any other caveats of which I should be aware before
heading down this road? Or has anyone else done this before and has lots
of good advice?

TIA,

-Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Tue Apr 2 21:21:28 2002
From: Andrew McNaughton
To: "David G . Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Jail with one IP?
Date: Wed, 3 Apr 2002 17:21:11 +1200 (NZST)
In-Reply-To: <20020402181402.A27138@cs.utah.edu>
Message-ID: <20020403170935.R86973-100000@a2>

What I do is to alias extra IP's to the loopback interface. ie my ifconfig
output looks something like this:

lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000
        inet 127.0.0.3 netmask 0xff000000

I then use those IP's for jails. I pass packets on with ipfw forwarding
rules and via proxies on the externally available IP. Eg you can use this
approach to set up a bunch of jailed apache servers and pass connections
to them internally from a single front end proxy implemented with either
apache or squid. The front end proxy can service many virtual domains with
a single external IP. Presumably something similar would be possible with
incoming smtp, but I haven't yet set that up.

For ssh access to the jail environments it is easiest to set up on
separate ports. I've wondered about setting up user accounts which
immediately exec a second internal ssh connection to the appropriate jail
using a key based login, but I don't know quite enough about whether there
are ways to subvert this.

Andrew McNaughton

On Tue, 2 Apr 2002, David G . Andersen wrote:
[David Andersen's message of Tue, 2 Apr 2002 18:14:02 -0700, quoted in full; see above.]

From owner-freebsd-security Tue Apr 2 23:16:14 2002
From: Andrew McNaughton
To: "N. J. Cash"
Cc: Jason Stone , Jesper Wallin
Subject: Re: Stop usage of "who"?
Date: Wed, 3 Apr 2002 19:15:53 +1200 (NZST)
In-Reply-To: <002301c1da7f$629f66c0$6401a8c0@router.unknown.ca>
Message-ID: <20020403190942.D92128-100000@a2>

Has anyone developed tools for managing software updates over large numbers
of jails? I'm thinking along the lines of freevsd (that is a 'v').

Also (related): is NFS ever likely to play nicely with jails, and what
alternatives are there for providing access to a shared read only file
area for things like ports, packages and recently built FreeBSD
source/object files?

Andrew McNaughton

On Tue, 2 Apr 2002, N. J. Cash wrote:

> Date: Tue, 2 Apr 2002 15:48:38 -0400
> From: N. J. Cash
> To: Jason Stone , Jesper Wallin
> Cc: security@FreeBSD.ORG
> Subject: Re: Stop usage of "who"?
>
> As far as trying to chmod permissions on files, I would recommend that you
> check out and use *jail* instead.
> Jail can be a little tricky to get going but it's a nice way to limit users
> to basically no or customized shell access commands.
> It can also prevent a cd .. to /home *so no looking around!*
>
> In FreeBSD *man jail* is a little funky to understand; I'd try a google
> search about it for some more detailed info..
>
> It'll work perfectly if you have the time and patience to do it : )
>
> Here's some info on quotas if you haven't seen it yet..
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
>
> ----- Original Message -----
> From: Jason Stone
> To: Jesper Wallin
> Cc: security@FreeBSD.ORG
> Sent: Tuesday, April 02, 2002 4:05 AM
> Subject: Re: Stop usage of "who"?
>
>
> > > Now I want to stop usage of commands like w, who and users..
I guess > > it must be able to change somewhere in the proc dir instead of > > changing the permissons on all the executables.. > > Most daemons/programs that log you in write a record into utmp/wtmp when > they do so, and who(1) _et al_ just read utmp and print out whatever is in > it. > > So to make this machanism fail, it is sufficient to either stop the > writing to utmp/etc, or to stop the reading of utmp/etc. > > The files in question are (from /usr/include/utmp.h): > #define _PATH_UTMP "/var/run/utmp" > #define _PATH_WTMP "/var/log/wtmp" > #define _PATH_LASTLOG "/var/log/lastlog" > > Making all these files mode 600 would allow who(1) to be run normally by > root but fail for normal users. Also remember to change newsyslog.conf so > that the restrictive permissions will get preservers when the files get > rotated. > > > Note that users will still be able to see some information about other > users. netstat(1), for example, will show users all open network > connections, vmstat(8) will allow users to see if someone is working at > the physical console, etc. > > > > Another thing I want to do (if it's possible) is to add a default > > quota.. like, all new users who's being added will have about 500Mb of > > disk space.. > > quotas are discussed in detail in section 12.5 of the handbook - check > that out and then mail freebsd-questions if you have specific questions. > If you're wondering strictly about setting the default when you create > users, well then it depends on how you're creating the users, and there > are many approaches you can take depending on your needs. wrapping pw(8) > with a shell or perl script and running another script from cron to check > that all users have a quota is the approach I'd take. > > > -Jason > > ----------------------------------------------------------------------- > I worry about my child and the Internet all the time, even though she's > too young to have logged on yet. Here's what I worry about. 
I worry > that 10 or 15 years from now, she will come to me and say "Daddy, where > were you when they took freedom of the press away from the Internet?" > -- Mike Godwin > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: See https://private.idealab.com/public/jason/jason.gpg > > iD8DBQE8qWYzswXMWWtptckRAtsaAKC4K3omxAaymOrfSakae1dbL0XDwACgtACu > ig/YFCB7SkvzPjoP7x4ziHg= > =cgJ2 > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 4: 1:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.6]) by hub.freebsd.org (Postfix) with ESMTP id 7661337B416 for ; Wed, 3 Apr 2002 04:01:13 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g33C1Ap03620; Wed, 3 Apr 2002 07:01:10 -0500 (EST) Date: Wed, 3 Apr 2002 07:01:10 -0500 (EST) From: Trevor Johnson To: "David G . Andersen" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Jail with one IP? In-Reply-To: <20020402181402.A27138@cs.utah.edu> Message-ID: <20020403065410.T799-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Does anyone have warnings / experience with how Jail will behave > when used with a single IP address, as "chroot++"? It works for me. I do it with ipf and ipnat, on a small scale. There's a detailed article on this at http://www.BSDpro.com/info.php?cat=security&fileid=00014#article . 
-- Trevor Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 4:34:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from web10001.mail.yahoo.com (web10001.mail.yahoo.com [216.136.130.37]) by hub.freebsd.org (Postfix) with SMTP id 402BB37B41A for ; Wed, 3 Apr 2002 04:34:35 -0800 (PST) Message-ID: <20020403123435.70190.qmail@web10001.mail.yahoo.com> Received: from [66.92.164.43] by web10001.mail.yahoo.com via HTTP; Wed, 03 Apr 2002 04:34:35 PST Date: Wed, 3 Apr 2002 04:34:35 -0800 (PST) From: Kenneth Stailey Subject: KAME IPSec <--> Cisco IPSec To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, How does the Cisco group password relate to the KAME PSK? If the Cisco AuthType = 1 and the GroupName is set to "group1" and the GroupPwd is set to "secret1" what should psk.txt on the FreeBSD box look like? Thanks, Ken __________________________________________________ Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 5:44:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from crag.niss.com (niss.com [169.207.33.46]) by hub.freebsd.org (Postfix) with ESMTP id 65AB737B422 for ; Wed, 3 Apr 2002 05:44:40 -0800 (PST) Received: from crag.niss.com (localhost.niss.com [127.0.0.1]) by crag.niss.com (8.11.6/8.11.6) with ESMTP id g33DiRT86944; Wed, 3 Apr 2002 07:44:27 -0600 (CST) (envelope-from listS+freebsd-security@niss.com) Message-Id: <200204031344.g33DiRT86944@crag.niss.com> From: Scott Bolte To: Andrew McNaughton Cc: "David G . 
Andersen" , freebsd-security@FreeBSD.ORG Subject: Re: Jail with one IP? MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <86941.1017841467.1@crag.niss.com> Date: Wed, 03 Apr 2002 07:44:27 -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 3 Apr 2002 17:21:11 +1200 (NZST), Andrew McNaughton wrote: > For ssh access to the jail environments it is easiest to set up on > separate ports. I've wondered about setting up user accounts which > immediately exec a second internal ssh connection to the appropriate jail > using a key based login, but I don't know quite enough about whether > there are ways to subvert this. I don't think a second ssh connection would be the right way to address that. Instead, I'd recommend linking the "permitopen" option with specific authorization keys. See the "AUTHORIZED_KEYS FILE FORMAT" section in openssh's sshd manual page for more details. Permitopen will let you limit an inbound tunnel to a specific host and port. In theory, you could let it bind only to the jail's address on the 127.0.0.* subnet. Assuming the remote host is 192.3.4.5, then the (untested) ssh command on the source host would be: ssh -N -f -L 80:jail2:80 -l ruser 192.3.4.5 On the remote host 192.3.4.5, the ~ruser/.ssh/authorized_keys2 file would contain: permitopen="jail2:80" ssh-dss ... I don't believe jail2 needs to be a fully qualified domain name. Instead, it would need to resolve to 127.0.0.2 only on 192.3.4.5 By the way, I created a patch that allows the source end of a tunnel to be bound to a specific IP address. (Previously it could be bound to localhost or INADDR_ANY.) When I submitted the patch I was told the functionality was already on the road map and the -L option would be modified to allow a local host address. 
Whether you use my patch or wait for official support, in theory you could connect ports in two jails, both of which are on different 127.* subnets, with a single SSH tunnel. Cool trick. Scott To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 8:16:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from nyogtha.unknownkadath.net (nyogtha.unknownkadath.net [209.153.153.179]) by hub.freebsd.org (Postfix) with ESMTP id 698C337B41B for ; Wed, 3 Apr 2002 08:16:32 -0800 (PST) Received: from cm (ppc.tcimet.net [198.109.164.203]) by nyogtha.unknownkadath.net (8.12.2/8.12.2) with SMTP id g33GT6s0000971 for ; Wed, 3 Apr 2002 11:29:06 -0500 (EST) From: "Asenchi" To: Subject: ?: natd and ipfw Date: Wed, 3 Apr 2002 11:16:31 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hello, i am somewhat new at fbsd, and i am setting up a firewall for a network. I have a question about configuring three nics to handle dmz stuff along with the internal network. here is my setup: INTERNET -> [oif=vr0 1.1.1.1] -> [iif1=xl0 10.10.0/24] -> NETWORK | [iif2=rl0 10.10.1/24] -> DMZ (Webserver/Email/FTP) Here is how my configuration is setup: I have IPFW built into the kernel. Right now I have built my own rc.firewall file and am using that. I also have natd running and enabled in rc.conf. I guess I don't know what else you would need, if you want me to send along my configurations I can do that. Here is my question. 
How do I redirect incoming packets that want to go to my website to my DMZ side of the network? I have read about -redirect_port | -redirect_address but really don't understand how that will filter the traffic. I need to read a little more but thought maybe somebody on this could give me some direction. I guess I should simplify the question. How do i route traffic that is trying to reach my website? How do I specify the correct traffic? Can I use a host name instead of an ip address in natd configurations? Sorry if this is too much, I hope I have layed out my question so that you can help me. Please respond to the group with any direction you could give me. Thank you, ASENCHI To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 8:54:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from gamma.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by hub.freebsd.org (Postfix) with ESMTP id D3A3037B416 for ; Wed, 3 Apr 2002 08:54:26 -0800 (PST) Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by gamma.star.spb.ru (8.9.3/8.9.3) with ESMTP id UAA34508; Wed, 3 Apr 2002 20:54:00 +0400 (MSD) Received: from IBMKA.star.spb.ru (217.195.79.241 [217.195.79.241]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2G6MRYZR; Wed, 3 Apr 2002 20:53:58 +0400 Date: Wed, 3 Apr 2002 20:53:53 +0400 From: "Nickolay A. Kritsky" X-Mailer: The Bat! 
(v1.49) Personal Reply-To: "Nickolay A.Kritsky" X-Priority: 3 (Normal) Message-ID: <17812416694.20020403205353@internethelp.ru> To: "Asenchi" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ?: natd and ipfw In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Asenchi, Wednesday, April 03, 2002, 8:16:31 PM, you wrote: A> hello, A> i am somewhat new at fbsd, and i am setting up a firewall for a network. I A> have a question about configuring three nics to handle dmz stuff along with A> the internal network. A> here is my setup: INTERNET ->> [oif=vr0 1.1.1.1] -> [iif1=xl0 10.10.0/24] -> NETWORK A> | A> [iif2=rl0 10.10.1/24] -> DMZ (Webserver/Email/FTP) A> Here is how my configuration is setup: A> I have IPFW built into the kernel. Right now I have built my own A> rc.firewall file and am using that. I also have natd running and enabled in A> rc.conf. A> I guess I don't know what else you would need, if you want me to send along A> my configurations I can do that. A> Here is my question. How do I redirect incoming packets that want to go to A> my website to my DMZ side of the network? I have read about -redirect_port A> | -redirect_address but really don't understand how that will filter the A> traffic. I need to read a little more but thought maybe somebody on this A> could give me some direction. maybe an example will help you. if you add following line to your natd.conf file: redirect_port tcp 10.0.1.1:25 1.1.1.1:25 then all tcp traffic coming to your box, port 25 from internet will be forwarded to machine 10.0.1.1 port 25 (in DMZ network). A> I guess I should simplify the question. How do i route traffic that is A> trying to reach my website? How do I specify the correct traffic? 
Can I A> use a host name instead of an ip address in natd configurations? yes, you can use host names and port names along with numeric equivalents, like mail.domain.com:25 mail.domain.com:smtp 1.2.3.4:smtp 1.2.3.4:25 A> Sorry if this is too much, I hope I have layed out my question so that you A> can help me. Please respond to the group with any direction you could give A> me. A> Thank you, A> ASENCHI ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 9:37:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from brain-stream.com (brain-stream.com [209.95.107.206]) by hub.freebsd.org (Postfix) with ESMTP id 2F09937B41E for ; Wed, 3 Apr 2002 09:37:48 -0800 (PST) Received: from pantalaimon.pobox.com (h00609708e398.ne.client2.attbi.com [24.128.187.79]) by brain-stream.com (8.9.3/8.9.3) with ESMTP id JAA02165 for ; Wed, 3 Apr 2002 09:37:36 -0800 (PST) Message-Id: <5.1.0.14.2.20020403123725.04509c68@pop.earthlink.net> X-Sender: bdelong@pop.earthlink.net (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 03 Apr 2002 12:37:40 -0500 To: freebsd-security@FreeBSD.ORG From: "B.K. DeLong" Subject: Black Hat Briefings (Vegas) Call for Papers Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well folks, less than one more month (May 1st, 2002) before the BlackHat 2002 Call for Papers closes! I hope to see SEVERAL members of this list submit talks. There are some great possibilities that can be developed from discussions originating from this list. Papers and presentations are now being accepted for the Black Hat Briefings 2002 conference. 
The conference is held from July 31-August 1, 2002 at the Caesars Palace Hotel and Resort in Las Vegas, NV, USA. Papers and requests to speak will be received and reviewed until May 1, 2002. Please read the full announcement at: http://www.blackhat.com/html/bh-usa-02/bh-usa-02-cfp.html -- B.K. DeLong bkdelong@pobox.com 617.877.3271 http://www.brain-stream.com Play. http://www.the-leaky-cauldron.org Potter. http://www.attrition.org Security. http://www.artemisiabotanicals.com Herb. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 10:22:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from phucking.kicks-ass.org (c-4b3a70d5.022-45-6f72652.cust.bredbandsbolaget.se [213.112.58.75]) by hub.freebsd.org (Postfix) with ESMTP id 8FF8737B417 for ; Wed, 3 Apr 2002 10:21:32 -0800 (PST) Received: from phucking.kicks-ass.org (localhost.kicks-ass.org [127.0.0.1]) by phucking.kicks-ass.org (Postfix) with SMTP id 4E5B1AD6 for ; Wed, 3 Apr 2002 20:21:17 +0200 (CEST) Received: from 213.112.58.75 (SquirrelMail authenticated user z3l3zt) by phucking.kicks-ass.org with HTTP; Wed, 3 Apr 2002 20:21:17 +0200 (CEST) Message-ID: <1320.213.112.58.75.1017858077.squirrel@phucking.kicks-ass.org> Date: Wed, 3 Apr 2002 20:21:17 +0200 (CEST) Subject: Is screen really secure? From: "Jesper Wallin" To: X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal X-Mailer: SquirrelMail (version 1.2.5) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hey.. When I started with Linux/Unix security, the first thing I learned was "do not run a daemon as root as long isn't really require it".. 
well, when I use irssi as my primary irc-client which not has any built-in detach function i use screen instead. When a run a "ps -aux" it shows me screen is runned by root!? Example: root 302 0.0 0.5 1800 1164 ?? Is Tue04PM 0:01.85 screen irssi and it's started as user "z3l3zt".. any ideas/suggestions about this? Jesper aka Z3l3zT To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 10:29:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from nyogtha.unknownkadath.net (nyogtha.unknownkadath.net [209.153.153.179]) by hub.freebsd.org (Postfix) with ESMTP id 1B7EC37B41E for ; Wed, 3 Apr 2002 10:29:18 -0800 (PST) Received: from cm (ppc.tcimet.net [198.109.164.203]) by nyogtha.unknownkadath.net (8.12.2/8.12.2) with SMTP id g33Ifps0002392; Wed, 3 Apr 2002 13:41:52 -0500 (EST) From: "Asenchi" To: "Nickolay A.Kritsky" Cc: Subject: RE: ?: natd and ipfw Date: Wed, 3 Apr 2002 13:29:16 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal In-Reply-To: <17812416694.20020403205353@internethelp.ru> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thanks a lot, this was very helpful. ASENCHI -----Original Message----- From: Nickolay A. Kritsky [mailto:nkritsky@internethelp.ru] Sent: Wednesday, April 03, 2002 11:54 AM To: Asenchi Cc: freebsd-security@FreeBSD.ORG Subject: Re: ?: natd and ipfw Hello Asenchi, Wednesday, April 03, 2002, 8:16:31 PM, you wrote: A> hello, A> i am somewhat new at fbsd, and i am setting up a firewall for a network. 
I A> have a question about configuring three nics to handle dmz stuff along with A> the internal network. A> here is my setup: INTERNET ->> [oif=vr0 1.1.1.1] -> [iif1=xl0 10.10.0/24] -> NETWORK A> | A> [iif2=rl0 10.10.1/24] -> DMZ (Webserver/Email/FTP) A> Here is how my configuration is setup: A> I have IPFW built into the kernel. Right now I have built my own A> rc.firewall file and am using that. I also have natd running and enabled in A> rc.conf. A> I guess I don't know what else you would need, if you want me to send along A> my configurations I can do that. A> Here is my question. How do I redirect incoming packets that want to go to A> my website to my DMZ side of the network? I have read about -redirect_port A> | -redirect_address but really don't understand how that will filter the A> traffic. I need to read a little more but thought maybe somebody on this A> could give me some direction. maybe an example will help you. if you add following line to your natd.conf file: redirect_port tcp 10.0.1.1:25 1.1.1.1:25 then all tcp traffic coming to your box, port 25 from internet will be forwarded to machine 10.0.1.1 port 25 (in DMZ network). A> I guess I should simplify the question. How do i route traffic that is A> trying to reach my website? How do I specify the correct traffic? Can I A> use a host name instead of an ip address in natd configurations? yes, you can use host names and port names along with numeric equivalents, like mail.domain.com:25 mail.domain.com:smtp 1.2.3.4:smtp 1.2.3.4:25 A> Sorry if this is too much, I hope I have layed out my question so that you A> can help me. Please respond to the group with any direction you could give A> me. 
A> Thank you, A> ASENCHI ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 10:53:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-17.dsl.lsan03.pacbell.net [64.169.104.17]) by hub.freebsd.org (Postfix) with ESMTP id 9B7DC37B416 for ; Wed, 3 Apr 2002 10:53:13 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0D3F866D19; Wed, 3 Apr 2002 10:53:12 -0800 (PST) Date: Wed, 3 Apr 2002 10:53:12 -0800 From: Kris Kennaway To: Jesper Wallin Cc: security@freebsd.org Subject: Re: Is screen really secure? Message-ID: <20020403105312.B7146@xor.obsecurity.org> References: <1320.213.112.58.75.1017858077.squirrel@phucking.kicks-ass.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Bn2rw/3z4jIqBvZU" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1320.213.112.58.75.1017858077.squirrel@phucking.kicks-ass.org>; from z3l3zt@phucking.kicks-ass.org on Wed, Apr 03, 2002 at 08:21:17PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Bn2rw/3z4jIqBvZU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 03, 2002 at 08:21:17PM +0200, Jesper Wallin wrote: > Hey.. >=20 > When I started with Linux/Unix security, the first thing I learned was "do > not run a daemon as root as long isn't really require it".. well, when I = use > irssi as my primary irc-client which not has any built-in detach function= i > use screen instead. When a run a "ps -aux" it shows me screen is runned by > root!? Erm.. 
# ls -l `which screen` -rwsr-xr-x 1 root wheel 266576 Mar 15 04:40 /usr/local/bin/screen Read the documentation about why screen needs to be setuid root and what will break if you remove it. Kris --Bn2rw/3z4jIqBvZU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8q0+YWry0BWjoQKURAtsmAJ434QYE+kAeMRwwOhMFmjvbnrvEfACg7tlK Vf1HI1nwtI+CzS3pjnQ2gcU= =Y5Z/ -----END PGP SIGNATURE----- --Bn2rw/3z4jIqBvZU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 10:55:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id E548C37B419 for ; Wed, 3 Apr 2002 10:55:30 -0800 (PST) Received: from schulte-laptop.nospam.schulte.org (nb-65.netbriefings.com [209.134.134.65]) by clink.schulte.org (Postfix) with ESMTP id 117622442D; Wed, 3 Apr 2002 12:55:29 -0600 (CST) Message-Id: <5.1.0.14.0.20020403124925.034d12b8@pop3s.schulte.org> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 03 Apr 2002 12:53:59 -0600 To: "Jesper Wallin" , From: Christopher Schulte Subject: Re: Is screen really secure? In-Reply-To: <1320.213.112.58.75.1017858077.squirrel@phucking.kicks-ass. org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:21 PM 4/3/2002 +0200, Jesper Wallin wrote: >Hey.. > >When I started with Linux/Unix security, the first thing I learned was "do >not run a daemon as root as long isn't really require it".. well, when I use >irssi as my primary irc-client which not has any built-in detach function i >use screen instead. 
When a run a "ps -aux" it shows me screen is runned by >root!? > >Example: >root 302 0.0 0.5 1800 1164 ?? Is Tue04PM 0:01.85 screen irssi > >and it's started as user "z3l3zt".. any ideas/suggestions about this? IIRC, it's because screen is sometimes (usually?) setuid root so it can modify utmp data and register each virtual screen. If you don't like this behavior, just remove the setuid bit. Presto. Screen has had problems in the past, so it might be prudent to chmod -s, in any case. >Jesper aka Z3l3zT -- Christopher Schulte http://www.schulte.org/ Do not un-munge my @nospam.schulte.org email address. This address is valid. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 13:41:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from nyogtha.unknownkadath.net (nyogtha.unknownkadath.net [209.153.153.179]) by hub.freebsd.org (Postfix) with ESMTP id 8C8B737B419 for ; Wed, 3 Apr 2002 13:41:27 -0800 (PST) Received: from cm (www.grebner.com [198.109.164.203]) by nyogtha.unknownkadath.net (8.12.2/8.12.2) with SMTP id g33Ls2s0004742 for ; Wed, 3 Apr 2002 16:54:02 -0500 (EST) From: "Asenchi" To: "freebsd-security@FreeBSD. ORG" Subject: another natd question Date: Wed, 3 Apr 2002 16:41:27 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org thank you to all who responded to my question earlier. i have another quesiton about natd. 
when i startup the machine in the boot messages i get this: Starting local daemons: natd: Unable to bind divert socket.: Address already in use. I have always gotten this actually, I just haven't been curious enough til now to ask about it. Thanks for any help you can give, ASENCHI To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 3 15:32:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from web20510.mail.yahoo.com (web20510.mail.yahoo.com [216.136.226.145]) by hub.freebsd.org (Postfix) with SMTP id 4CBB037B419 for ; Wed, 3 Apr 2002 15:32:36 -0800 (PST) Message-ID: <20020403233235.53970.qmail@web20510.mail.yahoo.com> Received: from [169.139.115.185] by web20510.mail.yahoo.com via HTTP; Wed, 03 Apr 2002 15:32:35 PST Date: Wed, 3 Apr 2002 15:32:35 -0800 (PST) From: kjhd kjsdfhk Subject: linksys 8 port router and ipfw To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-753884340-1017876755=:53824" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --0-753884340-1017876755=:53824 Content-Type: text/plain; charset=us-ascii thanks in advance. i have 8 windows clients behind a linksys router (befsr81 with updated firmware) on a hub that links to a freebsd box (4.5 release) running natd and connected to the net via cable; no dhcp anywhere. i can make it work, BUT, i am unsure of how well i have done it and how well it is protected. i have omitted the more mundane lo0 and spoofing entries for brevity. xl0 is internal interface. 
ipfw rules

    add divert natd all from any to any via xl1
    add check-state
    add allow tcp from "the-router" to any 22 in setup keep-state
    add deny tcp from any to any 22
    add allow all from "the-router" to any keep-state
    add allow all from any to any out
    default to deny

#1 how can I change this so it doesn't suck and so I can browse and ftp from the bsd box?

#2 see below, not as important as #1 but I didn't want to cross-post to questions.

***side note*** the strange thing about the router. ssh works until I use the router. I googled and found other people that said to change the mtu on the nic and router, didn't work. The router only breaks ssh, (it is in /etc/hosts) you can still browse and ftp. Remove the router and all works, without any other changes. I cheated and changed my sshd_config to listen on all interfaces and it will work through the router; not working on xl0 only xl1. I don't think this is, however, the best answer.

Again, I thank you all for any time and help.

From owner-freebsd-security Wed Apr 3 16:39:55 2002
Date: Wed, 3 Apr 2002 16:39:40 -0800 (PST)
From: Jason Stone
To: Jesper Wallin
Subject: Re: Is screen really secure?
In-Reply-To: <1320.213.112.58.75.1017858077.squirrel@phucking.kicks-ass.org>
Message-ID: <20020403163222.I94832-100000@walter>

> When I started with Linux/Unix security, the first thing I learned was
> "do not run a daemon as root as long as it isn't really required".. well,
> when I use irssi as my primary irc-client which does not have any built-in
> detach function I use screen instead. When I run a "ps -aux" it shows
> me screen is run by root!?
>
> Example:
> root 302 0.0 0.5 1800 1164 ?? Is Tue04PM 0:01.85 screen irssi

Screen is setuid root by default. As it has a long history of readily segfaulting, you should probably take the setuid bit off.

In general, if a software package is not a critical part of a production system and it installs setuid parts, you should take off the setuid bits and see if it still works acceptably, or try to determine if it can be made to work with a new group and setgid instead.
For instance, many ports are setuid root to manipulate peripheral devices in /dev - usually you can work around this by making the /dev/ entry group writable and the binary setgid that group.

In this case, screen is setuid so that it can write utmp (so that when you open another screen window, it can create a login entry for you). You can either just remove the setuid bit and go without that functionality, or you can (probably) make utmp/wtmp/lastlog group "utmp" (for example), group writable, and make screen setgid utmp.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Wed Apr 3 18:28:59 2002
Date: Thu, 4 Apr 2002 06:28:27 +0400
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A.Kritsky"
Message-ID: <1943520261.20020404062827@internethelp.ru>
To: "Asenchi"
Cc: "freebsd-security@FreeBSD. ORG"
Subject: Re: another natd question

Hello Asenchi,

Thursday, April 04, 2002, 1:41:27 AM, you wrote:

A> thank you to all who responded to my question earlier.
A> i have another question about natd. when i startup the machine in the boot
A> messages i get this:
A> Starting local daemons: natd: Unable to bind divert socket.: Address already
A> in use.

This probably means that you start two instances of natd. Check your rc scripts (man rc).

A> I have always gotten this actually, I just haven't been curious enough til
A> now to ask about it.
A> Thanks for any help you can give,
A> ASENCHI

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Wed Apr 3 23:11:10 2002
Message-Id: <3.0.32.20020404153300.0289ae28@singnet.com.sg>
Date: Thu, 04 Apr 2002 15:33:02 +0800
From: Spades
Subject: Re: openssh ports err

ports openssh err

bash-2.05a# cd /usr/ports/security/openssh
bash-2.05a# make install
===> Patching for openssh-3.1_6
===> Applying distribution patches for openssh-3.1_6
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to key.c.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to lib/Makefile.rej
Ignoring previously applied (or reversed) patch.
2 out of 2 hunks ignored--saving rejects to sshd/Makefile.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to Makefile.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to README.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to readconf.h.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to servconf.c.rej
Ignoring previously applied (or reversed) patch.
2 out of 2 hunks ignored--saving rejects to session.c.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to ssh-keyscan.1.rej
Ignoring previously applied (or reversed) patch.
11 out of 11 hunks ignored--saving rejects to ssh.1.rej
Ignoring previously applied (or reversed) patch.
12 out of 12 hunks ignored--saving rejects to sshd.8.rej
Ignoring previously applied (or reversed) patch.
2 out of 2 hunks ignored--saving rejects to sshd_config.rej
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to pathnames.h.rej
Ignoring previously applied (or reversed) patch.
10 out of 10 hunks ignored--saving rejects to cipher.c.rej
*** Error code 47

Stop in /usr/ports/security/openssh.

From owner-freebsd-security Wed Apr 3 23:38:21 2002
Date: Thu, 4 Apr 2002 09:37:43 +0200 (SAST)
From: Willie Viljoen
To: kjhd kjsdfhk
Cc: freebsd-security@freebsd.org
Subject: Re: linksys 8 port router and ipfw
In-Reply-To: <20020403233235.53970.qmail@web20510.mail.yahoo.com>
Message-ID: <20020404093230.C2932-100000@phoenix.vh.laserfence.net>
To be quite honest, I would remove the router and connect the FreeBSD box directly to the LAN. Then I would simply make the FreeBSD box act as a router between the LAN and the cable interface... as for firewall rules, here is something you might consider: (this assumes 10.0.0.0/24 is your LAN)

    add divert natd all from 10.0.0.0/255.255.255.0 to ! 10.0.0.0/255.255.255.0 via xl1
    add check-state
    add allow tcp from any to any setup keep-state in
    add allow udp from any to any keep-state in
    add allow all from 10.0.0.0/255.255.255.0 to any

The syntax there might be slightly off... I've been playing around with linux iptables recently, which has weird syntax and somehow sticks in my memory... but you get the idea :)

Will

On Wed, 3 Apr 2002, kjhd kjsdfhk wrote:

> thanks in advance. i have 8 windows clients behind a linksys router (befsr81 with
> updated firmware) on a hub that links to a freebsd box (4.5 release) running natd and
> connected to the net via cable; no dhcp anywhere. i can make it work, BUT, i am unsure of
> how well i have done it and how well it is protected. i have omitted the more mundane lo0
> and spoofing entries for brevity. xl0 is internal interface.
>
> ipfw rules
>
> add divert natd all from any to any via xl1
> add check-state
> add allow tcp from "the-router" to any 22 in setup keep-state
> add deny tcp from any to any 22
> add allow all from "the-router" to any keep-state
> add allow all from any to any out
> default to deny
>
> #1 how can i change this so it doesn't suck and so i can browse and ftp from
> the bsd box?
>
> #2 see below, not as important as #1 but i didn't want to cross-post to questions.
>
> ***side note*** the strange thing about the router. ssh works until i use the router.
> i googled and found other people that said to change the mtu on the nic and router,
> didn't work. the router only breaks ssh, (it is in /etc/hosts) you can still browse
> and ftp. remove the router and all works, without any other changes. i cheated and
> changed my sshd_config to listen on all interfaces and it will work through the
> router; not working on xl0 only xl1. i don't think this is, however, the best answer.
>
> again, i thank you all for any time and help.

--
Willie Viljoen
Private IT Consultant

214 Paul Kruger Avenue
Universitas
Bloemfontein
9321

South Africa

+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27

will@laserfence.net

From owner-freebsd-security Thu Apr 4 0: 2: 1 2002
Date: Thu, 4 Apr 2002 20:01:45 +1200 (NZST)
From: Andrew McNaughton
To: freebsd-security@FreeBSD.ORG
Subject: Mason equivalent for ipfw or ipf?
In-Reply-To: <20020404093230.C2932-100000@phoenix.vh.laserfence.net>
Message-ID: <20020404195513.A32036-100000@a2>

In a recent job we used Debian machines and I discovered a tool called Mason which works with ipchains to monitor what sort of traffic is on the network and create a large set of rules representing different kinds of traffic.
The user can then come back and adjust these rules to accept, deny or reject various sorts of traffic as required. This still leaves quite a bit of cleaning up to do, and doesn't lead to an adequately methodical approach, but it has a place where the administrator is not clear enough on what's happening on the network to easily create a firewall without interrupting important services.

Has anyone developed something similar for adaptive rule generation for any of the FreeBSD firewall options?

Andrew McNaughton

On Thu, 4 Apr 2002, Willie Viljoen wrote:

> Date: Thu, 4 Apr 2002 09:37:43 +0200 (SAST)
> From: Willie Viljoen
> To: kjhd kjsdfhk
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: linksys 8 port router and ipfw
>
> To be quite honest, I would remove the router and connect the FreeBSD box
> directly to the LAN. Then I would simply make the FreeBSD box act as a
> router between the LAN and the cable interface... as for firewall rules,
> here is something you might consider: (this assumes 10.0.0.0/24 is your
> LAN)
>
> add divert natd all from 10.0.0.0/255.255.255.0 to ! 10.0.0.0/255.255.255.0 via xl1
> add check-state
> add allow tcp from any to any setup keep-state in
> add allow udp from any to any keep-state in
> add allow all from 10.0.0.0/255.255.255.0 to any
>
> The syntax there might be slightly off... I've been playing around with
> linux iptables recently, which has weird syntax and somehow sticks in my
> memory... but you get the idea :)
>
> Will
>
> On Wed, 3 Apr 2002, kjhd kjsdfhk wrote:
>
> > thanks in advance. i have 8 windows clients behind a linksys router (befsr81 with
> > updated firmware) on a hub that links to a freebsd box (4.5 release) running natd and
> > connected to the net via cable; no dhcp anywhere. i can make it work, BUT, i am unsure of
> > how well i have done it and how well it is protected. i have omitted the more mundane lo0
> > and spoofing entries for brevity. xl0 is internal interface.
> >
> > ipfw rules
> >
> > add divert natd all from any to any via xl1
> > add check-state
> > add allow tcp from "the-router" to any 22 in setup keep-state
> > add deny tcp from any to any 22
> > add allow all from "the-router" to any keep-state
> > add allow all from any to any out
> > default to deny
> >
> > #1 how can i change this so it doesn't suck and so i can browse and ftp from
> > the bsd box?
> >
> > #2 see below, not as important as #1 but i didn't want to cross-post to questions.
> >
> > ***side note*** the strange thing about the router. ssh works until i use the router.
> > i googled and found other people that said to change the mtu on the nic and router,
> > didn't work. the router only breaks ssh, (it is in /etc/hosts) you can still browse
> > and ftp. remove the router and all works, without any other changes. i cheated and
> > changed my sshd_config to listen on all interfaces and it will work through the
> > router; not working on xl0 only xl1. i don't think this is, however, the best answer.
> >
> > again, i thank you all for any time and help.
>
> --
> Willie Viljoen
> Private IT Consultant
>
> 214 Paul Kruger Avenue
> Universitas
> Bloemfontein
> 9321
>
> South Africa
>
> +27 51 522 15 60, a/h +27 51 522 44 36
> +27 82 404 03 27
>
> will@laserfence.net

From owner-freebsd-security Thu Apr 4 0: 2:33 2002
Date: Thu, 4 Apr 2002 11:01:37 +0300
From: Peter Pentchev
To: Spades
Cc: security@FreeBSD.ORG, chat@FreeBSD.ORG
Subject: Re: openssh ports err
Message-ID: <20020404110137.B336@straylight.oblivion.bg>
In-Reply-To: <3.0.32.20020404153300.0289ae28@singnet.com.sg>

On Thu, Apr 04, 2002 at 03:33:02PM +0800, Spades wrote:
> ports openssh err
>
> bash-2.05a# cd /usr/ports/security/openssh
> bash-2.05a# make install
> ===> Patching for openssh-3.1_6

Is this really the first thing you saw? No "Extracting for openssh.." before that? This means that you had a previously extracted source, possibly an old one, possibly with some patches applied and some failed. This would be a good reason for the patches that have been previously applied to fail now :)

You should *ALWAYS* do a 'make clean', both when building and when rebuilding a port.

Oh, and BTW - this is not a security question, this is not -chat material, this is a question related to the FreeBSD Ports Collection, so it is only logical that it should have gone to -ports instead :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
From owner-freebsd-security Thu Apr 4 7:19:19 2002
From: "Asenchi"
To: "Nickolay A.Kritsky"
Cc: "freebsd-security@FreeBSD. ORG"
Subject: RE: another natd question
Date: Thu, 4 Apr 2002 10:19:06 -0500
In-Reply-To: <1943520261.20020404062827@internethelp.ru>

Thank you for your answer, but I can't seem to find any case of two instances of natd running. Would this be listed in ps? If anyone could give me some places that I should look at as far as finding two instances of natd.

Thank you all for your help,
ASENCHI

-----Original Message-----
From: Nickolay A. Kritsky [mailto:nkritsky@internethelp.ru]
Sent: Wednesday, April 03, 2002 9:28 PM
To: Asenchi
Cc: freebsd-security@FreeBSD. ORG
Subject: Re: another natd question

Hello Asenchi,

Thursday, April 04, 2002, 1:41:27 AM, you wrote:

A> thank you to all who responded to my question earlier.
A> i have another question about natd. when i startup the machine in the boot
A> messages i get this:
A> Starting local daemons: natd: Unable to bind divert socket.: Address already
A> in use.

This probably means that you start two instances of natd. Check your rc scripts (man rc).

A> I have always gotten this actually, I just haven't been curious enough til
A> now to ask about it.
A> Thanks for any help you can give,
A> ASENCHI

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Thu Apr 4 10:26:46 2002
Date: Thu, 4 Apr 2002 13:26:19 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: ipfw/ipf test tool?
Message-ID: <20020404132436.Y87338-100000@topperwein.dyndns.org>

Is there a tool to test a packet against a set of firewall rules, à la Linux's "ipchains -C"?
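Chris BeHanna's question, and the ipfw rule lists posted earlier in this thread, call for exactly this kind of dry run. What follows is an added example written for this page; it is not ipfw, not ipftest, and not code posted by anyone in the thread. It is a small first-match evaluator in Python that understands the rule syntax used above (allow/deny, tcp/udp/all, from/to, a destination port, in/out, setup, keep-state and check-state, plus ipfw's "me" keyword) and replays constructed packets through the list kjhd posted and through Willie's suggested list. It does not model divert/natd, interfaces or ICMP, so it only describes the firewall host's own, untranslated traffic; the host names "bsd-box", "web-server" and "some-internet-host" are placeholders, the 10.0.0.0/24 network in Willie's list is stood in for by the placeholder "lan", and the source ports are made up. Run against the posted rules it reproduces the poster's #1 problem: the box's own outbound SYN passes on "allow all from any to any out", but because that rule has no keep-state the server's reply arrives "in", misses check-state and falls through to the default deny. Making the last rule "allow all from me to any out keep-state" fixes that. It also shows that Willie's "allow tcp from any to any setup keep-state in" accepts inbound connection attempts to every port from any host, port 22 included, so the poster's ssh restriction would have to be re-added in front of it.

```python
# Added example for this thread, not ipfw or ipftest. A first-match evaluator
# for rule lines in the syntax used above; divert/natd, interfaces and ICMP are
# not modelled, and every host name below is a placeholder.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # 'in' or 'out', relative to the firewall host
    syn_only: bool = False  # first SYN of a TCP connection: what 'setup' matches


@dataclass
class Rule:
    action: str                      # 'allow', 'deny' or 'check-state'
    proto: str = 'all'
    src: str = 'any'                 # 'any', 'me' or a host name
    dst: str = 'any'
    dport: Optional[int] = None
    direction: Optional[str] = None  # 'in', 'out' or None for either
    setup: bool = False
    keep_state: bool = False


def parse_rule(text: str) -> Rule:
    """Parse one 'add ...' line written the way the thread writes them."""
    toks = text.split()
    if toks[0] == 'add':
        toks = toks[1:]
    if toks[0] == 'check-state':
        return Rule('check-state')
    action, proto, _from, src, _to, dst, *rest = toks
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    direction = next((t for t in rest if t in ('in', 'out')), None)
    return Rule(action, proto, src.strip('"'), dst.strip('"'), dport, direction,
                setup='setup' in rest, keep_state='keep-state' in rest)


def _flow_key(pkt: Packet):
    # Direction-agnostic key, so a reply hashes to the same dynamic rule.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Firewall:
    def __init__(self, rules, me='bsd-box', default='deny'):
        self.rules = [parse_rule(r) for r in rules]
        self.me = me            # the address ipfw's 'me' keyword stands for
        self.default = default  # 'deny' unless the kernel has DEFAULT_TO_ACCEPT
        self.state = set()      # dynamic rules created by keep-state

    def _host_ok(self, pattern: str, host: str) -> bool:
        return pattern in ('any', host) or (pattern == 'me' and host == self.me)

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        return (rule.proto in ('all', pkt.proto)
                and self._host_ok(rule.src, pkt.src) and self._host_ok(rule.dst, pkt.dst)
                and rule.dport in (None, pkt.dport)
                and rule.direction in (None, pkt.direction)
                and (not rule.setup or pkt.syn_only))

    def evaluate(self, pkt: Packet):
        """Return (verdict, index of the deciding rule or None for the default)."""
        for i, rule in enumerate(self.rules):
            if rule.action == 'check-state':
                if _flow_key(pkt) in self.state:
                    return 'allow', i
                continue
            if self._matches(rule, pkt):
                if rule.keep_state and rule.action == 'allow':
                    self.state.add(_flow_key(pkt))
                return rule.action, i
        return self.default, None


# The list as posted, minus the divert line (NAT is not modelled here).
POSTED_RULES = [
    'add check-state',
    'add allow tcp from "the-router" to any 22 in setup keep-state',
    'add deny tcp from any to any 22',
    'add allow all from "the-router" to any keep-state',
    'add allow all from any to any out',
]
# Same list with a stateful last rule, so replies to the box's own
# connections are picked up by check-state.
FIXED_RULES = POSTED_RULES[:-1] + ['add allow all from me to any out keep-state']
# Willie's suggestion, minus the divert line; 'lan' stands in for 10.0.0.0/24.
WILLIE_RULES = [
    'add check-state',
    'add allow tcp from any to any setup keep-state in',
    'add allow udp from any to any keep-state in',
    'add allow all from lan to any',
]


def browse_from_box(fw: Firewall):
    """Verdicts for an outbound HTTP SYN from the box and the server's reply."""
    syn = Packet('tcp', fw.me, 40000, 'web-server', 80, 'out', syn_only=True)
    reply = Packet('tcp', 'web-server', 80, fw.me, 40000, 'in')
    return fw.evaluate(syn)[0], fw.evaluate(reply)[0]


def ssh_from(fw: Firewall, src: str):
    """Verdict for an inbound ssh connection attempt from src."""
    return fw.evaluate(Packet('tcp', src, 51000, fw.me, 22, 'in', syn_only=True))[0]
```

Calling browse_from_box(Firewall(POSTED_RULES)) gives ('allow', 'deny') and browse_from_box(Firewall(FIXED_RULES)) gives ('allow', 'allow'); ssh_from(Firewall(POSTED_RULES), 'some-internet-host') is 'deny' while the same packet against WILLIE_RULES is 'allow'. The model stops at the rule semantics; on the real box the equivalent check is to send the test packet and watch the per-rule counters with "ipfw -a list", or, for ipf, to use the ipftest(1) tool Chris Faulhaber points to in his reply.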
--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Thu Apr 4 11:54:44 2002
Date: Thu, 4 Apr 2002 14:54:39 -0500
From: Chris Faulhaber
To: Chris BeHanna
Cc: FreeBSD Security
Subject: Re: ipfw/ipf test tool?
Message-ID: <20020404195439.GA95294@peitho.fxp.org>
In-Reply-To: <20020404132436.Y87338-100000@topperwein.dyndns.org>

On Thu, Apr 04, 2002 at 01:26:19PM -0500, Chris BeHanna wrote:
> Is there a tool to test a packet against a set of firewall rules,
> à la Linux's "ipchains -C"?
>

You mean like:

NAME
     ipftest - test packet filter rules with arbitrary input.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 4 13:18:21 2002
Date: Thu, 4 Apr 2002 23:18:11 +0200
Subject: info
From: srstefanosteve@libero.it
To: FreeBSD-security@FreeBSD.org

Hi,
I'm steve. I have got a Lan intranet in my office, where there are connected some servers.
In these servers are installed OS FreeBSD versione 3.4 and 3.2.
I'm interested to receive the patch for these OS to stop hackers.

Thanks

From owner-freebsd-security Thu Apr 4 13:35:14 2002
Message-ID: <3211.213.112.58.75.1017956087.squirrel@phucking.kicks-ass.org>
Date: Thu, 4 Apr 2002 23:34:47 +0200 (CEST)
Subject: Re: info
From: "Jesper Wallin"

Hello..

Well, if you have cvsup installed you can upgrade the source for both the kernel and the "world" (the system base). Take a look at /usr/share/examples/cvsup/ and download the latest source. When it's done, just install the new kernel and rebuild the "world" and voilà! You're running FreeBSD 4.5-Stable without any reinstall at all.. :)

There is very helpful information in the handbook (www.freebsd.org/handbook) about how you make your kernel/world and why you do it..

btw, patches are for linux, this is FreeBSD! :D

//Jesper aka Z3l3zT

> Hi,
> I'm steve. I have got a Lan intranet in my office, where there are
> connected some servers.
> In these servers are installed OS FreeBSD versione 3.4 and 3.2.
> I'm interested to receive the patch for these OS to stop hackers.
>
> Thanks

From owner-freebsd-security Thu Apr 4 13:58:19 2002
Message-Id: <200204042158.g34Lw4b03209@midway.uchicago.edu>
From: David Syphers
Reply-To: charon@seektruth.org
To: "Jesper Wallin"
Subject: Re: info
Date: Thu, 4 Apr 2002 15:58:05 -0600
In-Reply-To: <3211.213.112.58.75.1017956087.squirrel@phucking.kicks-ass.org>

Well, FreeBSD does release patches for critical security updates, but these are only for recent versions of the OS (3.2 is about three years old). See the security advisories (e.g. on the -security archives). But I haven't seen binary patches of late...

"The patch ... to stop hackers", eh? I think we all want that one :)

-David

--
Everyone who believes in telekinesis, raise my hand...
Center for Cosmological Physics
The University of Chicago

On Thursday 04 April 2002 03:34 pm, Jesper Wallin wrote:
> btw, patches are for linux, this is FreeBSD! :D
>
> //Jesper aka Z3l3zT
>
> > Hi,
> > I'm steve. I have got a Lan intranet in my office, where there are
> > connected some servers.
> > In these servers are installed OS FreeBSD version 3.4 and 3.2.
> > I'm interested to receive the patch for these OS to stop hackers.
> >
> >
> > Thanks

From: "ozkan_kirik"
To: freebsd-security@freebsd.org
Date: Thu, 04 Apr 2002 21:57:03 -0000
Subject: IpFilter / IpFireWall

i am new to FreeBSD.
i use freebsd v4.5 Release #0.

i am trying to setup a firewall.
but i couldn't block or pass any IP.
i think i have a mistake about my IPF&IPFW settings.

in my kernel:
options IPFILTER
options IPFILTER_LOG
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10

but my rules don't work.
for example:
# ipfw add deny tcp from 193.255.128.250 to any
**answer is:
ipfw: getsockopt(IP_FW_ADD): Protocol not available

when i saw this error i get crazy

Plx help me...
With my best regards.
Ozkan KIRIK

From: "FreeBSD"
Date: Thu, 4 Apr 2002 19:57:47 -0300
Subject: Re: IpFilter / IpFireWall
Message-ID: <001f01c1dc2c$23f86e40$0225d7c8@broilo>

to use ipfw&ipf use this in your kernel! :)

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFILTER
options IPFILTER_LOG
options TCPDEBUG
options TCP_DROP_SYNFIN
options ICMP_BANDLIM
options DUMMYNET
options IPSTEALTH

----- Original Message -----
From: "ozkan_kirik"
Sent: Thursday, April 04, 2002 6:57 PM
Subject: IpFilter / IpFireWall

> i am new to FreeBSD.
> i use freebsd v4.5 Release #0.
>
> i am trying to setup a firewall.
> but i couldn't block or pass any IP.
> i think i have a mistake about my IPF&IPFW settings.
>
> in my kernel:
> options IPFILTER
> options IPFILTER_LOG
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
>
> but my rules don't work.
> for example:
> # ipfw add deny tcp from 193.255.128.250 to any
> **answer is:
> ipfw: getsockopt(IP_FW_ADD): Protocol not available
>
> when i saw this error i get crazy
>
> Plx help me...
> With my best regards.
> Ozkan KIRIK

From: Bill Fumerola
To: FreeBSD
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 4 Apr 2002 15:19:01 -0800
Subject: Re: IpFilter / IpFireWall
Message-ID: <20020404231901.GM1135@elvis.mu.org>
In-Reply-To: <001f01c1dc2c$23f86e40$0225d7c8@broilo>

On Thu, Apr 04, 2002 at 07:57:47PM -0300, FreeBSD wrote:
> to use ipfw&ipf use this in your kernel! :)
>
> options IPFIREWALL
> options IPDIVERT

IPDIVERT isn't required unless you're using divert sockets (natd, mostly).

> options IPFIREWALL_FORWARD

IPFIREWALL_FORWARD isn't required unless you're using 'ipfw fwd'.
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFILTER
> options IPFILTER_LOG
> options TCPDEBUG

TCPDEBUG has nothing to do with ipfw or ipfilter and probably isn't even that
great of an idea on production systems.

> options TCP_DROP_SYNFIN
> options ICMP_BANDLIM

these also have nothing to do with ipfw or ipfilter.

> options DUMMYNET

this is only required if you're using dummynet (rate limiting).

> options IPSTEALTH

this has nothing to do with ipfw or ipfilter.

bad advice is actually worse than no advice at all...

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From: Andrew Johns
To: FreeBSD
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 05 Apr 2002 09:24:29 +1000
Subject: Re: IpFilter / IpFireWall
Message-ID: <3CACE0AD.90403@kpi.com.au>

FreeBSD wrote:
> to use ipfw&ipf use this in your
> kernel! :)
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFILTER
> options IPFILTER_LOG
> options TCPDEBUG
> options TCP_DROP_SYNFIN
> options ICMP_BANDLIM
> options DUMMYNET
> options IPSTEALTH
>
> ----- Original Message -----
> From: "ozkan_kirik"
> Sent: Thursday, April 04, 2002 6:57 PM
> Subject: IpFilter / IpFireWall
>
>> i am new to FreeBSD.
>> i use freebsd v4.5 Release #0.
>>
>> i am trying to setup a firewall.
>> but i couldn't block or pass any IP.
>> i think i have a mistake about my IPF&IPFW settings.
>>
>> in my kernel:
>> options IPFILTER
>> options IPFILTER_LOG
>> options IPFIREWALL
>> options IPFIREWALL_VERBOSE
>> options IPFIREWALL_VERBOSE_LIMIT=10
>>
>> but my rules don't work.
>> for example:
>> # ipfw add deny tcp from 193.255.128.250 to any
>> **answer is:
>> ipfw: getsockopt(IP_FW_ADD): Protocol not available
>>
>> when i saw this error i get crazy
>>

Actually I believe that the "Protocol not available" means that either:
a) he's not actually built the new kernel after editing the config file; or
b) he hasn't rebooted with the new kernel.

That message only appears (AFAIK) when IPFIREWALL is not in the _currently
running_ kernel.
Cheers

From: Anthony Schneider
To: Jesper Wallin
Cc: srstefanosteve@libero.it, security@FreeBSD.ORG
Date: Thu, 4 Apr 2002 18:25:03 -0500
Subject: Re: info
Message-ID: <20020404182503.A3401@mail.slc.edu>
In-Reply-To: <3211.213.112.58.75.1017956087.squirrel@phucking.kicks-ass.org>

i'm not sure that's necessarily a good idea. i believe that upgrading from
a 3.x box via make world can get you in a lot of trouble during the build
process. there was a thread about this in -hackers, so you might want to
browse through there (the last two months or so). i think the solution
ended up being to build the sources on a 4.x machine, tar it up, pass it
over to the 3.x machine, untar it, and make installworld, and even then i'm
not sure if the install was completely successful.
if i were you, i would seriously consider simply backing up your files and
installing 4.5 from scratch. then, follow the instructions for cvsup and
make world to keep on top of security patches with the RELENG_4 branch. if
you want to be even more on top of things, subscribe to this mailing list,
watch for advisories, have a cron job that nightly downloads the latest
-stable sources (again, RELENG_4) and ports, and when you notice a security
advisory on this list, decide whether that advisory affects you or not, and
then if it does, follow the instructions to build the patched version of
the software (remember, you should already have the patched sources), and
you have suddenly managed to patch your system within (potentially) minutes
of the announcement.

-Anthony.

On Thu, Apr 04, 2002 at 11:34:47PM +0200, Jesper Wallin wrote:
> Hello..
>
> Well, if you have cvsup installed you can upgrade the source for both the
> kernel and the "world" (the system base). Take a look at
> /usr/share/examples/cvsup/ and download the latest source. When it's done,
> just install the new kernel and rebuild the "world" and voila! you're
> running FreeBSD 4.5-Stable without any reinstall at all.. :) There is very
> helpful information in the handbook (www.freebsd.org/handbook) about how you
> make your kernel/world and why you do it..
>
> btw, patches are for linux, this is FreeBSD! :D
>
>
> //Jesper aka Z3l3zT
>
>
> > Hi,
> > I'm steve. I have got a Lan intranet in my office, where there are
> > connected some servers.
> > In these servers are installed OS FreeBSD version 3.4 and 3.2.
> > I'm interested to receive the patch for these OS to stop hackers.
>
> >
> > Thanks
>

-----------------------------------------------
PGP key at:
http://www.keyserver.net/
http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------

From: Steve Shorter
To: Bill Fumerola
Cc: FreeBSD, freebsd-security@FreeBSD.ORG
Date: Thu, 4 Apr 2002 18:27:54 -0500
Subject: Re: IpFilter / IpFireWall
Message-ID: <20020404182754.A98545@nomad.lets.net>
In-Reply-To: <20020404231901.GM1135@elvis.mu.org>
On Thu, Apr 04, 2002 at 03:19:01PM -0800, Bill Fumerola wrote:
> > options IPSTEALTH
>
> this has nothing to do with ipfw or ipfilter.

Hmm.. this adds a sysctl parameter that when enabled causes the firewall to
not decrease the ttl for packets that pass through it, making it "invisible"
to traceroute et al.

Or am I missing something?

-steve

From: "ozkan_kirik"
To: freebsd-security@freebsd.org
Date: Thu, 04 Apr 2002 23:33:52 -0000
Subject: When rebuilding Kernel!

when i'm rebuilding my kernel, on step "make install" an error occurs as
below:

# make install

chflags noschg /kernel
chflags: /kernel: Operation not permitted
*** Error code 1 (ignored)
mv /kernel /kernel.old
mv: rename /kernel to /kernel.old: Operation not permitted
*** Error code 1

Stop in /usr/src/sys/compile/GENERIC.
#

what can i do????
how can i complete my kernel building????
From: Bill Fumerola
To: Steve Shorter
Cc: FreeBSD, freebsd-security@FreeBSD.ORG
Date: Thu, 4 Apr 2002 15:38:24 -0800
Subject: Re: IpFilter / IpFireWall
Message-ID: <20020404233824.GN1135@elvis.mu.org>
In-Reply-To: <20020404182754.A98545@nomad.lets.net>

On Thu, Apr 04, 2002 at 06:27:54PM -0500, Steve Shorter wrote:
> On Thu, Apr 04, 2002 at 03:19:01PM -0800, Bill Fumerola wrote:
> > > options IPSTEALTH
> >
> > this has nothing to do with ipfw or ipfilter.
>
> Hmm.. this adds a sysctl parameter that when enabled
> causes the firewall to not decrease the ttl for packets that
> pass through it making it "invisible" to traceroute et al.

ipfw and ipfilter don't decrement the ttl.

> Or am I missing something?

yes, the difference between a firewall and a router.
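Two points in this thread are worth turning into a check: Bill Fumerola's reply that only IPFIREWALL (and, for ipfilter, IPFILTER) matter for filtering and that TCPDEBUG, TCP_DROP_SYNFIN, ICMP_BANDLIM and IPSTEALTH are unrelated to ipfw/ipf, and Andrew Johns' diagnosis that "Protocol not available" means the option is missing from the kernel that is actually running, not from the config file. The script below is an added example, not code posted by anyone in the thread: it reads a kernel config, reports which firewall it enables, lists the unrelated options, and explains the ipfw error. The sample config, the temp file name and the helper names are constructed for illustration; the running-kernel probe assumes that the net.inet.ip.fw.enable sysctl exists only when ipfw is compiled in or loaded, and on a non-FreeBSD host it simply reports ipfw as absent.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an ipfw/ipf
# kernel build on FreeBSD 4.x.  Sample config and file names are constructed.

# has_option CONFIG OPTION -> exit 0 when an uncommented "options OPTION"
# line (with or without =value) is present in CONFIG
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=]|$)" "$1"
}

# config_firewalls CONFIG -> prints "ipfw", "ipf", "ipfw ipf" or "none"
config_firewalls() {
    found=""
    has_option "$1" IPFIREWALL && found="ipfw"
    has_option "$1" IPFILTER && found="${found:+$found }ipf"
    printf '%s\n' "${found:-none}"
}

# unrelated_options CONFIG -> prints, one per line, the options from the
# posted list that have nothing to do with ipfw or ipfilter
unrelated_options() {
    for opt in TCPDEBUG TCP_DROP_SYNFIN ICMP_BANDLIM IPSTEALTH; do
        has_option "$1" "$opt" && printf '%s\n' "$opt"
    done
    return 0
}

# explain_ipfw_error MESSAGE -> likely cause of an ipfw(8) error line
explain_ipfw_error() {
    case "$1" in
        *"Protocol not available"*)
            echo "IPFIREWALL is not in the running kernel: build and install the new kernel, reboot, then retry" ;;
        *)
            echo "unrecognised ipfw error: $1" ;;
    esac
}

# running_kernel_has_ipfw -> exit 0 when the live kernel exposes the ipfw
# sysctl (assumption: net.inet.ip.fw.enable exists only with ipfw compiled
# in or loaded); fails on any host without it
running_kernel_has_ipfw() {
    sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1
}

# Walk-through on a constructed config close to the one posted in the thread.
demo="${TMPDIR:-/tmp}/ipfw_preflight_demo.$$"
cat > "$demo" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFILTER
options IPFILTER_LOG
options TCPDEBUG
#options IPSTEALTH
EOF
echo "config enables: $(config_firewalls "$demo")"
echo "unrelated to filtering: $(unrelated_options "$demo" | tr '\n' ' ')"
explain_ipfw_error "ipfw: getsockopt(IP_FW_ADD): Protocol not available"
if running_kernel_has_ipfw; then
    echo "running kernel: ipfw present"
else
    echo "running kernel: ipfw absent (editing the config changes nothing until the new kernel boots)"
fi
rm -f "$demo"
```

The regex in has_option requires the option name to be followed by whitespace, "=" or end of line, so IPFIREWALL does not match the IPFIREWALL_VERBOSE line, and a leading "#" keeps a commented-out option from counting.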
From: "Patrick O. Fish"
To: "ozkan_kirik"
Date: Thu, 4 Apr 2002 15:42:02 -0800
Subject: Re: When rebuilding Kernel!
Message-ID: <017f01c1dc32$524da3e0$0300a8c0@pwhsnet.com>

This should be posted on -questions next time, however I will try to help
you.

Type this as root:

sysctl kern.securelevel -1
and retry.

-
Patrick Fish - patrick at pwhsnet dot com
PWHS Networks - http://www.pwhsnet.com

----- Original Message -----
From: "ozkan_kirik"
Sent: Thursday, April 04, 2002 3:33 PM
Subject: When rebuilding Kernel!
> when i'm rebuilding my kernel, on step "make install" an error occurs as
> below:
>
> # make install
>
> chflags noschg /kernel
> chflags: /kernel: Operation not permitted
> *** Error code 1 (ignored)
> mv /kernel /kernel.old
> mv: rename /kernel to /kernel.old: Operation not permitted
> *** Error code 1
>
> Stop in /usr/src/sys/compile/GENERIC.
> #
>
> what can i do????
> how can i complete my kernel building????

From: mpd
To: ozkan_kirik
Cc: freebsd-security@freebsd.org
Date: Thu, 4 Apr 2002 18:44:15 -0500
Subject: Re: When rebuilding Kernel!
Message-ID: <20020404184415.A49690@rochester.rr.com>

On Thu, Apr 04, 2002 at 11:33:52PM -0000, ozkan_kirik wrote:
> when i'm rebuilding my kernel, on step "make install" an error occurs as
> below:
>
> # make install
>
> chflags noschg /kernel
> chflags: /kernel: Operation not permitted
> *** Error code 1 (ignored)
> mv /kernel /kernel.old
> mv: rename /kernel to /kernel.old: Operation not permitted
> *** Error code 1
>
> Stop in /usr/src/sys/compile/GENERIC.
> #
>
> what can i do????
> how can i complete my kernel building????

This answer is in section 9.6 of the handbook, as well as archived in tons
of places.

mike

--
___________________________________________________________
"HOORAY FOR MR NUTTY!!" - Little Girl from "WE ARE PLAYING GEOGRAPHY"

From: "Patrick O. Fish"
To: "Patrick O. Fish", "ozkan_kirik"
Subject: Re: When rebuilding Kernel!
Message-ID: <018f01c1dc33$48c88c30$0300a8c0@pwhsnet.com>
In-Reply-To: <017f01c1dc32$524da3e0$0300a8c0@pwhsnet.com>
Date: Thu, 4 Apr 2002 15:48:56 -0800

I'm sorry, it's:

susctl kern.securelevel=-1

-
Patrick Fish - patrick at pwhsnet dot com
PWHS Networks - http://www.pwhsnet.com

----- Original Message -----
From: "Patrick O. Fish"
To: "ozkan_kirik"
Sent: Thursday, April 04, 2002 3:42 PM
Subject: Re: When rebuilding Kernel!

> This should be posted on -questions next time, however I will try to help
> you.
>
> Type this as root:
>
> sysctl kern.securelevel -1
> and retry.
>
>
> -
> Patrick Fish - patrick at pwhsnet dot com
> PWHS Networks - http://www.pwhsnet.com
> ----- Original Message -----
> From: "ozkan_kirik"
> Sent: Thursday, April 04, 2002 3:33 PM
> Subject: When rebuilding Kernel!
>
>
> > when i'm rebuilding my kernel, on step "make install" an error occurs as
> > below:
> >
> > # make install
> >
> > chflags noschg /kernel
> > chflags: /kernel: Operation not permitted
> > *** Error code 1 (ignored)
> > mv /kernel /kernel.old
> > mv: rename /kernel to /kernel.old: Operation not permitted
> > *** Error code 1
> >
> > Stop in /usr/src/sys/compile/GENERIC.
> > #
> >
> > what can i do????
> > how can i complete my kernel building????
From: "Patrick O. Fish"
To: "Patrick O. Fish", "ozkan_kirik"
Date: Thu, 4 Apr 2002 15:50:57 -0800
Subject: Re: When rebuilding Kernel!
Message-ID: <019901c1dc33$91302960$0300a8c0@pwhsnet.com>
In-Reply-To: <018f01c1dc33$48c88c30$0300a8c0@pwhsnet.com>

....We all make mistakes...

sysctl kern.securelevel=-1

-
Patrick Fish - patrick at pwhsnet dot com
PWHS Networks - http://www.pwhsnet.com

----- Original Message -----
From: "Patrick O. Fish"
To: "Patrick O. Fish"; "ozkan_kirik"
Sent: Thursday, April 04, 2002 3:48 PM
Subject: Re: When rebuilding Kernel!
> I'm sorry, it's:
>
> susctl kern.securelevel=-1
> -
> Patrick Fish - patrick at pwhsnet dot com
> PWHS Networks - http://www.pwhsnet.com
> ----- Original Message -----
> From: "Patrick O. Fish"
> To: "ozkan_kirik"
> Sent: Thursday, April 04, 2002 3:42 PM
> Subject: Re: When rebuilding Kernel!
>
>
> > This should be posted on -questions next time, however I will try to help
> > you.
> >
> > Type this as root:
> >
> > sysctl kern.securelevel -1
> > and retry.
> >
> >
> > -
> > Patrick Fish - patrick at pwhsnet dot com
> > PWHS Networks - http://www.pwhsnet.com
> > ----- Original Message -----
> > From: "ozkan_kirik"
> > Sent: Thursday, April 04, 2002 3:33 PM
> > Subject: When rebuilding Kernel!
> >
> >
> > > when i'm rebuilding my kernel, on step "make install" an error occurs as
> > > below:
> > >
> > > # make install
> > >
> > > chflags noschg /kernel
> > > chflags: /kernel: Operation not permitted
> > > *** Error code 1 (ignored)
> > > mv /kernel /kernel.old
> > > mv: rename /kernel to /kernel.old: Operation not permitted
> > > *** Error code 1
> > >
> > > Stop in /usr/src/sys/compile/GENERIC.
> > > #
> > >
> > > what can i do????
> > > how can i complete my kernel building????
From: Anthony Schneider
To: "Patrick O. Fish"
Cc: ozkan_kirik, freebsd-security@FreeBSD.ORG
Date: Thu, 4 Apr 2002 18:55:25 -0500
Subject: Re: When rebuilding Kernel!
Message-ID: <20020404185524.A3925@mail.slc.edu>
In-Reply-To: <017f01c1dc32$524da3e0$0300a8c0@pwhsnet.com>

On Thu, Apr 04, 2002 at 03:42:02PM -0800, Patrick O. Fish wrote:
> This should be posted on -questions next time, however I will try to help
> you.

i agree.
>
> Type this as root:
>
> sysctl kern.securelevel -1
> and retry.

i disagree. it won't work, as you can't lower a security level, you can
only raise it. i'd suggest simply rebooting into singleuser mode and
running make install from there, and then reboot with the new kernel.

-Anthony.

>
>
> -
> Patrick Fish - patrick at pwhsnet dot com
> PWHS Networks - http://www.pwhsnet.com
> ----- Original Message -----
> From: "ozkan_kirik"
> Sent: Thursday, April 04, 2002 3:33 PM
> Subject: When rebuilding Kernel!
>
>
> > when i'm rebuilding my kernel, on step "make install" an error occurs as
> > below:
> >
> > # make install
> >
> > chflags noschg /kernel
> > chflags: /kernel: Operation not permitted
> > *** Error code 1 (ignored)
> > mv /kernel /kernel.old
> > mv: rename /kernel to /kernel.old: Operation not permitted
> > *** Error code 1
> >
> > Stop in /usr/src/sys/compile/GENERIC.
> > #
> >
> > what can i do????
> > how can i complete my kernel building????
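The rule Anthony states (a running system can raise kern.securelevel but not lower it, so the chflags noschg /kernel step of make install is refused and a single-user reboot is the way out) modelled as an added shell example; this is not code from the thread. The semantics encoded here are my reading of init(8) and the securelevel sysctl handler and should be treated as assumptions: only init (pid 1) may lower the level, it drops the level to 0 when the system goes single-user, and at level 1 or higher the schg/sappnd file flags cannot be cleared. The function and file names are constructed; preflight reads the live value only on a FreeBSD host and reports that it cannot elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): a model of the kern.securelevel rules
# behind the failing "make install", plus a pre-flight check.  The rules are
# assumptions taken from init(8): any superuser process may raise the level,
# only init (pid 1) may lower it (which it does when entering single-user
# mode), and at level >= 1 the schg/sappnd flags cannot be cleared, so
# "chflags noschg /kernel" and the following mv fail with EPERM.

# schg_clearable LEVEL -> exit 0 when "chflags noschg" is permitted at LEVEL
schg_clearable() {
    [ "$1" -le 0 ]
}

# set_securelevel CURRENT REQUESTED PID -> prints the level the kernel would
# end up at, or EPERM when it would refuse the request
set_securelevel() {
    if [ "$2" -lt "$1" ] && [ "$3" -ne 1 ]; then
        echo EPERM
    else
        echo "$2"
    fi
}

# kernel_install_verdict LEVEL -> one-line verdict for running "make install"
kernel_install_verdict() {
    if schg_clearable "$1"; then
        echo "ok: securelevel $1, /kernel can be renamed and replaced"
    else
        echo "blocked: securelevel $1 keeps the schg flag on /kernel; drop to single-user mode (init lowers the level there) and install from that shell"
    fi
}

# preflight -> reads the live level (FreeBSD only) and prints the verdict;
# returns 2 when the sysctl is not available on this host
preflight() {
    level=$(sysctl -n kern.securelevel 2>/dev/null) ||
        { echo "kern.securelevel not readable on this host"; return 2; }
    case "$level" in
        ''|*[!0-9-]*) echo "unexpected kern.securelevel value: '$level'"; return 2 ;;
    esac
    kernel_install_verdict "$level"
}

# The thread's situation: a multi-user box running at securelevel 1.
echo "root runs 'sysctl kern.securelevel=-1': $(set_securelevel 1 -1 4242)"
echo "root raises the level to 2:             $(set_securelevel 1 2 4242)"
echo "init enters single-user mode:           $(set_securelevel 1 0 1)"
kernel_install_verdict 1
kernel_install_verdict 0
preflight || true
```

set_securelevel is the check a sysctl write goes through: a request below the current level from anything other than pid 1 is refused, which is exactly why the suggested sysctl kern.securelevel=-1 returns an error rather than helping, while the same request from init on the way to single-user mode succeeds.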
From: Jerry Connolly
To: Anthony Schneider
Cc: Jesper Wallin, srstefanosteve@libero.it
Date: Fri, 5 Apr 2002 01:41:39 +0100
Subject: Re: info
Message-ID: <20020405014139.B26189@alpha.eng.eircom.net>
In-Reply-To: <20020404182503.A3401@mail.slc.edu>
Organization: Eircom CIRT

Anthony Schneider said the following on Thu, Apr 04, 2002 at 06:25:03PM -0500,
> i'm not sure that's necessarily a good idea.
> i believe that upgrading from a 3.x box via make world can get you in a lot
> of trouble during the build process.

There are certainly pitfalls. One possible path would be to upgrade from
3.2 to 3.5 in the normal way. Then follow these instructions:

http://laa.zp.ua/doc/FreeBSD/3.5-4.x.upgrade.txt

I upgraded from 3.2-RELEASE to 4.1-STABLE successfully in the past using
this method.
-- Jerry Connolly Security Specialist jerry.connolly@eircom.net Eircom Net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 4 19:37:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id 7867B37B417 for ; Thu, 4 Apr 2002 19:37:06 -0800 (PST) Received: from kpi.com.au (localhost.kpi.com.au [127.0.0.1]) by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id NAA45213; Fri, 5 Apr 2002 13:37:14 +1000 (EST) (envelope-from johnsa@kpi.com.au) Message-ID: <3CAD1BD0.8030008@kpi.com.au> Date: Fri, 05 Apr 2002 13:36:48 +1000 From: Andrew Johns User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1 X-Accept-Language: en-gb MIME-Version: 1.0 To: Anthony Schneider Cc: freebsd-security@FreeBSD.ORG Subject: Re: a possible solution (re: su thread) References: <20020327163901.A33089@mail.slc.edu> <20020327171502.A33652@mail.slc.edu> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Anthony Schneider wrote: > oh, by the way, as another person mentioned to me already, this idea > is also quite akin to notions in the trustedbsd paradigm. he's right, > it is. the idea is that the tool would be extremely portable across > *NIX platforms. it would of course in no way stand above trustedbsd, > and that is not my intention. it would, however, somewhat mirror > access control policies in trustedbsd in userland. again, any ideas > on how to make this more flexible, secure, etc., are wolcomed. > -Anthony. 
While doing some work recently, we came across sus, an interesting utility used where "many users need to run commands as root, but where sudo was too limited and su too powerful".

http://pdg.uow.edu.au/sus/index.html

From the homepage:

SUS is a utility to allow a user (typically a system administrator) to run a single command as the super user. SUS reads a configuration file which determines if the user may execute the command or not. Some of the more advanced features of SUS are:

* the configuration file is preprocessed as it is read by a "CPP style preprocessor."
* an ability to define a class of system objects (users, groups, files, hosts or processes) by their attributes.
* an ability to treat arguments passed to the target command as references to system objects and allow or reject commands based on the membership of such objects to predefined object classes.
* the ability to run commands as users other than root.
* the ability to run commands in background as session leaders.
* the ability to let a user run a command as a target user if the invoking user can authenticate as the target user.

I haven't tried compiling this on BSD, but it might get you some of the way there (or perhaps not). I'm interested in any comments on the code, etc. There are no copyright notices in the code or on the site, but I've emailed the author to determine the state of this.
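The feature in that list that separates SUS from plain command-string matching is the third one: arguments are treated as references to system objects and the command is allowed only if those objects fall into a predefined class. Without it, a rule that lets web administrators run chown also lets them run chown on /etc/passwd. The sketch below is an added illustration for this page of how such an argument-aware check fits together; it is not SUS's code or its configuration syntax, and the users, groups, file owners and paths are constructed stand-ins for what a real tool would read through getpwnam(3), getgrnam(3) and stat(2).

```python
"""
Argument-aware command policy in the spirit of the SUS feature list quoted
above: object classes defined by attributes, and command arguments checked
for membership of those classes before the command may run as another user.

Added illustration for this page; not SUS's code or its configuration
syntax.  Users, groups, file owners and paths below are constructed stand-ins
for what a real tool would read via getpwnam(3), getgrnam(3) and stat(2).
"""
import os
import shlex
from dataclasses import dataclass, field

# Constructed: group memberships, in place of getgrnam()/getgrouplist().
USER_GROUPS = {
    "alice": {"alice", "webadmin"},
    "bob": {"bob"},
}

# Constructed: file owners, in place of stat(2) on the canonical path.
FILE_OWNERS = {
    "/var/www/site/index.html": "www",
    "/var/www/site/upload.php": "www",
    "/var/www/site/.htaccess": "root",
    "/etc/passwd": "root",
}


@dataclass
class UserClass:
    """Users selected by attribute: membership in any of these groups."""
    groups: set

    def contains(self, user: str) -> bool:
        return bool(USER_GROUPS.get(user, set()) & self.groups)


@dataclass
class FileClass:
    """Files selected by attributes: canonical path prefix and owner."""
    prefix: str
    owner: str

    def contains(self, path: str) -> bool:
        # Canonicalise before comparing, so that
        # "/var/www/site/../../../etc/passwd" is judged as "/etc/passwd"
        # rather than by its textual prefix.
        canon = os.path.normpath(path)
        if canon != self.prefix and not canon.startswith(self.prefix + "/"):
            return False
        return FILE_OWNERS.get(canon) == self.owner


@dataclass
class Rule:
    """Members of `users` may run `command` as `run_as` when every argument
    at the listed positions (0-based, after the command) is in `files`."""
    users: UserClass
    command: str
    run_as: str
    files: FileClass
    arg_positions: tuple = field(default_factory=tuple)


POLICY = [
    # Web admins may chown files under the site root back to the www user,
    # but only files that already belong to www (so not .htaccess or anything
    # outside the tree).  Argument [0] is the new owner, [1] the target file.
    Rule(
        users=UserClass(groups={"webadmin"}),
        command="/usr/sbin/chown",
        run_as="root",
        files=FileClass(prefix="/var/www/site", owner="www"),
        arg_positions=(1,),
    ),
]


def decide(user: str, argv: list) -> tuple:
    """Return (True, run_as_user) or (False, reason) for a request."""
    if not argv:
        return (False, "empty command")
    for rule in POLICY:
        if rule.command != argv[0] or not rule.users.contains(user):
            continue
        args = argv[1:]
        # Every position-marked argument must resolve to a class member.
        if all(i < len(args) and rule.files.contains(args[i])
               for i in rule.arg_positions):
            return (True, rule.run_as)
        return (False, "argument not in permitted object class")
    return (False, "no matching rule")


def decide_line(user: str, command_line: str) -> tuple:
    """decide() for a shell-style command line."""
    return decide(user, shlex.split(command_line))


if __name__ == "__main__":
    for who, line in [
        ("alice", "/usr/sbin/chown www /var/www/site/upload.php"),
        ("alice", "/usr/sbin/chown www /var/www/site/.htaccess"),
        ("alice", "/usr/sbin/chown www /var/www/site/../../../etc/passwd"),
        ("bob", "/usr/sbin/chown www /var/www/site/upload.php"),
    ]:
        print(f"{who}: {line} -> {decide_line(who, line)}")
```

Two details carry the security weight: the class test runs on the canonical path, so a ".." in the argument cannot move a file into the permitted class by textual prefix, and ownership is checked per file rather than inferred from the directory. A real setuid implementation would also have to hand the canonical path to the command it executes and guard against the file being swapped between the check and the exec.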
From owner-freebsd-security Thu Apr 4 23:02:35 2002
From: "Crist J. Clark"
Date: Thu, 4 Apr 2002 23:02:20 -0800
To: Asenchi
Cc: "Nickolay A. Kritsky", freebsd-security@FreeBSD.ORG
Subject: Re: another natd question

On Thu, Apr 04, 2002 at 10:19:06AM -0500, Asenchi wrote:

> Thank you for your answer, but I can't seem to find any case of two
> instances of natd running.

No, because the second attempt to start it fails and generates the message you see.

> If anyone could give me some places that I should look at as far as finding
> two instances of natd.

Do you have

natd_enable="YES"

in your rc.conf(5) and also run natd(8) on your own out of some file?

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Thu Apr 4 23:44:57 2002
From: "ozkan_kirik"
Date: Fri, 05 Apr 2002 07:44:45 -0000
To: freebsd-security@freebsd.org
Subject: Ping problem!

After I built my kernel, I couldn't ping anywhere, not even the router, and I couldn't ping my firewall. What can the problem be?

The options in the kernel are:

IPFIREWALL
IPDIVERT
IPFIREWALL_FORWARD
IPFIREWALL_VERBOSE
IPFIREWALL_VERBOSE_LIMIT=100
IPFIREWALL_DEFAULT_TO_ACCEPT
IPFILTER
IPFILTER_LOG
TCPDEBUG
TCP_DROP_SYNFIN
DUMMYNET
IPSTEALTH
BRIDGE

My rc.conf:

...
inetd_enable="YES"
ipv6_enable="YES"
kern_securelevel="2"
kern_securelevel_enable="YES"
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -FA -f"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags="-E"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmonflags="-Ds"
ipfirewall_enable="YES"

What can I do? Thanks for your help.
:)

From owner-freebsd-security Fri Apr 5 02:59:56 2002
From: Krzysztof Zaraska
Date: Fri, 5 Apr 2002 12:59:44 +0200
To: "ozkan_kirik"
Cc: freebsd-security@freebsd.org
Subject: Re: Ping problem!
Organization: University Of Mining And Metallurgy

On Fri, 05 Apr 2002 07:44:45 -0000 ozkan_kirik wrote:

> After I built my kernel, I couldn't ping anywhere, not even the router, and
> I couldn't ping my firewall.

I don't quite understand you... Usually the firewall should be set up in a way that allows you to ping outside hosts, but the external world should not be able to ping you.

> What can the problem be?
>
> The options in the kernel are:
>
> IPFIREWALL
> IPDIVERT
> IPFIREWALL_FORWARD
> IPFIREWALL_VERBOSE
> IPFIREWALL_VERBOSE_LIMIT=100
> IPFIREWALL_DEFAULT_TO_ACCEPT
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This will let through any traffic not explicitly denied. Standard recommended setup is 'default to deny'.

> IPFILTER
> IPFILTER_LOG

Are you sure you want to run both ipf and ipfw at the same time?

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

From owner-freebsd-security Fri Apr 5 03:11:21 2002
From: Krzysztof Zaraska
Date: Fri, 5 Apr 2002 13:10:53 +0200
To: "Krzysztof Zaraska"
Cc: freebsd-security@freebsd.org
Subject: Re: Ping problem!
Organization: University Of Mining And Metallurgy

On Fri, 5 Apr 2002 12:59:44 +0200 Krzysztof Zaraska wrote:

> On Fri, 05 Apr 2002 07:44:45 -0000 ozkan_kirik wrote:
>
> > After I built my kernel, I couldn't ping anywhere, not even the router, and
> > I couldn't ping my firewall.
>
> I don't quite understand you... Usually the firewall should be set up in a
> way that allows you to ping outside hosts, but the external world should not
> be able to ping you.
>
> > What can the problem be?
> >
> > The options in the kernel are:
> >
> > IPFIREWALL
> > IPDIVERT
> > IPFIREWALL_FORWARD
> > IPFIREWALL_VERBOSE
> > IPFIREWALL_VERBOSE_LIMIT=100
> > IPFIREWALL_DEFAULT_TO_ACCEPT
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This will let through any traffic not explicitly denied.
>
> Standard recommended setup is 'default to deny'.
>
> > IPFILTER
> > IPFILTER_LOG
>
> Are you sure you want to run both ipf and ipfw at the same time?

Ooops, missed the previous thread on the subject. Sorry. It _makes_ sense.

Did you try looking at the counters for each firewall rule and/or your logs while pinging? You may have a misconfigured ruleset, ending up dropping packets that should be let through. Just a guess.

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

From owner-freebsd-security Fri Apr 5 03:17:50 2002
From: Sematimba Noah Kevin
Date: Fri, 5 Apr 2002 14:19:31 +0300 (EAT)
To: Asenchi
Cc: "Nickolay A. Kritsky", freebsd-security@FreeBSD.ORG
Subject: RE: another natd question

Perhaps it could be that you have another application that listens on that port and starts before natd? What port are you diverting to in your natd.cf?

Noah

Beware! To touch these wires is instant death. Anyone found doing so will be prosecuted.
-- sign at a railroad station

On Thu, 4 Apr 2002, Asenchi wrote:

> Thank you for your answer, but I can't seem to find any case of two
> instances of natd running.
>
> Would this be listed in ps?
>
> If anyone could give me some places that I should look at as far as finding
> two instances of natd.
>
> Thank you all for your help,
>
> ASENCHI
>
> -----Original Message-----
> From: Nickolay A. Kritsky [mailto:nkritsky@internethelp.ru]
> Sent: Wednesday, April 03, 2002 9:28 PM
> To: Asenchi
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: another natd question
>
> Hello Asenchi,
>
> Thursday, April 04, 2002, 1:41:27 AM, you wrote:
>
> A> Thank you to all who responded to my question earlier.
>
> A> I have another question about natd. When I start up the machine, in the
> A> boot messages I get this:
>
> A> Starting local daemons: natd: Unable to bind divert socket.: Address
> A> already in use.
>
> This probably means that you start two instances of natd. Check your
> rc scripts (man rc)
>
> A> I have always gotten this actually, I just haven't been curious enough
> A> til now to ask about it.
>
> A> Thanks for any help you can give,
>
> A> ASENCHI
>
> ;-------------------------------------------
> ; NKritsky
> ; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Fri Apr 5 05:38:50 2002
From: Baris Simsek
Date: Fri, 5 Apr 2002 16:44:08 +0300 (EEST)
To: ozkan_kirik
Subject: Re: Ping problem!

The default kernel option is rejecting every packet. You have to add a rule to accept the packets you want. Add this rule to test it:

ipfw add 10000 allow all from any to any

>-------------------------------------------------------------------<
Baris Simsek - UNIX Sys. Adm. - Bimel Elektronik - (+90312) 4342245
http://acikkod.org/

On Fri, 5 Apr 2002, ozkan_kirik wrote:

> After I built my kernel, I couldn't ping anywhere, not even the router, and
> I couldn't ping my firewall.
>
> What can the problem be?
>
> The options in the kernel are:
>
> IPFIREWALL
> IPDIVERT
> IPFIREWALL_FORWARD
> IPFIREWALL_VERBOSE
> IPFIREWALL_VERBOSE_LIMIT=100
> IPFIREWALL_DEFAULT_TO_ACCEPT
> IPFILTER
> IPFILTER_LOG
> TCPDEBUG
> TCP_DROP_SYNFIN
> DUMMYNET
> IPSTEALTH
> BRIDGE
>
> My rc.conf:
>
> ...
> inetd_enable="YES"
> ipv6_enable="YES"
> kern_securelevel="2"
> kern_securelevel_enable="YES"
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf -FA -f"
> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags="-E"
> ipmon_enable="YES"
> ipmon_program="/sbin/ipmon"
> ipmonflags="-Ds"
> ipfirewall_enable="YES"
>
> What can I do? Thanks for your help.
> :)

From owner-freebsd-security Fri Apr 5 07:09:04 2002
From: FreeBSD Security Advisories
Date: Fri, 5 Apr 2002 07:08:58 -0800 (PST)
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: NEW: FreeBSD Security Notices

Hello,

Historically, FreeBSD Security Advisories have been used to report security issues found in the base system, and high-risk issues related to third-party applications available in the Ports Collection.

The FreeBSD Security Officer Team will now be issuing Security Notices in addition to Security Advisories. While Security Advisories will continue to be the team's focus, the Security Notices will provide a channel for communicating issues that have been previously publicized. In particular, problems reported with applications in the Ports Collection that are not FreeBSD-specific are likely to be reported in a Security Notice. FreeBSD makes no claim about the security of these third-party applications.

We expect that this will allow the FreeBSD Security Officer Team to cover more issues --- especially in third-party software --- in a more timely fashion, while reserving full Security Advisories for problems in FreeBSD itself or that only affect FreeBSD.

Cheers,
The FreeBSD Security Officer Team.

From owner-freebsd-security Fri Apr 5 07:28:52 2002
From: FreeBSD Security Advisories
Date: Fri, 5 Apr 2002 07:13:43 -0800 (PST)
To: FreeBSD Security Advisories
Reply-To: security-advisories@FreeBSD.org
Subject: FreeBSD Security Notice FreeBSD-SN-02:01

=============================================================================
FreeBSD-SN-02:01                                              Security Notice
                                                                FreeBSD, Inc.

Topic:          security issues in ports

Announced:      2002-03-30

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security issues. These are listed below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers.

These ports are not installed by default, nor are they ``part of FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See for more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      acroread, acroread-chsfont, acroread-chtfont,
                acroread-commfont, acroread4, linux-mozilla,
                linux-netscape6, linux_base, linux_base-7
Affected:       versions < linux_base-6.1_1 (linux_base port)
                versions < linux_base-7.1_2 (linux_base-7 port)
                versions < linux_mozilla-0.9.9_1
                all versions of all acroread ports
                all versions of linux-netscape6
Status:         Fixed: linux_base, linux_base-7, linux-mozilla.
                Not fixed: acroread, acroread-chsfont, acroread-chtfont,
                acroread-commfont, acroread4, linux-netscape6.

These Linux binaries utilize versions of zlib which may contain an exploitable double-free bug.
+------------------------------------------------------------------------+
Port name:      apache13-ssl, apache13-modssl
Affected:       all versions of apache+ssl
                all versions of apache+mod_ssl
Status:         Not yet fixed.

Buffer overflows in SSL session cache handling.
+------------------------------------------------------------------------+
Port name:      bulk_mailer
Affected:       all versions
Status:         Not yet fixed.

Buffer overflows, temporary file race.
+------------------------------------------------------------------------+
Port name:      cups, cups-base, cups-lpr
Affected:       versions < cups-1.1.14
                versions < cups-base-1.1.14
                versions < cups-lpr-1.1.14
Status:         Fixed.

Buffer overflows in IPP code.
+------------------------------------------------------------------------+
Port name:      fileutils
Affected:       all versions
Status:         Not yet fixed.

Race condition in directory removal.
+------------------------------------------------------------------------+
Port name:      imlib
Affected:       versions < imlib-1.9.13
Status:         Fixed.

Heap corruption in image handling.
+------------------------------------------------------------------------+
Port name:      listar, ecartis
Affected:       versions < ecartis-1.0.0b
                all versions of listar
Status:         Fixed: ecartis. Not fixed: listar.

Local and remote buffer overflows, incorrect privilege handling.
+------------------------------------------------------------------------+
Port name:      mod_php3, mod_php4
Affected:       versions < mod_php3-3.0.18_3
                versions < mod_php4-4.1.2
Status:         Fixed.

Vulnerabilities in file upload handling.
+------------------------------------------------------------------------+
Port name:      ntop
Affected:       all versions
Status:         Not yet fixed.

Remote format string vulnerability.
+------------------------------------------------------------------------+
Port name:      rsync
Affected:       versions < rsync-2.5.4
Status:         Fixed.

Incorrect group privilege handling, zlib double-free bug.
+------------------------------------------------------------------------+
Port name:      xchat, xchat-devel
Affected:       all versions
Status:         Not yet fixed.

Malicious server may cause xchat to execute arbitrary commands.
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

Do one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port. Several tools are available in the Ports Collection to make this easier. See:

   /usr/ports/devel/portcheckout
   /usr/ports/misc/porteasy
   /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

   [i386]
   ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at this time.

+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory. Feedback on Security Notices is welcome at .

From owner-freebsd-security Fri Apr 5 07:33:55 2002
From: D J Hawkey Jr
Date: Fri, 5 Apr 2002 09:29:55 -0600
To: security at FreeBSD
Subject: Re: NEW: FreeBSD Security Notices
Reply-To: hawkeyd@visi.com
On Apr 05, at 07:08 AM, FreeBSD Security Advisories wrote:

> The FreeBSD Security Officer Team will now be issuing Security Notices
> in addition to Security Advisories. While Security Advisories will
> continue to be the team's focus, the Security Notices will provide a
> channel for communicating issues that have been previously publicized.
> In particular, problems reported with applications in the Ports
> Collection that are not FreeBSD-specific are likely to be reported in
> a Security Notice. FreeBSD makes no claim about the security of these
> third-party applications.

Can someone please provide the mail address for this, as found in the To: and From: mail headers (as opposed to the RCPT and FROM envelope headers)? I've finished writing some sendmail anti-spam rules, and they test the mail header addresses. I wouldn't want these Security Notices dropped on the floor, for my not making the proper allowances...

Thanks,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Fri Apr 5 07:53:20 2002
From: "Jacques A. Vidrine"
Date: Fri, 5 Apr 2002 09:51:46 -0600
To: D J Hawkey Jr
Cc: freebsd-security@freebsd.org
Subject: Re: NEW: FreeBSD Security Notices

On Fri, Apr 05, 2002 at 09:29:55AM -0600, D J Hawkey Jr wrote:

> Can someone please provide the mail address for this, as found in the
> To: and From: mail headers (as opposed to the RCPT and FROM envelope
> headers)?

FreeBSD Security Notices will use essentially the same headers as the advisories, i.e. .

Cheers,
--
Jacques A. Vidrine                                  http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Fri Apr 5 10:37:46 2002
From: "Colin Legendre"
Date: Fri, 5 Apr 2002 13:41:44 -0500
To: "Baris Simsek", "ozkan_kirik"
Subject: RE: Ping problem!

Nope, that is wrong. Look at the message, he has default to accept set.

Colin Legendre CCNP, MCP
sudz@ns3g.com
http://www.ns3g.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Baris Simsek
Sent: Friday, April 05, 2002 8:44 AM
To: ozkan_kirik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ping problem!

The default kernel option is rejecting every packet. You have to add a rule to accept the packets you want. Add this rule to test it:

ipfw add 10000 allow all from any to any

>-------------------------------------------------------------------<
Baris Simsek - UNIX Sys. Adm.
- Bimel Elektronik - (+90312) 4342245 http://acikkod.org/ On Fri, 5 Apr 2002, ozkan_kirik wrote: > after i built my kernel, i couldnt ping to anywhere even router, & i > couldnt ping to my firewall. > > what the problem can be? > > the options on kernel are: > > IPFIREWALL > IPDIVERT > IPFIREWALL_FORWARD > IPFIREWALL_VERBOSE > IPFIREWALL_VERBOSE_LIMIT=100 > IPFIREWALL_DEFAULT_TO_ACCEPT > IPFILTER > IPFILTER_LOG > TCPDEBUG > TCP_DROP_SYNFIN > DUMMYNET > IPSTEALTH > BRIDGE > > > my rc.conf: > > ... > ... > ... > inetd_enable="YES" > ipv6_enable="YES" > kern_securelevel="2" > kern_securelevel_enable="YES" > ipfilter_enable="YES" > ipfilter_program="/sbin/ipf -FA -f" > ipfilter_rules="/etc/ipf.rules" > ipfilter_flags="-E" > ipmon_enable="YES" > ipmon_program="/sbin/ipmon" > ipmonflags="-Ds" > ipfirewall_enable="YES" > > > > what can i do? > by now thx 4 yr help. :) > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 6 9:52: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from n28.grp.scd.yahoo.com (n28.grp.scd.yahoo.com [66.218.66.84]) by hub.freebsd.org (Postfix) with SMTP id DEC0137B41D for ; Sat, 6 Apr 2002 09:51:57 -0800 (PST) X-eGroups-Return: ozkan_kirik@yahoo.com Received: from [66.218.67.190] by n28.grp.scd.yahoo.com with NNFMP; 06 Apr 2002 17:51:57 -0000 Date: Sat, 06 Apr 2002 17:51:57 -0000 From: "ozkan_kirik" To: freebsd-security@freebsd.org Subject: Abit different ping problem :( Message-ID: User-Agent: eGroups-EW/0.82 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 X-Mailer: Yahoo Groups Message Poster X-Originating-IP: 193.255.128.250 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk 
I tried to allow all packets but it didn't work. & then I decided to
configure my kernel again. In my kernel:

IPFIREWALL
IPSTEALTH
BRIDGE

my defaultrouter="193.255.128.1"

When I try to ping anywhere, even my router, I get: "Permission denied"

& then I do this:

# ipfw add allow all from 193.255.128.1 to any
# ipfw add allow all from any to 193.255.128.1

Then I tried to ping 193.255.128.1; now I get: "Host is down" !!!
But other computers on the network can ping 193.255.128.1; for example,
this PC can ping all computers except my firewall.

WARNING: I am trying to set up a firewall. My firewall is not in front of
the router because it still has problems. It is on the LAN as a normal
computer.

Waiting for your help.
With my best regards.
**Ozkan KIRIK**

From owner-freebsd-security Sat Apr  6 10:45:53 2002
From: "N. J. Cash"
To: "ozkan_kirik", freebsd-security@FreeBSD.ORG
Subject: Re: Abit different ping problem :(
Date: Sat, 6 Apr 2002 14:46:00 -0400
Message-ID: <000a01c1dd9b$4c11f840$6401a8c0@router.unknown.ca>

Sounds like more of a bad router configuration problem, not freebsd-security.

----- Original Message -----
From: ozkan_kirik
To: freebsd-security@FreeBSD.ORG
Sent: Saturday, April 06, 2002 1:51 PM
Subject: Abit different ping problem :(

From owner-freebsd-security Sat Apr  6 11:33:03 2002
From: Barney Wolff
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:01
Date: Sat, 6 Apr 2002 14:32:43 -0500
Message-ID: <20020406143243.A8409@tp.databus.com>
In-Reply-To: <200204051512.g35FCOr11637@freefall.freebsd.org>

I don't understand the status of "Not yet fixed." The advisory says
mod_ssl versions < 2.8.7 have the bug, while 2.8.8 is the port distfile
as of 3/28/02. What am I missing?

On Fri, Apr 05, 2002 at 07:12:24AM -0800, FreeBSD Security Advisories wrote:
> +------------------------------------------------------------------------+
> Port name: apache13-ssl, apache13-modssl
> Affected: all versions of apache+ssl
>           all versions of apache+mod_ssl
> Status: Not yet fixed.
> Buffer overflows in SSL session cache handling.

-- 
Barney Wolff
I never met a computer I didn't like.
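Added example, not from any poster in the ping threads above: a small first-match evaluator over an ipfw-style ruleset, showing why ozkan_kirik's two "ipfw add allow" rules for the router only let pings to the router through when the kernel lacks IPFIREWALL_DEFAULT_TO_ACCEPT (default rule 65535 is "deny"), while the same two rules on a kernel built with that option let everything through. The rulesets, the firewall address 193.255.128.250 and the peer 10.0.0.7 are constructed; the evaluator only understands the simple "NNNNN action proto from SRC to DST" form used in the thread and is not ipfw itself.

```shell
#!/bin/sh
# Constructed ruleset: the poster's two "ipfw add allow" commands on a kernel
# without IPFIREWALL_DEFAULT_TO_ACCEPT, so the built-in rule 65535 denies.
RULESET_DEFAULT_DENY='00100 allow ip from 193.255.128.1 to any
00200 allow ip from any to 193.255.128.1
65535 deny ip from any to any'

# The same two rules on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT.
RULESET_DEFAULT_ACCEPT='00100 allow ip from 193.255.128.1 to any
00200 allow ip from any to 193.255.128.1
65535 allow ip from any to any'

# first_match RULESET PROTO SRC DST
# Prints "<action> <rule number>" for the first rule that matches, the way
# ipfw evaluates a packet: ascending rule order, stop at the first hit.
# A rule protocol of "ip" matches every protocol; "any" matches every address.
first_match() {
    printf '%s\n' "$1" | awk -v proto="$2" -v src="$3" -v dst="$4" '
        {
            num = $1; action = $2; rproto = $3; rsrc = $5; rdst = $7
            if ((rproto == "ip" || rproto == proto) &&
                (rsrc == "any" || rsrc == src) &&
                (rdst == "any" || rdst == dst)) {
                print action, num
                exit
            }
        }'
}

# echo_exchange RULESET HOST PEER
# A ping has to get two packets past the filter: the echo request leaving
# HOST for PEER and the echo reply coming back. A request denied on the way
# out is what ping reports as "Permission denied". Prints "ok" or the first
# deny that stops the exchange.
echo_exchange() {
    req=$(first_match "$1" icmp "$2" "$3")
    case "$req" in
        deny*) echo "request blocked by rule ${req#deny }"; return 1 ;;
    esac
    rep=$(first_match "$1" icmp "$3" "$2")
    case "$rep" in
        deny*) echo "reply blocked by rule ${rep#deny }"; return 1 ;;
    esac
    echo ok
}

# Walk both rulesets for a ping to the router and a ping to some other host.
for peer in 193.255.128.1 10.0.0.7; do
    printf 'default deny:   ping %-14s -> %s\n' "$peer" \
        "$(echo_exchange "$RULESET_DEFAULT_DENY" 193.255.128.250 "$peer")"
    printf 'default accept: ping %-14s -> %s\n' "$peer" \
        "$(echo_exchange "$RULESET_DEFAULT_ACCEPT" 193.255.128.250 "$peer")"
done
```

The evaluator covers only the packet filter: a deny shows up as "Permission denied", whereas the "Host is down" error the poster saw after adding the allow rules comes from the network stack below the filter and is not something a ruleset explains.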
From owner-freebsd-security Sat Apr  6 11:42:25 2002
From: "ozkan_kirik"
To: freebsd-security@freebsd.org
Subject: NAT question.
Date: Sat, 06 Apr 2002 19:42:17 -0000

In my LAN, the NAT function is on the router. I wanna remove NAT from the
router. How can I activate NAT on the firewall? I use FreeBSD 4.5.

From owner-freebsd-security Sat Apr  6 14:47:25 2002
From: Scott Lampert
To: "Crist J. Clark"
Cc: security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
Date: Sat, 6 Apr 2002 14:47:17 -0800
Message-Id: <20020406144717.5b973afd.scott@lampert.org>
In-Reply-To: <20020328121200.C97841@blossom.cjclark.org>

On Thu, 28 Mar 2002 12:12:00 -0800 "Crist J. Clark" wrote:
> On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> > Hello,
> >
> > > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > > annoyance with the fact that there are now three filters (ipfw, ipf and
> > > pf) so it seems unlikely that FreeBSD is going to port it.
> > I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> > you are paranoid you can set up your firewall rules in two packet filters,
> > which have different codebases. So if one fails, it is unlikely that the
> > other will too.
> > I think it is good to have more than one packet filter in the kernel :)
> >
> > With PF some more features could also be ported, like the bridge support.
> > And that would be a good thing also.
>
> There is nothing special about PF that makes bridge support
> easier. After all, there is mature bridging support for IPFilter in
> OpenBSD. I also recently committed a hack for IPFilter bridging
> support in -CURRENT. I'll put the -STABLE patches on the website
> listed in the headers and .sig today if anyone wants 'em.

Please do! That's the one thing I've really been missing in FreeBSD.
Any chance of that ever making it into a RELEASE tree?

-- 
Scott Lampert
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." -Benjamin Franklin, 1759
Public Key: http://www.lampert.org/lampert.key

From owner-freebsd-security Sat Apr  6 15:43:26 2002
From: "Douglas K. Rand"
To: freebsd-security@freebsd.org
Subject: Centralized authentication
Date: Sat, 06 Apr 2002 17:43:22 -0600
Message-ID: <874riov1et.wl@delta.meridian-enviro.com>

We have a few dozen FreeBSD workstations and servers and as their numbers
increase managing users and groups via individual /etc/passwd and
/etc/group files is getting more and more tiresome. We also have just a
few Linux boxes.

We aren't a huge site, everybody is in one building on the same network.
I was wondering what other sites are using to solve this problem.

From owner-freebsd-security Sat Apr  6 16:00:29 2002
From: Samuel Chow
To: "Douglas K. Rand"
Cc: freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Date: Sat, 6 Apr 2002 17:00:14 -0700
Message-Id: <20020406170014.5f47c85f.cyschow@shaw.ca>
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com>

On Sat, 06 Apr 2002 17:43:22 -0600 "Douglas K. Rand" wrote:
> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.

How about NIS? I use it at home with a total of two machines and one user.

---
Samuel Chow
cyschow@shaw.ca
Segmentation Fault (core dumped)
This message is displayed using recycled electrons.

From owner-freebsd-security Sat Apr  6 17:12:28 2002
From: Giorgos Keramidas
To: "Patrick O. Fish"
Cc: ozkan_kirik, freebsd-security@FreeBSD.ORG
Subject: Re: When rebuilding Kernel!
Date: Sun, 7 Apr 2002 04:11:03 +0300 (EEST)
Message-ID: <20020407040833.F3172-100000@hades>
In-Reply-To: <019901c1dc33$91302960$0300a8c0@pwhsnet.com>

On 2002-04-04 15:50, Patrick O. Fish wrote:
> ....We all make mistakes...
>
> sysctl kern.securelevel=-1

You can't lower the securelevel once it's raised. There is a way, if you
have compiled DDB in the kernel, but you have to be on the system console,
and stop the running kernel with CTRL+ALT+ESC.

The only way you can lower the securelevel on a machine where you don't
have console access *and* DDB compiled into the kernel is by tweaking the
proper lines in /etc/rc.conf and rebooting.

Giorgos Keramidas
FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}
http://www.FreeBSD.org/docproj/

From owner-freebsd-security Sat Apr  6 21:43:01 2002
From: "Crist J. Clark"
To: Scott Lampert
Cc: security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
Date: Sat, 6 Apr 2002 21:42:54 -0800
Message-ID: <20020406214253.H70207@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20020406144717.5b973afd.scott@lampert.org>

On Sat, Apr 06, 2002 at 02:47:17PM -0800, Scott Lampert wrote:
> On Thu, 28 Mar 2002 12:12:00 -0800
> "Crist J. Clark" wrote:
> > On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> > > Hello,
> > >
> > > > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > > > annoyance with the fact that there are now three filters (ipfw, ipf and
> > > > pf) so it seems unlikely that FreeBSD is going to port it.
> > > I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> > > you are paranoid you can set up your firewall rules in two packet filters,
> > > which have different codebases. So if one fails, it is unlikely that the
> > > other will too.
> > > I think it is good to have more than one packet filter in the kernel :)
> > >
> > > With PF some more features could also be ported, like the bridge support.
> > > And that would be a good thing also.
> >
> > There is nothing special about PF that makes bridge support
> > easier. After all, there is mature bridging support for IPFilter in
> > OpenBSD. I also recently committed a hack for IPFilter bridging
> > support in -CURRENT. I'll put the -STABLE patches on the website
> > listed in the headers and .sig today if anyone wants 'em.
>
> Please do!

The patch is there.

> That's the one thing I've really been missing in FreeBSD.
> Any chance of that ever making it into a RELEASE tree?

It's in 5.0-CURRENT so it may make 5.0-RELEASE. ;) I do not plan to merge
the code into 4.x-STABLE in its current form. I really am not happy with
how it works in -CURRENT either, but to get it to work more cleanly and in
a way darrenr suggested, I'd need to modify IPFilter code, which I have
tried to avoid. So the -CURRENT code is experimental, but that's OK for
-CURRENT. It's not OK for -STABLE. I recently started working fulltime
again and don't see myself working too much on this without funding or
some other motivation to "do it right."

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Sat Apr  6 21:45:35 2002
From: "klik"
To: "Douglas K. Rand", freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Date: Sun, 7 Apr 2002 00:44:48 -0500
Message-ID: <002401c1ddf7$557e84a0$13ed7ad1@unstable.org>
References: <874riov1et.wl@delta.meridian-enviro.com>

check out LDAP

----- Original Message -----
From: "Douglas K. Rand"
To: freebsd-security@FreeBSD.ORG
Sent: Saturday, April 06, 2002 6:43 PM
Subject: Centralized authentication

> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.
>
> We aren't a huge site, everybody is in one building on the same
> network.
>
> I was wondering what other sites are using to solve this problem.

From owner-freebsd-security Sat Apr  6 22:02:43 2002
From: Benjamin Krueger
To: klik
Cc: "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Date: Sat, 6 Apr 2002 22:01:50 -0800
Message-ID: <20020406220150.C2867@rain.macguire.net>
In-Reply-To: <002401c1ddf7$557e84a0$13ed7ad1@unstable.org>

* klik (klik@unstable.org) [020406 21:46]:
> check out LDAP
>
> ----- Original Message -----
> From: "Douglas K. Rand"
> To: freebsd-security@FreeBSD.ORG
> Sent: Saturday, April 06, 2002 6:43 PM
> Subject: Centralized authentication
>
> > We have a few dozen FreeBSD workstations and servers and as their
> > numbers increase managing users and groups via individual /etc/passwd
> > and /etc/group files is getting more and more tiresome. We also have
> > just a few Linux boxes.
> >
> > We aren't a huge site, everybody is in one building on the same
> > network.
> >
> > I was wondering what other sites are using to solve this problem.

I'd highly suggest the oft-little understood but incredibly deserving
Kerberos. I truly believe that if it were better documented and understood
by the masses of administrators out there, it would blow away current
network authentication systems. Heck, Microsoft used it to totally
revitalize their network authentication scheme to enormous benefit. Sadly,
they then broke it for anyone who isn't them.

-- 
Benjamin Krueger
"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Sun Apr  7 00:01:33 2002
From: Peter Leftwich
To: FreeBSD Questions
Cc: FreeBSD Security
Subject: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?"
Date: Sun, 7 Apr 2002 00:00:55 -0800 (PST)
Message-ID: <20020406235622.O877-100000@66-75-1-142.san.rr.com>
Organization: Video2Video Services - http://Www.Video2Video.Com

prompt$ pkg_info | grep -i openssh
openssh-3.0.2       OpenBSD's secure shell client and server (remote login prog

I just upgraded (or tried to upgrade) openssh on my FreeBSD 4.5-RELEASE box
using /stand/sysinstall, but I get this (ver. 2.9??) when I type:

prompt$ ssh -V
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

pkg_help -r --source majordomo? ;-)

-- 
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555