From owner-freebsd-isp@FreeBSD.ORG Sun Nov 9 11:26:17 2003
From: Roman Volf
Date: Sun, 09 Nov 2003 11:26:15 -0800
To: freebsd-isp@freebsd.org
Message-ID: <3FAE94D7.7050401@keystreams.com>
Subject: FreeBSD not routing between VLANs

Hello All,

I've recently had to replace a Cisco router with a FreeBSD router temporarily as the Cisco decided to start going up and down.

Here is my configuration:

fxp0: uplink to ISP
fxp1: vlans to my switch

vlan10: flags=8843 mtu 1500
        inet x.x.x.1 netmask 0xfffffff0 broadcast x.x.x.15
        inet6 fe80::203:47ff:fe2e:46a0%vlan10 prefixlen 64 scopeid 0x9
        ether 00:03:47:2e:46:a1
        vlan: 10 parent interface: fxp1
vlan20: flags=8843 mtu 1500
        inet x.x.x.17 netmask 0xfffffff0 broadcast x.x.x.31
        inet6 fe80::203:47ff:fe2e:46a0%vlan20 prefixlen 64 scopeid 0xa
        ether 00:03:47:2e:46:a1
        vlan: 20 parent interface: fxp1

It's routing everything fine except for routing between the VLANs, i.e. I can't traceroute or ping from x.x.x.2 to x.x.x.18. With the Cisco, traceroutes worked fine, going through the router.

Also, I have some local IPs bound to fxp1 as it was part of a web cluster before I took it off to use as a temp router.

Any suggestions?

-- 
Roman Volf
Keystreams Internet Solutions
(619) 572-2062

From owner-freebsd-isp@FreeBSD.ORG Sun Nov 9 11:33:10 2003
From: Brian Reichert
Date: Sun, 9 Nov 2003 14:33:07 -0500
To: Roman Volf
cc: freebsd-isp@freebsd.org
Message-ID: <20031109193307.GT49679@numachi.com>
In-Reply-To: <3FAE94D7.7050401@keystreams.com>
Subject: Re: FreeBSD not routing between VLANs
On Sun, Nov 09, 2003 at 11:26:15AM -0800, Roman Volf wrote:
> It's routing everything fine except for routing between the VLANs, i.e.
> I can't traceroute or ping from x.x.x.2 to x.x.x.18. With the Cisco
> traceroutes worked fine, going through the router.
>
> Also, I have some local IPs bound to fxp1 as it was part of a web
> cluster before I took it off to use as a temp router.

Have you configured the machine to bridge? See bridge(4)...

> Any suggestions?
>
> -- 
> Roman Volf
> Keystreams Internet Solutions
> (619) 572-2062

-- 
Brian 'you Bastard' Reichert
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large

From owner-freebsd-isp@FreeBSD.ORG Mon Nov 10 15:33:20 2003
From: Brian Reichert
Date: Mon, 10 Nov 2003 18:33:17 -0500
To: Frans ter Borg
cc: Roman Volf
cc: freebsd-isp@freebsd.org
Message-ID: <20031110233317.GN49679@numachi.com>
Subject: Re: FreeBSD not routing between VLANs

On Mon, Nov 10, 2003 at 11:07:03AM +0100, Frans ter Borg wrote:
> > Have you configured the machine to bridge? See bridge(4)...
>
> ...which would defeat the purpose of having different subnets.
>
> Rather, have you configured the machine to route (or forward)?

Yup, I was wrong, sorry...

> Frans

-- 
Brian 'you Bastard' Reichert
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large

From owner-freebsd-isp@FreeBSD.ORG Wed Nov 12 13:05:42 2003
From: David Gilbert
Date: Wed, 12 Nov 2003 16:05:39 -0500
To: Roman Volf
cc: freebsd-isp@freebsd.org
Message-ID: <16306.41123.916747.973351@canoe.dclg.ca>
In-Reply-To: <3FAE94D7.7050401@keystreams.com>
Subject: FreeBSD not routing between VLANs
>>>>> "Roman" == Roman Volf writes:

Roman> Hello All, I've recently had to replace a Cisco router with a
Roman> freebsd router temporarily as the Cisco decided to start going
Roman> up and down. Here is my configuration:

Roman> fxp0: uplink to ISP fxp1: vlans to my switch

Roman> vlan10: flags=8843 mtu
Roman> 1500 inet x.x.x.1 netmask 0xfffffff0 broadcast x.x.x.15 inet6
Roman> fe80::203:47ff:fe2e:46a0%vlan10 prefixlen 64 scopeid 0x9 ether
Roman> 00:03:47:2e:46:a1 vlan: 10 parent interface: fxp1 vlan20:
Roman> flags=8843 mtu 1500
Roman> inet x.x.x.17 netmask 0xfffffff0 broadcast x.x.x.31 inet6
Roman> fe80::203:47ff:fe2e:46a0%vlan20 prefixlen 64 scopeid 0xa ether
Roman> 00:03:47:2e:46:a1 vlan: 20 parent interface: fxp1

Umm... netmask x.x.x.15? FreeBSD uses netmasks in the traditional sense. It should likely be 255.255.255.240 and 255.255.255.224

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor. | Two things can only be       |
|Mail: dave@daveg.ca                    | equal if and only if they    |
|http://daveg.ca                        | are precisely opposite.      |
=========================================================GLO================

From owner-freebsd-isp@FreeBSD.ORG Wed Nov 12 13:13:09 2003
From: David Raistrick
Date: Wed, 12 Nov 2003 13:13:06 -0800 (PST)
To: David Gilbert
cc: Roman Volf
cc: freebsd-isp@freebsd.org
In-Reply-To: <16306.41123.916747.973351@canoe.dclg.ca>
Subject: Re: FreeBSD not routing between VLANs

On Wed, 12 Nov 2003, David Gilbert wrote:

> Roman> 1500 inet x.x.x.1 netmask 0xfffffff0 broadcast x.x.x.15 inet6
>
> Umm... netmask x.x.x.15? FreeBSD uses netmasks in the traditional
> sense. It should likely be 255.255.255.240 and 255.255.255.224

0xfffffff0 is the netmask, .15 is the broadcast. :)

...david

---
david raistrick
drais@atlasta.net      http://www.expita.com/nomime.html

From owner-freebsd-isp@FreeBSD.ORG Wed Nov 12 21:32:20 2003
From: Roman Volf
Date: Wed, 12 Nov 2003 21:32:16 -0800
To: David Raistrick
cc: freebsd-isp@freebsd.org
cc: David Gilbert
Message-ID: <3FB31760.2090103@keystreams.com>
Subject: Re: FreeBSD not routing between VLANs

The problem was simply wrong netmasks set on a few aliases on the ethernet cards of the servers on the VLANs. The netmasks weren't set to 255.255.255.255 on the aliases.

Roman

David Raistrick wrote:
> On Wed, 12 Nov 2003, David Gilbert wrote:
>
>> Roman> 1500 inet x.x.x.1 netmask 0xfffffff0 broadcast x.x.x.15 inet6
>>
>> Umm... netmask x.x.x.15? FreeBSD uses netmasks in the traditional
>> sense. It should likely be 255.255.255.240 and 255.255.255.224
>
> 0xfffffff0 is the netmask, .15 is the broadcast. :)
>
> ...david
>
> ---
> david raistrick
> drais@atlasta.net      http://www.expita.com/nomime.html
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

-- 
Roman Volf
Keystreams Internet Solutions
(619) 572-2062

From owner-freebsd-isp@FreeBSD.ORG Wed Nov 12 23:46:16 2003
From: Jez Hancock
Date: Thu, 13 Nov 2003 07:46:14 +0000
To: FreeBSD ISP List
Message-ID: <20031113074614.GD48330@users.munk.nu>
Subject: Apache leaks sensitive info in PHP phpinfo() calls

Hi,

Recently posted this to freebsd-questions but thought it might be a suitable subject for -isp.

I wanted to get some opinions on this subject before I submit a PR about it. I don't know if there are any pitfalls with the 'fix' I suggested and thought it best to run it past people here before submitting.
If there's a better place to post this please let me know (freebsd-ports?).

The send-pr output I was about to send explains everything so I'll just paste it here:

-snip-
To: FreeBSD-gnats-submit@freebsd.org
From: Jez Hancock
Reply-To: Jez Hancock

>Submitter-Id: current-users
>Originator: Jez Hancock
>Organization: n/a
>Confidential: no
>Synopsis: Apache httpd leaks environment information in PHP phpinfo() calls
>Severity: non-critical
>Priority: low
>Category: ports
>Class: change-request
>Release: FreeBSD 4.8-STABLE i386
>Environment:
System: FreeBSD users.munk.nu 4.8-STABLE FreeBSD 4.8-STABLE #1: Fri Apr 18 14:38:46 BST 2003 root@users.munk.nu:/usr/obj/usr/src/sys/MUNKBOXEN i386

>Description:
The apache13 port control script /usr/local/sbin/apachectl is used to control the apache httpd daemon. However the apachectl script does not start with a clean environment, inheriting the environment of the user that invokes the script.

As a consequence the environment variables set by the shell of the user that invokes apachectl (usually a UID 0 user) are visible to users when executing a command such as phpinfo() in the PHP $_ENV superglobal array.

>How-To-Repeat:
Invoke the apachectl control script as a user who has shell environment variables set. Browse to a web page served by the httpd that contains a PHP phpinfo() call and observe the environment of the user in the $_ENV superglobal array.

>Fix:
Add a single line to the apachectl control script to ensure apache runs with a clean environment:

*** /usr/local/sbin/apachectl	Thu Nov 13 06:59:05 2003
--- /usr/local/sbin/apachectl.bak	Thu Nov 13 06:58:54 2003
***************
*** 26,32 ****
  #
  # the path to your httpd binary, including options if necessary
  HTTPD=/usr/local/sbin/httpd
- HTTPD=`echo /usr/bin/env -i $HTTPD`
  #
  # a command that outputs a formatted text version of the HTML at the
  # url given on the command line.  Designed for lynx, however other
--- 26,31 ----
-snip-

This appears to work as required, removing any details about the apachectl-invoking user's environment from the $_ENV array.

Are there any pitfalls of using env in this way though?

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 01:24:08 2003
From: Nick Kraal
Date: Thu, 13 Nov 2003 17:23:24 +0800
To: FreeBSD ISP List
Message-id: <012c01c3a9c7$ca064360$53e173cb@arc.net.my>
Subject: FreeBSD/Beowulf

Can anyone recommend a really good how-to to implement a FreeBSD/Beowulf combo?

Thanks in advance.
-nick/

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 07:15:15 2003
From: "Dan Vande More"
Date: Thu, 13 Nov 2003 08:15:13 -0700
To: "Jez Hancock", "FreeBSD ISP List"
Message-ID: <6633DBDE6F5ED64D9D6AF3264AEE89147B29A4@shrex.asp.firstlink.com>
Subject: RE: Apache leaks sensitive info in PHP phpinfo() calls

Sometimes httpd/php needs shell environment variables, especially when working with Oracle. In other words, that's a feature, not a bug.

If you have a hosting environment, I recommend you use these in your /usr/local/lib/php.ini:

disable_functions = exec,passthru,proc_close,proc_open,shell_exec,system,phpinfo

-Dan Vande More

-----Original Message-----
From: Jez Hancock [mailto:jez.hancock@munk.nu]
Sent: Thursday, November 13, 2003 12:46 AM
To: FreeBSD ISP List
Subject: Apache leaks sensitive info in PHP phpinfo() calls

[snip]

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 09:46:28 2003
From: Vincent Goupil
Date: Thu, 13 Nov 2003 12:46:24 -0500
To: "'freebsd-ipfw@freebsd.org'", "'freebsd-net@freebsd.org'", "'freebsd-isp@freebsd.org'"
Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address)

I set up a firewall with ipfw2 and natd on FreeBSD 4.9 release.

I have mapped my subnet with alias_address
I have mapped 4 private IP addresses with 4 public IP addresses

Everything is working fine (web, email, ftp, etc.) for outgoing and incoming connections for anyone on my network.

With this configuration, 5 persons at a time (on my network) could dial to the same VPN server. 4 with different IPs and the one with the alias_address. I supposed that only one person at a time can use the alias_address with the IPSec VPN (I think, tell me if I'm wrong).

I have authorized AH and ESP to pass through my firewall. Also incoming UDP 500.

I'm able to use the VPN for the people mapped with alias_address.
I can't use the VPN with the people using the redirect_address.

Is there any problem with the redirect_address directive with natd for the protocol 51 and 51?

Is there any other way to have these 5 people at the same time communicate to the same VPN server? I thought that I could use the redirect_address to do that. So the incoming connection to the VPN server appears from a different IP source address.
Vincent Goupil
Administrateur réseau / Network administrator

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 10:39:01 2003
From: semanticweb Moderator
Date: 13 Nov 2003 18:34:33 -0000
To: freebsd-isp@freebsd.org
Message-ID: <1068748473.224.86434.m19@yahoogroups.com>
Subject: Welcome to semanticweb

Hello, welcome to the Semantic Web Mailing List. The purpose of this mailing list is to relate the different existing ontology development efforts to each other and to split off new ones.

To start sending messages to members of this group, simply send email to semanticweb@egroups.com

If you do not wish to belong to semanticweb, you may unsubscribe by sending an email to semanticweb-unsubscribe@egroups.com

Regards,
Stefan Decker, SemanticWeb.org

Complete your Yahoo! Groups account:
----------------------------------------------------------------------
Your email address has been added to the email list of a Yahoo! Group. To gain access to all of your group's web features (previous messages, photos, files, calendar, etc.) and easier control of your message delivery options, we highly recommend that you complete your account by connecting your email address to a Yahoo account. It is easy and free. Please visit:

http://groups.yahoo.com/convacct?email=freebsd-isp%40freebsd.org&list=semanticweb

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 12:23:48 2003
From: "Thomas S. Crum"
Organization: 1WISP, Inc.
Date: Thu, 13 Nov 2003 15:23:47 -0500
To: "'Vincent Goupil'"
Message-ID: <000701c3aa24$0e11fbb0$6252eb44@wolf>
Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)

It's my understanding that certain IPSEC does not encrypt the entire packet, leaving the header to be mangled by NAT or whatever and refused by the IPSEC machine that you are connecting to. I believe therein your problem lies.

Best,

Tom

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Vincent Goupil
Sent: Thursday, November 13, 2003 12:46 PM
To: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org'; 'freebsd-isp@freebsd.org'
Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address)

[snip]

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 13:16:05 2003
From: "Crist J. Clark"
Date: Thu, 13 Nov 2003 13:16:20 -0800
To: Vincent Goupil
cc: "'freebsd-isp@freebsd.org'"
cc: "'freebsd-ipfw@freebsd.org'"
cc: "'freebsd-net@freebsd.org'"
Message-ID: <20031113211620.GB25920@blossom.cjclark.org>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
> I set up a firewall with ipfw2 and natd on FreeBSD 4.9 release.
>
> I have mapped my subnet with alias_address
> I have mapped 4 private IP addresses with 4 public IP addresses
>
> Everything is working fine (web, email, ftp, etc.) for outgoing and
> incoming connections for anyone on my network.
>
> With this configuration, 5 persons at a time (on my network) could dial to
> the same VPN server.
> 4 with different IPs and the one with the alias_address. I supposed that
> only one person at a time can use the alias_address with the IPSec VPN (I
> think, tell me if I'm wrong)

[snip]

Nope, that's right. You can have only one machine behind natd(8) using ESP at a time (you could actually have one AH and one ESP at the same time, but since NAT breaks AH, what's the point?).

The reason within natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all that it enters into its translation table is,

  IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr

The obvious problem is that you can only have one mapping like this. If you had more than one, when you receive a packet of IPproto from IPdst_addr, to which internal machine do you send it?

Now, that's why natd(8) has problems. Why not add a feature to natd(8) to get around it? Because there is no way to get around the problem. ESP packets have this nice SPI field that one could potentially use to map the traffic between multiple machines behind NAT to a single VPN end point on the other side, but there is no practical way for the NAT box to learn the SPI of incoming packets.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 13:55:05 2003
From: Vincent Goupil
To: "'Crist J.
Clark'" , "'freebsd-ipfw@freebsd.org'" , "'freebsd-net@freebsd.org'" , "'freebsd-isp@freebsd.org'" Date: Thu, 13 Nov 2003 16:55:01 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp) Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 21:55:05 -0000 But if I use this config file for natd: unregistered_only use_sockets log log_denied redirect_address 192.168.1.50 208.x.y.120 redirect_address 192.168.1.51 208.x.y.121 redirect_address 192.168.1.52 208.x.y.122 redirect_address 192.168.1.53 208.x.y.123 alias_address 208.x.y.124 With this setup, I should be able to do 5 VPN IPSec connection at the same time. Since, the ESP packet coming on 208.x.y.120 is mapped directly to 192.168.1.50 and so on for the others using the redirect_address directive. I also understand that I can use only one computer at a time for the others using the alias_address (the rest of the network). I'm currently using this setup. I can do only IPSec with the 192.168.1.10-25 witch is mapped by the alias_address. The computer using the IP from 208.x.y.120-123 can't use the VPN and I don't know why. Vincent -----Original Message----- From: Crist J. Clark [mailto:cristjc@comcast.net] Sent: 13 novembre, 2003 16:16 To: Vincent Goupil Cc: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org'; 'freebsd-isp@freebsd.org' Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address) On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote: > I setup a firewall with ipfw2 and natd on freebsd 4.9 release. 
> > I have mapped my subnet with alias_address > I have mapped 4 private ip address with 4 public ip address > > Everything is working fine (web, email, ftp, etc..) for outgoing and > incoming connections for anyone on my network. > > With this configuration, 5 people at a time (on my network) could dial to > the same VPN server. > 4 with different IP and the one with the alias_address. I supposed that > only one person at a time can use the alias_address with the IPSec VPN (I > think, tell me if I'm wrong) [snip] Nope, that's right. You can have only one machine behind natd(8) using ESP at a time (you could actually have one AH and one ESP at the same time, but since NAT breaks AH, what's the point?). The reason within natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all that it enters into its translation table is, IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr The obvious problem is that you can only have one mapping like this. If you had more than one, when you receive a packet of IPproto from IPdst_addr, to which internal machine do you send it? Now, that's why natd(8) has problems. Why not add a feature to natd(8) to get around it? Because there is no way to get around the problem. ESP packets have this nice SPI field that one could potentially use to map the traffic between multiple machines behind NAT to a single VPN end point on the other side, but there is no practical way for the NAT box to learn the SPI of incoming packets. -- Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 14:08:46 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D50016A4CE for ; Thu, 13 Nov 2003 14:08:46 -0800 (PST) Received: from smtp-ft1.fr.colt.net (smtp-ft1.fr.colt.net [213.41.78.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB6FA43FD7 for ; Thu, 13 Nov 2003 14:08:44 -0800 (PST) (envelope-from nanard@tou.nu) Received: from thot (adm.crystunix.com [195.68.88.114]) by smtp-ft1.fr.colt.net with SMTP id hADM8h905432 for ; Thu, 13 Nov 2003 23:08:43 +0100 Message-ID: <006d01c3aa32$af0c4710$0200a8c0@thot> From: "nanard" To: Date: Thu, 13 Nov 2003 23:08:34 +0100 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: VPN Client X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 22:08:46 -0000 Hi, I'd like to connect BSD clients to an enterprise LAN by VPN. Version of FreeBSD is 4.9 STABLE. I found nothing about VPN client for FreeBSD. Is there some way to do that ? Thanks in advance. Nicolas.
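Returning to the natd(8) thread above: the following Python model is an added illustration for this archive, not code from natd, libalias or any of the posters. It implements the one-line translation-table rule Crist gives for protocols other than TCP/UDP/ICMP (the entry is just "IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr") and shows why a second ESP session to the same peer behind a single alias_address cannot be demultiplexed on the way back in, while per-host redirect_address mappings and UDP-encapsulated ESP on port 4500 keep each host's inbound key unique. All addresses, ports and host names are constructed; the model deliberately reports every inner host that could own an inbound packet instead of guessing, because the thread does not say which host real natd would pick on a collision.

```python
"""Toy model of the natd(8) translation table as described in this thread.

Added illustration, not natd or libalias source.  Entries for port-less
protocols (ESP, AH, ...) are keyed only on proto + addresses, exactly the
rule Crist states; UDP flows get a per-host public source port.
Addresses, ports and hosts are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17          # IP protocol numbers
PEER = "198.51.100.1"      # the single VPN server everyone dials (constructed)
ALIAS = "203.0.113.124"    # alias_address (constructed)
NAT_T_PORT = 4500          # UDP port used for UDP-encapsulated ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # only meaningful for UDP here
    dport: Optional[int] = None


class Natd:
    """Just enough of natd's translation table to show the ESP problem."""

    def __init__(self, alias_address, redirect_address=None):
        self.alias = alias_address
        # redirect_address inner public  ->  1:1 static mappings
        self.redirect = dict(redirect_address or {})
        # inbound lookup key -> every inner host that installed that key
        self.table = defaultdict(list)
        self._next_port = 40000

    def outbound(self, pkt):
        public = self.redirect.get(pkt.src, self.alias)
        if pkt.proto == UDP:
            # Port-aware protocol: natd can hand each inner flow its own
            # public source port, so the inbound key stays unique per host.
            sport = pkt.sport if pkt.src in self.redirect else self._alloc_port()
            key = (UDP, pkt.dst, public, sport)
            self._install(key, pkt.src)
            return Packet(UDP, public, pkt.dst, sport, pkt.dport)
        # Anything else (ESP, AH, ...): the only handle is proto + addresses.
        key = (pkt.proto, pkt.dst, public)
        self._install(key, pkt.src)
        return Packet(pkt.proto, public, pkt.dst)

    def inbound(self, pkt):
        """Inner hosts the packet could belong to; deliverable only if exactly one."""
        if pkt.proto == UDP:
            key = (UDP, pkt.src, pkt.dst, pkt.dport)
        else:
            key = (pkt.proto, pkt.src, pkt.dst)
        return list(self.table.get(key, []))

    def _install(self, key, inner):
        if inner not in self.table[key]:
            self.table[key].append(inner)

    def _alloc_port(self):
        self._next_port += 1
        return self._next_port


def esp_behind_alias(inner_hosts):
    """Plain ESP through one alias_address: candidates for a reply from PEER."""
    nat = Natd(ALIAS)
    for host in inner_hosts:
        nat.outbound(Packet(ESP, host, PEER))
    return nat.inbound(Packet(ESP, PEER, ALIAS))


def esp_behind_redirect(mapping):
    """ESP with redirect_address 1:1 mappings: {public address: candidates}."""
    nat = Natd(ALIAS, mapping)
    for host in mapping:
        nat.outbound(Packet(ESP, host, PEER))
    return {pub: nat.inbound(Packet(ESP, PEER, pub)) for pub in mapping.values()}


def nat_t_behind_alias(inner_hosts):
    """UDP-encapsulated ESP (port 4500) through one alias_address:
    {inner host: candidates for the peer's reply to that host's public port}."""
    nat = Natd(ALIAS)
    result = {}
    for host in inner_hosts:
        out = nat.outbound(Packet(UDP, host, PEER, NAT_T_PORT, NAT_T_PORT))
        reply = Packet(UDP, PEER, out.src, NAT_T_PORT, out.sport)
        result[host] = nat.inbound(reply)
    return result


if __name__ == "__main__":
    print(esp_behind_alias(["192.168.1.10"]))                   # one owner
    print(esp_behind_alias(["192.168.1.10", "192.168.1.11"]))   # two: ambiguous
    print(esp_behind_redirect({"192.168.1.50": "203.0.113.120",
                               "192.168.1.51": "203.0.113.121"}))
    print(nat_t_behind_alias(["192.168.1.10", "192.168.1.11"]))
```

In this model the 1:1 redirect_address hosts each keep an unambiguous inbound key, so the table rule alone does not explain the failure Vincent reports for his 208.x.y.120-123 hosts; the thread leaves that unresolved.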
From owner-freebsd-isp@FreeBSD.ORG Thu Nov 13 14:45:12 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BBA716A4CE for ; Thu, 13 Nov 2003 14:45:12 -0800 (PST) Received: from srv1.cosmo-project.de (srv1.cosmo-project.de [213.83.6.106]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6196B43F3F for ; Thu, 13 Nov 2003 14:45:10 -0800 (PST) (envelope-from andreas@klemm.apsfilter.org) Received: from srv1.cosmo-project.de (localhost [IPv6:::1]) hADMj8t2039497 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Thu, 13 Nov 2003 23:45:08 +0100 (CET) (envelope-from andreas@klemm.apsfilter.org) Received: (from uucp@localhost)hADMj7oA039496 for freebsd-isp@freebsd.org; Thu, 13 Nov 2003 23:45:07 +0100 (CET) (envelope-from andreas@klemm.apsfilter.org) Received: from titan.klemm.apsfilter.org (localhost.klemm.apsfilter.org [127.0.0.1]) by klemm.apsfilter.org (8.12.10/8.12.9) with ESMTP id hADMhLlC044873 for ; Thu, 13 Nov 2003 23:43:22 +0100 (CET) (envelope-from andreas@titan.klemm.apsfilter.org) Received: (from andreas@localhost)hADMhLpK044872 for freebsd-isp@freebsd.org; Thu, 13 Nov 2003 23:43:21 +0100 (CET) (envelope-from andreas) Date: Thu, 13 Nov 2003 23:43:21 +0100 From: Andreas Klemm To: freebsd-isp@freebsd.org Message-ID: <20031113224321.GA44854@titan.klemm.apsfilter.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Operating-System: FreeBSD 5.1-CURRENT X-Disclaimer: A free society is one where it is safe to be unpopular User-Agent: Mutt/1.5.4i Subject: someone using openldap for ~3500 windows user for authentication ? 
X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 22:45:12 -0000 Would like to ask some questions about this if somebody has made experiences with this ... Andreas /// -- Andreas Klemm - Powered by FreeBSD 5.1-CURRENT Need a magic printfilter today ? -> http://www.apsfilter.org/ From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 01:22:50 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A05B16A4CE; Fri, 14 Nov 2003 01:22:50 -0800 (PST) Received: from mizar.origin-it.net (mizar.origin-it.net [194.8.96.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1F0B43FE5; Fri, 14 Nov 2003 01:22:47 -0800 (PST) (envelope-from helge.oldach@atosorigin.com) Received: from matar.hbg.de.int.atosorigin.com (dehsfw3e.origin-it.net [194.8.96.68])hAE9M8UQ065683 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 14 Nov 2003 10:22:08 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: from galaxy.hbg.de.ao-srv.com (galaxy.hbg.de.ao-srv.com [161.89.20.4])ESMTP id hAE9M835051462; Fri, 14 Nov 2003 10:22:08 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: (from hmo@localhost) by galaxy.hbg.de.ao-srv.com (8.9.3p2/8.9.3/hmo30mar03) id KAA17257; Fri, 14 Nov 2003 10:22:06 +0100 (MET) Message-Id: <200311140922.KAA17257@galaxy.hbg.de.ao-srv.com> In-Reply-To: <20031113211620.GB25920@blossom.cjclark.org> from "Crist J. 
Clark" at "Nov 13, 2003 10:16:20 pm" To: cjc@freebsd.org Date: Fri, 14 Nov 2003 10:22:06 +0100 (MET) From: Helge Oldach X-Address: Atos Origin GmbH, Friesenstraße 13, D-20097 Hamburg, Germany X-Phone: +49 40 7886 7464, Fax: +49 40 7886 9464, Mobile: +49 160 4782517 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 09:22:50 -0000 Crist J. Clark: >On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote: >> I setup a firewall with ipfw2 and natd on freebsd 4.9 release. >> >> I have mapped my subnet with alias_address >> I have mapped 4 private ip address with 4 public ip address >> >> Everything is working fine (web, email, ftp, etc..) for outgoing and >> incoming connexion for anyone on my network. >> >> With this configuration, 5 person at a time (on my network) could dial to >> the same VPN server. >> 4 with different IP and the one with the alias_address. I supposed that >> only one person at a time can use the alias_address with the IPSec VPN (I >> think, tell me if I'm wrong) >[snip] > >Nope, that's right. You can have only one machine behind natd(8) using >ESP at a time (you could actually have one AH and one ESP at the same >time, but since NAT breaks AH, what's the point?). The reason within >natd(8) is that accept for a few protocols (TCP, UDP, ICMP, etc.), all >that it enters into its translation table is, > > IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr > >The obvious problem is that you can only have one mapping like >this. 
If you had more than one, when you receive a packet of IPproto >from IPdst_addr, to which internal machine do you send it? > >Now, that's why natd(8) has problems. Why not add a feature to natd(8) >to get around it? Because there is no way to get around the >problem. ESP packets have this nice SPI field that one could >potentially use to map the traffic between multiple machines behind >NAT to a single VPN end point on the other side, but there is no >practical way for the NAT box to learn the SPI of incoming packets. Certainly there is. This is actually implemented in most modern VPN devices. They do NAT translation according to SPI. The alternative is to encapsulate IPSec traffic in UDP (using port 4500) packets which can be neatly NATted. In Cisco IOS speak: cisco(config)#crypto ipsec nat-transparency ? spi-matching Match inbound SPI to outbound SPI for IPsec aware NAT udp-encapsulation UDP encapsulation of IPsec protocols cisco(config)# The core issue is that FreeBSD does neither support SPI-based NAT, nor does it support UDP-encapsulated IPSec. 
Helge From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 07:08:20 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE69E16A4CE for ; Fri, 14 Nov 2003 07:08:20 -0800 (PST) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2644C43FA3 for ; Fri, 14 Nov 2003 07:08:20 -0800 (PST) (envelope-from anderson@centtech.com) Received: from centtech.com (dhcp-171-146.centtech.com [10.177.171.146]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id hAEF8E6T071746; Fri, 14 Nov 2003 09:08:15 -0600 (CST) (envelope-from anderson@centtech.com) Message-ID: <3FB4EFDA.5090209@centtech.com> Date: Fri, 14 Nov 2003 09:08:10 -0600 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: nanard References: <006d01c3aa32$af0c4710$0200a8c0@thot> In-Reply-To: <006d01c3aa32$af0c4710$0200a8c0@thot> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org Subject: Re: VPN Client X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 15:08:21 -0000 nanard wrote: >Hi, > >I'd like to connect BSD clients to an enterprise LAN by VPN. > >Version of FreeBSD is 4.9 STABLE. > >I found nothing about VPN client for FreeBSD. > >Is there some way to do that ? > I use mpd as a vpn product (see your nearest ports collection). It's not the most secure, but it is simple to set up. It more depends on what device you are connecting to on the "server" end.
Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology All generalizations are false, including this one. ------------------------------------------------------------------ From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 07:09:24 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E8CD16A4CE; Fri, 14 Nov 2003 07:09:24 -0800 (PST) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id E588F43FBF; Fri, 14 Nov 2003 07:09:22 -0800 (PST) (envelope-from anderson@centtech.com) Received: from centtech.com (dhcp-171-146.centtech.com [10.177.171.146]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id hAEF9L6T071913; Fri, 14 Nov 2003 09:09:21 -0600 (CST) (envelope-from anderson@centtech.com) Message-ID: <3FB4F01D.8020008@centtech.com> Date: Fri, 14 Nov 2003 09:09:17 -0600 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Andreas Klemm References: <20031113224321.GA44854@titan.klemm.apsfilter.org> In-Reply-To: <20031113224321.GA44854@titan.klemm.apsfilter.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org Subject: Re: someone using openldap for ~3500 windows user for authentication ? X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 15:09:24 -0000 Andreas Klemm wrote: >Would like to ask some questions about this if somebody >has made experiences with this ... > Are you planning on using Samba as a PDC for authentication, or did you have another way? 
Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology All generalizations are false, including this one. ------------------------------------------------------------------ From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 08:36:38 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7BD5716A4CE; Fri, 14 Nov 2003 08:36:38 -0800 (PST) Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3919D43FE0; Fri, 14 Nov 2003 08:36:37 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (rwcrmhc11) with ESMTP id <2003111416363601300hutqre>; Fri, 14 Nov 2003 16:36:36 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hAEGatsb062096; Fri, 14 Nov 2003 08:36:55 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hAEGasev062095; Fri, 14 Nov 2003 08:36:54 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Fri, 14 Nov 2003 08:36:54 -0800 From: "Crist J. 
Clark" To: Helge Oldach Message-ID: <20031114163654.GB61960@blossom.cjclark.org> References: <20031113211620.GB25920@blossom.cjclark.org> <200311140922.KAA17257@galaxy.hbg.de.ao-srv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200311140922.KAA17257@galaxy.hbg.de.ao-srv.com> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: cjclark@alum.mit.edu List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 16:36:38 -0000 On Fri, Nov 14, 2003 at 10:22:06AM +0100, Helge Oldach wrote: > Crist J. Clark: > >On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote: > >> I setup a firewall with ipfw2 and natd on freebsd 4.9 release. > >> > >> I have mapped my subnet with alias_address > >> I have mapped 4 private ip address with 4 public ip address > >> > >> Everything is working fine (web, email, ftp, etc..) for outgoing and > >> incoming connexion for anyone on my network. > >> > >> With this configuration, 5 person at a time (on my network) could dial to > >> the same VPN server. > >> 4 with different IP and the one with the alias_address. I supposed that > >> only one person at a time can use the alias_address with the IPSec VPN (I > >> think, tell me if I'm wrong) > >[snip] > > > >Nope, that's right. You can have only one machine behind natd(8) using > >ESP at a time (you could actually have one AH and one ESP at the same > >time, but since NAT breaks AH, what's the point?). 
The reason within > >natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all > >that it enters into its translation table is, > > > > IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr > > > >The obvious problem is that you can only have one mapping like > >this. If you had more than one, when you receive a packet of IPproto > >from IPdst_addr, to which internal machine do you send it? > > > >Now, that's why natd(8) has problems. Why not add a feature to natd(8) > >to get around it? Because there is no way to get around the > >problem. ESP packets have this nice SPI field that one could > >potentially use to map the traffic between multiple machines behind > >NAT to a single VPN end point on the other side, but there is no > >practical way for the NAT box to learn the SPI of incoming packets. > > Certainly there is. Nope, there isn't a general way to do it. > This is actually implemented in most modern VPN > devices. They do NAT translation according to SPI. The alternative is to > encapsulate IPSec traffic in UDP (using port 4500) packets which can be > neatly NATted. It's not actually very neat. Most vendor kludges to do this are not interoperable. The IETF draft for it isn't widely implemented AFAIK. > In Cisco IOS speak: > > cisco(config)#crypto ipsec nat-transparency ? > spi-matching Match inbound SPI to outbound SPI for IPsec aware NAT Not sure what that is going to accomplish. The inbound SPI and outbound SPI are, in general, completely independent values. The whole problem is that there is no way to know what the incoming (from the external VPN end point to the one behind the NAT device) SPI is going to be. There are heuristics a NAT device could use to guess (when a new SPI shows up at the doorstep, it's to the host that most recently had some IKE activity), but it's just that, a guess. (And if two systems start up or rekey at the same time, you're hosed when guessing by key traffic.
Worse yet, there is no requirement to use IKE to setup IPsec SAs, so then what's a NAT box to do?) > udp-encapsulation UDP encapsulation of IPsec protocols > cisco(config)# > > The core issue is that FreeBSD does neither support SPI-based NAT, 'Cause unless you have a hacked up IPsec implementation that uses the same SPI both directions, it is useless. > nor > does it support UDP-encapsulated IPSec. I'll post some instructions on how to do this (not compliant with the draft below). But that still is not a panacea, http://ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-06.txt http://ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt NAT is evil. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 09:23:48 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCA5216A4CE; Fri, 14 Nov 2003 09:23:47 -0800 (PST) Received: from mizar.origin-it.net (mizar.origin-it.net [194.8.96.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0298743FE5; Fri, 14 Nov 2003 09:23:46 -0800 (PST) (envelope-from helge.oldach@atosorigin.com) Received: from matar.hbg.de.int.atosorigin.com (dehsfw3e.origin-it.net [194.8.96.68])hAEHN3UQ089189 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 14 Nov 2003 18:23:03 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: from galaxy.hbg.de.ao-srv.com (galaxy.hbg.de.ao-srv.com [161.89.20.4])ESMTP id hAEHN335075842; Fri, 14 Nov 2003 18:23:03 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: (from hmo@localhost) by galaxy.hbg.de.ao-srv.com (8.9.3p2/8.9.3/hmo30mar03) id SAA19138; Fri, 14 Nov 2003 18:22:55 +0100 (MET) Message-Id: <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com> In-Reply-To: <20031114163654.GB61960@blossom.cjclark.org> from "Crist J.
Clark" at "Nov 14, 2003 5:36:54 pm" To: cjclark@alum.mit.edu Date: Fri, 14 Nov 2003 18:22:55 +0100 (MET) From: Helge Oldach X-Address: Atos Origin GmbH, Friesenstraße 13, D-20097 Hamburg, Germany X-Phone: +49 40 7886 7464, Fax: +49 40 7886 9464, Mobile: +49 160 4782517 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 17:23:48 -0000 Crist J. Clark: >> >ESP packets have this nice SPI field that one could >> >potentially use to map the traffic between multiple machines behind >> >NAT to a single VPN end point on the other side, but there is no >> >practical way for the NAT box to learn the SPI of incoming packets. >> Certainly there is. > >Nope, there isn't a general way to do it. Agreed, there is no *general* trick. But the hacks I have described work very well in many business environments. >> This is actually implemented in most modern VPN >> devices. They do NAT translation according to SPI. The alternative is to >> encapsulate IPSec traffic in UDP (using port 4500) packets which can be >> neatly NATted. > >It's not actually very neat. Most vendor kludges to do this are not >interoperable. The IETF draft for it isn't widely implemented AFAIK. As I said, must modern VPN devices have it. As a minimum, virtually any el-cheapo DSL router supports ESP-NAT for a single device (assuming that all SPIs belong to a single internal address). But many also support SPI-aware NAT. >> In Cisco IOS speak: >> >> cisco(config)#crypto ipsec nat-transparency ? 
>> spi-matching Match inbound SPI to outbound SPI for IPsec aware NAT > >Not sure what that is going to accomplish. The inbound SPI and >outbound SPI are, in general, completely independent values. The whole >problem is that there is no way to know what the incoming (from the >external VPN end point to the one behind the NAT device) SPI is going >to be. Correct. Cisco requires that you use IKE in order to make it work. Basically this is NAT for ESP, and the SPI-NAT table is being built up using IKE cookie matching. There are no heuristics involved. >> udp-encapsulation UDP encapsulation of IPsec protocols >> cisco(config)# >> >> The core issue is that FreeBSD does neither support SPI-based NAT, > >'Cause unless you have a hacked up IPsec implementation that uses the >same SPI both directions, it is useless. Nothing that works well and has noticeable exposure is useless. This definitely has both. Not with FreeBSD, though. It does work with Windows 2000 SP4, to put a name up... So it's definitely out there. >> nor >> does it support UDP-encapsulated IPSec. > >I'll post some instructions on how to do this (not compliant with the >draft below). But that still is not a panacea, Thank you, this is very interesting. >NAT is evil. Of course. But it's also a fact of life...
Helge

From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 12:12:34 2003
Date: Fri, 14 Nov 2003 12:12:46 -0800
From: "Crist J. Clark"
To: Helge Oldach
Message-ID: <20031114201246.GA62521@blossom.cjclark.org>
References: <20031114163654.GB61960@blossom.cjclark.org> <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com>
Reply-To: cjclark@alum.mit.edu
cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, vgoupil@alis.com, freebsd-net@freebsd.org
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> Crist J. Clark:
[snip]
> >> This is actually implemented in most modern VPN
> >> devices. They do NAT translation according to SPI. The alternative is to
> >> encapsulate IPSec traffic in UDP (using port 4500) packets which can be
> >> neatly NATted.
> >
> >It's not actually very neat. Most vendor kludges to do this are not
> >interoperable. The IETF draft for it isn't widely implemented AFAIK.
>
> As I said, most modern VPN devices have it. As a minimum, virtually any
> el-cheapo DSL router supports ESP-NAT for a single device (assuming that
> all SPIs belong to a single internal address). But many also support
> SPI-aware NAT.

FreeBSD natd(8) will work fine for a single VPN end point behind a
many-to-one mapping. In fact, it will work fine for arbitrarily many VPN
end points behind NAT as long as each one has a unique address at the
other end.

> >> In Cisco IOS speak:
> >>
> >>   cisco(config)#crypto ipsec nat-transparency ?
> >>     spi-matching       Match inbound SPI to outbound SPI for IPsec aware NAT
> >
> >Not sure what that is going to accomplish. The inbound SPI and
> >outbound SPI are, in general, completely independent values. The whole
> >problem is that there is no way to know what the incoming (from the
> >external VPN end point to the one behind the NAT device) SPI is going
> >to be.
>
> Correct. Cisco requires that you use IKE in order to make it work.
> Basically this is NAT for ESP, and the SPI-NAT table is being built up
> using IKE cookie matching. There are no heuristics involved.

The IKE cookies, the IKE-SPI, do not have anything to do with IPsec
protocol SPIs. The cookies can be used to perform NAT tricks with IKE
traffic, but not IPsec (unless there are proprietary vendor kludges to
make the IPsec SPIs derivatives of the IKE-SPI).

> >>     udp-encapsulation  UDP encapsulation of IPsec protocols
> >>   cisco(config)#
> >>
> >> The core issue is that FreeBSD does neither support SPI-based NAT,
> >
> >'Cause unless you have a hacked up IPsec implementation that uses the
> >same SPI both directions, it is useless.
>
> Nothing that works well and has noticeable exposure is useless. This
> definitely has both. Not with FreeBSD, though. It does work with Windows
> 2000 SP4, to put a name up... So it's definitely out there.

Two different ESP end points behind many-to-one NAT connected to a
single ESP end point on the other side of the NAT? I'd be very curious
to get the documentation on how they are cheating to get that to work.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-isp@FreeBSD.ORG Fri Nov 14 22:55:33 2003
Date: Sat, 15 Nov 2003 07:54:40 +0100
From: "Oldach, Helge"
To: "'cjclark@alum.mit.edu'"
cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, vgoupil@alis.com, freebsd-net@freebsd.org
Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)

From: Crist J. Clark [mailto:cristjc@comcast.net]
> On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > Nothing that works well and has noticeable exposure is useless. This
> > definitely has both. Not with FreeBSD, though. It does work with Windows
> > 2000 SP4, to put a name up... So it's definitely out there.
>
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.

You have posted a reference already. W2k SP4 supports UDP encapsulation of
IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70%
market share.

Note that an MS employee has co-authored one of the IETF drafts you had
mentioned. This is apparently not just coincidence...

I do well understand that there is no general solution. However, FreeBSD
is definitely behind what is available on the commercial market today. Call
it "cheating" - but it's out there and it works. I would rather prefer to
see a feature that doesn't solve a 100% case than to see nothing because
we feel that a "general specification" is missing.

Helge

From owner-freebsd-isp@FreeBSD.ORG Sat Nov 15 02:59:27 2003
Date: Sat, 15 Nov 2003 11:59:10 +0100
From: "nanard"
To: "Eric Anderson"
Message-ID: <00dd01c3ab67$80931590$0200a8c0@thot>
References: <006d01c3aa32$af0c4710$0200a8c0@thot> <3FB4EFDA.5090209@centtech.com>
cc: freebsd-isp@freebsd.org
Subject: Re: VPN Client

Hi,

Thanks for your answer. I installed mpd-3.15 and tried to configure it,
but it doesn't seem to work.

My configuration:

The remote public IP of the VPN server is AA.BB.XX.YY (port 10000).
IP range given by my VPN server: 10.33.249.0/24

With Windows XP, I just put in the remote public IP AA.BB.XX.YY, user/pass
and group/passwd.

I found some documentation on the Internet.
In /usr/local/etc/mpd.conf I put this:

----
default:
        load ciscovpn

ciscovpn:
        new -i ng0 ciscovpn pptp192
        set bundle authname "MY_USERNAME"
        set ipcp ranges 10.33.249.0/24 AA.BB.YY.ZZ/16
        set iface up-script /usr/local/etc/mpd/ciscovpn-iface-up.sh
        load ciscopptp
        open

ciscopptp:
        set bundle disable compression encryption
        set bundle no crypt-reqd
        set iface idle 0
        set ipcp disable vjcomp
        set ipcp enable req-pri-dns req-sec-dns
        set link max-redial 1
        set link keep-alive 0 0
        set link disable pap chap
        set link disable acfcomp protocomp
--------- eof ------------

In /usr/local/etc/mpd/ciscovpn-iface-up.sh:

#!/bin/sh
iface=$1
proto=$2
localip=$3
remoteip=$4
vpn_private_ip=AA.BB.XX.YY
ifconfig $iface $proto $localip $vpn_private_ip netmask 0xffffffff
ifconfig $iface mtu 1460
route flush
route add default -interface $iface
----- eof ----------

In /usr/local/etc/mpd.links:

ciscovpn:
        set link type pptp
        set pptp peer AA.BB.XX.YY.ZZ
        set pptp enable originate outcall
--------- eof ---------------

In /usr/local/etc/mpd.secret:

"MY_USERNAME" "MY_PASSWORD"

When I started "mpd", it said this:

# mpd
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 63338, version 3.15 (root@xxxxx.xxxx.com 21:42 13-Nov-2003)
[ciscovpn] ppp node is "mpd63338-ciscov"
[ciscovpn] using interface ng0
[ciscovpn] IFACE: Open event
[ciscovpn] IPCP: Open event
[ciscovpn] IPCP: state change Initial --> Starting
[ciscovpn] IPCP: LayerStart
[ciscovpn:pptp192]
[ciscovpn] bundle: OPEN event in state CLOSED
[ciscovpn] opening link "pptp192"...
[pptp192] link: OPEN event
[pptp192] LCP: Open event
[pptp192] LCP: state change Initial --> Starting
[pptp192] LCP: LayerStart
[pptp192] device: OPEN event in state DOWN
[pptp192] this link has no type set
[pptp192] device is now in state DOWN

Is there something I forgot?

Thanks in advance.
nanard

----- Original Message -----
From: "Eric Anderson"
To: "nanard"
Sent: Friday, November 14, 2003 4:08 PM
Subject: Re: VPN Client

> nanard wrote:
>
> >Hi,
> >
> >I'd like to connect BSD clients to an enterprise LAN by VPN.
> >
> >Version of FreeBSD is 4.9 STABLE.
> >
> >I found nothing about a VPN client for FreeBSD.
> >
> >Is there some way to do that?
>
> I use mpd as a vpn product (see your nearest ports collection). It's
> not the most secure, but it is simple to set up. It more depends on
> what device you are connecting to on the "server" end.
>
> Eric
>
> --
> ------------------------------------------------------------------
> Eric Anderson   Systems Administrator   Centaur Technology
> All generalizations are false, including this one.
> ------------------------------------------------------------------

From owner-freebsd-isp@FreeBSD.ORG Sat Nov 15 08:22:49 2003
Date: Sat, 15 Nov 2003 18:22:04 +0200
From: "Vahric MUHTARYAN"
Message-ID: <009b01c3ab94$9b2aaa80$110d3ad4@VAHOXP>
Subject: About DNS (BIND) with Database
Hi everybody,

Does anybody use BIND with a MySQL database (a BIND 9 DNS server which
supports a MySQL backend)? Any suggestions? Do you think it's working
stably or not?

Port name: bind9-sdb-mysql-9.2.2_1

Vahric

From owner-freebsd-isp@FreeBSD.ORG Sat Nov 15 10:23:56 2003
Date: Sat, 15 Nov 2003 10:24:09 -0800
From: "Crist J. Clark"
To: "Oldach, Helge"
Message-ID: <20031115182409.GA2001@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, vgoupil@alis.com, freebsd-net@freebsd.org
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> From: Crist J. Clark [mailto:cristjc@comcast.net]
> > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> > > Nothing that works well and has noticeable exposure is useless. This
> > > definitely has both. Not with FreeBSD, though. It does work with Windows
> > > 2000 SP4, to put a name up... So it's definitely out there.
> >
> > Two different ESP end points behind many-to-one NAT connected to a
> > single ESP end point on the other side of the NAT? I'd be very curious
> > to get the documentation on how they are cheating to get that to work.
>
> You have posted a reference already. W2k SP4 supports UDP encapsulation of
> IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and
> Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70%
> market share.

Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have
dealt with several of these implementations too. I thought that you were
implying that there were working NAT implementations that could deal
with ESP in these circumstances.
--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-isp@FreeBSD.ORG Sat Nov 15 19:01:18 2003
Date: Sat, 15 Nov 2003 07:20:10 +0000
From: Bruce M Simpson
To: "Oldach, Helge"
Message-ID: <20031115072010.GA72782@saboteur.dek.spc.org>
cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, "'cjclark@alum.mit.edu'", vgoupil@alis.com, freebsd-net@freebsd.org
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> I do well understand that there is no general solution. However, FreeBSD
> is definitely behind what is available on the commercial market today. Call
> it "cheating" - but it's out there and it works. I would rather prefer to
> see a feature that doesn't solve a 100% case than to see nothing because
> we feel that a "general specification" is missing.

I'm in agreement here. The fact alone that hundreds of DSL providers are
blocking tunneling and VPN protocols should be enough.

So far, though, our provider passes ESP, so I'm not in a hurry to
implement this myself.

BMS
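The point argued back and forth in this thread (bare ESP behind many-to-one NAT works only while each remote peer maps to one inside host, because the inbound SPI is chosen by the far end and cannot be predicted from the outbound one; ESP-in-UDP on port 4500 has no such limit) can be modelled in a few lines. This is an added toy translator, not natd(8) code or anything from the vendors named; all addresses, ports and SPIs are constructed sample values.

```python
# Added example (not natd(8) or vendor code): a toy many-to-one NAT showing
# why raw ESP can only be demultiplexed by remote peer address (each side
# picks its own SPI, so the inbound SPI is unknowable in advance) and why
# ESP-in-UDP (port 4500) translates like any other UDP flow.
# Addresses, ports and SPIs are constructed sample values.
from dataclasses import dataclass
from typing import Optional

PUBLIC = "198.51.100.1"   # the NAT box's single external address

@dataclass(frozen=True)
class Esp:
    src: str
    dst: str
    spi: int              # picked by the receiver; unrelated to the reverse SPI

@dataclass(frozen=True)
class EspInUdp:
    src: str
    dst: str
    sport: int
    dport: int
    spi: int

class ManyToOneNat:
    def __init__(self) -> None:
        self.esp_owner = {}      # remote peer address -> inside host
        self.udp_by_port = {}    # public port -> (inside host, inside port)
        self.udp_by_host = {}    # (inside host, inside port) -> public port
        self.next_port = 40000

    # Raw ESP: only the peer address can identify the inside host, so a
    # second inside host talking to the same peer is ambiguous.
    def esp_out(self, p: Esp) -> Optional[Esp]:
        owner = self.esp_owner.setdefault(p.dst, p.src)
        if owner != p.src:
            return None          # refuse rather than misdeliver return traffic
        return Esp(PUBLIC, p.dst, p.spi)

    def esp_in(self, p: Esp) -> Optional[Esp]:
        host = self.esp_owner.get(p.src)
        return None if host is None else Esp(p.src, host, p.spi)

    # ESP-in-UDP: the translated source port carries the demux information,
    # so any number of inside hosts may talk to the same peer.
    def udp_out(self, p: EspInUdp) -> EspInUdp:
        key = (p.src, p.sport)
        if key not in self.udp_by_host:
            self.udp_by_host[key] = self.next_port
            self.udp_by_port[self.next_port] = key
            self.next_port += 1
        return EspInUdp(PUBLIC, p.dst, self.udp_by_host[key], p.dport, p.spi)

    def udp_in(self, p: EspInUdp) -> Optional[EspInUdp]:
        key = self.udp_by_port.get(p.dport)
        if key is None:
            return None
        host, sport = key
        return EspInUdp(p.src, host, p.sport, sport, p.spi)
```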