From: Vaida Bogdan
Date: Sun, 22 Jan 2006 19:42:48 +0000
To: freebsd-security@freebsd.org
Subject: setting up vpn client on a freebsd workstation

I have the following network:

      External Interface                          External Interface
      ccc.ccc.ccc.ccc                             aaa.aaa.aaa.aaa
             |                                           |
        --> VPN <--> Internet <--> FreeBSD Client (NATed extip: bbb.bbb.bbb.bbb)
             |
      FW-1 Protected Net
      ddd.ddd.ddd.ddd/24

VPN: ipsec freeswan (UDP encapsulated tunnel)
ccc.ccc.ccc.ccc has port 136/UDP open for this
I also have the following certs: cert.pem, key.pem, crl.pem and CA.pem
I am behind internal IPs allocated by DHCP.

I need to connect to an IP in the Protected Net area. It's my first VPN connection and I'm having problems with it. I tried following the handbook, but it gets into racoon configs and I'm seeking a simpler implementation. I also found papers regarding pptp and pipsec. The problem is I don't know which one to use. Could anyone point me to a paper and the differences in the configs for my scenario?

From: Martin Hudec
Date: Sun, 22 Jan 2006 21:09:56 +0100
Subject: Re: setting up vpn client on a freebsd workstation

Hello,

Vaida Bogdan wrote:
> I have the following network:
>
>       External Interface                          External Interface
>       ccc.ccc.ccc.ccc                             aaa.aaa.aaa.aaa
>              |                                           |
>         --> VPN <--> Internet <--> FreeBSD Client (NATed extip: bbb.bbb.bbb.bbb)
>              |
>       FW-1 Protected Net
>       ddd.ddd.ddd.ddd/24
>
> VPN: ipsec freeswan (UDP encapsulated tunnel)
> ccc.ccc.ccc.ccc has port 136/UDP open for this
> I also have the following certs: cert.pem, key.pem crl.pem and CA.pem
> I am behind internal ips allocated by dhcp.
>
> I need to connect to an ip in the Protected Net area.

Are you connecting to a Windows VPN server or a VPN router or what? Maybe net/pptp-client will be enough for you..
Martin

From: darkstrumn@qwauulprime.hivenet.net
Date: Sun, 22 Jan 2006 13:46:42 -0700
To: freebsd-security@freebsd.org
Subject: ASMTP setup on 4.8 -- SOLVED!!!

Hi Drew,

I came across your solution to an SASL problem where the system would not authenticate.
> Note: As per discussions on the Postfix users mailing list, there is a known issue in Postfix20020917/SASL2 where the smtpd_sasl_local_domain option must be left to an empty (null) value, otherwise SASL2 will not authenticate. In /usr/local/etc/postfix/main.cf I had "smtpd_sasl_local_domain = $myhostname" as shown in the various examples on the net. Based on the above, I changed it to "smtpd_sasl_local_domain =" and now it works.

In my attempts to correct the issue, your solution provided the nudge in the right direction. However, I believe the conclusion "a known issue in Postfix20020917/SASL2" is invalid.

Using your solution as a base, instead of issuing "saslpasswd2 -c -u domain user" (user is unable to authenticate) I issue "saslpasswd2 -c -u hostname.domain user" (user is now able to authenticate), where the hostname happens to be the hostname of the server, as that is the fully qualified $myhostname.

To prove it, I changed "smtpd_sasl_local_domain = $myhostname" to "smtpd_sasl_local_domain = $mydomain" and the original user added via "saslpasswd2 -c -u domain user" is now able to authenticate using the credentials for that user.

So, by setting "smtpd_sasl_local_domain =" to (null) it allows users added using "saslpasswd2 -c user" to work, which I also tested.

Anyway, I'm writing you because I'm not on the news groups and cannot post my findings, but as you have, and had this issue once before... I figured you might post it. If you do not wish to, that's ok too, I just figured I would contribute to the community what I could.

Thanks for your time.
Dawayne

From: Norberto Meijome
Date: Mon, 23 Jan 2006 09:39:52 +1100
To: FreeBSD Questions, Freebsd-security@freebsd.org
Subject: Encrypted volume - how?

Hi all,

I'm looking for a way to recreate the functionality of PGP Disk (under Win32). Basically, create an encrypted file, which contains a filesystem which can then be mounted in any mount point.

I know I can use GELI in FreeBSD 6 - as I understand, it performs the encryption at the partition level (the whole partition is encrypted). I'd like to be able to simply unmount my 'secure volume', and be able to back it up as a whole, or move it to another computer without having to repartition the destination.
I think GELI wouldn't be good for this.

I think I've read somewhere that you could use openssl to generate an encrypted volume and then mount it. I searched for a while and can't find any reference to this. Does anyone know how to do this with openssl, OR any other tool?

thanks in advance,
Beto

From: Brooks Davis
Date: Sun, 22 Jan 2006 15:08:16 -0800
To: Norberto Meijome
Cc: Freebsd-security@freebsd.org, FreeBSD Questions
Subject: Re: Encrypted volume - how?
On Mon, Jan 23, 2006 at 09:39:52AM +1100, Norberto Meijome wrote:
> I know I can use GELI in FreeBSD 6 - as I understand, it performs the
> encryption at the partition level (the whole partition is encrypted).
> I'd like to be able to simply unmount my 'secure volume', and be able to
> back it up as a whole, or move it to another computer without having to
> repartition the destination. I think GELI wouldn't be good for this.

GELI or GBDE are probably what you're looking for, you just need to use mdconfig to create a vnode (file) backed disk image which you will encrypt and then create a file system on.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From: Arne Woerner
Date: Sun, 22 Jan 2006 15:13:52 -0800 (PST)
To: Norberto Meijome, FreeBSD Questions, Freebsd-security@freebsd.org
Subject: Re: Encrypted volume - how?
--- Norberto Meijome wrote:
> openssl, OR any other tool ?

I have heard of gbde(8), which might be a few years older than geli(8)...

-Arne

From: Norberto Meijome
Date: Mon, 23 Jan 2006 11:11:52 +1100
To: FreeBSD Questions
Cc: Freebsd-security@freebsd.org
Subject: Re: Encrypted volume - how?
Brooks Davis wrote:
> GELI or GBDE are probably what you're looking for, you just need to use
> mdconfig to create a vnode (file) backed disk image which you will
> encrypt and then create a file system on.

Thanks Brooks and everyone else who kindly pointed me in the right direction :)

I think I will use GELI (I like the 2 key system, and it seems to be newer technology.)
cheers,
Beto

From: Giorgos Keramidas
Date: Mon, 23 Jan 2006 00:55:56 +0200
To: Norberto Meijome
Cc: Freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Encrypted volume - how?

On 2006-01-23 09:39, Norberto Meijome wrote:
> Hi all,
> I'm looking for a way to recreate the functionality of PGP Disk (under
> Win32).
> Basically, create an encrypted file, which contains a
> filesystem which can then be mounted in any mount point.
>
> I know I can use GELI in FreeBSD 6 - as I understand, it performs the
> encryption at the partition level (the whole partition is encrypted).
> I'd like to be able to simply unmount my 'secure volume', and be able
> to back it up as a whole, or move it to another computer without
> having to repartition the destination. I think GELI wouldn't be good
> for this.

If the destination computer runs FreeBSD too, you shouldn't need to repartition at all.

> I think I've read somewhere that you could use openssl to generate an
> encrypted volume and then mount it. I searched for a while and can't
> find any reference to this. Does anyone know how to do this with
> openssl, OR any other tool ?

A simple way to do this is to create a file, mount it, then encrypt it with openssl after it's unmounted and remove the unencrypted file.

    # truncate -s 30m /tmp/file
    # mdconfig -a -t vnode -f /tmp/file -u 10
    # newfs_msdos /dev/md10
    # mount -t msdosfs /dev/md10 ...
    # umount /dev/md10
    # openssl enc -bf < /tmp/file > /tmp/file.encrypted
    enter bf-cbc encryption password:********
    Verifying - enter bf-cbc encryption password:********
    # rm -f /tmp/file

This has the advantage that, if you use a file as a `block device' that holds a single FAT filesystem, without any partitions at all, you can then use it in other operating systems too, i.e. in Solaris you could use openssl to decrypt the encrypted file, use lofiadm(1M) to create a /dev/lofi/XXX device and mount it as a FAT filesystem too. This is not as safe as using GELI or GBDE though.
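The file-backed GELI volume Brooks Davis outlines above (vnode-backed md image, geli, newfs), written out as a create/detach script. This is an added example, not code from any poster in the thread; the image path, key-file path and mount point are placeholders, it assumes a geli(8) that supports AES-XTS (recent FreeBSD releases), geli init additionally prompts for a passphrase, and DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example: file-backed GELI volume on FreeBSD, following the thread's
# mdconfig -> geli -> newfs outline. DRY_RUN=1 prints commands instead of
# running them so the sequence can be reviewed on any machine.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# secure_volume_create IMAGE SIZE_MB KEYFILE MOUNTPOINT
# Prints the md unit (e.g. md0) that backs IMAGE so the caller can detach it.
secure_volume_create() {
    image=$1; size_mb=$2; keyfile=$3; mnt=$4

    # Sparse image; GELI stores its metadata in the provider's last sector.
    run truncate -s "${size_mb}m" "$image"

    # 64 random bytes as the key-file half of the two-factor key; geli init
    # prompts for the passphrase half interactively (the "2 key system").
    run dd if=/dev/random of="$keyfile" bs=64 count=1
    run chmod 600 "$keyfile"

    # mdconfig -a prints the unit name of the new vnode-backed disk.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        unit=md0; run mdconfig -a -t vnode -f "$image"   # placeholder unit
    else
        unit=$(mdconfig -a -t vnode -f "$image")
    fi

    # Encrypt the whole md device: AES-XTS, 256-bit key, 4 KiB sectors.
    run geli init -e AES-XTS -l 256 -s 4096 -K "$keyfile" "/dev/$unit"
    run geli attach -k "$keyfile" "/dev/$unit"

    # The file system goes on the decrypted .eli provider, never on /dev/mdN,
    # otherwise plaintext would land in the image file.
    run newfs -U "/dev/$unit.eli"
    run mkdir -p "$mnt"
    run mount "/dev/$unit.eli" "$mnt"
    printf '%s\n' "$unit"
}

# secure_volume_detach MD_UNIT MOUNTPOINT
# Reverse order: unmount, detach GELI, free the md device. Afterwards the
# image file holds ciphertext only and can be backed up or copied as a whole.
secure_volume_detach() {
    unit=$1; mnt=$2
    run umount "$mnt"
    run geli detach "/dev/$unit.eli"
    run mdconfig -d -u "${unit#md}"
}

case "${1:-}" in
    create) shift; secure_volume_create "$@" ;;
    detach) shift; secure_volume_detach "$@" ;;
esac
```

Run as `sh geli-volume.sh create /path/secure.img 30 /path/secure.key /mnt/secure` as root; re-attaching later is `mdconfig -a -t vnode -f IMAGE`, `geli attach -k KEYFILE /dev/mdN`, `mount /dev/mdN.eli MOUNTPOINT`.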
From: Vaida Bogdan
Date: Mon, 23 Jan 2006 10:55:34 +0200
To: corwin@aeternal.net
Cc: freebsd-security@freebsd.org
Subject: Re: setting up vpn client on a freebsd workstation
I don't need openvpn, I need IPSEC (KAME). So none of the proposed solutions work. I am the "FreeBSD Client" in the configuration so I can't change the server vpn implementation.

On 1/22/06, Martin Hudec wrote:
> Are you connecting to Windows VPN server or VPN router or what? Maybe
> net/pptp-client will be enough for you..
>
> Martin

From: Ensel Sharon
Date: Tue, 24 Jan 2006 18:07:09 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: limiting concurrent scp/rsync sessions (over ssh)

Hello,

I have a file server that serves files over rsync and scp (all over ssh - in fact, ssh is the only service listening).

I would like to limit each user to no more than X concurrent ssh sessions (regardless of what they are doing (interactive login, scp, rsync, etc.)).

I have read the documentation and man pages and it looks like I need to set this in /etc/pam.d/sshd, but I don't know exactly what to put in place where.

Can someone tell me the steps needed to do this?

Thank you very much.

From: gahn
Date: Tue, 24 Jan 2006 15:59:45 -0800 (PST)
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: IPsec, VPN and FreeBSD

Hi:

We intend to build an IPSec based VPN server on the FreeBSD platform so that we can access the internal network of a lab. The remote side will use a VPN client and could be from anywhere on the Internet, or maybe from another site of the company. From the handbook, I saw the sample of site-to-site configurations, and we do have one FreeBSD firewall (running ipfw) on both sites and another one on another site (both have firewalls on them); can we do that? Also what about the client-server model? What kind of clients do we need in order to connect to the FreeBSD/IPsec/VPN? Any tips/information for the configuration of the client/server model on the internet?

Any help will be greatly appreciated.

Thanks
From: Julian Elischer
Date: Tue, 24 Jan 2006 17:18:05 -0800
To: gahn
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: IPsec, VPN and FreeBSD

gahn wrote:
> We intend to build IPSec based VPN server on FreeBSD
> platform so that we can access internal network of a
> lab. The remote side will use VPN client and could be
> from anywhere of the Internet, or may be from the
> another site of the company.
> From the handbook, I saw
> the sample of site-to-site configurations and we do
> have one FreeBSD firewall (running ipfw) on both site
> and another one on another site (both have firewalls
> on them), can we do that? Also what about the
> client-server model? What kind of clients do we need
> in order to connect to the FreeBSD/IPsec/VPN? Any
> tips/information for the configuration of the
> clients/server model on internet?

there are almost too many options to mention..

however you should be able to implement pptp tunnels (as used on windows) using mpd (in ports). alternatively there is always ssh or ipsec. (or a combination of them)

If as you suggest, both ends are freebsd, then I've used mpd over ssh with great effect. use the 'tcp transport' option of mpd and connect it through an ssh tunnel.

is the 'client' roaming or at a fixed address? if a fixed address then ipsec becomes easier.
> Mail has the best spam protection around
> http://mail.yahoo.com
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 02:19:17 2006
Message-ID: <20060125021915.59670.qmail@web52102.mail.yahoo.com>
Date: Tue, 24 Jan 2006 18:19:15 -0800 (PST)
From: gahn
To: Julian Elischer
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <43D6D1CD.5060504@elischer.org>
Subject: Re: IPsec, VPN and FreeBSD
Thanks Julian:

Well, the other site is using a linux box for
firewall. We have extra PCs available so we could
build another FreeBSD box. That probably makes the VPN
setup a lot easier between two sites.

As to the roaming users, very unlikely there will be
dial-up line, but those users could be on road and
using ISPs to connect the internal lab. both sites are
labs.

I will try the roaming clients<--->freebsd vpn server
first.

--- Julian Elischer wrote:

> gahn wrote:
>
> > Hi:
> >
> > We intend to build IPSec based VPN server on FreeBSD
> > platform so that we can access internal network of a
> > lab. The remote side will use VPN client and could be
> > from anywhere of the Internet, or may be from the
> > another site of the company. From the handbook, I saw
> > the sample of site-to-site configurations and we do
> > have one FreeBSD firewall (running ipfw) on both site
> > and another one on another site (both have firewalls
> > on them), can we do that? Also what about the
> > client-server model? What kind of clients do we need
> > in order to connect to the FreeBSD/IPsec/VPN? Any
> > tips/information for the configuration of the
> > clients/server model on internet?
> >
> > Any help will be greatly appreciated.
>
> there are almost too many options to mention..
>
> however you should be able to implement pptp
> tunnels (as used on windows) using mpd (in ports)
> alternatively there is always ssh or ipsec.
> (or a combination of them)
>
> If as you suggest, both ends are freebsd, then I've
> used mpd over ssh
> with great effect.
> use the 'tcp transport' option of mpd and connect it
> through an ssh tunnel.
>
> is the 'client' roaming or at a fixed address? if a
> fixed address then
> ipsec becomes easier.
>
> > Thanks
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo!
> > Mail has the best spam
> > protection around
> > http://mail.yahoo.com
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 02:43:35 2006
Message-ID: <43D6E5D6.9010705@elischer.org>
Date: Tue, 24 Jan 2006 18:43:34 -0800
From: Julian Elischer
To: gahn
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <20060125021915.59670.qmail@web52102.mail.yahoo.com>
Subject: Re:
IPsec, VPN and FreeBSD

gahn wrote:

> Thanks Julian:
>
> Well, the other site is using a linux box for
> firewall. We have extra PCs available so we could
> build another FreeBSD box. That probably makes the VPN
> setup a lot easier between two sites.
>
> As to the roaming users, very unlikely there will be
> dial-up line, but those users could be on road and
> using ISPs to connect the internal lab. both sites are
> labs.
>
> I will try the roaming clients<--->freebsd vpn server
> first.

ok google for mpd and pptp

> --- Julian Elischer wrote:
>
> > gahn wrote:
> >
> > > Hi:
> > >
> > > We intend to build IPSec based VPN server on FreeBSD
> > > platform so that we can access internal network of a
> > > lab. The remote side will use VPN client and could be
> > > from anywhere of the Internet, or may be from the
> > > another site of the company. From the handbook, I saw
> > > the sample of site-to-site configurations and we do
> > > have one FreeBSD firewall (running ipfw) on both site
> > > and another one on another site (both have firewalls
> > > on them), can we do that? Also what about the
> > > client-server model? What kind of clients do we need
> > > in order to connect to the FreeBSD/IPsec/VPN? Any
> > > tips/information for the configuration of the
> > > clients/server model on internet?
> > >
> > > Any help will be greatly appreciated.
> >
> > there are almost too many options to mention..
> >
> > however you should be able to implement pptp
> > tunnels (as used on windows) using mpd (in ports)
> > alternatively there is always ssh or ipsec.
> > (or a combination of them)
> >
> > If as you suggest, both ends are freebsd, then I've
> > used mpd over ssh
> > with great effect.
> > use the 'tcp transport' option of mpd and connect it
> > through an ssh tunnel.
> >
> > is the 'client' roaming or at a fixed address? if a
> > fixed address then
> > ipsec becomes easier.
> >
> > > Thanks
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo!
> Mail has the best spam protection around
> http://mail.yahoo.com

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 05:00:03 2006
Message-ID: <12848a3b0601242100x285d4497p48476d422901ffa7@mail.gmail.com>
Date: Wed, 25 Jan 2006 05:00:01 +0000
From: Vaida Bogdan
To: freebsd-security@freebsd.org
In-Reply-To: <12848a3b0601230055h12b7169uce7f1fbb2f0da8e6@mail.gmail.com>
References: <12848a3b0601221142r2161c20ka6d128ecf5c299aa@mail.gmail.com> <43D3E694.9040902@aeternal.net> <12848a3b0601230055h12b7169uce7f1fbb2f0da8e6@mail.gmail.com>
Subject: Re: setting up vpn client on a freebsd workstation
So do I need to use racoon for this or is there an alternative?

On 1/23/06, Vaida Bogdan wrote:
> I don't need openvpn, I need IPSEC (KAME). So none of the proposed
> solutions work.
>
> I am the "FreeBSD Client" in the configuration so I can't change the
> server vpn implementation.
>
> On 1/22/06, Martin Hudec wrote:
> > Hello,
> >
> > Vaida Bogdan wrote:
> > > I have the following network:
> > >
> > > External Interface                      External Interface
> > > ccc.ccc.ccc.ccc                         aaa.aaa.aaa.aaa
> > >        |                                       |
> > > --> VPN <--> Internet <--> FreeBSD Client (NATed extip: bbb.bbb.bbb.bbb)
> > >      |
> > >   FW-1 Protected Net
> > >   ddd.ddd.ddd.ddd/24
> > >
> > > VPN: ipsec freeswan (UDP encapsulated tunnel)
> > > ccc.ccc.ccc.ccc has port 136/UDP open for this
> > > I also have the following certs: cert.pem, key.pem crl.pem and CA.pem
> > > I am behind internal ips allocated by dhcp.
> > >
> > > I need to connect to an ip in the Protected Net area.
> >
> > Are you connecting to Windows VPN server or VPN router or what? Maybe
> > net/pptp-client will be enough for you..
> >
> > Martin
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 07:08:17 2006
Message-ID: <43D723CE.3060106@infracaninophile.co.uk>
Date: Wed, 25 Jan 2006 07:07:58 +0000
From: Matthew Seaman
Organization: Infracaninophile
To: Drew Tomlinson
References: <20060124235945.92438.qmail@web52114.mail.yahoo.com> <43D71F2B.2090100@mykitchentable.net>
In-Reply-To: <43D71F2B.2090100@mykitchentable.net>
Cc: gahn, freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: IPsec, VPN and FreeBSD

Drew Tomlinson wrote:
> I've been very pleased with OpenVPN for my needs. Biggest downside is
> that each potential connection requires a separate OpenVPN instance as I
> understand it. However if your client base is small, you might give it
> a look.

That used to be the case, but since OpenVPN 2 came out, it is no longer
necessary.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFD1yPU8Mjk52CukIwRA1SFAJ9OBUud+0XAF5UxKSwkO2agwiQ1CgCXV66p
bNwjj65oNtNwco/CU7mzmA==
=+5F+
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 10:13:11 2006
Message-Id: <200601251013.k0PAD9ps059009@freefall.freebsd.org>
Date: Wed, 25 Jan 2006 10:13:09 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-06:06.kmem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:06.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure

Category:       core
Module:         kernel
Announced:      2006-01-25
Credits:        Xin LI, Karl Janmar
Affects:        FreeBSD 5.4-STABLE and FreeBSD 6.0
Corrected:      2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
                2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
                2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
CVE Name:       CVE-2006-0379, CVE-2006-0380

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The network sub-system commonly utilizes the ioctl(2) mechanism to pass
information regarding the current state and statistics of logical and
physical network devices.

II.  Problem Description

A buffer allocated from the kernel stack may not be completely
initialized before being copied to userland. [CVE-2006-0379]

A logic error in computing a buffer length may allow too much data to
be copied into userland. [CVE-2006-0380]

III. Impact

Portions of kernel memory may be disclosed to local users. Such memory
might contain sensitive information, such as portions of the file cache
or terminal buffers. This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0 security branch dated after the correction date.
2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4 and
6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.4-STABLE and 6.0-STABLE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch.asc

[FreeBSD 6.0-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/net/if_bridge.c                                          1.23.2.7
RELENG_6
  src/sys/net/if_bridge.c                                         1.11.2.24
RELENG_6_0
  src/UPDATING                                                1.416.2.3.2.9
  src/sys/conf/newvers.sh                                      1.69.2.8.2.5
  src/sys/net/if_bridge.c                                     1.11.2.12.2.4
  src/sys/net80211/ieee80211_ioctl.c                           1.25.2.3.2.2
- -------------------------------------------------------------------------
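The two defects the advisory names, as an added userland model that is not FreeBSD's code (the reply struct, the handler names, the poison value and the copyout stand-in are constructed for illustration): the vulnerable shape leaks stale stack bytes through ABI padding and the unused tail of a name field and copies sizeof(struct) regardless of the caller's buffer, while the hardened shape zeroes the reply first and bounds the copy.

```c
/* Added userland model of the two defects in FreeBSD-SA-06:06.kmem. Nothing
 * here is FreeBSD code: the reply struct, handler names, poison value and
 * copyout stand-in are constructed for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ     16
#define STACK_POISON 0xAA   /* stands in for whatever the stack held before */

struct ifstats_reply {
    char     name[IFNAMSIZ]; /* only strlen(name)+1 bytes are ever written */
    uint8_t  flags;          /* ABI padding follows before rx_packets */
    uint64_t rx_packets;
    uint64_t tx_packets;
};

typedef int (*stats_handler)(struct ifstats_reply *, const char *,
                             uint8_t *, size_t);

/* copyout(9) stand-in: the user buffer holds ulen bytes. Copying more is the
 * over-copy of CVE-2006-0380; the model refuses it instead of clobbering. */
static int copyout_model(uint8_t *ubuf, size_t ulen, const void *src, size_t len)
{
    if (len > ulen)
        return -1;
    memcpy(ubuf, src, len);
    return (int)len;
}

/* Vulnerable shape: set the known fields, copy the whole struct, ignore how
 * much the caller asked for. Padding and the tail of name[] stay stale. */
int vulnerable_get_stats(struct ifstats_reply *r, const char *ifname,
                         uint8_t *ubuf, size_t ulen)
{
    snprintf(r->name, sizeof r->name, "%s", ifname);
    r->flags = 0x01; r->rx_packets = 1234; r->tx_packets = 42;
    return copyout_model(ubuf, ulen, r, sizeof *r);   /* ulen ignored */
}

/* Hardened shape: zero the reply first (bzero(9) in kernel code) so no stale
 * byte can leak, then bound the copy by the caller's buffer size. */
int hardened_get_stats(struct ifstats_reply *r, const char *ifname,
                       uint8_t *ubuf, size_t ulen)
{
    size_t len = ulen < sizeof *r ? ulen : sizeof *r;  /* MIN(ulen, size) */
    memset(r, 0, sizeof *r);
    snprintf(r->name, sizeof r->name, "%s", ifname);
    r->flags = 0x01; r->rx_packets = 1234; r->tx_packets = 42;
    return copyout_model(ubuf, ulen, r, len);
}

/* Run one handler against a poisoned "stack slot" (stale contents a previous
 * kernel path left behind) and a user buffer of ulen bytes. Returns the
 * handler's result; *stale counts copied-out bytes still holding the poison. */
static int simulate(stats_handler h, size_t ulen, size_t *stale)
{
    struct ifstats_reply slot;
    uint8_t ubuf[sizeof slot];
    int rc;

    memset(&slot, STACK_POISON, sizeof slot);
    memset(ubuf, 0, sizeof ubuf);
    rc = h(&slot, "em0", ubuf, ulen);
    *stale = 0;
    for (int i = 0; i < rc; i++)
        if (ubuf[i] == STACK_POISON)
            (*stale)++;
    return rc;
}

/* Bytes the handler reports as copied, or -1 for an over-copy attempt. */
int copied_bytes(stats_handler h, size_t ulen)
{
    size_t stale;
    return simulate(h, ulen, &stale);
}

/* Bytes of stale stack that reached the user buffer (0 when refused). */
size_t leaked_bytes(stats_handler h, size_t ulen)
{
    size_t stale;
    simulate(h, ulen, &stale);
    return stale;
}

int main(void)
{
    size_t full = sizeof(struct ifstats_reply);
    printf("vulnerable: copied %d bytes, %zu stale; 16-byte buffer rc %d\n",
           copied_bytes(vulnerable_get_stats, full),
           leaked_bytes(vulnerable_get_stats, full),
           copied_bytes(vulnerable_get_stats, IFNAMSIZ));
    printf("hardened:   copied %d bytes, %zu stale; 16-byte buffer rc %d\n",
           copied_bytes(hardened_get_stats, full),
           leaked_bytes(hardened_get_stats, full),
           copied_bytes(hardened_get_stats, IFNAMSIZ));
    return 0;
}
```

With the name "em0" the vulnerable handler returns at least the 12 unused name bytes as poison (plus whatever padding the ABI inserts), and the hardened one returns none and never copies more than the caller's buffer holds.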
VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0380

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:06.kmem.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD105UFdaIBMps37IRArxMAJ9fS+dok28f9PsFvJwH8fUkkVOiawCfV6HM
+qRRPaBQCOX9XRXwB35y7h8=
=pLt2
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 10:13:45 2006
Message-Id: <200601251013.k0PADikY059145@freefall.freebsd.org>
Date: Wed, 25 Jan 2006 10:13:44 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-06:07.pf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:07.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IP fragment handling panic in pf(4)

Category:       contrib
Module:         sys_contrib
Announced:      2006-01-25
Credits:        Jakob Schlyter, Daniel Hartmeier
Affects:        FreeBSD 5.3, FreeBSD 5.4, and FreeBSD 6.0
Corrected:      2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
                2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
                2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
                2006-01-25 10:02:07 UTC (RELENG_5_4, 5.4-RELEASE-p10)
                2006-01-25 10:02:27 UTC (RELENG_5_3, 5.3-RELEASE-p25)
CVE Name:       CVE-2006-0381

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

pf is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

A logic bug in pf's IP fragment cache may result in a packet fragment
being inserted twice, violating a kernel invariant.

III. Impact

By sending a carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

IV.  Workaround

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on
systems running pf. In most cases, such rules can be replaced by 'scrub
fragment reassemble' rules; see the pf.conf(5) manual page for more
details.

Systems which do not use pf, or use pf but do not use the aforementioned
rules, are not affected by this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0, RELENG_5_4, or RELENG_5_3 security branch dated after the
correction date.
2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, 5.4,
and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:07/pf.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:07/pf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/contrib/pf/net/pf_norm.c                                 1.10.2.2
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.19
  src/sys/conf/newvers.sh                                   1.62.2.18.2.15
  src/sys/contrib/pf/net/pf_norm.c                                 1.10.6.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.28
  src/sys/conf/newvers.sh                                   1.62.2.15.2.30
  src/sys/contrib/pf/net/pf_norm.c                                 1.10.4.1
RELENG_6
  src/sys/contrib/pf/net/pf_norm.c                                 1.11.2.3
RELENG_6_0
  src/UPDATING                                                1.416.2.3.2.9
  src/sys/conf/newvers.sh                                      1.69.2.8.2.5
  src/sys/contrib/pf/net/pf_norm.c                             1.11.2.1.2.1
- -------------------------------------------------------------------------
VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0381

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:07.pf.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD105kFdaIBMps37IRAth+AKCPd0puGZJ1u1/gbFRgYMQpQs8TiQCcD1ai
56HQEqlhvzoW09g/05mbPCk=
=hyeL
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 06:48:19 2006
Message-ID: <43D71F2B.2090100@mykitchentable.net>
Date: Tue, 24 Jan 2006 22:48:11 -0800
From: Drew Tomlinson
To: gahn
References: <20060124235945.92438.qmail@web52114.mail.yahoo.com>
In-Reply-To: <20060124235945.92438.qmail@web52114.mail.yahoo.com>
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: IPsec, VPN and FreeBSD

On 1/24/2006 3:59 PM gahn wrote:

> Hi:
>
> We intend to build IPSec based VPN server on FreeBSD
> platform so that we can access internal network of a
> lab. The remote side will use VPN client and could be
> from anywhere of the Internet, or may be from the
> another site of the company. From the handbook, I saw
> the sample of site-to-site configurations and we do
> have one FreeBSD firewall (running ipfw) on both site
> and another one on another site (both have firewalls
> on them), can we do that? Also what about the
> client-server model? What kind of clients do we need
> in order to connect to the FreeBSD/IPsec/VPN? Any
> tips/information for the configuration of the
> clients/server model on internet?
>
> Any help will be greatly appreciated.

I've been very pleased with OpenVPN for my needs. Biggest downside is
that each potential connection requires a separate OpenVPN instance as I
understand it. However if your client base is small, you might give it
a look.

Cheers,

Drew

--
Visit The Alchemist's Warehouse
Magic Tricks, DVDs, Videos, Books, & More!
http://www.alchemistswarehouse.com

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 14:21:44 2006
Message-ID: <20060125142108.GB682@zen.inc>
Date: Wed, 25 Jan 2006 15:21:08 +0100
From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
References: <43D6D1CD.5060504@elischer.org> <20060125021915.59670.qmail@web52102.mail.yahoo.com>
In-Reply-To: <20060125021915.59670.qmail@web52102.mail.yahoo.com>
Subject: Re: IPsec, VPN and FreeBSD

On Tue, Jan 24, 2006 at 06:19:15PM -0800, gahn wrote:
[....]
> As to the roaming users, very unlikely there will be
> dial-up line, but those users could be on road and
> using ISPs to connect the internal lab. both sites are
> labs.
>
> I will try the roaming clients<--->freebsd vpn server
> first.
IPsec with dynamic remote IPs is not as difficult, especially with
racoon's generate_policy option, but you'll need to know what you are
doing: Aggressive mode + PSK is known to be less secure than other
modes, Main mode + PSK can't be done with remote dynamic IPs, and Main
mode + X509 certificates need to have some X509 certificates
knowledge...

But it CAN be done, it is probably NOT the most easy way of doing
things, but it is probably the most secure, the most interoperable and
the most "easy" to administrate when it's in production...

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 17:30:08 2006
Date: Wed, 25 Jan 2006 18:30:02 +0100
From: "F. Senault"
X-Mailer: The Bat!
Message-ID: <909547276.20060125183002@lacave.net>
To: freebsd-security@freebsd.org
In-Reply-To: <20060125142108.GB682@zen.inc>
Subject: Re: IPsec, VPN and FreeBSD

Wednesday, January 25, 2006, 3:21:08 PM, you wrote:

> On Tue, Jan 24, 2006 at 06:19:15PM -0800, gahn wrote:
> [....]
>> As to the roaming users, very unlikely there will be
>> dial-up line, but those users could be on road and
>> using ISPs to connect the internal lab. both sites are
>> labs.
>>
>> I will try the roaming clients<--->freebsd vpn server
>> first.
> IPsec with dynamic remote IPs is not as difficult, especially with
> racoon's generate_policy option

For a real-world example of a setup interconnecting networks and roaming
users to a central office with ipsec-tools' racoon, I've put my config and
some info here:

http://www.lacave.net/~fred/racoon/config.html

Hope this helps,

Fred
--
Trusted you With my life
Shattered dreams Broken glass
I hope there is a closure Down your path
(Kittie, For I have yet to find The means to forgive Pink Lemonade)

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 17:56:31 2006
Date: Wed, 25 Jan 2006 14:56:34 -0300 (ART)
From: Fernando Gleiser
To: Vaida Bogdan
Cc: freebsd-security@freebsd.org
In-Reply-To: <12848a3b0601230055h12b7169uce7f1fbb2f0da8e6@mail.gmail.com>
Message-ID: <20060125145213.A65853@cactus.fi.uba.ar>
Subject: Re: setting up vpn client on a freebsd workstation
On Mon, 23 Jan 2006, Vaida Bogdan wrote:

> I don't need openvpn, I need IPSEC (KAME). So none of the proposed
> solutions work.
>
> I am the "FreeBSD Client" in the configuration so I can't change the
> server vpn implementation.
>

Some basic questions: are your certificates self-signed? Are your
certificates and the linux ones signed by the same CA? You need to send
your certificate and your CA's certificate to the linux admin so s?he
can install them in the linux box.

For the local config, look here:

http://ezine.daemonnews.org/200502/ipsec.html

Hope this helps

Fer

From owner-freebsd-security@FreeBSD.ORG Wed Jan 25 18:49:33 2006
Message-ID: <20060125184929.5858.qmail@web52115.mail.yahoo.com>
Date: Wed, 25 Jan 2006 10:49:29 -0800 (PST)
From: gahn
To: "F. Senault", freebsd-security@freebsd.org
In-Reply-To: <909547276.20060125183002@lacave.net>
Subject: Re: IPsec, VPN and FreeBSD

Fred, I am very grateful for the help.

best

--- "F. Senault" wrote:

> Wednesday, January 25, 2006, 3:21:08 PM, you wrote:
>
> > On Tue, Jan 24, 2006 at 06:19:15PM -0800, gahn wrote:
> > [....]
> >> As to the roaming users, very unlikely there will be
> >> dial-up line, but those users could be on road and
> >> using ISPs to connect the internal lab. both sites are
> >> labs.
> >>
> >> I will try the roaming clients<--->freebsd vpn server
> >> first.
>
> > IPsec with dynamic remote IPs is not as difficult, especially with
> > racoon's generate_policy option
>
> For a real-world example of a setup interconnecting networks and
> roaming users to a central office with ipsec-tools' racoon, I've put
> my config and some info here:
>
> http://www.lacave.net/~fred/racoon/config.html
>
> Hope this helps,
>
> Fred
> --
> Trusted you With my life
> Shattered dreams Broken glass
> I hope there is a closure Down your path
> (Kittie, For I have yet to find The means to forgive Pink Lemonade)
From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 03:23:32 2006
Message-ID: <20060126032331.96806.qmail@web52112.mail.yahoo.com>
Date: Wed, 25 Jan 2006 19:23:31 -0800 (PST)
From: gahn
To: VANHULLEBUS Yvan, freebsd-security@freebsd.org
In-Reply-To: <20060125142108.GB682@zen.inc>
Subject: Re: IPsec, VPN and FreeBSD

Thanks Vanhu:

Could you give me some tips on this know-how?
--- VANHULLEBUS Yvan wrote:

> IPsec with dynamic remote IPs is not as difficult, especially with
> racoon's generate_policy option, but you'll need to know what you are
> doing: Aggressive mode + PSK is known to be less secure than other
> modes, Main mode + PSK can't be done with remote dynamic IPs, and Main
> mode + X509 certificates need to have some X509 certificates
> knowledge...
>
> But it CAN be done, it is probably NOT the most easy way of doing
> things, but it is probably the most secure, the most interoperable and
> the most "easy" to administrate when it's in production...
>
> Yvan.
>
> --
> NETASQ - Secure Internet Connectivity
> http://www.netasq.com
From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 05:24:23 2006
Message-ID: <20060126052422.34743.qmail@web52114.mail.yahoo.com>
Date: Wed, 25 Jan 2006 21:24:22 -0800 (PST)
From: gahn
To: freebsd general questions, freebsd security
Subject: mpd and radius

Hi all:

I have some basic questions regarding the mpd.conf:

set radius retries 3
set radius timeout 3
set radius server 192.168.128.101 testing123 1812 1813
set radius me 1.1.1.1
set bundle enable radius-auth radius-fallback

Here my radius server is 192.168.128.101 and the internal
interface of this mpd server is 192.168.64.65

1) What is this "testing123"? Is that the key between the radius server
and the nas (the pptp box)?

"set radius me 1.1.1.1
#send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server."

Could any guru explain this? Which given IP address?

Thanks

From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 08:19:05 2006
Date: Thu, 26 Jan 2006 09:19:02 +0100 (CET)
From: Mohacsi Janos
To: gahn
Cc: freebsd security, freebsd general questions
In-Reply-To: <20060126052422.34743.qmail@web52114.mail.yahoo.com>
Message-ID: <20060126090312.N1888@mignon.ki.iif.hu>
Subject: Re: mpd and radius

On Wed, 25 Jan 2006, gahn wrote:

> Hi all:
>
> I have some basic questions regarding the mpd.conf:
>
> set radius retries 3
> set radius timeout 3
> set radius server 192.168.128.101 testing123 1812 1813
> set radius me 1.1.1.1
> set bundle enable radius-auth radius-fallback
>
> Here my radius server is 192.168.128.101 and the internal
> interface of this mpd server is 192.168.64.65
>
> 1) What is this "testing123"? Is that the key between the
> radius server and the nas (the pptp box)?

Yes. This is a shared secret between your radius server and "nas" boxes.
Any client which is accessing the radius server should use its respective
shared secret. If you are using freeradius you should configure it in
clients.conf and on your "nas" box. You should also select a reasonably
complex shared secret to prevent brute force guessing attacks against your
radius server.

>
> "set radius me 1.1.1.1
> #send the given IP in the RAD_NAS_IP_ADDRESS attribute
> to the server."

This one is the IP address configured for this NAS/client...

Regards,

Janos Mohacsi
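What the shared secret and the NAS-IP-Address attribute do on the wire, as an added example (not code from the thread or from mpd): it builds the Access-Request an mpd box would send, computes the RFC 2865 Response Authenticator a server holding "testing123" returns, and shows that a reply produced with any other secret, or altered in transit, fails the NAS-side check. The secret and the 1.1.1.1 value are taken from the quoted mpd.conf; the user name, identifier and Request Authenticator are constructed.

```python
"""Added example: how a RADIUS NAS and server use the shared secret (RFC 2865).

The secret "testing123" and the NAS address 1.1.1.1 are the values from the
mpd.conf quoted above; user name, identifier and authenticator are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

SHARED_SECRET = b"testing123"   # third argument of "set radius server"
NAS_IP = "1.1.1.1"              # argument of "set radius me"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
HEADER_LEN = 20                 # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(atype: int, value: bytes) -> bytes:
    """One attribute in Type / Length / Value form; Length counts itself and Type."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes((atype, len(value) + 2)) + value


def parse_attrs(payload: bytes) -> dict:
    """Decode the attribute section into {type: value}, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, request_auth: bytes, user: str) -> bytes:
    """What the NAS (mpd) sends; NAS-IP-Address carries the 'set radius me' value."""
    attrs = encode_attr(ATTR_USER_NAME, user.encode()) + \
        encode_attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(NAS_IP).packed)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the server answers; only a holder of the secret can produce this."""
    ident, request_auth = request[1], request[4:HEADER_LEN]
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check: the reply must match our outstanding request and the secret."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:HEADER_LEN],
                                      response[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def nas_ip_of(request: bytes) -> str:
    """The NAS-IP-Address the server sees, i.e. what 'set radius me' put there."""
    raw = parse_attrs(request[HEADER_LEN:])[ATTR_NAS_IP_ADDRESS]
    return str(ipaddress.IPv4Address(raw))


if __name__ == "__main__":
    req = build_access_request(7, os.urandom(16), "gahn")  # fresh random Request Authenticator
    accept = build_response(ACCESS_ACCEPT, req, b"", SHARED_SECRET)
    forged = build_response(ACCESS_ACCEPT, req, b"", b"some-other-secret")
    print("NAS-IP-Address:", nas_ip_of(req))
    print("genuine accept verifies:", verify_response(accept, req, SHARED_SECRET))
    print("reply made with wrong secret verifies:", verify_response(forged, req, SHARED_SECRET))
```

Everything that protects the exchange is the MD5 over the secret, which is why the reply's advice to pick a long, hard-to-guess secret (and a different one per NAS in clients.conf) matters.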
From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 14:05:36 2006
Message-ID: <12848a3b0601260605k668329b7n41b15f7958b5e27e@mail.gmail.com>
Date: Thu, 26 Jan 2006 14:05:34 +0000
From: Vaida Bogdan
To: Fernando Gleiser
Cc: freebsd-security@freebsd.org
In-Reply-To: <20060125145213.A65853@cactus.fi.uba.ar>
Subject: Re: setting up vpn client on a freebsd workstation

My certificates are self-signed and they were signed by the same CA as
the server's.

What I did on the client:

ifconfig gif0 create
ifconfig gif0 tunnel aaa.aaa.aaa.aaa ccc.ccc.ccc.ccc
ifconfig gif0 inet xxx.xxx.xxx.xxx 192.168.1.1

What do I need to replace xxx.xxx.xxx.xxx with and how do I test it works
until this step?

External Interface                   External Interface (behind nat)
ccc.ccc.ccc.ccc                      10.100.100.2
      |                                    |
 --> VPN <--> Internet <--> FreeBSD Client (NATed extip: ddd.ddd.ddd.ddd)
      |
FW-1 Protected Net 192.168.1.0/24

On 1/25/06, Fernando Gleiser wrote:
> On Mon, 23 Jan 2006, Vaida Bogdan wrote:
>
> > I don't need openvpn, I need IPSEC (KAME). So none of the proposed
> > solutions work.
> >
> > I am the "FreeBSD Client" in the configuration so I can't change the
> > server vpn implementation.
> >
>
> Some basic questions: are your certificates self-signed? are your
> certificates and the linux ones signed by the same CA? you need to send
> your certificate and your CA's certificate to the linux admin so s?he
> can install them in the linux box.
>
> For the local config, look here:
>
> http://ezine.daemonnews.org/200502/ipsec.html
>
> Hope this helps
>
> Fer
>

From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 19:49:07 2006
Message-ID: <43D92788.3030001@restek.wwu.edu>
Date: Thu, 26 Jan 2006 11:48:24 -0800
From: Kian Mohageri
To: freebsd-security@freebsd.org
Subject: stateful rulesets with PF
I've read a bit about how keeping state works with PF and written rulesets
which look logical to me, but present some problems intermittently. I
believe it has to do with the creation of state entries, and how PF judges
what to do in any case.

> pass in quick on em0 from to port any port = 3306 keep state

As I understood it, because I did not specify any flags such as S/SA, pf
will be able to pass packets starting mid-session (how or if it does this
is where I'm unclear). I'm also unclear about how it will ever judge
whether or not to drop packets from to port 3306.

Generally this rule (or a similar one) would work fine, however I run into
problems occasionally in which a client is unable to bypass the firewall
to connect to 3306 (mysql) on this server. I notice it mostly with PHP
scripts which constantly query the database server.

My initial thought was to check the number of entries in the state table
which I figured might have been full, but it was nowhere near full.

Are there times when stateful rules cause problems like this? It seems
like "flags S/SA keep state" should work just fine, which it *usually*
does...but thought I'd ask the experts anyway since I'm seeing problems.
Thanks,
Kian

--
Kian Mohageri
ResTek, Western Washington University
kian@restek.wwu.edu

From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 23:34:43 2006
Message-ID: <20060126233439.62351.qmail@web52101.mail.yahoo.com>
Date: Thu, 26 Jan 2006 15:34:39 -0800 (PST)
From: gahn
To: freebsd security, freebsd general questions
Subject: strange problem with ipfw and rc.conf
Hi all:

I have a strange problem with rc.conf. I set up ipfw (compiled into the
kernel) on freebsd-5.4 and it doesn't seem to load the ipfw rulesets (it
uses the default ruleset 65335, locking out everything). I have to do "sh
/etc/ipfw.rules" in order to load the rulesets; once I did that, I could
access the box from remote locations.

here is my rc.conf:

host# more /etc/rc.conf
network_interfaces="lo0 em0 dc0 rl0 plip0"
kern_securelevel="2"
kern_securelevel_enable="YES"
linux_enable="YES"
named_enable="YES"
nisdomainname="NO"
sshd_enable="YES"
usbd_enable="YES"
hostname="sis"
tcp_keepalive="YES"
tcp_extensions="YES"
ifconfig_em0="inet 192.168.128.222/24"
ifconfig_dc0="inet 192.168.1.4/24"
ifconfig_rl0="inet 10.10.75.126/24"
defaultrouter="192.168.128.1"
static_routes="net1 net2"
route_net1="-net 192.168.0.0/22 192.168.1.1"
route_net2="-net 10.10.0.0/16 10.10.128.1"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
mpd_enable="YES"

also my customized kernel (partial):

options IPFIREWALL                      #firewall
options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=10     #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT   #allow everything by default
options IPFIREWALL_FORWARD              #packet destination changes
options IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
options IPDIVERT                        #divert sockets

TIA
From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 00:03:33 2006
Message-ID: <20060127000331.24566.qmail@web30307.mail.mud.yahoo.com>
Date: Thu, 26 Jan 2006 16:03:31 -0800 (PST)
From: Arne Woerner
To: gahn, freebsd security, freebsd general questions
In-Reply-To: <20060126233439.62351.qmail@web52101.mail.yahoo.com>
Subject: Re: strange problem with ipfw and rc.conf

--- gahn wrote:
> 65335 locking out everything). I have to do "sh
> /etc/ipfw.rules" in order to load the rulesets, once I
> did that, I can access the box from remote locations
>
Hmm...

It helped me, to look at /etc/rc.firewall... There are some
comments, that might give u the right hints...

Maybe firewall_enable should be YES?

E. g. my /etc/rc.firewall.bartely file cannot be executed with
sh... But maybe I still did not understand ipfw...

My /etc/rc.firewall.bartely contains rules like:
add pass log all from any to 47.11.42.42
add deny log all from any to any

And in rc.conf my firewall_type=/etc/rc.firewall.bartleby

And I use default firewall_script=/etc/rc.firewall

-Arne

From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 00:12:37 2006
Message-ID: <9cd98d120601261612p6ba20f14k12b36fd50a751d1f@mail.gmail.com>
Date: Thu, 26 Jan 2006 18:12:34 -0600
From: Logan
To: freebsd-questions@freebsd.org
Cc: freebsd security
In-Reply-To: <20060126233439.62351.qmail@web52101.mail.yahoo.com>
Subject: Re: strange problem with ipfw and rc.conf

On 1/26/06, gahn wrote:
>
> I have a strange problem with rc.conf. I set up ipfw
> (compiled into kernel) on freebsd-5.4 and it doesn't
> seem to load ipfw rulesets (it uses default ruleset
> 65335 locking out everything). I have to do "sh
> /etc/ipfw.rules" in order to load the rulesets, once I
> did that, I can access the box from remote locations
> ...
> firewall_script="/etc/ipfw.rules"
> firewall_type="simple"
>

firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

delete firewall_script="/etc/ipfw.rules", the default rc.conf already has
the correct value for what you're trying to do.
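A check for the mistake in this thread, as an added example that is not part of any reply: it parses an rc.conf the way sh(1) reads the assignments and reports the two things Logan's answer corrects, a missing firewall_enable="YES" (without it /etc/rc.d/ipfw never runs, so a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT comes up with only its default deny rule) and a firewall_script that replaces /etc/rc.firewall, which is the only script that reads firewall_type. The sample rc.conf is a constructed copy of the firewall-related lines gahn posted; the corrected one applies Logan's changes.

```python
"""Added example: lint the ipfw settings of an rc.conf.

Not part of any message in the thread. The two checks follow Logan's reply and
the behaviour of /etc/rc.d/ipfw and /etc/rc.firewall on FreeBSD 5.x:
  - rc.d/ipfw only runs when firewall_enable is YES;
  - rc.d/ipfw sources firewall_script (default /etc/rc.firewall), and only
    /etc/rc.firewall looks at firewall_type.
"""
import re
import shlex

VAR_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed copy of the firewall-related lines of the rc.conf gahn posted,
# and the same lines with the changes from Logan's reply applied.
POSTED_RC_CONF = """\
kern_securelevel="2"
kern_securelevel_enable="YES"
ifconfig_em0="inet 192.168.128.222/24"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
"""

FIXED_RC_CONF = """\
kern_securelevel="2"
kern_securelevel_enable="YES"
ifconfig_em0="inet 192.168.128.222/24"
firewall_enable="YES"          # without this rc.d/ipfw does nothing at boot
firewall_type="/etc/ipfw.rules"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
"""


def parse_rc_conf(text: str) -> dict:
    """Read NAME=value assignments the way sh does: quotes removed, '#' starts
    a comment unless quoted, and a later assignment overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        try:
            words = shlex.split(line, comments=True)
        except ValueError:          # unbalanced quote: sh would reject it too
            continue
        for word in words:
            name, sep, value = word.partition("=")
            if sep and VAR_NAME.fullmatch(name):
                conf[name] = value
    return conf


def is_yes(value: str) -> bool:
    """The spellings rc.subr's checkyesno accepts."""
    return value.strip().lower() in ("yes", "true", "on", "1")


def lint_ipfw(conf: dict) -> list:
    """Return (variable, explanation) pairs for settings that will not do what
    the author expects at boot."""
    findings = []
    if not is_yes(conf.get("firewall_enable", "NO")):
        findings.append(("firewall_enable",
                         'not "YES": /etc/rc.d/ipfw never runs, so a kernel built '
                         "without IPFIREWALL_DEFAULT_TO_ACCEPT comes up with only "
                         "its default deny rule until the rules are loaded by hand"))
    script = conf.get("firewall_script", "/etc/rc.firewall")
    if script != "/etc/rc.firewall" and "firewall_type" in conf:
        findings.append(("firewall_script",
                         f"{script} is sourced instead of /etc/rc.firewall, so "
                         "firewall_type is ignored; drop firewall_script and put "
                         "the rules file in firewall_type, or drop firewall_type"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_RC_CONF), ("fixed", FIXED_RC_CONF)):
        print(f"{label} rc.conf:")
        for var, why in lint_ipfw(parse_rc_conf(text)) or [("ok", "no ipfw findings")]:
            print(f"  {var}: {why}")
```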
From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 00:22:58 2006
Message-ID: <20060127002255.61680.qmail@web52104.mail.yahoo.com>
Date: Thu, 26 Jan 2006 16:22:54 -0800 (PST)
From: gahn
To: Arne Woerner, freebsd security, freebsd general questions
In-Reply-To: <20060127000331.24566.qmail@web30307.mail.mud.yahoo.com>
Subject: Re: strange problem with ipfw and rc.conf

Thanks.

I don't think it was a problem with the ipfw rulesets. In fact once I did
"sh /etc/ipfw.rules" things were fine. I just can't figure out why the
rc.conf won't load the rulesets.
Besides, I recompiled the customized kernel and there is no need for "firewall_enable="YES"" statement in rc.conf. --- Arne Woerner wrote: > --- gahn wrote: > > 65335 locking out everything). I have to do "sh > > /etc/ipfw.rules" in order to load the rulesets, > once I > > did that, I can access the box from remote > locations > > > Hmm... > > It helped me, to look at /etc/rc.firewall... There > are some > comments, that might give u the right hints... > > Maybe firewall_enable should be YES? > > E. g. my /etc/rc.firewall.bartely file cannot be > executed with > sh... But maybe I still did not understand ipfw... > > My /etc/rc.firewall.bartely contains rules like: > add pass log all from any to 47.11.42.42 > add deny log all from any to any > > And in rc.conf my > firewall_type=/etc/rc.firewall.bartleby > > And I use default firewall_script=/etc/rc.firewall > > -Arne > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam > protection around > http://mail.yahoo.com > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 00:29:45 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A16DD16A420 for ; Fri, 27 Jan 2006 00:29:45 +0000 (GMT) (envelope-from ipfreak@yahoo.com) Received: from web52103.mail.yahoo.com (web52103.mail.yahoo.com [206.190.48.106]) by mx1.FreeBSD.org (Postfix) with SMTP id DAF4C43D68 for ; Fri, 27 Jan 2006 00:29:43 +0000 (GMT) (envelope-from ipfreak@yahoo.com) Received: (qmail 78048 invoked by uid 60001); 27 Jan 2006 00:29:43 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Ho75VgdjJhnUf2hfCDHVrTIpthQvo8AYSjTACuf7fwhuH27hMrkV1ov+wkT9HIUoGSWY2HKkJsP4yaQX/+5Pq4Xb1XfJhlTUGaSN2BN7tK2gUYh6ybJ7rhwyRrMg6y15H2/piaL545U9iAC0FI3Pvn338OsFuaq2FwZffWfxV64= ; Message-ID: <20060127002943.78046.qmail@web52103.mail.yahoo.com> Received: from [200.38.156.194] by web52103.mail.yahoo.com via HTTP; Thu, 26 Jan 2006 16:29:43 PST Date: Thu, 26 Jan 2006 16:29:43 -0800 (PST) From: gahn To: Oxygenshell , Arne Woerner , freebsd security , freebsd general questions In-Reply-To: <01ee01c622d7$b8e77f50$6501a8c0@bob> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: Subject: Re: strange problem with ipfw and rc.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jan 2006 00:29:45 -0000 Thanks for the comments. My real problem is thta the rc.conf just won load the rulesets when the system reboots. 
I have to do this every time the system reboots: "sh /etc/ipfw.rules" --- Oxygenshell wrote: > ipfw rules automatically default to deny > You have to explicitly tell it to allow by default. > (kernel setting) > > > ----- Original Message ----- > From: "Arne Woerner" > To: "gahn" ; "freebsd security" > ; "freebsd general > questions" > > Sent: Thursday, January 26, 2006 7:03 PM > Subject: Re: strange problem with ipfw and rc.conf > > > > --- gahn wrote: > >> 65335 locking out everything). I have to do "sh > >> /etc/ipfw.rules" in order to load the rulesets, > once I > >> did that, I can access the box from remote > locations > >> > > Hmm... > > > > It helped me, to look at /etc/rc.firewall... There > are some > > comments, that might give u the right hints... > > > > Maybe firewall_enable should be YES? > > > > E. g. my /etc/rc.firewall.bartely file cannot be > executed with > > sh... But maybe I still did not understand ipfw... > > > > My /etc/rc.firewall.bartely contains rules like: > > add pass log all from any to 47.11.42.42 > > add deny log all from any to any > > > > And in rc.conf my > firewall_type=/etc/rc.firewall.bartleby > > > > And I use default firewall_script=/etc/rc.firewall > > > > -Arne > > > > > > __________________________________________________ > > Do You Yahoo!? > > Tired of spam? Yahoo! Mail has the best spam > protection around > > http://mail.yahoo.com > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > > > > > > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 01:28:18 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EC7C16A420 for ; Fri, 27 Jan 2006 01:28:18 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: from web30315.mail.mud.yahoo.com (web30315.mail.mud.yahoo.com [68.142.201.233]) by mx1.FreeBSD.org (Postfix) with SMTP id ACBDE43D53 for ; Fri, 27 Jan 2006 01:28:17 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 56928 invoked by uid 60001); 27 Jan 2006 01:28:17 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=V6Cde2gtU+faabiO3/CW5srMPRzVirfY6aKG8uR4uNfFIHCjQQBfoo32bxaHn79luCKPpoIvf1i6EcpvNbfuIGiaON8tO1tdTQfGUxRNL1dRvQpZs8stxL1ReW+I/0NahnxUP+Zzn+B916aHFPnVE4VyKxRBud1SL8qu96lVRvk= ; Message-ID: <20060127012817.56926.qmail@web30315.mail.mud.yahoo.com> Received: from [213.54.68.25] by web30315.mail.mud.yahoo.com via HTTP; Thu, 26 Jan 2006 17:28:17 PST Date: Thu, 26 Jan 2006 17:28:17 -0800 (PST) From: Arne Woerner To: gahn , freebsd security , freebsd general questions In-Reply-To: <20060127002943.78046.qmail@web52103.mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: Subject: Re: strange problem with ipfw and rc.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jan 2006 01:28:18 -0000 --- gahn wrote: > Thanks for the comments. > > My real problem is thta the rc.conf just won load the > rulesets when the system reboots. 
I have to do this > every time the system reboots: "sh /etc/ipfw.rules" > Could you just try firewall_enable=YES in your /etc/rc.conf please? Remember: The kernel options do not change /etc/default/rc.conf... -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 02:15:17 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F81F16A420 for ; Fri, 27 Jan 2006 02:15:17 +0000 (GMT) (envelope-from ipfreak@yahoo.com) Received: from web52105.mail.yahoo.com (web52105.mail.yahoo.com [206.190.48.108]) by mx1.FreeBSD.org (Postfix) with SMTP id 6372F43D45 for ; Fri, 27 Jan 2006 02:15:16 +0000 (GMT) (envelope-from ipfreak@yahoo.com) Received: (qmail 16466 invoked by uid 60001); 27 Jan 2006 02:15:15 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=CUcXpX3IidR2nLiFu1pmUjlhGoLZvfyGVPakSxFkkJY4v0oZRQLEw12+o0A7o42ArkFbZ1jPVJ5VJJiVqRlH02UCp6DASPhCBLvAQc85njGkfX9Mlrmhhs2HxfHSYpkNQgdMKM4UCVUDNYOrEAVjxT+t23W8wfF0ZT1WBiR1cvk= ; Message-ID: <20060127021515.16464.qmail@web52105.mail.yahoo.com> Received: from [200.38.156.194] by web52105.mail.yahoo.com via HTTP; Thu, 26 Jan 2006 18:15:15 PST Date: Thu, 26 Jan 2006 18:15:15 -0800 (PST) From: gahn To: Arne Woerner , freebsd general questions , freebsd security In-Reply-To: <20060127012817.56926.qmail@web30315.mail.mud.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: Subject: Re: strange problem with ipfw and rc.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues 
\[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jan 2006 02:15:17 -0000 arne: Thanks. I did and it worked. You are right; the kernel options don't change the fact that the statement of "firewall_enable" must be in the rc.conf. Best --- Arne Woerner wrote: > --- gahn wrote: > > Thanks for the comments. > > > > My real problem is thta the rc.conf just won load > the > > rulesets when the system reboots. I have to do > this > > every time the system reboots: "sh > /etc/ipfw.rules" > > > Could you just try > firewall_enable=YES > in your > /etc/rc.conf > please? > > Remember: The kernel options do not change > /etc/default/rc.conf... > > -Arne > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam > protection around > http://mail.yahoo.com > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 02:22:25 2006
Message-ID: <43D9837E.8010900@navalradio.cl>
Date: Fri, 27 Jan 2006 13:20:46 +1100
From: Mikhail Goriachev
Organization: Naval Radio
To: gahn
Cc: freebsd security, freebsd general questions
In-Reply-To: <20060126233439.62351.qmail@web52101.mail.yahoo.com>
Subject: Re: strange problem with ipfw and rc.conf

gahn wrote:
> Hi all:
>
> I have a strange problem with rc.conf. I set up ipfw
> (compiled into kernel) on freebsd-5.4 and it doesn't
> seem to load ipfw rulesets (it uses default ruleset
> 65335 locking out everything). I have to do "sh
> /etc/ipfw.rules" in order to load the rulesets, once I
> did that, I can access the box from remote locations
>
> [...]
> ipfilter_rules="/etc/ipf.rules"

Hi,

Your rc.conf looks for ipf.rules instead of ipfw.rules files. Adding the missing "w" may solve your problem.

Mikhail.

--
Mikhail Goriachev
Systems Administrator
Naval Radio
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@navalradio.cl
Web: http://www.navalradio.cl
PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B

From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 13:21:50 2006
Message-Id: <1138375305.830.30.camel@localhost>
Date: Fri, 27 Jan 2006 15:21:44 +0000
From: "Zhecho E. Zhechev"
To: ipfreak@yahoo.com
Cc: freebsd-security@freebsd.org
Subject: Re: strange problem with ipfw and rc.conf

Hi ipfreak,

Meditate on this :)

1. ..... Why securelevel = 2, and what does it do?
kern_securelevel="2"
kern_securelevel_enable="YES"

2. ...... Does the ipfw.rules have a "simple" section?
...... Does firewall_enable="YES" figure in the rc.conf file?
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"

3. If you wish to work with firewall (ipfw), why is ipfilter on?
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

If you answer these questions yourself, you will find the real solution!

Sorry for my terrible English.

Regards!

From owner-freebsd-security@FreeBSD.ORG Fri Jan 27 13:54:36 2006
Message-Id: <1138377272.830.32.camel@localhost>
Date: Fri, 27 Jan 2006 15:54:32 +0000
From: zhechev
To: ipfreak@yahoo.com
Cc: freebsd-security@freebsd.org
Subject: Re: strange problem with ipfw and rc.conf

Hi ipfreak,

Meditate on this :)

1. ..... Why securelevel = 2, and what does it do?
kern_securelevel="2"
kern_securelevel_enable="YES"

2. ...... Does the ipfw.rules have a "simple" section?
...... Does firewall_enable="YES" figure in the rc.conf file?
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"

3. If you wish to work with firewall (ipfw), why is ipfilter on?
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

If you answer these questions yourself, you will find the real solution!

Sorry for my terrible English.

Regards!
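An added example, not from any poster in this thread: a small POSIX sh lint that checks an rc.conf fragment for the settings the replies above turn on (a missing firewall_enable, firewall_type next to a custom firewall_script, ipfilter enabled alongside ipfw, and the securelevel). The two rc.conf fragments are constructed here to mirror the thread; nothing touches the live /etc/rc.conf.

```shell
#!/bin/sh
# Added example (not from the thread): lint the ipfw-related rc.conf
# settings discussed above.  The rc.conf fragments below are constructed
# to mirror the thread; nothing here reads or writes the live /etc/rc.conf.

# rc_get FILE VAR: print VAR's value as rc.conf would set it
# (last assignment wins, surrounding double quotes stripped, unset -> empty).
rc_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_rcconf FILE: print one line per problem, return the problem count.
check_rcconf() {
    rcfile=$1
    problems=0
    fw_enable=$(rc_get "$rcfile" firewall_enable)
    fw_script=$(rc_get "$rcfile" firewall_script)
    fw_type=$(rc_get "$rcfile" firewall_type)
    ipf_enable=$(rc_get "$rcfile" ipfilter_enable)
    seclevel=$(rc_get "$rcfile" kern_securelevel)

    # The fix Arne gave: compiling IPFIREWALL into the kernel does not set
    # firewall_enable, and without it rc.d/ipfw never loads any rules, so
    # the kernel's built-in default rule (deny ip from any to any) stays.
    if [ "$fw_enable" != "YES" ]; then
        echo "firewall_enable is not YES: rules are never loaded at boot, ipfw stays deny-all"
        problems=$((problems + 1))
    fi
    # firewall_type is only interpreted by /etc/rc.firewall; a custom
    # firewall_script is sourced instead of that file, so firewall_type is dead.
    if [ -n "$fw_script" ] && [ "$fw_script" != "/etc/rc.firewall" ] && [ -n "$fw_type" ]; then
        echo "firewall_type=\"$fw_type\" is ignored: firewall_script=\"$fw_script\" replaces /etc/rc.firewall"
        problems=$((problems + 1))
    fi
    # ipfilter_* keys configure ipf(8), a second packet filter; enabling it
    # next to ipfw means two independent rule sets decide what gets through.
    if [ "$ipf_enable" = "YES" ]; then
        echo "ipfilter_enable=YES alongside ipfw: ipfilter_rules is an ipf(8) rule file, not an ipfw one"
        problems=$((problems + 1))
    fi
    # Informational, not counted: from securelevel 1 upward no kernel module
    # can be loaded, so ipfw has to be compiled in (as it was in the thread).
    if [ -n "$seclevel" ] && [ "$seclevel" -ge 1 ]; then
        echo "note: kern_securelevel=$seclevel, ipfw must be compiled into the kernel"
    fi
    return $problems
}

TMPD=$(mktemp -d)
BROKEN=$TMPD/rc.conf.broken   # constructed: the rc.conf the thread starts from
FIXED=$TMPD/rc.conf.fixed     # constructed: the corrected fragment
cat > "$BROKEN" <<'EOF'
kern_securelevel="2"
kern_securelevel_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
EOF
cat > "$FIXED" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_quiet="YES"
EOF

echo "== broken =="; check_rcconf "$BROKEN"; echo "problems: $?"
echo "== fixed ==";  check_rcconf "$FIXED";  echo "problems: $?"
```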
From owner-freebsd-security@FreeBSD.ORG Sat Jan 28 18:40:22 2006
Date: Sat, 28 Jan 2006 19:34:49 +0100 (CET)
From: Christian Baer
Organization: Convenimus Projekt
To: freebsd-security@freebsd.org
Subject: Should I use gbde or geli?

Hello out there, everybody!

I was actually expecting to find several (hundred) threads with this subject being discussed. To my surprise I didn't find a single one either on these mailing lists or in the newsgroups - at least not in a language I understand. :-)

I realize that gbde and geli are not designed to be better than the other but that both fit different needs and different tastes. Although I am studying computer science myself, I haven't really gotten to this kind of stuff yet, so simply listing the differences doesn't help too much.

For a friend of mine I am thinking up a fileserver for his own little company that contains *very* sensitive information (mainly stuff that is still in development or on the way to a patent or something like that). Attempts have been made to get at this data the "hard way". The only thing that hasn't happened so far is someone coming into the office with a gun and saying "Stick 'em up!". :-)

The main idea is to make the information absolutely useless if the computer itself is somehow stolen. For this reason I have thought up a few criteria (in no particular order):

1. The file system (or rather the encryption) itself must be as secure as possible. gbde uses 128-bit AES with a different key for every sector, geli uses up to 256-bit AES with the same key all the time. geli also supports Blowfish. Which one of these approaches is more secure? geli is newer but that doesn't say much for itself.

2. Since swap and temp space can also contain sensitive information it seems reasonable to encrypt these. geli seems to do fine on this task, while I have read of problems doing this with gbde. Is this still true?

3. geli supports crypto(9) which is great. However, I did read that PHK had a version of gbde that also supported crypto(9) but didn't finish it because the performance didn't improve all that much. This message is now about 6 months old. Has any work been done on this since then? All this in mind, performance is not really of prime importance though.

4. In one of the presentations on gbde, PHK spoke about gbde being able to install a new pass-phrase without having to re-encode all the information on the drives[1]. Is this also true for geli?

5. The ideal protection would be to keep the server running[2] and have it connected to the alarm system, so when the alarm is tripped, the server destroys its master keys and renders the information useless. In case this happens by mistake (false alarm) or the burglar leaves the computer alone for some reason, restoring this information would be very useful. I know this can be done with geli. Does gbde support something like this?

A further issue here is the destruction of the keys. AFAIK gbde wants the pass-phrase for this. This poses a problem since the alarm system doesn't have the pass-phrase and no one should be dumb enough to keep the pass-phrase on the server itself so this can work. But even if done manually, entering the pass-phrase could be a problem since a good pass-phrase tends to be long and consists of two parts. Basically speaking, there probably won't be enough time to stick in the USB stick (something you have) and add the memorized part (something you know) if you have to nuke your files in a hurry. Is there a way around this with gbde?

After considering this, am I better off with gbde or geli? Have I missed anything in my little list?

Thanks and regards!
Chris

[1] A useful feature if the USB stick containing part of the pass-phrase were stolen.
[2] Which happens all the time anyway since often long calculations run overnight.