From owner-freebsd-security Sun Sep 20 05:02:26 1998
From: "N. N.M" <madrapour@hotmail.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: A question probably relevant to IPFW
Date: Sun, 20 Sep 1998 05:00:52 PDT
Message-ID: <19980920120052.4652.qmail@hotmail.com>

Hi

>I do have ipfw active on the machine with packet filtering but
>just a default let-anything-through filter.
>
>I didn't get any log entries like this, I've even been logged
>in just before the machine's rebooted before and there was no-one
>else logged in, no strange netstat -i entries..
>
>What was in your cron that starts up at this time? /etc/daily?
>
>home# time /etc/daily
>
>real    1m25.888s
>user    0m2.159s
>sys     0m12.067s
>
>This machine's only a P75 and yet it still manages to finish
>/etc/daily in 1 minute 25 seconds. Was it 02:05 exactly?
>
>Mine's not rebooted in 6 days btw..
>
>Regards,
>
>Jay Tribick

The exact lines in /var/cron/log are as follows (these lines are repeated in the /var/cron/log file whenever the automatic rebooting occurs):

Sep 18 02:00:00 MACHINE-NAME CRON [21019]: (root) CMD ( /etc/daily 2> &1 | sendmail root)
Sep 18 02:00:00 MACHINE-NAME CRON [21020]: (root) CMD (/usr/sbin/newsyslog)
Sep 18 02:00:00 MACHINE-NAME CRON [21021]: (root) CMD (/usr/libexec/atrun)
Sep 18 02:05:32 MACHINE-NAME cron [8949]: (CRON) STARTUP (fork ok)

It seems whenever this combination of the commands occurs, it reboots. I mean a combination of: sendmail root, newsyslog and atrun; it reboots. I've commented out the daily, weekly and monthly in the "crontab" file to see if the problem will be fixed or not.

Regards,
Nazila M.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 20 05:39:53 1998
From: "N. N.M" <madrapour@hotmail.com>
To: freebsd-security@FreeBSD.ORG
Subject: Show & LIST commands in IPFW
Date: Sun, 20 Sep 1998 05:39:18 PDT
Message-ID: <19980920123918.479.qmail@hotmail.com>

Hi,

I use IPFW with around 9000 rules.
These 9000 rules are active in the system's databases, but I can't browse them by using the SHOW or LIST commands. Using these commands causes the following message and then auto-rebooting of the system:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc
fault code              = supervisor fault, page not present
instruction pointer     = 0x8:0xf01540dc
stack pointer           = 0x10:0xefbffebc
frame pointer           = 0x10:0xefbffed4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gra 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 9059 (ipfw)
interrupt mask          =
panic: page fault

Syncing disks ..... 13 13 10 4 done
Automatic reboot ........

Does anyone have any idea about the probable cause?

Regards,
Nazila M.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Sun Sep 20 06:22:14 1998
From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: Show & LIST commands in IPFW
To: madrapour@hotmail.com (N. N.M)
Date: Sun, 20 Sep 1998 23:21:29 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <199809201322.GAA22833@hub.freebsd.org>
In-Reply-To: <19980920123918.479.qmail@hotmail.com> from "N.
N.M" at Sep 20, 98 05:39:18 am

In some mail from N. N.M, sie said:
>
> Hi,
>
> I use IPFW with around 9000 rules. These 9000 rules are active in
> system's databases, but I can't browse them by using the SHOW or LIST
> commands. Using these commands causes the following message and then
> auto-rebooting of system:
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xc
> fault code              = supervisor fault, page not present
> instruction pointer     = 0x8:0xf01540dc
> stack pointer           = 0x10:0xefbffebc
> frame pointer           = 0x10:0xefbffed4
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gra 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 9059 (ipfw)
> interrupt mask          =
> panic: page fault
>
> Syncing disks ..... 13 13 10 4 done
> Automatic reboot ........
>
>
> Does anyone have any idea about the probable cause?

Just for experimentation, write a script to add them one at a time and after each one is added save them all to a file (different file for each output) and run sync after that. How many rules does it safely insert?
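Darren's experiment written out as a script. This is an added example, not code from the thread; it assumes a rules file holding one rule body per line (the text that follows "ipfw add N"), takes the firewall command from IPFW_CMD so a stub can be substituted for a dry run, and writes each step's listing under RULE_DIR.

```shell
#!/bin/sh
# Added example (not from the thread). Rules are added one at a time; after
# each add the whole ruleset is listed into its own file and sync is called,
# so the last complete listing that survives a panic and reboot tells you
# the highest rule count that still listed safely.
#
# Assumed names (not from the thread): IPFW_CMD is the firewall command
# (default ipfw), RULE_DIR is where per-step listings are written.

IPFW_CMD="${IPFW_CMD:-ipfw}"
RULE_DIR="${RULE_DIR:-/var/tmp/ipfw-bisect}"

# add_rules_incrementally RULEFILE [MAX]
# Adds rules from RULEFILE one by one, stopping after MAX; prints the count added.
add_rules_incrementally() {
    rulefile=$1
    max=${2:-9000}
    n=0
    mkdir -p "$RULE_DIR" || return 1
    while IFS= read -r body || [ -n "$body" ]; do
        # Skip blank lines and comments in the rules file.
        case $body in ''|'#'*) continue ;; esac
        if [ "$n" -ge "$max" ]; then
            break
        fi
        n=$((n + 1))
        # Rule number = step number, so a saved listing maps back to the step
        # that produced it. $body is deliberately unquoted: its words are the
        # separate arguments of the rule.
        if ! $IPFW_CMD add "$n" $body >/dev/null; then
            echo "add failed at rule $n" >&2
            return 1
        fi
        # One file per step. If listing panics the box, this file is missing
        # or empty and the previous one is intact.
        $IPFW_CMD list > "$RULE_DIR/rules.$n" 2>&1
        sync
    done < "$rulefile"
    echo "$n"
}

# last_safe_count: after the reboot, the highest N whose listing file is
# non-empty, i.e. the last rule count for which the listing completed.
last_safe_count() {
    best=0
    for f in "$RULE_DIR"/rules.*; do
        [ -s "$f" ] || continue          # missing or empty: not a complete listing
        n=${f##*/rules.}
        case $n in *[!0-9]*) continue ;; esac
        [ "$n" -gt "$best" ] && best=$n
    done
    echo "$best"
}
```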
From owner-freebsd-security Sun Sep 20 06:50:59 1998
Date: Mon, 21 Sep 1998 01:50:19 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
Reply-To: andrew@squiz.co.nz
To: "N. N.M" <madrapour@hotmail.com>
cc: security@FreeBSD.ORG
Subject: Re: Show & LIST commands in IPFW
In-Reply-To: <19980920123918.479.qmail@hotmail.com>

On Sun, 20 Sep 1998, N. N.M wrote:

> I use IPFW with around 9000 rules. These 9000 rules are active in
> system's databases, but I can't browse them by using the SHOW or LIST
> commands. Using these commands causes the following message and then
> auto-rebooting of system:

Probably this should be a moot point. Probably you should rewrite your ruleset to use fewer rules. If you can describe in general terms what you're trying to do with this ruleset, then you're halfway to generalising the rules. Using skipto and a bit of thought about the similarities between the different rules you use, you should be able to knock it right down. You'll probably get a performance win as well as recovering your list/show functionality.
The 'list' routine in ipfw.c defines struct ip_fw rules[1024]; I haven't read in depth, so there may be gotchas, but it looks like it's probably an easy fix.

Andrew McNaughton

From owner-freebsd-security Sun Sep 20 12:24:15 1998
Date: Sun, 20 Sep 1998 12:23:41 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: freebsd-security@FreeBSD.ORG
cc: john
Subject: Re: Are we vulnerable to "stealth" port scans?
In-Reply-To: <8631.906017885@critter.freebsd.dk>

On Thu, 17 Sep 1998, Poul-Henning Kamp wrote:

>
>patches ?
>
>In message , "Jan B. Koum " writes:
>>
>> I wouldn't use the word "vulnerable", but yes, most TCP stacks
>>will in one way or another respond to stealth scans. On my system I modified
>>kernel to log via net.inet.tcp.log_in_vain sysctl variable not only SYN
>>packets but all other packets.
>>If someone were to do this stealth scan
>>on you, you could still notice:
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>RST<6>
>>
>>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>>199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>
>>
>> Also, one can set up something like NFR to watch for port scans on
>>the network.
>>
>>-- Yan
>>

Had to modify the hack.. Here is what the log looks like now:

Connection attempt to TCP 199.51.61.23:138 from 0.255.0.255:31337 flags=0xc
onnection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0x32
Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0xa
Connection attempt to TCP 199.51.61.23:138 from 255.255.255.255:0 flags=0x3f

And here is diff -p against -CURRENT of a few days ago:

twentythree# diff -p tcp_input.c.orig tcp_input.c
*** tcp_input.c.orig	Sat Sep 19 23:13:02 1998
--- tcp_input.c	Sat Sep 19 23:16:17 1998
*************** findpcb:
*** 388,401 ****
  	 * but should either do a listen or a connect soon.
  	 */
  	if (inp == NULL) {
! 		if (log_in_vain && tiflags & TH_SYN) {
  			char buf[4*sizeof "123"];

  			strcpy(buf, inet_ntoa(ti->ti_dst));
  			log(LOG_INFO,
! 			    "Connection attempt to TCP %s:%d from %s:%d\n",
  			    buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
  			    ntohs(ti->ti_sport));
  		}
  		goto dropwithreset;
  	}
--- 388,417 ----
  	 * but should either do a listen or a connect soon.
  	 */
  	if (inp == NULL) {
! 		if (log_in_vain && tiflags & (TH_FLAGS)) {
  			char buf[4*sizeof "123"];

  			strcpy(buf, inet_ntoa(ti->ti_dst));
  			log(LOG_INFO,
!
"Connection attempt to TCP %s:%d from %s:%d ", buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src), ntohs(ti->ti_sport)); + + /* + * Code below added by Jan Koum to log flags + * of tcp packets via net.inet.tcp.log_in_vain - "man sysctl" + */ + + printf("flags=0x%b\n", ti->ti_flags, + "\020" + "\001FIN" + "\002SYN" + "\003RST" + "\004PUSH" + "\005ACK" + "\006URG" + ); + } goto dropwithreset; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 20 14:29:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10974 for freebsd-security-outgoing; Sun, 20 Sep 1998 14:29:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10959 for ; Sun, 20 Sep 1998 14:29:27 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id PAA11447; Sun, 20 Sep 1998 15:28:57 -0600 (MDT) Message-Id: <199809202128.PAA11447@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.63 (Beta) Date: Sun, 20 Sep 1998 14:43:33 -0600 To: security@FreeBSD.ORG From: Brett Glass Subject: Bogus hits on our Web server Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org We've gotten several spates of Web log entries like the following: 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 - 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 - 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 - and 38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 - 38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 - 38.11.110.182 root - 
[20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -

Is this a mass attack by a bunch of "skript kiddies?" What's going on?

--Brett

From owner-freebsd-security Sun Sep 20 15:31:22 1998
Date: Sun, 20 Sep 1998 15:31:26 -0700 (PDT)
From: Dan Busarow <dan@dpcsys.com>
To: Brett Glass <brett@lariat.org>
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>

On Sun, 20 Sep 1998, Brett Glass wrote:
> 38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
>
> Is this a mass attack by a bunch of "skript kiddies?" What's going on?

Yep. Add the directives suggested in access.conf to send them to a "you're busted" page.
Dan
--
Dan Busarow                                          949 443 4172
Dana Point Communications, a California corporation  dan@dpcsys.com
Dana Point, California       83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

From owner-freebsd-security Sun Sep 20 15:41:15 1998
Date: Sun, 20 Sep 1998 15:39:05 -0700 (PDT)
From: Marc Slemko <marcs@go2net.com>
To: Brett Glass <brett@lariat.org>
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>

On Sun, 20 Sep 1998, Brett Glass wrote:

> We've gotten several spates of Web log entries like the following:
>
> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
>
> and
>
> 38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
>
> Is this a mass attack by a bunch of "skript kiddies?" What's going on?

Yup, that is what it looks like.
They appear to be basing their probing on servers listed as DNS servers for various domains. If you look at your logs, you will probably find ftp, telnet, imap, and pop connections as well. imap and pop are probably looking for obvious holes, telnet I guess just to try to find the OS, finger to look for activity or accounts to crack.

We have seen a dozen or so sites pulling this in the past week, most of ours appear to be boxes that have been broken into. Don't know if it is one group or some stupid lame-assed script that a bunch of morons are trying.

From owner-freebsd-security Sun Sep 20 15:57:05 1998
Message-Id: <199809202308.SAA00900@cs1.cityscope.net>
From: "Bahwi Malistyr" <bahwi@technologist.com>
Organization: http://www.cityscope.net/~bahwi/home.html
To: Brett Glass <brett@lariat.org>
Date: Sun, 20 Sep 1998 17:55:56 -0500
Subject: Re: Bogus hits on our Web server
Reply-to: bahwi@technologist.com
CC: security@FreeBSD.ORG
In-reply-to: <199809202128.PAA11447@lariat.lariat.org>

> Is this a mass attack by a bunch of "skript kiddies?" What's going on?
I wouldn't say a mass attack unless there are a lot more people than you let on, but script kiddies is the right word. The phf file is an exploit from way back if I recall correctly, at least a few years ago. I haven't seen anything with the test-cgi but yes, they are script kiddies after root on your machine; report it to the root of their ISP or the root of their machines -1 on the traceroute if it becomes too much of a problem, and if you think it is necessary. If this didn't help that much, sorry; if it did, good; if you still have questions, go ahead and ask.

-bahwi
http://www.cityscope.net/~bahwi/home.html
bahwi@technologist.com
bahwi@yahoo.com
UIN: 3329836

From owner-freebsd-security Sun Sep 20 16:10:57 1998
Message-Id: <199809202309.TAA05189@eyelab.psy.msu.edu>
Date: Sun, 20 Sep 1998 19:09:19 -0400
To: Brett Glass <brett@lariat.org>
From: Gary Schrock <root@eyelab.msu.edu>
Subject: Re: Bogus hits on our Web server
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>

At 02:43 PM 9/20/98
-0600, you wrote:
>We've gotten several spates of Web log entries like the following:
>
>62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -

People running scripts. The phf one is an old old hole in one of the cgi programs that was included in apache (or maybe just ncsa?). It was removed a couple years ago or so, but people still scan for it. I get several of them every month.

Gary Schrock
root@eyelab.msu.edu

From owner-freebsd-security Sun Sep 20 16:16:49 1998
Date: Sun, 20 Sep 1998 16:16:14 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: Brett Glass <brett@lariat.org>
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>

Yup, looks like it. There are MANY scripts out there for script kiddiez which would check for possible bad CGIs on your web server.

-- Yan

I don't have the password ....
                                   + Jan Koum
But the path is chainlinked ..     | Spelled Jan, pronounced Yan. There.
So if you've got the time ....     | Web: http://www.best.com/~jkb
Set the tone to sync .........     + OS: http://www.FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:

>We've gotten several spates of Web log entries like the following:
>
>62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
>
>and
>
>38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
>38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -
>38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
>
>Is this a mass attack by a bunch of "skript kiddies?" What's going on?
>
>--Brett

From owner-freebsd-security Sun Sep 20 16:53:02 1998
Date: Sun, 20 Sep 1998 18:51:28 -0500 (CDT)
From: Frank Tobin <ftobin@bigfoot.com>
To: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
...

This definitely looks like a search for holes on your website. If you'll notice by the apache access.conf file:

...
There have been reports of people trying to abuse an old bug from pre-1.1
days. This bug involved a CGI script distributed as a part of Apache.
By uncommenting these lines you can redirect these attacks to a logging
script on phf.apache.org. Or, you can record them yourself, using the script
support/phf_abuse_log.cgi.

deny from all
ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
...

The test-cgi and other 404 requests are obviously looking for some type of hole, also. This could be being done by SATAN (I don't know if it checks for http holes), or some other blatant exploit. You should check to see if there have been other tcp-related attacks, by checking your logfiles for where tcp-wrappers has recorded connection attempts from (and if you don't have tcp-wrappers installed, I'd HIGHLY recommend looking into it).

- --
Frank Tobin                       "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin     valued, those truths which cannot be shaken or changed."
                                   Myst: The Book of Atrus
FreeBSD: The Power To Serve
PGP DH/DSS key ID: 0xF40EB65E
fingerprint: 1502 6E84 8C08 E828 7945 3F4A 02F8 503A F40E B65E

From owner-freebsd-security Sun Sep 20 17:12:11 1998
Message-Id: <199809210010.SAA12487@lariat.lariat.org>
Date: Sun, 20 Sep 1998 18:07:24 -0600
To: "Jan B. Koum" <jkb@best.com>
From: Brett Glass <brett@lariat.org>
Subject: Re: Bogus hits on our Web server
Cc: security@FreeBSD.ORG
References: <199809202128.PAA11447@lariat.lariat.org>

By the way, just got a few more. What's this "formmail.pl" they're testing for?
--Brett

From owner-freebsd-security Sun Sep 20 17:38:45 1998
Date: Sun, 20 Sep 1998 20:35:06 -0400 (EDT)
From: Scott Wilson <sevn@336.net>
To: Brett Glass <brett@lariat.org>
cc: "Jan B. Koum" <jkb@best.com>, security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809210010.SAA12487@lariat.lariat.org>

I've seen this at work. formmail is a perl cgi script that was written by Matt Wright. He has a site called Matt's Script Archive. From what I understand, there is a bulk email program out there that takes advantage of a deficiency in the code to send mass amounts of UCE. I wish I had more information.

Scott

Fine day to work off excess energy. Steal something heavy.

On Sun, 20 Sep 1998, Brett Glass wrote:

> By the way, just got a few more. What's this "formmail.pl" they're
> testing for?
>
> --Brett

From owner-freebsd-security Sun Sep 20 17:40:31 1998
Date: Sun, 20 Sep 1998 17:40:00 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: Brett Glass <brett@lariat.org>
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809210010.SAA12487@lariat.lariat.org>

I bet another CGI with a bug in it. On Bugtraq there is a reference to FormMail:

http://geek-girl.com/bugtraq/1995_3/0086.html

not sure if this is the same one they are looking for. If you don't have any CGIs you can let them scan all they want...

-- Yan

I don't have the password ....     + Jan Koum
But the path is chainlinked ..     | Spelled Jan, pronounced Yan. There.
So if you've got the time ....     | Web: http://www.best.com/~jkb
Set the tone to sync .........     + OS: http://www.FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:

>By the way, just got a few more. What's this "formmail.pl" they're
>testing for?
> >--Brett > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 20 18:01:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA18497 for freebsd-security-outgoing; Sun, 20 Sep 1998 18:01:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from bofh.laosb.org (classifieds.laosb.org [206.170.208.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA18475 for ; Sun, 20 Sep 1998 18:00:59 -0700 (PDT) (envelope-from jon@bofh.laosb.org) Received: from localhost (jon@localhost) by bofh.laosb.org (8.8.8/8.8.8) with SMTP id SAA02953; Sun, 20 Sep 1998 18:02:55 -0700 Date: Sun, 20 Sep 1998 18:02:55 -0700 (PDT) From: Jon White To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: Bogus hits on our Web server In-Reply-To: <199809210010.SAA12487@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Another old, poorly written cgi, geek-girl.com/bugtraq has details. On Sun, 20 Sep 1998, Brett Glass wrote: > By the way, just got a few more. What's this "formmail.pl" they're > testing for? 
> > --Brett

From owner-freebsd-security Sun Sep 20 19:07:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA29770 for freebsd-security-outgoing; Sun, 20 Sep 1998 19:07:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.10]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA29765 for ; Sun, 20 Sep 1998 19:07:28 -0700 (PDT) (envelope-from freebsd-security@manila.workcover.qld.gov.au) Received: by inet03.citec.qld.gov.au; id MAA20226; Mon, 21 Sep 1998 12:07:00 +1000 Received: from CCII.workcover.qld.gov.au(h084202.workcover.qld.gov.au 131.242.84.202) by inet03.citec.qld.gov.au via smap (V2.0) id xma019443; Mon, 21 Sep 98 12:06:11 +1000 Received: from bne16unx215.workcover.qld.gov.au (CCI.workcover.qld.gov.au [131.242.84.201]) by CCII.workcover.qld.gov.au (8.8.5/8.8.5) with ESMTP id MAA20760 for ; Mon, 21 Sep 1998 12:09:51 +1000 (EST) Received: (from freebsd-security@localhost) by bne16unx215.workcover.qld.gov.au (8.8.5/8.8.5) id CAA23962 for freebsd-security@FreeBSD.ORG; Mon, 21 Sep 1998 02:09:24 GMT Date: Mon, 21 Sep 1998 02:09:24 GMT Message-Id: <199809210209.CAA23962@bne16unx215.workcover.qld.gov.au> From: freebsd-security@workcover.qld.gov.au To: freebsd-security@FreeBSD.ORG Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

auth a2d00eb8 subscribe freebsd-security freebsd-security@workcover.qld.gov.au

From owner-freebsd-security Sun Sep 20 21:56:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA26458 for freebsd-security-outgoing; Sun, 20 Sep 1998 21:56:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA26451 for ; Sun, 20 Sep 1998 21:56:08 -0700 (PDT) (envelope-from ejs@bfd.com) Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.9.1/8.9.1) with SMTP id VAA03192; Sun, 20 Sep 1998 21:55:38 -0700 (PDT) (envelope-from ejs@bfd.com) Date: Sun, 20 Sep 1998 21:55:38 -0700 (PDT) From: "Eric J. Schwertfeger" To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: Bogus hits on our Web server In-Reply-To: <199809202128.PAA11447@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:
> We've gotten several spates of Web log entries like the following:
>
> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -

I've got our web server emailing me every time a 404 pops up on the assumption that our site, or one of the sites we host, has a broken link. The blind stab at /cgi-bin/phf has been happening for a very long time, though it has suddenly become more popular. The other two I hadn't seen much of until recently.

I definitely suspect script-kiddies, enough that I want to set those to pop up a page saying "Just what do you expect to find here?" Or at least dump all the parameters. Hmmmm.....
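Eric's idea of catching these probes can be automated from the access log instead of mailing every 404. The following is an added example, not code from anyone in this thread or from Apache: it parses Common Log Format lines, looks for requests for the script names mentioned in the thread (phf, test-cgi, handler, formmail.pl), and flags any client that asks for two or more different ones within a minute, which separates a scanner from a single stale link. The sample log is constructed; its first three lines copy the entries Brett quoted, the other addresses and requests are made up for the example.

```python
"""Flag clients probing for known-bad CGI scripts in Common Log Format access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first three lines are the entries quoted in the
# thread; the remaining lines (10.0.0.7, 192.0.2.9, 198.51.100.4) are made up
# to show benign traffic, a second scanner, and a CGI hit that is not a probe.
SAMPLE_LOG = """\
62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
10.0.0.7 - - [20/Sep/1998:10:44:02 -0600] "GET /index.html HTTP/1.0" 200 1042
10.0.0.7 - - [20/Sep/1998:10:44:03 -0600] "GET /images/logo.gif HTTP/1.0" 200 512
192.0.2.9 - - [20/Sep/1998:11:02:10 -0600] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 -
192.0.2.9 - - [20/Sep/1998:11:02:11 -0600] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 -
192.0.2.9 - - [20/Sep/1998:11:02:12 -0600] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 -
198.51.100.4 - - [20/Sep/1998:11:30:00 -0600] "GET /cgi-bin/counter.cgi HTTP/1.0" 200 88
"""

# Script basenames the thread reports being probed for. Matching is on the
# basename only, query string stripped and case-folded, so /cgi-bin/FormMail.pl
# and /cgi-bin/formmail.pl?recipient=... both count as "formmail.pl".
KNOWN_CGI_PROBES = {"phf", "test-cgi", "handler", "formmail.pl"}

# Common Log Format. The HTTP version inside the request field is optional
# because the entries quoted in the thread do not carry one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def probe_name(target):
    """Return the known-bad script name a request target refers to, else None."""
    path = target.split("?", 1)[0]
    base = path.rsplit("/", 1)[-1].lower()
    return base if base in KNOWN_CGI_PROBES else None


def find_scanners(lines, min_distinct=2, window=timedelta(seconds=60)):
    """Map client IP -> distinct probe names (first-seen order) for clients that
    requested at least `min_distinct` different known-bad scripts within `window`.

    One hit on /cgi-bin/phf may be a stale bookmark; several different probes
    from one address inside a minute is a scanner working through a list.
    """
    hits = defaultdict(list)  # ip -> [(timestamp, probe name), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = probe_name(rec["target"])
        if name:
            hits[rec["ip"]].append((rec["ts"], name))

    scanners = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        # Sliding window over the sorted timestamps: does any span no longer
        # than `window` contain `min_distinct` different probe names?
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({n for _, n in events[start:end + 1]}) >= min_distinct:
                seen = []
                for _, n in events:  # report every distinct name this client tried
                    if n not in seen:
                        seen.append(n)
                scanners[ip] = seen
                break
    return scanners


if __name__ == "__main__":
    for ip, names in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: probed {', '.join(names)}")
```

Run against a real access_log, the same function works on `open(path)` in place of `SAMPLE_LOG.splitlines()`; the window and threshold are the knobs to tune if a site legitimately serves one of those script names.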
From owner-freebsd-security Mon Sep 21 01:18:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA24855 for freebsd-security-outgoing; Mon, 21 Sep 1998 01:18:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA24818 for ; Mon, 21 Sep 1998 01:18:21 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA08547; Mon, 21 Sep 1998 09:17:46 +0100 (BST) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by bofh.fast.net.uk (8.9.1/8.8.8) with SMTP id JAA05998; Mon, 21 Sep 1998 09:17:44 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Mon, 21 Sep 1998 09:17:44 +0100 (BST) From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: "Eric J. Schwertfeger" cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Bogus hits on our Web server In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

| > We've gotten several spates of Web log entries like the following:
| >
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
|
| I've got our web server emailing me every time a 404 pops up on the
| assumption that our site, or one of the sites we host, has a broken link.
| The blind stab at /cgi-bin/phf has been happening for a very long time,
| though it has suddenly become more popular. The other two I hadn't seen
| much of until recently.
|
| I definitely suspect script-kiddies, enough that I want to set those to
| pop up a page saying "Just what do you expect to find here?" Or at least
| dump all the parameters. Hmmmm.....

The phf problem is quite an old exploit - all it does (AFAIR) is dump a list of current environment variables as an HTML page. The exploit was basically that it didn't do any sanity-checking[1] on the variables so a cracker could do, for example:

http://yourowned.com/cgi-bin/test-cgi?ohdear=`cat /etc/passwd`

[1] probably not the right word, but who cares.. it's monday :)

More info is in the httpd.conf file, thus:

# This controls which options the .htaccess files in directories can
# script on phf.apache.org. Or, you can record them yourself, using the
# script support/phf_abuse_log.cgi.
#
#deny from all
#ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#

Regards,

Jay Tribick

--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Mon Sep 21 05:54:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA01098 for freebsd-security-outgoing; Mon, 21 Sep 1998 05:54:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (pppk-05.igrin.co.nz [202.49.245.84]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA01064 for ; Mon, 21 Sep 1998 05:54:08 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id AAA02742; Tue, 22 Sep 1998 00:53:14 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Tue, 22 Sep 1998 00:53:13 +1200 (NZST) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: Brett Glass cc: "Jan B. Koum " , security@FreeBSD.ORG Subject: Re: Bogus hits on our Web server In-Reply-To: <199809210010.SAA12487@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:
> By the way, just got a few more. What's this "formmail.pl" they're
> testing for?

There's a FormMail.pl on Matt's Script Archive, which sends the contents of a CGI form via email but can be subverted using a fudged http request so as to send to any address (referrer check). May not be this exact script they're after, but probably something along those lines.

Probably you have someone looking to cover their tracks when sending mail. Spam or other nastiness.

A CGI mail form should be configured with a list of mail addresses it may send to, and for what it's worth it should create a mail header containing the originating IP of the CGI request.

Andrew McNaughton

From owner-freebsd-security Mon Sep 21 08:25:19 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA27497 for freebsd-security-outgoing; Mon, 21 Sep 1998 08:25:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA27490 for ; Mon, 21 Sep 1998 08:25:15 -0700 (PDT) (envelope-from ark@eltex.ru) From: ark@eltex.ru Received: from eltex.ru (eltex-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id TAA01581; Mon, 21 Sep 1998 19:23:28 +0400 (MSD) Received: from paranoid.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with ESMTP id TAA05765; Mon, 21 Sep 1998 19:23:48 +0400 (MSD) Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id SAA01013; Mon, 21 Sep 1998 18:27:21 +0400 Date: Mon, 21 Sep 1998 18:27:21 +0400 Message-Id: <199809211427.SAA01013@paranoid.eltex.spb.ru> Organization: "Klingon Imperial Intelligence Service" Subject: Re: Are we vulnerable to "stealth" port scans? To: jkb@best.com Cc: freebsd-security@FreeBSD.ORG, john@paranoid.eltex.spb.ru, Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

(darren's patch skipped)
seems to have no effect for "FIN" scans like nmap.c does.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNgZiR6H/mIJW9LeBAQEB/gP/dW+47ZjI3NE2JvbDFApinTnrXElr6/gf
zNRP+wxvhywYQYTNCTBSp07NrbhYjdunXmhfnAyHE2uhjcerTJIciZQr4NlRex75
3OF4ckOcq4v7frEJXpeeRDq/wfduxO+mYRVZ1W2xmC2HqOCQfntZBr7CIGnKbg7u
MN/heERI6s4=
=Rvxq
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Sep 21 09:00:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA03340 for freebsd-security-outgoing; Mon, 21 Sep 1998 09:00:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peloton.physics.montana.edu (peloton.physics.montana.edu [153.90.192.177]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA03188 for ; Mon, 21 Sep 1998 09:00:01 -0700 (PDT) (envelope-from brett@peloton.physics.montana.edu) Received: from localhost (brett@localhost) by peloton.physics.montana.edu (8.8.8/8.8.7) with SMTP id JAA14689; Mon, 21 Sep 1998 09:58:16 -0600 (MDT) (envelope-from brett@peloton.physics.montana.edu) Date: Mon, 21 Sep 1998 09:58:16 -0600 (MDT) From: Brett Taylor To: Brett Glass cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server In-Reply-To: <199809202128.PAA11447@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

On Sun, 20 Sep 1998, Brett Glass wrote:
> We've gotten several spates of Web log entries like the following:
>
> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -

from /usr/local/etc/apache/access.conf-dist:

# There have been reports of people trying to abuse an old bug from
# pre-1.1 days. This bug involved a CGI script distributed as a part of
# Apache. By uncommenting these lines you can redirect these attacks to a
# logging script on phf.apache.org. Or, you can record them yourself,
# using the script support/phf_abuse_log.cgi.
#
#deny from all
#ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#

Basically someone's trying to see if you have some old known-to-be-bad cgi scripts laying around.

Brett

******************************************************************
Brett Taylor brett@peloton.physics.montana.edu
http://peloton.physics.montana.edu/brett/
"There is something uncanny in the noiseless rush of the cyclist, as he comes into view, passes by, and disappears."
- Popular Science, 1891

From owner-freebsd-security Mon Sep 21 11:22:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA28151 for freebsd-security-outgoing; Mon, 21 Sep 1998 11:22:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.gamespot.com (ns2.gamespot.com [206.169.18.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA28146 for ; Mon, 21 Sep 1998 11:22:15 -0700 (PDT) (envelope-from ian@gamespot.com) Received: from localhost (ian@localhost) by mail.gamespot.com (8.9.0/8.9.0) with SMTP id LAA13411 for ; Mon, 21 Sep 1998 11:20:40 -0700 (PDT) Date: Mon, 21 Sep 1998 11:20:39 -0700 (PDT) From: Ian Kallen To: freebsd-security@FreeBSD.ORG Subject: corrupted libwrap? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I maintain a machine on a network that's poorly staffed. On occasion, the hub that it's connected to will get unplugged for a long time, in this case, a day. Meantime, the machine was power cycled. So when the machine is powered back up and the hub is powered up (is that so much to ask?), the system complains about libwrap, like so:

% telnet freebsd.hopeless.net
Trying 192.169.1.55...
Connected to freebsd.hopeless.net.
Escape character is '^]'.
ld.so failed: Can't find shared library "libwrap.so.7.6"
Connection closed by foreign host.

But libwrap.so.7.6 _is_ in /usr/local/lib -- I can remedy it by reinstalling tcp wrappers (or maybe there's some mumbo jumbo that's needed with ld?). It's just annoying and it's happened twice since upgrading 2.2.2 to 2.2.7. Has anybody else seen and fixed this? I have a feeling the people at this facility are going to be incompetent for the foreseeable future, randomly unplugging things and other stupid antics, but I'd like to keep tcpd on without it being susceptible to this.

-Ian

From owner-freebsd-security Mon Sep 21 13:18:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA25521 for freebsd-security-outgoing; Mon, 21 Sep 1998 13:18:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA25476 for ; Mon, 21 Sep 1998 13:18:14 -0700 (PDT) (envelope-from logix@foobar.franken.de) Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id WAA20944; Mon, 21 Sep 1998 22:17:27 +0200 (CEST) Message-ID: <19980921221727.A20938@foobar.franken.de> Date: Mon, 21 Sep 1998 22:17:27 +0200 From: Harold Gutch To: Ian Kallen , freebsd-security@FreeBSD.ORG Subject: Re: corrupted libwrap? References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Ian Kallen on Mon, Sep 21, 1998 at 11:20:39AM -0700 X-Organisation: BatmanSystemDistribution X-Mission: To free the world from the Penguin Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Sep 21, 1998 at 11:20:39AM -0700, Ian Kallen wrote:
> % telnet freebsd.hopeless.net
> Trying 192.169.1.55...
> Connected to freebsd.hopeless.net.
> Escape character is '^]'.

Off topic, but:

$ host freebsd.hopeless.net
Host not found.

If you want to use private IPs, I suspect the 256 class C-networks with IPs ranging from 192.168.0.0 to 192.168.255.255 are what you're looking for (192.169.x.x is NOT in this range).

> ld.so failed: Can't find shared library "libwrap.so.7.6"
> Connection closed by foreign host.
>
> But libwrap.so.7.6 _is_ in /usr/local/lib -- I can remedy it by
> reinstalling tcp wrappers (or maybe there's some mumbo jumbo that's needed
> with ld?). It's just annoying and it's happened twice since upgrading

Make sure that /usr/local/lib is mentioned in your /etc/rc.conf:

ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib" # shared library search paths

--
bye,
logix

Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Mon Sep 21 15:07:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21509 for freebsd-security-outgoing; Mon, 21 Sep 1998 15:07:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA21291 for ; Mon, 21 Sep 1998 15:07:05 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199809212207.PAA21291@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA190465540; Tue, 22 Sep 1998 08:05:41 +1000 From: Darren Reed Subject: Re: Are we vulnerable to "stealth" port scans? To: ark@eltex.ru Date: Tue, 22 Sep 1998 08:05:40 +1000 (EST) Cc: jkb@best.com, freebsd-security@FreeBSD.ORG, john@paranoid.eltex.spb.ru, john@unt.edu In-Reply-To: <199809211427.SAA01013@paranoid.eltex.spb.ru> from "ark@eltex.ru" at Sep 21, 98 06:27:21 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from ark@eltex.ru, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> (darren's patch skipped)
> seems to have no effect for "FIN" scans like nmap.c does.
err, there are/were two patches to apply but if tcp_input() has changed much on FreeBSD, then the second may be incorrect. They were tested on NetBSD-1.3G and produced the desired results.

From owner-freebsd-security Mon Sep 21 15:45:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA01308 for freebsd-security-outgoing; Mon, 21 Sep 1998 15:45:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns2.inch.com (oscar.inch.com [207.240.140.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA01232 for ; Mon, 21 Sep 1998 15:45:16 -0700 (PDT) (envelope-from spork@super-g.com) Received: from super-g.inch.com (super-g.com [207.240.140.161]) by ns2.inch.com (8.8.8/8.8.5) with ESMTP id SAA15469 for ; Mon, 21 Sep 1998 18:44:13 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id SAA04093; Mon, 21 Sep 1998 18:30:19 -0400 (EDT) Date: Mon, 21 Sep 1998 18:30:19 -0400 (EDT) From: spork X-Sender: spork@super-g.inch.com To: Ian Kallen cc: freebsd-security@FreeBSD.ORG Subject: Re: corrupted libwrap? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

That sounds like a little gotcha with the 2.2.2 -> 2.2.7 upgrade. Make sure you merge in all the /etc changes, esp. rc and rc.conf. Someone changed the way ldconfig search paths are set. The old way was that if the various libdirs existed, they were added. The new way requires them to be specified in rc.conf...

You're probably stretching a bit posting this on -security :)

Charles

---
Charles Sprickman
spork@super-g.com
---
"...there's no idea that's so good you can't ruin it with a few well-placed idiots."
On Mon, 21 Sep 1998, Ian Kallen wrote:
>
> I maintain a machine on a network that's poorly staffed. On occasion, the
> hub that it's connected to will get unplugged for a long time, in this
> case, a day. Meantime, the machine was power cycled. So when the machine
> is powered back up and the hub is powered up (is that so much to ask?),
> the system complains about libwrap, like so:
> % telnet freebsd.hopeless.net
> Trying 192.169.1.55...
> Connected to freebsd.hopeless.net.
> Escape character is '^]'.
> ld.so failed: Can't find shared library "libwrap.so.7.6"
> Connection closed by foreign host.
>
> But libwrap.so.7.6 _is_ in /usr/local/lib -- I can remedy it by
> reinstalling tcp wrappers (or maybe there's some mumbo jumbo that's needed
> with ld?). It's just annoying and it's happened twice since upgrading
> 2.2.2 to 2.2.7. Has anybody else seen and fixed this? I have a feeling
> the people at this facility are going to be incompetent for the
> foreseeable future, randomly unplugging things and other stupid antics,
> but I'd like to keep tcpd on without it being susceptible to this.
> -Ian

From owner-freebsd-security Mon Sep 21 16:40:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA14346 for freebsd-security-outgoing; Mon, 21 Sep 1998 16:40:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.gamespot.com (ns2.gamespot.com [206.169.18.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA14118 for ; Mon, 21 Sep 1998 16:39:24 -0700 (PDT) (envelope-from ian@gamespot.com) Received: from localhost (ian@localhost) by mail.gamespot.com (8.9.0/8.9.0) with SMTP id QAA28524; Mon, 21 Sep 1998 16:37:40 -0700 (PDT) Date: Mon, 21 Sep 1998 16:37:40 -0700 (PDT) From: Ian Kallen To: spork cc: freebsd-security@FreeBSD.ORG Subject: Re: corrupted libwrap? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Yeah, that was it. Sorry, I thought something was screwy with the way tcp wrappers built, n'er mind! Specified in rc.conf now, thanks.

-Ian

On Mon, 21 Sep 1998, spork wrote:
:That sounds like a little gotcha with the 2.2.2 -> 2.2.7 upgrade. Make
:sure you merge in all the /etc changes, esp. rc and rc.conf. Someone
:changed the way ldconfig search paths are set. The old way was that if
:the various libdirs existed, they were added. The new way requires them
:to be specified in rc.conf...
:
:You're probably stretching a bit posting this on -security :)

--
Ian Kallen
ICQ: 17073910

From owner-freebsd-security Tue Sep 22 00:26:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA07694 for freebsd-security-outgoing; Tue, 22 Sep 1998 00:26:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from amon.siol.net ([193.189.160.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA07687 for ; Tue, 22 Sep 1998 00:26:47 -0700 (PDT) (envelope-from tomaz.borstnar@over.net) Message-Id: <199809220726.AAA07687@hub.freebsd.org> Received: from hang ([212.30.94.66]) by amon.siol.net (Post.Office MTA v3.5.1 release 219 ID# 620-52342U30000L30000S0V35) with SMTP id net for ; Tue, 22 Sep 1998 09:26:11 +0200 X-Sender: tomaz@haktar.siol.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.63 (Beta) Date: Tue, 22 Sep 1998 09:26:12 +0200 To: freebsd-security@FreeBSD.ORG From: Tomaz Borstnar Subject: performance comparision of ipfilter and ipfw Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello!

Has anyone done testing on the performance of IPFW and IPFilter? From the feature list it looks like IPfilter has a better interface and more features, but what about performance? Also what kind of machine would you suggest for a firewall? As fast as possible CPU, 256MB RAM and plenty of disk?
Tomaz

----
Tomaz Borstnar
"Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Tue Sep 22 00:55:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA12177 for freebsd-security-outgoing; Tue, 22 Sep 1998 00:55:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from orbital.tiora.net (cx31658-a.escnd1.sdca.home.com [24.0.185.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA12171 for ; Tue, 22 Sep 1998 00:55:32 -0700 (PDT) (envelope-from liam@orbital.tiora.net) Received: from localhost (liam@localhost) by orbital.tiora.net (8.9.1a/8.9.1a+rbl+antispam+zol_hack) with SMTP id AAA07239; Tue, 22 Sep 1998 00:37:05 -0700 (PDT) Date: Tue, 22 Sep 1998 00:37:04 -0700 (PDT) From: Liam Slusser To: Tomaz Borstnar cc: freebsd-security@FreeBSD.ORG Subject: Re: performance comparision of ipfilter and ipfw In-Reply-To: <199809220726.AAA07687@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It is a "firewall", not an application server....you don't need that much disk/ram. ;)

liam

System Administrator
Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civics are really cool. <---------- my quote

On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
> Hello!
>
> Has anyone done testing on the performance of IPFW and IPFilter? From the feature list
> it looks like IPfilter has a better interface and more features, but what
> about performance? Also what kind of machine would you suggest for a firewall?
> As fast as possible CPU, 256MB RAM and plenty of disk?
>
> Tomaz
>
> ----
> Tomaz Borstnar
> "Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Tue Sep 22 00:59:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA12875 for freebsd-security-outgoing; Tue, 22 Sep 1998 00:59:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA12868 for ; Tue, 22 Sep 1998 00:59:13 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id AAA07361; Tue, 22 Sep 1998 00:58:36 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Tue, 22 Sep 1998 00:58:36 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: Tomaz Borstnar cc: freebsd-security@FreeBSD.ORG Subject: Re: performance comparision of ipfilter and ipfw In-Reply-To: <199809220726.AAA07687@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I haven't done any benchmarks, but I can try to answer your other questions: make sure to pick a good supported PCI card. At this moment Intel EtherExpress 10/100B comes to mind (fxp0). I am sure a P200 will be enough for a firewall - but it also depends on how much traffic you are pushing through. Having more ram will help - 256 is overkill if the system will ONLY do firewall. Don't really need a lot of disk unless you are going to do a lot of logging (with tools like tcpdump or nfr).

-- Yan

I don't have the password .... 
+ Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
>Hello!
>
> Has anyone done testing on the performance of IPFW and IPFilter? From the feature list
>it looks like IPfilter has a better interface and more features, but what
>about performance? Also what kind of machine would you suggest for a firewall?
>As fast as possible CPU, 256MB RAM and plenty of disk?
>
>Tomaz
>
>----
>Tomaz Borstnar
>"Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Tue Sep 22 02:13:20 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA23241 for freebsd-security-outgoing; Tue, 22 Sep 1998 02:13:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from buddy.sovlink.ru (buddy.sovlink.ru [194.186.12.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA22822 for ; Tue, 22 Sep 1998 02:10:33 -0700 (PDT) (envelope-from alla@sovlink.ru) Received: from sovlink.ru (punk.sovlink.ru [194.186.12.133]) by buddy.sovlink.ru (8.9.1/8.9.1) with ESMTP id NAA13867; Tue, 22 Sep 1998 13:10:03 +0400 (MSD) Message-ID: <360768D0.96FB0D0A@sovlink.ru> Date: Tue, 22 Sep 1998 13:07:28 +0400 From: Alla Bezroutchko X-Mailer: Mozilla 4.5b2 [en] (WinNT; I) X-Accept-Language: ru,en MIME-Version: 1.0 To: Tomaz Borstnar CC: freebsd-security@FreeBSD.ORG Subject: Re: performance comparision of ipfilter and ipfw References: <199809220726.AAA07687@hub.freebsd.org> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Tomaz Borstnar wrote:
> about performance? Also what kind of machine would you suggest for a firewall?
> As fast as possible CPU, 256MB RAM and plenty of disk?

I am running ipfw on a Pentium 100 with 32 Mb of RAM and 1GB SCSI. This box also runs squid, SOCKS and other stuff and acts as a firewall and proxy for a network with about 40 users. Didn't have any trouble with performance. Processor load has never been higher than 5%.

From owner-freebsd-security Tue Sep 22 03:11:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA02904 for freebsd-security-outgoing; Tue, 22 Sep 1998 03:11:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.ga.ru ([195.151.46.104]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA02886 for ; Tue, 22 Sep 1998 03:11:07 -0700 (PDT) (envelope-from dimon@ga.ru) Received: from mailhub.ga.local (mailhub.ga.local [192.168.0.253]) by ns.ga.ru (8.9.1/8.9.1) with ESMTP id OAA03584; Tue, 22 Sep 1998 14:08:09 +0400 (MSD) Received: from localhost (dimon@localhost) by mailhub.ga.local (8.9.1/8.9.1) with SMTP id OAA05994; Tue, 22 Sep 1998 14:09:07 +0400 (MSD) Date: Tue, 22 Sep 1998 14:09:07 +0400 (MSD) From: Dmitry Petrakoff X-Sender: dimon@mailhub.ga.local To: Tomaz Borstnar cc: freebsd-security@FreeBSD.ORG Subject: Re: performance comparision of ipfilter and ipfw In-Reply-To: <360768D0.96FB0D0A@sovlink.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 22 Sep 1998, Alla Bezroutchko wrote:

Tomaz Borstnar wrote:
> about performance? Also what kind of machine would you suggest for a firewall?
> As fast as possible CPU, 256MB RAM and plenty of disk?

Those machines that are "old" for M$Win -).
I am running all software for an I-net gateway (except httpd and ftpd) on a
486dx2-66 with 40M RAM and 512M IDE HDD. This host is serving 120 users.
Uptime now > 1 year. CPU usage < 15%. FreeBSD-2.2-STABLE

Best regards
Dmitry

From owner-freebsd-security Tue Sep 22 06:52:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA05373 for freebsd-security-outgoing; Tue, 22 Sep 1998 06:52:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA05368 for ; Tue, 22 Sep 1998 06:52:07 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199809221352.GAA05368@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA023362252; Tue, 22 Sep 1998 23:50:53 +1000
From: Darren Reed
Subject: Re: performance comparision of ipfilter and ipfw
To: liam@tiora.net (Liam Slusser)
Date: Tue, 22 Sep 1998 23:50:52 +1000 (EST)
Cc: tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Liam Slusser" at Sep 22, 98 00:37:04 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
>
> > Hello!
> >
> > Anyone did testing on performance of IPFW and IPFilter? From feature list
> > it looks like IPfilter has better interface and more features, but what
> > about performance? Also what kind of machine would you suggest for firewall?
> > As fast as possible CPU, 256MB RAM and plenty of disk?
> >
> > Tomaz
> >
> > ----
> > Tomaz Borstnar
> > "Love is the answer to the final question you ask" - Unknown

I missed the original email (presumably posted elsewhere) but I'll respond
re. IP Filter.

In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
With 400 rules, 400 packets took around 11 minutes to be processed 1000
times which comes out at around 4us for 1 packet to be processed by 1 rule.
That is *JUST* for packet filtering, no state stuff, no NAT, no logging.

Quite some time ago I designed IP Filter to provide extensive coverage for
TCP/IP filtering, probably more than most people will need but attempted
to do it in a way that has no doubt increased the `cost' of doing 1 simple
rule but has also brought down the `cost' of doing complex ones.

As others have mentioned, the choice of network card is important - choose
a PCI one which can do bus mastering (well, that's moot really as that
still depends on FreeBSD support :). Somewhere between 32MB and 128MB
of RAM is good - 256MB is just a waste.

Darren

From owner-freebsd-security Tue Sep 22 09:33:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA04764 for freebsd-security-outgoing; Tue, 22 Sep 1998 09:33:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA04751 for ; Tue, 22 Sep 1998 09:33:08 -0700 (PDT) (envelope-from nash@Mercury.mcs.net)
Received: from Mercury.mcs.net (nash@Mercury.mcs.net [192.160.127.80]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id LAA10206; Tue, 22 Sep 1998 11:32:37 -0500 (CDT)
Received: (from nash@localhost) by Mercury.mcs.net (8.8.7/8.8.2) id LAA00511; Tue, 22 Sep 1998 11:32:37 -0500 (CDT)
Message-ID: <19980922113237.A28158@mcs.net>
Date: Tue, 22 Sep 1998 11:32:37 -0500
From: Alex Nash
To: Darren Reed , Liam Slusser
Cc: tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
Mail-Followup-To: Darren Reed , Liam Slusser , tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
References: <199809221352.GAA05368@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199809221352.GAA05368@hub.freebsd.org>; from Darren Reed on Tue, Sep 22, 1998 at 11:50:52PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Sep 22, 1998 at 11:50:52PM +1000, Darren Reed wrote:
> I missed the original email (presumably posted elsewhere) but I'll respond
> re. IP Filter.
>
> In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> With 400 rules, 400 packets took around 11 minutes to be processed 1000
> times which comes out at around 4us for 1 packet to be processed by 1 rule.
> That is *JUST* for packet filtering, no state stuff, no NAT, no logging.

I've measured ipfw's overhead on a 486-66, further details of which can
be found in the FreeBSD FAQ. Here's a brief summary:

Two scenarios with 1000 rules were tested. The first presented a best
case with rules that were quickly determined not to match the packet
being processed. The second used rules which traversed the entire
packet match routine before being rejected. In both cases, the 1000th
rule was the accepting rule.

The findings showed a best case processing time of 1.2us per packet per
rule, and a worst case of 2.7us per packet per rule.
Alex

From owner-freebsd-security Tue Sep 22 13:27:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA21639 for freebsd-security-outgoing; Tue, 22 Sep 1998 13:27:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA21630 for ; Tue, 22 Sep 1998 13:27:45 -0700 (PDT) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id QAA20126; Tue, 22 Sep 1998 16:27:07 -0400 (EDT)
Date: Tue, 22 Sep 1998 16:27:07 -0400 (EDT)
From: spork
X-Sender: spork@super-g.inch.com
To: Darren Reed
cc: freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
In-Reply-To: <199809221352.GAA05368@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren,

I must admit I've been brainwashed by Checkpoint and their "stateful
inspection" rhetoric.

Could you briefly explain some of the differences between ipfilter's state
mechanism and the checkpoint version? Am I correct in assuming that they
are basically the same at many levels?

I'd appreciate hearing any other opinions you might have on FW1 as well. We
have a few set up for clients, and other than the name recognition, I don't
see anything too incredible for the money...

Thanks,

Charles

--
Charles Sprickman
spork@super-g.com

On Tue, 22 Sep 1998, Darren Reed wrote:

> > On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
> >
> > > Hello!
> > >
> > > Anyone did testing on performance of IPFW and IPFilter? From feature list
> > > it looks like IPfilter has better interface and more features, but what
> > > about performance? Also what kind of machine would you suggest for firewall?
> > > As fast as possible CPU, 256MB RAM and plenty of disk?
> > >
> > > Tomaz
> > >
> > > ----
> > > Tomaz Borstnar
> > > "Love is the answer to the final question you ask" - Unknown
>
> I missed the original email (presumably posted elsewhere) but I'll respond
> re. IP Filter.
>
> In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> With 400 rules, 400 packets took around 11 minutes to be processed 1000
> times which comes out at around 4us for 1 packet to be processed by 1 rule.
> That is *JUST* for packet filtering, no state stuff, no NAT, no logging.
>
> Quite some time ago I designed IP Filter to provide extensive coverage for
> TCP/IP filtering, probably more than most people will need but attempted
> to do it in a way that has no doubt increased the `cost' of doing 1 simple
> rule but has also brought down the `cost' of doing complex ones.
>
> As others have mentioned, the choice of network card is important - choose
> a PCI one which can do bus mastering (well, that's moot really as that
> still depends on FreeBSD support :). Somewhere between 32MB and 128MB
> of RAM is good - 256MB is just a waste.
>
> Darren
>

From owner-freebsd-security Tue Sep 22 23:07:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA13582 for freebsd-security-outgoing; Tue, 22 Sep 1998 23:07:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-11.igrin.co.nz [202.49.245.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA13555 for ; Tue, 22 Sep 1998 23:07:31 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id AAA01909; Wed, 23 Sep 1998 00:35:38 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Wed, 23 Sep 1998 00:35:10 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Dmitry Petrakoff
cc: Tomaz Borstnar , freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 22 Sep 1998, Dmitry Petrakoff wrote:

> Those machines that are "old" for M$Win -).
> I am running all software for an I-net gateway (except httpd and ftpd)
> on a 486dx2-66 with 40M RAM and 512M IDE HDD. This host is serving 120
> users. Uptime now > 1 year. CPU usage < 15%. FreeBSD-2.2-STABLE

What speed pipeline is it servicing?
Andrew

From owner-freebsd-security Tue Sep 22 23:15:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA14967 for freebsd-security-outgoing; Tue, 22 Sep 1998 23:15:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.ga.ru ([195.151.46.104]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA14920 for ; Tue, 22 Sep 1998 23:15:25 -0700 (PDT) (envelope-from dimon@ga.ru)
Received: from mailhub.ga.local (mailhub.ga.local [192.168.0.253]) by ns.ga.ru (8.9.1/8.9.1) with ESMTP id KAA05683; Wed, 23 Sep 1998 10:12:53 +0400 (MSD)
Received: from localhost (dimon@localhost) by mailhub.ga.local (8.9.1/8.9.1) with SMTP id KAA08687; Wed, 23 Sep 1998 10:13:57 +0400 (MSD)
Date: Wed, 23 Sep 1998 10:13:56 +0400 (MSD)
From: Dmitry Petrakoff
X-Sender: dimon@mailhub.ga.local
To: Andrew McNaughton
cc: freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 23 Sep 1998, Andrew McNaughton wrote:

> On Tue, 22 Sep 1998, Dmitry Petrakoff wrote:
>
> > Those machines that are "old" for M$Win -).
> > I am running all software for an I-net gateway (except httpd and ftpd)
> > on a 486dx2-66 with 40M RAM and 512M IDE HDD. This host is serving 120
> > users. Uptime now > 1 year. CPU usage < 15%. FreeBSD-2.2-STABLE
>
> What speed pipeline is it servicing?
>

It began servicing 19.2K, and now 64K (4 months). I began to migrate users
from Squid, running on this host, to another for load balancing only 2 weeks
ago. -)

>
> Andrew
>

Best wishes
Dimon

From owner-freebsd-security Tue Sep 22 23:23:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA16094 for freebsd-security-outgoing; Tue, 22 Sep 1998 23:23:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from csi-x.net (csi-x.net [202.184.73.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA16046 for ; Tue, 22 Sep 1998 23:23:00 -0700 (PDT) (envelope-from najib@csi-x.net)
Received: from csi-x.net (nobody@csi-x.net [202.184.73.5]) by csi-x.net (8.9.1/8.9.1) with SMTP id OAA05450 for ; Wed, 23 Sep 1998 14:28:19 +0800 (MYT)
From: "Muhammad Najib"
Reply-to: najib@csi-x.net
To: freebsd-security@FreeBSD.ORG
Date: Wed, 23 Sep 98 14:28:41 -800
Subject: Firewall ...
X-Mailer: DMailWeb Web to Mail Gateway 1.5af, http://netwinsite.com/top_mail.htm
Message-id: <36089519.1546.0@csi-x.net>
X-User-Info: 202.184.73.12
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can anyone in here tell me the exact number of firewall rules that I can
actually invoke with ipfw. It seems that I can only invoke a small number
of rules, which I think is not more than 100.

Thanx in advance.

cheers,

******************************************************************
MUHAMMAD NAJIB ABDUL MUKTHI                member of My-Linux.ORG
NETWORK ENGINEER / SYSTEM ADMINISTRATOR    http://www.my-linux.org
Cutting Edge Enterprise
MPKS Tower Jalan Tunku Ibrahim             najib@mrsm.org
05000 Kedah Darulaman.                     najib@csi-x.net
http://najib.csi-x.net                     najib@kdupg.edu.my
Tel : 012-4717452                          najib@my-linux.org
******************************************************************

From owner-freebsd-security Wed Sep 23 02:06:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA14154 for freebsd-security-outgoing; Wed, 23 Sep 1998 02:06:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from csi-x.net (csi-x.net [202.184.73.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA14086 for ; Wed, 23 Sep 1998 02:06:18 -0700 (PDT) (envelope-from najib@csi-x.net)
Received: from csi-x.net (nobody@csi-x.net [202.184.73.5]) by csi-x.net (8.9.1/8.9.1) with SMTP id RAA06578 for ; Wed, 23 Sep 1998 17:11:41 +0800 (MYT)
From: "Muhammad Najib"
Reply-to: najib@csi-x.net
To: freebsd-security@FreeBSD.ORG
Date: Wed, 23 Sep 98 17:11:47 -800
Subject: Re: Firewall ...
X-Mailer: DMailWeb Web to Mail Gateway 1.5af, http://netwinsite.com/top_mail.htm
Message-id: <3608bb53.19ae.0@csi-x.net>
X-User-Info: 202.184.73.12
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanx Andrew :)

I wonder .. do you know who is the porter/programmer of this ipfw from BSDi
for FreeBSD ? I'd like to inform him/her about this .. mainly just to fix
this problem. It's really important for me as I've chosen FreeBSD as a
firewall for my network :)

Thanx in advance

regards,
From owner-freebsd-security Wed Sep 23 03:38:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA27545 for freebsd-security-outgoing; Wed, 23 Sep 1998 03:38:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA27526 for ; Wed, 23 Sep 1998 03:38:31 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199809231038.DAA27526@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA174187093; Wed, 23 Sep 1998 20:38:13 +1000
From: Darren Reed
Subject: Re: performance comparision of ipfilter and ipfw
To: spork@super-g.com (spork)
Date: Wed, 23 Sep 1998 20:38:13 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "spork" at Sep 22, 98 04:27:07 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from spork, sie said:
>
> Darren,
>
> I must admit I've been brainwashed by Checkpoint and their "stateful
> inspection" rhetoric.
>
> Could you briefly explain some of the differences between ipfilter's state
> mechanism and the checkpoint version? Am I correct in assuming that they
> are basically the same at many levels?

Similar in idea (at the TCP level) but that's about it. Checkpoint's SPF
(they claim) operates at ISO layers 3-7, which I find somewhat bogus whereas
IP Filter only works at 3 & 4.

The "best" difference I know of is that Checkpoint has a "quick" expiry for
connections (they may not follow the TCP FSM at all :/) and as a result, in
order to "pickup" connections that have "idled out", let dataless ACK packets
through the firewall (I'm not sure if you can turn off this behaviour) and
recreate the session if an ACK is returned. IP Filter, on the other hand,
has a large expiry for "established" connections (5 days) and follows the
TCP FSM and won't let through ACK's just because they're a stray ACK and
might be part of a connection it doesn't know about (of course this can be
countered but I'm assuming a "sane" config).

An interesting outcome of this is that FW-1 doesn't necessarily know all the
"active" connections through it at any given moment.

Darren

From owner-freebsd-security Wed Sep 23 03:41:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA27896 for freebsd-security-outgoing; Wed, 23 Sep 1998 03:41:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA27849 for ; Wed, 23 Sep 1998 03:40:43 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199809231040.DAA27849@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA174397164; Wed, 23 Sep 1998 20:39:24 +1000
From: Darren Reed
Subject: Re: performance comparision of ipfilter and ipfw
To: nash@mcs.net (Alex Nash)
Date: Wed, 23 Sep 1998 20:39:24 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, liam@tiora.net, tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <19980922113237.A28158@mcs.net> from "Alex Nash" at Sep 22, 98 11:32:37 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Alex Nash, sie said:
>
> On Tue, Sep 22, 1998 at 11:50:52PM +1000, Darren Reed wrote:
> > I missed the original email (presumably posted elsewhere) but I'll respond
> > re. IP Filter.
> >
> > In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> > With 400 rules, 400 packets took around 11 minutes to be processed 1000
> > times which comes out at around 4us for 1 packet to be processed by 1 rule.
> > That is *JUST* for packet filtering, no state stuff, no NAT, no logging.
>
> I've measured ipfw's overhead on a 486-66, further details of which can
> be found in the FreeBSD FAQ. Here's a brief summary:
>
> Two scenarios with 1000 rules were tested. The first presented a best
> case with rules that were quickly determined not to match the packet
> being processed. The second used rules which traversed the entire
> packet match routine before being rejected. In both cases, the 1000th
> rule was the accepting rule.
>
> The findings showed a best case processing time of 1.2us per packet per
> rule, and a worst case of 2.7us per packet per rule.

Hmm, I'll have to tune my code to make sure I can go faster ;)

From owner-freebsd-security Wed Sep 23 20:41:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA16426 for freebsd-security-outgoing; Wed, 23 Sep 1998 20:41:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from csi-x.net (csi-x.net [202.184.73.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA16324 for ; Wed, 23 Sep 1998 20:41:18 -0700 (PDT) (envelope-from najib@csi-x.net)
Received: from csi-x.net (nobody@csi-x.net [202.184.73.5]) by csi-x.net (8.9.1/8.9.1) with SMTP id LAA09955 for ; Thu, 24 Sep 1998 11:46:38 +0800 (MYT)
From: "Muhammad Najib"
Reply-to: najib@csi-x.net
To: freebsd-security@FreeBSD.ORG
Date: Thu, 24 Sep 98 11:46:52 -800
Subject: Re: Firewall ...
X-Mailer: DMailWeb Web to Mail Gateway 1.5af, http://netwinsite.com/top_mail.htm
Message-id: <3609c0ac.26df.0@csi-x.net>
X-User-Info: 202.184.73.12
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew,

Actually, I'm working in a college where certain network access to certain
network destinations gotta be given to those who own the privilege to do so.
In this case, I am bringing down the firewall structure to the lowest level
of all, the host level instead of the network level. A host consists of about
30 firewall rules. I don't really know how to hack the ipfw.c source code as
I'm no C programmer. I've tried using ipfw and had invoked around 30x110 rules
and when I do 'ipfw show' or 'ipfw -a l' it seems likely not to show all the
rules that have been invoked. I wonder why.... About the IP Filter, where can
I get it ? Does that IP Filter package come along with FreeBSD ? Please do
pinpoint me to this problem I'm having ...
Thanx in advance :)

regards,

From owner-freebsd-security Thu Sep 24 01:02:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA20986 for freebsd-security-outgoing; Thu, 24 Sep 1998 01:02:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-09.igrin.co.nz [202.49.245.88]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA20974 for ; Thu, 24 Sep 1998 01:02:15 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id UAA10768; Thu, 24 Sep 1998 20:00:52 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Thu, 24 Sep 1998 20:00:41 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Muhammad Najib
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall ...
In-Reply-To: <3609c0ac.26df.0@csi-x.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 24 Sep 1998, Muhammad Najib wrote:

> Date: Thu, 24 Sep 98 11:46:52 -800
> From: Muhammad Najib
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: Firewall ...
>
> Andrew,
>
> Actually, I'm working in a college where certain network access to certain
> network destinations gotta be given to those who own the privilege to do so.
> In this case, I am bringing down the firewall structure to the lowest level
> of all, the host level instead of the network level. A host consists of about
> 30 firewall rules.

Can your hosts be grouped into categories? So you have classrooms of
computers which each need the same access don't you?

I really don't think you're going to get efficiency or security out of this
sort of setup. If you can't classify what sort of traffic is allowed onto
what wires then packet filtering is the wrong tool for the job. It's too
easy to spoof packets. Perhaps you should be looking at a ticket based
system like Kerberos?

> I don't really know how to hack the ipfw.c source code as
> I'm no C programmer. I've tried using ipfw and had invoked around 30x110 rules

My source is unmodified from 2.2.5-RELEASE. This seems to work for me.

  cd /usr/src/sbin/ipfw/
  cp ipfw.c ipfw.c.orig
  perl -pi -e 's/1024/20480/' ipfw.c    # 20K rules
  make
  make install

The change is to the user interface program, and has no effect on the way
things actually work in the kernel. It just lets you see more rules with
show and list. As such I presume it's safe in spite of not having read
right through the source.

> and when I do 'ipfw show' or 'ipfw -a l' it seems likely not to show all the
> rules that have been invoked. I wonder why.... About the IP Filter, where can
> I get it ? Does that IP Filter package come along with FreeBSD ? Please do
> pinpoint me to this problem I'm having ... Thanx in advance :)

I don't see anything in the packages directories. I think it hasn't been
long since IPfilter was gotten to work with FreeBSD. I gather it's a port
from Linux.

Go to www.findmail.com and search for 'freebsd ipfilter'.

Andrew

From owner-freebsd-security Thu Sep 24 01:03:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA21111 for freebsd-security-outgoing; Thu, 24 Sep 1998 01:03:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hotmail.com ([207.82.250.36]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA21101 for ; Thu, 24 Sep 1998 01:03:29 -0700 (PDT) (envelope-from madrapour@hotmail.com)
Received: (qmail 3002 invoked by uid 0); 24 Sep 1998 08:02:35 -0000
Message-ID: <19980924080235.3001.qmail@hotmail.com>
Received: from 208.218.169.84 by www.hotmail.com with HTTP; Thu, 24 Sep 1998 01:02:35 PDT
X-Originating-IP: [208.218.169.84]
From: "N. N.M"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall
Content-Type: text/plain
Date: Thu, 24 Sep 1998 01:02:35 PDT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

As I mentioned in this mailing list before, I've had some problems with SHOW
and LIST commands as well. It can't show more than 1024 rules and besides it
makes the computer automatically reboot. About the number of allowed rules in
IPFW, I have currently around 9000 rules and it doesn't seem to have any
problem.

Nazila N.
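Darren Reed's reply to spork earlier in this thread contrasts IP Filter, which follows the TCP FSM and drops a stray ACK it has no state for, with FW-1's quick expiry plus "pickup" of dataless ACKs; the toy state table below is an added example (not code from the thread, IP Filter or FW-1) that replays one constructed packet sequence through both policies. The addresses, ports, packet sequence and the one-hour "quick" idle timeout are assumptions; the five-day established timeout is the figure Darren quotes.

```python
# Added example, not code from the thread, IP Filter or FW-1: a toy TCP state
# table contrasting the two behaviours described in the thread. "strict"
# follows the handshake and drops a stray ACK that matches no state; "pickup"
# lets a dataless ACK through and recreates a session for it. Addresses,
# ports, packets and the one-hour "quick" idle timeout are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: S, SA, A, FA, R
    data: int = 0   # payload bytes carried


@dataclass
class Flow:
    state: str          # SYN_SENT, SYN_RECEIVED, ESTABLISHED, PICKUP, CLOSING
    initiator: FlowKey  # key as seen from the side that opened the flow
    last_seen: float


class StateTable:
    STRICT_IDLE = 5 * 86400  # the 5-day "established" expiry quoted for IP Filter
    QUICK_IDLE = 3600        # constructed stand-in for FW-1's quick expiry

    def __init__(self, pickup_acks: bool):
        self.pickup_acks = pickup_acks
        self.idle = self.QUICK_IDLE if pickup_acks else self.STRICT_IDLE
        self.flows: Dict[FlowKey, Flow] = {}
        self.picked_up: List[FlowKey] = []

    def expire(self, now: float) -> int:
        """Forget flows idle longer than the timeout; return how many."""
        dead = [k for k, f in self.flows.items() if now - f.last_seen > self.idle]
        for k in dead:
            del self.flows[k]
        return len(dead)

    def filter(self, p: Pkt, now: float, from_inside: bool) -> str:
        """Return 'pass' or 'drop'. Only inside hosts may open connections."""
        self.expire(now)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        if key is None:
            if p.flags == "S" and from_inside:
                self.flows[fwd] = Flow("SYN_SENT", fwd, now)
                return "pass"
            if p.flags == "A" and p.data == 0 and self.pickup_acks:
                # FW-1-style pickup: trust the stray ACK and start a session.
                self.flows[fwd] = Flow("PICKUP", fwd, now)
                self.picked_up.append(fwd)
                return "pass"
            return "drop"  # strict: no state means no entry
        f = self.flows[key]
        back = fwd != f.initiator  # packet travels back toward the opener
        f.last_seen = now
        if "R" in p.flags:
            del self.flows[key]
            return "pass"
        if f.state == "SYN_SENT":
            if p.flags == "S" and not back:      # SYN retransmit
                return "pass"
            if p.flags == "SA" and back:
                f.state = "SYN_RECEIVED"
                return "pass"
        elif f.state == "SYN_RECEIVED" and p.flags == "A" and not back:
            f.state = "ESTABLISHED"
            return "pass"
        elif f.state == "PICKUP" and "A" in p.flags and back:
            f.state = "ESTABLISHED"              # reply ACK confirms the pickup
            return "pass"
        elif f.state in ("ESTABLISHED", "PICKUP", "CLOSING") and "A" in p.flags:
            if "F" in p.flags:
                f.state = "CLOSING"
            return "pass"
        return "drop"  # out of sequence for the flow's current state


def run_scenario(pickup_acks: bool) -> Tuple[List[str], int]:
    """Replay a constructed exchange; return the verdicts and flows left."""
    t = StateTable(pickup_acks)
    inside, outside = "10.0.0.5", "192.0.2.10"  # constructed addresses
    v = []
    # 1-4: legitimate connection opened from inside: SYN, SYN-ACK, ACK, data.
    v.append(t.filter(Pkt(inside, 40000, outside, 80, "S"), 0, True))
    v.append(t.filter(Pkt(outside, 80, inside, 40000, "SA"), 1, False))
    v.append(t.filter(Pkt(inside, 40000, outside, 80, "A"), 2, True))
    v.append(t.filter(Pkt(outside, 80, inside, 40000, "A", 512), 3, False))
    # 5: a stray dataless ACK from outside toward port 22, matching no state.
    v.append(t.filter(Pkt(outside, 4444, inside, 22, "A"), 4, False))
    # 6: two idle hours later the server sends more data on the web flow.
    v.append(t.filter(Pkt(outside, 80, inside, 40000, "A", 100), 7203, False))
    # 7-8: the client's dataless ACK, then the server's data again.
    v.append(t.filter(Pkt(inside, 40000, outside, 80, "A"), 7204, True))
    v.append(t.filter(Pkt(outside, 80, inside, 40000, "A", 200), 7205, False))
    return v, len(t.flows)


if __name__ == "__main__":
    for mode in (False, True):
        print("pickup" if mode else "strict", run_scenario(mode))
```

In strict mode the stray ACK (step 5) is dropped and the idle web flow is still known at step 6; in pickup mode the stray ACK creates a flow and the web flow has to be rebuilt from the client's dataless ACK at step 7, which is the "doesn't necessarily know all the active connections" outcome Darren describes.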
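Alex Nash's best case (rules rejected on their first field test) and worst case (rules that survive every field test but the last) earlier in the thread, together with the 30x110 and 9000-rule lists discussed just above, are worked through below in an added example that is not ipfw or IP Filter code. The toy first-match filter, its field order, rules and packet are constructed; the per-rule timings fed to project() are the ones quoted in the thread.

```python
# Added example, not ipfw or IP Filter code: a toy first-match filter that
# counts the field comparisons each packet costs, separating the best case
# (rules rejected on their first field) from the worst case (rules that pass
# every field test but the last), and projecting what a list of thousands of
# rules costs per packet at the per-rule timings quoted in the thread.
# Rules, packets and the field order are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELDS = ("proto", "src", "dst", "sport", "dport")   # compared in this order


@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str
    proto: str             # "any" is a wildcard
    src: str
    dst: str
    sport: Optional[int]   # None is a wildcard
    dport: Optional[int]


def match(rule: Rule, pkt: Pkt) -> Tuple[bool, int]:
    """Test fields in order, stopping at the first mismatch.

    Returns (matched, number of field tests performed)."""
    tests = 0
    for name in FIELDS:
        want = getattr(rule, name)
        tests += 1
        if want in ("any", None):
            continue
        if want != getattr(pkt, name):
            return False, tests
    return True, tests


def evaluate(rules: List[Rule], pkt: Pkt) -> Tuple[str, int, int]:
    """Walk the list first-match style; return (action, rules visited, tests)."""
    total = 0
    for i, rule in enumerate(rules, 1):
        ok, tests = match(rule, pkt)
        total += tests
        if ok:
            return rule.action, i, total
    return "deny", len(rules), total   # implicit default deny at the end


def best_case_rules(n: int) -> List[Rule]:
    """n-1 rules that fail on the first field, then an accepting rule."""
    filler = [Rule("deny", "udp", "any", "any", None, None) for _ in range(n - 1)]
    return filler + [Rule("allow", "tcp", "any", "any", None, None)]


def worst_case_rules(n: int) -> List[Rule]:
    """n-1 rules that pass every field test except the last, then an accepting rule."""
    filler = [Rule("deny", "tcp", "10.0.0.5", "192.0.2.10", None, 22)
              for _ in range(n - 1)]
    return filler + [Rule("allow", "tcp", "10.0.0.5", "192.0.2.10", None, 80)]


def project(n_rules: int, us_per_rule: float) -> Tuple[float, float]:
    """Cost for a packet that reaches rule n_rules at the given per-rule time.

    Returns (milliseconds per packet, packets per second at that cost)."""
    ms = n_rules * us_per_rule / 1000.0
    return round(ms, 3), round(1000.0 / ms, 1)


if __name__ == "__main__":
    pkt = Pkt("tcp", "10.0.0.5", "192.0.2.10", 40000, 80)  # constructed packet
    print("best ", evaluate(best_case_rules(1000), pkt))
    print("worst", evaluate(worst_case_rules(1000), pkt))
    for rules, us in ((1000, 1.2), (1000, 2.7), (9000, 1.2), (9000, 2.7)):
        print(rules, "rules at", us, "us/rule ->", project(rules, us))
```

With 9000 rules at the quoted 2.7us worst case, a packet that has to reach the last rule costs about 24 ms on that class of machine, which is why grouping hosts into a few categories, as Andrew suggests, matters as much for throughput as for manageability.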
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 24 01:53:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA27047 for freebsd-security-outgoing; Thu, 24 Sep 1998 01:53:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA27037 for ; Thu, 24 Sep 1998 01:53:56 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id BAA19855; Thu, 24 Sep 1998 01:52:57 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Thu, 24 Sep 1998 01:52:57 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: Andrew McNaughton cc: Muhammad Najib , freebsd-security@FreeBSD.ORG Subject: Re: Firewall ... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 24 Sep 1998, Andrew McNaughton wrote: >> and when I do 'ipfw show' or 'ipfw -a l' it seems likely not to show all the >> rules that have been invoked. I wonder why.... About the ip filter, where can >> I get it ? Is that ip filter package comes along with FreeBSD ? Please do pin >> point me to this problem I'm having ... Thanx in advance :) > >I don't see anything in the packages directories. I think it hasn't been >long since IPfilter was gotten to work with FreeBSD. I gather it's a port >from Linux. > >Go to www.findmail.com and search for 'freebsd ipfilter'. 
> >Andrew > IP filter is part of 3.0: coredump# ipfstat input packets: blocked 0 passed 5225 nomatch 3478 counted 0 output packets: blocked 0 passed 5835 nomatch 1241 counted 0 input packets logged: blocked 0 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 0 output 0 fragment state(in): kept 0 lost 0 fragment state(out): kept 0 lost 0 packet state(in): kept 0 lost 0 packet state(out): kept 0 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Result cache hits(in): 1747 (out): 4594 IN Pullups succeeded: 0 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails(in): 0 (out): 0 Packet log flags set: (0) none coredump# uname -a FreeBSD coredump.jkb.org 3.0-BETA FreeBSD 3.0-BETA #0: AFAIK IP filter was built for BSD systems before it was ported to Linux and other OSes. I am sure Darren will correct me if I am wrong. You can also get ip filter from http://coombs.anu.edu.au/ipfilter/ and it will work on 2.2 - it just doesn't come as part of 2.2 -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 24 18:57:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA03603 for freebsd-security-outgoing; Thu, 24 Sep 1998 18:57:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from smtp.interlog.com (smtp.interlog.com [207.34.202.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA03574 for ; Thu, 24 Sep 1998 18:57:10 -0700 (PDT) (envelope-from paulg@interlog.com) Received: from shell1.interlog.com (paulg@shell1.interlog.com [207.34.202.8]) by smtp.interlog.com (8.9.1/8.9.1) with SMTP id VAA09087; Thu, 24 Sep 1998 21:56:39 -0400 (EDT) Date: Thu, 24 Sep 1998 21:56:39 -0400 (EDT) From: Paul Griffith To: Andrew McNaughton cc: Muhammad Najib , freebsd-security@FreeBSD.ORG Subject: IPFilter In-Reply-To: Message-ID: MIME-Version: 1.0 
Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

You can get ipfilter from:

http://www.cyber.com.au/cyber/product/ipfilter/

From owner-freebsd-security Fri Sep 25 04:47:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA19937 for freebsd-security-outgoing; Fri, 25 Sep 1998 04:47:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from maciek.gv.edu.pl ([195.117.86.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA19291 for ; Fri, 25 Sep 1998 04:43:20 -0700 (PDT) (envelope-from andrzej@maciek.gv.edu.pl) Received: from localhost (andrzej@localhost) by maciek.gv.edu.pl (8.8.8/8.8.8) with SMTP id NAA01368 for ; Thu, 24 Sep 1998 13:42:11 GMT (envelope-from andrzej@maciek.gv.edu.pl) Date: Thu, 24 Sep 1998 13:42:10 +0000 (GMT) From: Andrzej Szydlo To: freebsd-security@FreeBSD.ORG Subject: Checking for uids 0 in /etc/security Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

I've just noticed that /etc/security checks for the string "0" in the uid field of the master.passwd file.

    awk 'BEGIN {FS=":"} $3=="0" {print $1, $3}' /etc/master.passwd
                        ^^^^^^^

In this way it doesn't notice entries like this:

    myroot:xxxx:000:000:....

while such an entry still gives uid 0. Changing this line to:

    awk 'BEGIN {FS=":"} $3==0 {print $1, $3}' /etc/master.passwd
                        ^^^^^

solves the problem.
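An added example, not code from the thread and not the FreeBSD /etc/security script: the two one-liners above side by side, run over a constructed master.passwd sample, with the numeric form additionally guarded against a uid field that is not all digits. It assumes only sh and awk; the sample accounts are made up, and uid0_string_check and uid0_numeric_check are names chosen here.

```shell
#!/bin/sh
# Added example, not the FreeBSD /etc/security script: the string and the
# numeric form of the uid-0 check from the thread, run over a constructed
# master.passwd sample.  master.passwd(5) field layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample (not a real password file).  "myroot" carries the
# leading-zero uid "000" that the string comparison misses; "bogus" has an
# empty uid field, which neither one-liner reports on its own.
sample_passwd() {
    cat <<'EOF'
# constructed sample; comment lines are skipped by the numeric check
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
myroot:xxxx:000:000::0:0:Hidden superuser:/root:/bin/sh
bogus:*::50::0:0:Empty uid field:/nonexistent:/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
}

# The check as shipped: $3=="0" is a string comparison, so "000" is not
# reported.  Reads the file named as $1, or stdin when no file is given.
uid0_string_check() {
    awk 'BEGIN {FS=":"} $3=="0" {print $1, $3}' "$@"
}

# The fix from the thread ($3==0 compares numerically, so "000" == 0), plus
# two guards the one-liner lacks: comments and blank lines are skipped, and
# a uid field that is not all digits is flagged as MALFORMED instead of
# being silently compared as a string and ignored.
uid0_numeric_check() {
    awk 'BEGIN {FS=":"}
         /^#/ || NF == 0 {next}
         $3 !~ /^[0-9]+$/ {print "MALFORMED", $1, "uid=\"" $3 "\""; next}
         $3 == 0 {print $1, $3}' "$@"
}

# Stand-alone run over the sample; on a real system use
#   uid0_numeric_check /etc/master.passwd
sample_passwd | uid0_numeric_check
```

Anything the numeric check prints besides the root and toor lines deserves a look: a second uid-0 account is the classic backdoor, and a malformed uid field means the file was edited by something other than vipw(8).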
From owner-freebsd-security Fri Sep 25 07:52:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA11744 for freebsd-security-outgoing; Fri, 25 Sep 1998 07:52:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA11722 for ; Fri, 25 Sep 1998 07:52:44 -0700 (PDT) (envelope-from nash@Mars.mcs.net) Received: from Mars.mcs.net (nash@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id JAA10468; Fri, 25 Sep 1998 09:52:38 -0500 (CDT) Received: (from nash@localhost) by Mars.mcs.net (8.8.7/8.8.2) id JAA21198; Fri, 25 Sep 1998 09:52:38 -0500 (CDT) Message-ID: <19980925095238.A20899@mcs.net> Date: Fri, 25 Sep 1998 09:52:38 -0500 From: Alex Nash To: Andrzej Szydlo Cc: freebsd-security@FreeBSD.ORG Subject: Re: Checking for uids 0 in /etc/security Mail-Followup-To: Andrzej Szydlo , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Andrzej Szydlo on Thu, Sep 24, 1998 at 01:42:10PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Sep 24, 1998 at 01:42:10PM +0000, Andrzej Szydlo wrote:
> I've just noticed that /etc/security checks for strings "0" in the uid
> field of the master.passwd file.
This was fixed in July with the following revisions:

    3.0-current             1.25
    2.2-stable (2.2.7R)     1.16.2.6

Alex

From owner-freebsd-security Fri Sep 25 08:32:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA17556 for freebsd-security-outgoing; Fri, 25 Sep 1998 08:32:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA17487 for ; Fri, 25 Sep 1998 08:31:59 -0700 (PDT) (envelope-from spork@super-g.com) Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id LAA24084; Fri, 25 Sep 1998 11:31:08 -0400 (EDT) Date: Fri, 25 Sep 1998 11:31:08 -0400 (EDT) From: spork X-Sender: spork@super-g.inch.com To: Andrzej Szydlo cc: freebsd-security@FreeBSD.ORG Subject: Re: Checking for uids 0 in /etc/security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

As long as you've verified that uid "000" is taken as uid "0", why don't you use send-pr to file this as a bug. Someone will most likely commit this for you. Attach a diff with your fixes after checking that it hasn't already been fixed (http://www.freebsd.org/cgi/cvsweb.cgi).

Nice catch!

Charles

---
Charles Sprickman
spork@super-g.com

On Thu, 24 Sep 1998, Andrzej Szydlo wrote:

> Hi,
>
> I've just noticed that /etc/security checks for strings "0" in the uid
> field of the master.passwd file.
>
> awk 'BEGIN {FS=":"} $3=="0" {print $1, $3}' /etc/master.passwd
>                     ^^^^^^^
> In this way it doesn't notice entries like this:
>
> myroot:xxxx:000:000:....
>
> while such an entry still gives uid 0.
> Changing this line to:
>
> awk 'BEGIN {FS=":"} $3==0 {print $1, $3}' /etc/master.passwd
>                     ^^^^^
> solves the problem.
From owner-freebsd-security Fri Sep 25 09:29:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA26538 for freebsd-security-outgoing; Fri, 25 Sep 1998 09:29:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from maciek.gv.edu.pl (netserv.gv.edu.pl [195.117.86.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA26507 for ; Fri, 25 Sep 1998 09:29:02 -0700 (PDT) (envelope-from andrzej@maciek.gv.edu.pl) Received: from localhost (andrzej@localhost) by maciek.gv.edu.pl (8.8.8/8.8.8) with SMTP id SAA03571; Thu, 24 Sep 1998 18:26:14 +0200 (CEST) (envelope-from andrzej@maciek.gv.edu.pl) Date: Thu, 24 Sep 1998 18:26:14 +0200 (CEST) From: Andrzej Szydlo To: Alex Nash cc: freebsd-security@FreeBSD.ORG Subject: Re: Checking for uids 0 in /etc/security In-Reply-To: <19980925095238.A20899@mcs.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 25 Sep 1998, Alex Nash wrote:

> On Thu, Sep 24, 1998 at 01:42:10PM +0000, Andrzej Szydlo wrote:
> > I've just noticed that /etc/security checks for strings "0" in the uid
> > field of the master.passwd file.
>
> This was fixed in July with the following revisions:
>
> 3.0-current 1.25
> 2.2-stable (2.2.7R) 1.16.2.6

I'm running 2.2.7-STABLE, but CVSuped it from 2.2.6-RELEASE (last cvsup yesterday) and my /etc/security file version is 1.16.2.4. Does it mean CVSup doesn't solve such problems or I'm doing something wrong?
Andrzej

From owner-freebsd-security Fri Sep 25 09:37:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA28760 for freebsd-security-outgoing; Fri, 25 Sep 1998 09:37:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA28742 for ; Fri, 25 Sep 1998 09:37:34 -0700 (PDT) (envelope-from nash@Jupiter.Mcs.Net) Received: from Jupiter.Mcs.Net (nash@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id LAA17670; Fri, 25 Sep 1998 11:37:28 -0500 (CDT) Received: (from nash@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) id LAA13061; Fri, 25 Sep 1998 11:37:27 -0500 (CDT) Message-ID: <19980925113727.A9163@Mcs.Net> Date: Fri, 25 Sep 1998 11:37:27 -0500 From: Alex Nash To: Andrzej Szydlo Cc: freebsd-security@FreeBSD.ORG Subject: Re: Checking for uids 0 in /etc/security Mail-Followup-To: Andrzej Szydlo , freebsd-security@FreeBSD.ORG References: <19980925095238.A20899@mcs.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Andrzej Szydlo on Thu, Sep 24, 1998 at 06:26:14PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Sep 24, 1998 at 06:26:14PM +0200, Andrzej Szydlo wrote:
> On Fri, 25 Sep 1998, Alex Nash wrote:
>
> > On Thu, Sep 24, 1998 at 01:42:10PM +0000, Andrzej Szydlo wrote:
> > > I've just noticed that /etc/security checks for strings "0" in the uid
> > > field of the master.passwd file.
> >
> > This was fixed in July with the following revisions:
> >
> > 3.0-current 1.25
> > 2.2-stable (2.2.7R) 1.16.2.6
>
> I'm running 2.2.7-STABLE, but CVSuped it from 2.2.6-RELEASE (last cvsup
> yesterday) and my /etc/security file version is 1.16.2.4.
> Does it mean
> CVSup doesn't solve such problems or I'm doing something wrong?

'make world' (or equivalent) won't upgrade /etc/security. Assuming you haven't modified /etc/security, the simplest thing to do is:

    cp /usr/src/etc/security /etc

Alex

From owner-freebsd-security Fri Sep 25 14:26:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14369 for freebsd-security-outgoing; Fri, 25 Sep 1998 14:26:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA14364 for ; Fri, 25 Sep 1998 14:26:46 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id RAA05727; Fri, 25 Sep 1998 17:26:32 -0400 (EDT) From: "Allen Smith" Message-Id: <9809251726.ZM5725@beatrice.rutgers.edu> Date: Fri, 25 Sep 1998 17:26:32 -0400 In-Reply-To: Alexandre Snarskii "Re: The 99,999-bug question: Why can you execute from the stack?" (Sep 18, 12:25pm) References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <9807192209.ZM23527@beatrice.rutgers.edu> <19980720173800.17978@nevalink.ru> <9809171619.ZM23712@beatrice.rutgers.edu> <19980918202308.39458@nevalink.ru> X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: Alexandre Snarskii , Warner Losh Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sep 18, 12:25pm, Alexandre Snarskii (possibly) wrote:
> Library, which checks stack integrity only for cases
> of setugid/root owned now called libaranoia.N.N-root.tgz,
> where N.N is a version.
> Note that these checks are
> a little broken by design - there are some daemons
> (tftpd, for example) running non-setuid and with euid!=0,
> so, no checks of stack integrity done.

I've done a bit of a redesign of it, which after testing I'll make available - it's a very minor change, which basically has the libparanoia version always doing the checks and the libc version only doing the checks if the geteuid & issetugid checks turn out possibly problematic. (An #ifdef LIBPARANOIA is about all this is... I'm not much of a C programmer.)

>
> > Sorry about the delay on replying to this; I've been busy. While this
> > is a nicer way to do this in many ways, I am concerned in whether the
> > delay from calling the libparanoia checks is from the function call or
> > from what the function does. If the latter, fine; if the former, the
> > problem I was working on (avoiding the slowdown except when really
> > needed) still exists. Any idea which is the case? (Of course, there's
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
> Second one.

Excellent.

> > also the time taken in doing the issetugid and geteuid checks in
> > either case, whether one has them in the individual functions or in
>
> This check done only once - at first call to any 'insecure'
> function. Result stored in global static variable, and used
> in later calls to avoid switching to kernel mode.

Hmm... right. Good design.
Thanks,

-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu

From owner-freebsd-security Fri Sep 25 16:26:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA05172 for freebsd-security-outgoing; Fri, 25 Sep 1998 16:26:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from colin.muc.de (colin.muc.de [193.174.4.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA05145 for ; Fri, 25 Sep 1998 16:26:33 -0700 (PDT) (envelope-from lutz@muc.de) Received: from tavari.muc.de ([193.174.4.22]) by colin.muc.de with SMTP id <140579-3>; Fri, 25 Sep 1998 19:50:33 +0200 Received: (from daemon@localhost) by tavari.muc.de (8.8.8/8.8.7) id TAA21509; Fri, 25 Sep 1998 19:32:05 +0200 (CEST) Received: from ripley(192.168.42.202) by morranon via smap (V2.1) id xma021454; Fri, 25 Sep 98 19:31:54 +0200 From: "Lutz Albers" To: "Andrzej Szydlo" Cc: Subject: RE: Checking for uids 0 in /etc/security Date: Fri, 25 Sep 1998 19:31:51 +0200 Message-ID: <000001bde8aa$6191c770$ca2aa8c0@ripley.tavari.muc.de> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> I'm running 2.2.7-STABLE, but CVSuped it from 2.2.6-RELEASE (last cvsup
> yesterday) and my /etc/security file version is 1.16.2.4. Does it mean
> CVSup doesn't solve such problems or I'm doing something wrong?

Files in /etc are not touched by CVSUP. You'll need to merge the changes by hand from /usr/src/etc.
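The update problem in the last few messages (an /etc/security still at revision 1.16.2.4 after cvsup and make world, while /usr/src/etc/security carries the 1.16.2.6 fix), as an added example that is not code from the thread or from FreeBSD: a small sh script that compares the $Id revision keyword of each file in a source etc tree with the installed copy and lists the ones that lag behind. It only compares revision keywords, so whether an installed file has local edits still has to be checked with diff before copying over it. The demo trees, the dates, and the daily and rc.firewall revisions are constructed; rcs_revision, rev_cmp and stale_etc_files are names chosen here.

```shell
#!/bin/sh
# Added example, not a FreeBSD tool: lists files in an installed /etc tree
# whose RCS revision (the "$Id: file,v X.Y date ... $" keyword) is behind
# the copy in the source tree, which is the mismatch in the thread
# (/etc/security at 1.16.2.4 while /usr/src/etc/security had 1.16.2.6).
# It compares revision keywords only; a local edit to the installed copy
# still has to be found with diff before anything is copied over it.

# Print the revision from a file's $Id: keyword (first one found), or nothing.
rcs_revision() {
    sed -n 's/.*\$Id: [^ ]* \([0-9][0-9.]*\) .*/\1/p' "$1" | head -n 1
}

# Compare two dotted revisions component by component; prints -1, 0 or 1.
# (A plain string comparison would sort 1.16.2.10 before 1.16.2.6.)
rev_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*} bh=${b%%.*}
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo "-1"; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo "1"; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo "0"
}

# stale_etc_files <srcdir> <etcdir>: one line "name installed_rev source_rev"
# for every file present in both trees whose installed revision is older.
stale_etc_files() {
    for src in "$1"/*; do
        name=${src##*/}
        inst=$2/$name
        [ -f "$src" ] && [ -f "$inst" ] || continue
        sr=$(rcs_revision "$src")
        ir=$(rcs_revision "$inst")
        [ -n "$sr" ] && [ -n "$ir" ] || continue
        if [ "$(rev_cmp "$ir" "$sr")" = "-1" ]; then
            echo "$name $ir $sr"
        fi
    done
}

# Constructed stand-ins for /usr/src/etc and /etc.  Dates and the daily and
# rc.firewall revisions are made up; the security revisions are the thread's.
demo_stale_check() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src" "$tmp/etc"
    printf '#!/bin/sh -\n# $Id: security,v 1.16.2.6 1998/07/01 00:00:00 nobody Exp $\n' > "$tmp/src/security"
    printf '#!/bin/sh -\n# $Id: security,v 1.16.2.4 1998/03/01 00:00:00 nobody Exp $\n' > "$tmp/etc/security"
    printf '# $Id: daily,v 1.10.2.2 1998/02/01 00:00:00 nobody Exp $\n' > "$tmp/src/daily"
    printf '# $Id: daily,v 1.10.2.2 1998/02/01 00:00:00 nobody Exp $\n' > "$tmp/etc/daily"
    printf '# $Id: rc.firewall,v 1.5.2.10 1998/08/01 00:00:00 nobody Exp $\n' > "$tmp/src/rc.firewall"
    printf '# $Id: rc.firewall,v 1.5.2.9 1998/06/01 00:00:00 nobody Exp $\n' > "$tmp/etc/rc.firewall"
    stale_etc_files "$tmp/src" "$tmp/etc"
    rm -rf "$tmp"
}

# Stand-alone run over the demo trees; on a real system:
#   stale_etc_files /usr/src/etc /etc
demo_stale_check
```

The numeric comparison in rev_cmp matters for branch revisions like 1.16.2.x, where the last component can pass 9; sorting them as strings would report a current file as stale.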
You still have the /etc files from 2.2.6

lutz albers

--
Lutz Albers, lutz@muc.de, pgp key available from
Do not take life too seriously, you will never get out of it alive.

From owner-freebsd-security Sat Sep 26 03:47:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA16703 for freebsd-security-outgoing; Sat, 26 Sep 1998 03:47:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA16653 for ; Sat, 26 Sep 1998 03:47:01 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199809261047.DAA16653@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA019606768; Sat, 26 Sep 1998 20:46:08 +1000 From: Darren Reed Subject: Re: IPFilterKK To: paulg@interlog.com (Paul Griffith) Date: Sat, 26 Sep 1998 20:46:08 +1000 (EST) Cc: andrew@squiz.co.nz, najib@csi-x.net, freebsd-security@FreeBSD.ORG In-Reply-To: from "Paul Griffith" at Sep 24, 98 09:56:39 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from Paul Griffith, sie said:
>
>
> You can get ipfilter from:
>
> http://www.cyber.com.au/cyber/product/ipfilter/

I no longer work there.
The "official" URL for ipfilter is http://coombs.anu.edu.au/ipfilter/

darren

From owner-freebsd-security Sat Sep 26 03:54:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA19072 for freebsd-security-outgoing; Sat, 26 Sep 1998 03:54:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from csi-x.net (csi-x.net [202.184.73.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA19063 for ; Sat, 26 Sep 1998 03:54:03 -0700 (PDT) (envelope-from najib@csi-x.net) Received: from csi-x.net (nobody@csi-x.net [202.184.73.5]) by csi-x.net (8.9.1/8.9.1) with SMTP id SAA03009 for ; Sat, 26 Sep 1998 18:59:42 +0800 (MYT) From: "Muhammad Najib" Reply-to: najib@csi-x.net To: freebsd-security@FreeBSD.ORG Date: Sat, 26 Sep 98 18:59:42 -800 Subject: Re: Firewall ... X-Mailer: DMailWeb Web to Mail Gateway 1.5af, http://netwinsite.com/top_mail.htm Message-id: <360cc91e.bbd.0@csi-x.net> X-User-Info: 202.184.73.12 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Darren,

Could you please give me an example file as well as some lines which have the rule(s) for allowing connections on the telnet port (23) and denying anything else. I've referred to the page you pointed me to, but I just wanna make a kinda confirmation here :) . Which, if I were to use ipfw, would be:

    ipfw add pass tcp from any to any 23
    ipfw add pass tcp from any 23 to any
    ipfw add deny all from any to any

I really hope you could give a satisfactory answer :)

Thanx in advance.

regards,
******************************************************************
MUHAMMAD NAJIB ABDUL MUKTHI                member of My-Linux.ORG
NETWORK ENGINEER / SYSTEM ADMINISTRATOR    http://www.my-linux.org
Cutting Edge Enterprise
MPKS Tower Jalan Tunku Ibrahim             najib@mrsm.org
05000 Kedah Darulaman.
najib@csi-x.net                            http://najib.csi-x.net
najib@kdupg.edu.my                         Tel : 012-4717452
najib@my-linux.org
******************************************************************

From owner-freebsd-security Sat Sep 26 07:43:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA09529 for freebsd-security-outgoing; Sat, 26 Sep 1998 07:43:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from thing.dyn.ml.org (dyn1-tnt13-209.detroit.mi.ameritech.net [199.179.188.209]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA09501 for ; Sat, 26 Sep 1998 07:43:42 -0700 (PDT) (envelope-from mcdougall@ameritech.net) Received: from ameritech.net (bsdx [192.168.1.2]) by thing.dyn.ml.org (8.8.8/8.8.7) with ESMTP id KAA18354 for ; Sat, 26 Sep 1998 10:43:35 -0400 (EDT) (envelope-from mcdougall@ameritech.net) Message-ID: <360CFD95.1A0B1ED2@ameritech.net> Date: Sat, 26 Sep 1998 10:43:33 -0400 From: Adam McDougall X-Mailer: Mozilla 4.06 [en] (X11; I; FreeBSD 3.0-BETA i386) MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Changing 3-way handshakes to prevent port scans Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I know someone who has linux patches to alter 3-way handshakes so a 'strobe' portscan returns no open ports, yet normal tcp communication seems unhindered. Does anyone have any patches for FreeBSD to do the same? If the patches for linux might help I could attempt to dig them up.
Thanks

From owner-freebsd-security Sat Sep 26 10:16:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA26079 for freebsd-security-outgoing; Sat, 26 Sep 1998 10:16:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (ts01-007.dublin.indigo.ie [194.125.134.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26071 for ; Sat, 26 Sep 1998 10:16:30 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id SAA07885; Sat, 26 Sep 1998 18:09:35 +0100 (IST) (envelope-from rotel@indigo.ie) From: Niall Smart Message-Id: <199809261709.SAA07885@indigo.ie> Date: Sat, 26 Sep 1998 18:09:33 +0000 In-Reply-To: <360CFD95.1A0B1ED2@ameritech.net>; Adam McDougall Reply-To: rotel@indigo.ie X-Files: The truth is out there X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96) To: Adam McDougall , security@FreeBSD.ORG Subject: Re: Changing 3-way handshakes to prevent port scans Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sep 26, 10:43am, Adam McDougall wrote:
} Subject: Changing 3-way handshakes to prevent port scans
> I know someone who has linux patches to alter 3-way handshakes so a
> 'strobe' portscan returns no open ports, yet normal tcp communication
> seems unhindered, does anyone have any patches for FreeBSD to do the
> same? If the patches for linux might help I could attempt to dig them
> up. Thanks

This just isn't possible. A variety of portscanners exploit particular implementation bugs or features to determine if a port is being listened on, but strobe simply sends a plain old SYN segment and waits for a SYN|ACK; changing that would break TCP. Send me the patches anyway and I'll see what I think they actually do.

You can use ipfw to block port scans from particular hosts.
Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Sat Sep 26 15:13:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA24523 for freebsd-security-outgoing; Sat, 26 Sep 1998 15:13:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (pppk-02.igrin.co.nz [202.49.245.81]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA24484 for ; Sat, 26 Sep 1998 15:13:04 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id KAA00513; Sun, 27 Sep 1998 10:11:49 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Sun, 27 Sep 1998 10:11:49 +1200 (NZST) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: Muhammad Najib cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall ... In-Reply-To: <360cc91e.bbd.0@csi-x.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sat, 26 Sep 1998, Muhammad Najib wrote:

> Could you please give me an example file as well as some lines which have
> the rule(s) of allowing connection on the telnet port(23) and deny any other
> else than that. I've refered to the page you pointed me to, but I just wanna
> make a kinda confirmation here :) . Which where if I were to use ipfw :
>
> ipfw add pass tcp from any to any 23

allows all telnet connections in and out.

If you only wanted to enable incoming telnet connections you could use:

    ipfw add pass tcp from any to any 23 recv
    ipfw add pass tcp from any 23 to any xmit

> ipfw add pass tcp from any 23 to any

allows anything in and out so long as it comes from a port 23. This is bad.
If they have root on their end then they can send a packet to any port on your machine. (They may not get anything back).

> ipfw add deny all from any to any
                ^^^
change 'all' to 'ip'.

Andrew McNaughton

From owner-freebsd-security Sat Sep 26 18:58:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA21461 for freebsd-security-outgoing; Sat, 26 Sep 1998 18:58:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from csi-x.net (csi-x.net [202.184.73.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA21452 for ; Sat, 26 Sep 1998 18:58:11 -0700 (PDT) (envelope-from najib@csi-x.net) Received: from csi-x.net (nobody@csi-x.net [202.184.73.5]) by csi-x.net (8.9.1/8.9.1) with SMTP id KAA04726 for ; Sun, 27 Sep 1998 10:03:39 +0800 (MYT) From: "Muhammad Najib" Reply-to: najib@csi-x.net To: freebsd-security@FreeBSD.ORG Date: Sun, 27 Sep 98 10:03:40 -800 Subject: Re: Firewall ... X-Mailer: DMailWeb Web to Mail Gateway 1.5af, http://netwinsite.com/top_mail.htm Message-id: <360d9cfc.1271.0@csi-x.net> X-User-Info: 202.184.73.12 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>On Sat, 26 Sep 1998, Muhammad Najib wrote:
>
>> Could you please give me an example file as well as some lines which have
>> the rule(s) of allowing connection on the telnet port(23) and deny any other
>> else than that. I've refered to the page you pointed me to, but I just wanna
>> make a kinda confirmation here :) . Which where if I were to use ipfw :
>>
>> ipfw add pass tcp from any to any 23
>
>allows all telnet connections in and out.
>
>If you only wanted to enable incoming telnet connections you could use:
>
>ipfw add pass tcp from any to any 23 recv
>ipfw add pass tcp from any 23 to any xmit
>
>
>> ipfw add pass tcp from any 23 to any
>
>allows anything in and out so long as it comes from a port 23. This is
>bad. If they have root on their end then they can send a packet to any
>port on your machine. (They may not get anything back).
>
>> ipfw add deny all from any to any
>                ^^^
>change 'all' to 'ip'.
>
>
>Andrew McNaughton
>
>

Thanx Andrew for that bunch of information. But actually I need it in 'ipf' instead of 'ipfw' :) I'll take note of what you forwarded here. Again thanx in advance.

regards,
******************************************************************
MUHAMMAD NAJIB ABDUL MUKTHI                member of My-Linux.ORG
NETWORK ENGINEER / SYSTEM ADMINISTRATOR    http://www.my-linux.org
Cutting Edge Enterprise
MPKS Tower Jalan Tunku Ibrahim             najib@mrsm.org
05000 Kedah Darulaman.
najib@csi-x.net                            http://najib.csi-x.net
najib@kdupg.edu.my                         Tel : 012-4717452
najib@my-linux.org
******************************************************************

From owner-freebsd-security Sat Sep 26 23:31:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA17800 for freebsd-security-outgoing; Sat, 26 Sep 1998 23:31:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA17792 for ; Sat, 26 Sep 1998 23:31:07 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199809270631.XAA17792@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA109637834; Sun, 27 Sep 1998 16:30:34 +1000 From: Darren Reed Subject: Re: Firewall ...
To: najib@csi-x.net Date: Sun, 27 Sep 1998 16:30:34 +1000 (EST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <360d9cfc.1271.0@csi-x.net> from "Muhammad Najib" at Sep 27, 98 10:03:40 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from Muhammad Najib, sie said:
>
> Thanx Andrew for that bunch of information. But actually I need it in 'ipf'
> instead of 'ipfw' :)

If you're using ipf, use "keep state".

Darren
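The rulesets from the Firewall thread above, run through a small first-match evaluator so that the effect of "pass tcp from any 23 to any" (Andrew's point) and the limit of a purely stateless ruleset (why Darren answers "keep state") can both be seen on concrete packets. This is an added example, not ipfw and not code from the thread: it models only a subset of the ipfw(8) syntax of the time (setup matches SYN without ACK, established matches any packet with ACK or RST set, the first matching rule wins, anything unmatched falls to the default deny rule 65535), ignores addresses and direction, and the packets are constructed. Two details of real ipfw not modelled here: recv, xmit and via take an interface name, and in/out are the bare direction keywords.

```shell
#!/bin/sh
# Added example, not ipfw: first-match evaluation of a small subset of the
# 1998 ipfw rule syntax, to compare the rulesets from the thread on
# constructed packets.  Rule form modelled:
#   <pass|deny> <proto> from any [sport] to any [dport] [setup|established]
# Addresses and direction are ignored.  A packet is "<sport> <dport> <flags>"
# with flags S (SYN only), SA (SYN+ACK), A (ACK) or R (RST).
# Semantics assumed from ipfw(8): "setup" matches SYN without ACK,
# "established" matches any packet with ACK or RST set, the first matching
# rule wins, and anything unmatched hits the default deny rule 65535.

port_matches() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# evaluate "<rules, one per line>" <sport> <dport> <flags> -> "<action> <index>"
evaluate() {
    rules=$1 sport=$2 dport=$3 flags=$4
    printf '%s\n' "$rules" | {
        n=0 matched=
        while IFS= read -r rule; do
            [ -n "$rule" ] || continue
            n=$((n + 1))
            set -- $rule
            action=$1
            shift 4                          # action, proto, "from", src
            rsport=any
            if [ "$1" != to ]; then rsport=$1; shift; fi
            shift 2                          # "to", dst
            rdport=any
            case ${1:-} in ''|setup|established) ;; *) rdport=$1; shift ;; esac
            opt=${1:-}
            port_matches "$rsport" "$sport" || continue
            port_matches "$rdport" "$dport" || continue
            case $opt in
                setup)       [ "$flags" = S ] || continue ;;
                established) case $flags in *A*|*R*) ;; *) continue ;; esac ;;
            esac
            echo "$action $n"
            matched=1
            break
        done
        [ -n "$matched" ] || echo "deny 65535"
    }
}

# The three rules as posted in the thread.
NAIVE_RULES='pass tcp from any to any 23
pass tcp from any 23 to any
deny ip from any to any'

# Stateless rewrite: replies recognised by flags, new connections only to 23.
STATELESS_RULES='pass tcp from any to any established
pass tcp from any to any 23 setup
deny ip from any to any'

# Constructed packets: a SYN from source port 23 to the portmapper, a telnet
# client SYN, the server's SYN+ACK reply, and an ACK-only probe to port 111.
demo() {
    for pkt in "23 111 S" "1025 23 S" "23 1025 SA" "1025 111 A"; do
        set -- $pkt
        printf '%-12s posted: %-10s stateless: %s\n' "$pkt" \
            "$(evaluate "$NAIVE_RULES" "$@")" "$(evaluate "$STATELESS_RULES" "$@")"
    done
}
demo
```

The first packet is the bypass Andrew describes: with the posted rules, a SYN from source port 23 to port 111 matches rule 2 and is passed, so anyone who can pick their source port reaches every service on the host. The stateless rewrite denies it, and still carries the telnet handshake in both directions. The last packet shows the remaining hole: established keys on TCP flags alone, so an ACK-only probe to port 111 is passed and the host's RST reply tells the scanner whether the port is closed. A stateful filter (ipf with keep state) passes replies only when they belong to a connection it has seen the SYN for, which is what closes that.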