From owner-freebsd-security Sun Jul 14 01:57:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
        by hub.freebsd.org (Postfix) with ESMTP id 7571537B400
        for ; Sun, 14 Jul 2002 01:57:35 -0700 (PDT)
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38])
        by mx1.FreeBSD.org (Postfix) with ESMTP id D9CAD43E6A
        for ; Sun, 14 Jul 2002 01:57:34 -0700 (PDT)
        (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48])
        by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
        id <20020714085734.OZUJ24728.rwcrmhc51.attbi.com@blossom.cjclark.org>
        for ; Sun, 14 Jul 2002 08:57:34 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
        by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g6E8vYJK084838
        for ; Sun, 14 Jul 2002 01:57:34 -0700 (PDT)
        (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
        by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g6E8vYAF084837
        for freebsd-security@FreeBSD.ORG; Sun, 14 Jul 2002 01:57:34 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Sun, 14 Jul 2002 01:57:34 -0700
From: "Crist J. Clark"
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Message-ID: <20020714085734.GD56656@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References: <200207122046.g6CKk2tG099856@freefall.freebsd.org>
        <200207131731.g6DHVRs92032@lurza.secnetix.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200207131731.g6DHVRs92032@lurza.secnetix.de>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote:
> FreeBSD Security Advisories wrote:
> > [...]
> > IV. Workaround
> >
> > There is no workaround, other than not using tcpdump.
>
> Well, you can at least set up the system in a way so you
> don't have to run tcpdump as root: Create a special group,
> chgrp /dev/bpf* to that group and make them group-readable
> (writable is not required). Then add all users to that
> group which should be allowed to use tcpdump.

tcpdump(8) can still be exploited to run arbitrary code as that user.

> An even better approach would be to create a pseudo user
> (similar to the nobody user) which is a member of the
> tcpdump group, and write a small wrapper script which
> uses /usr/bin/su to call tcpdump as that pseudo-user.
>
> Of course, that's only a quick workaround, not a solution.

It's not really a workaround, it just mitigates the potential for
damage should the bug be exploited.

> On a related matter: It would probably be a very good idea
> for tcpdump to drop privileges right after opening the BPF
> device.

tcpdump(8) never has elevated privileges. It just runs as whoever
executes it. As you say, the way to run it at lower privileges is to
give a less privileged user read access to the bpf(4) devices.
-- 
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 14 03:06:23 2002
From: Dragos Ruiu
Reply-To: dr@kyx.net
Organization: all terrain ninjas
To: "Crist J. Clark", freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Date: Sun, 14 Jul 2002 03:06:13 +0000
X-Mailer: KYX CP/M FNORD 5602
References: <200207122046.g6CKk2tG099856@freefall.freebsd.org>
        <200207131731.g6DHVRs92032@lurza.secnetix.de>
        <20020714085734.GD56656@blossom.cjclark.org>
In-Reply-To: <20020714085734.GD56656@blossom.cjclark.org>
Message-Id: <200207140306.13058.dr@kyx.net>

Or as a workaround use snort. It's been heavily audited and has a
much smaller and easier to debug decode engine. Save files offline
and use ethereal if the minimal decode engine is insufficient.
Run chrooted if feeling insecure still. (see man page and faq)

cheers,
--dr

Sigh... and I thought tcpdump had been through the fires....
It's gonna wind up giving sendmail a run for the money
for the "Pit of Infinite Flaws" title :-).

On July 14, 2002 08:57 am, Crist J. Clark wrote:
> On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote:
> > FreeBSD Security Advisories wrote:
> > > [...]
> > > IV. Workaround
> > >
> > > There is no workaround, other than not using tcpdump.
> >
> > Well, you can at least set up the system in a way so you
> > don't have to run tcpdump as root: Create a special group,
> > chgrp /dev/bpf* to that group and make them group-readable
> > (writable is not required). Then add all users to that
> > group which should be allowed to use tcpdump.
>
> tcpdump(8) can still be exploited to run arbitrary code as that user.
> >
> > An even better approach would be to create a pseudo user
> > (similar to the nobody user) which is a member of the
> > tcpdump group, and write a small wrapper script which
> > uses /usr/bin/su to call tcpdump as that pseudo-user.
> >
> > Of course, that's only a quick workaround, not a solution.
>
> It's not really a workaround, it just mitigates the potential for
> damage should the bug be exploited.

From owner-freebsd-security Sun Jul 14 04:36:06 2002
Message-Id: <200207141135.g6EBZhxQ064314@Magelan.Leidinger.net>
Date: Sun, 14 Jul 2002 13:35:43 +0200 (CEST)
From: Alexander Leidinger
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
To: cjc@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020714085734.GD56656@blossom.cjclark.org>

On 14 Jul, Crist J. Clark wrote:
>> On a related matter: It would probably be a very good idea
>> for tcpdump to drop privileges right after opening the BPF
>> device.
>
> tcpdump(8) never has elevated privileges. It just runs as whoever
> executes it. As you say, the way to run it at lower privileges is to
> give a less privileged user read access to the bpf(4) devices.

It could drop privileges (su to another UID like a newer OpenSSH or
Apache does it) if it gets run by root...

Bye,
Alexander.

-- 
It's not a bug, it's tradition!

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

From owner-freebsd-security Sun Jul 14 15:05:32 2002
Date: Mon, 15 Jul 2002 00:05:25 +0200 (CEST)
Message-Id: <200207142205.g6EM5P541393@lurza.secnetix.de>
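The privilege drop Alexander suggests above, worked through as an added example in C (not tcpdump's code and not from any poster in this thread): the program opens the bpf(4) device while it is still root, then switches to an unprivileged uid/gid in the order that makes the change permanent, and checks that the drop took effect. The device nodes /dev/bpf0..15 and the target user "nobody" are assumptions.

```c
/* Added example, not tcpdump's code and not from any poster in this thread:
 * open the bpf(4) device while still root, then drop to an unprivileged
 * uid/gid so that a bug in the decoder runs as that user instead of root.
 * The device nodes /dev/bpf0..15 and the target user "nobody" are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the first free bpf node.  Only read access is needed, which is why the
 * group-readable /dev/bpf* workaround from the thread is enough to run without
 * root.  Returns the descriptor, or -1 with errno set. */
int open_bpf(void)
{
    char path[32];
    for (int i = 0; i < 16; i++) {
        snprintf(path, sizeof path, "/dev/bpf%d", i);
        int fd = open(path, O_RDONLY);
        if (fd >= 0)
            return fd;
        if (errno != EBUSY)          /* EBUSY: node in use, try the next one */
            return -1;
    }
    return -1;
}

/* Drop privileges permanently.  Order matters: supplementary groups first,
 * then the gid, then the uid, because once the uid is unprivileged the other
 * two can no longer be changed.  Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may reset the supplementary group list; an unprivileged
     * caller has nothing to drop there, so the step is skipped. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* Verify the drop: real and effective ids must equal the targets and, for a
 * non-root target, regaining uid 0 must fail.  Returns 1 when all checks pass. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must not succeed */
        return 0;
    return 1;
}

int main(void)
{
    int fd = open_bpf();
    if (fd == -1)
        fprintf(stderr, "bpf: %s (continuing without a capture device)\n",
                strerror(errno));

    /* Started as root: switch to the placeholder user.  Otherwise the drop is
     * a no-op to the caller's own ids and the checks still apply. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        if (pw == NULL) {
            fputs("user \"nobody\" not found\n", stderr);
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) == -1) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fputs("privilege drop did not take effect\n", stderr);
        return 1;
    }
    /* The descriptor opened while privileged stays readable: permission was
     * checked at open(2), so capture continues as the unprivileged user. */
    printf("now uid %ld gid %ld, bpf descriptor %d\n",
           (long)geteuid(), (long)getegid(), fd);
    if (fd != -1)
        close(fd);
    return 0;
}
```

Run as root it ends up as "nobody" with the capture descriptor still open; run unprivileged it simply confirms that uid 0 cannot be regained.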
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, "Crist J. Clark"
Reply-To: freebsd-security@FreeBSD.ORG, "Crist J. Clark"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
In-Reply-To: <20020714085734.GD56656@blossom.cjclark.org>
X-Newsgroups: list.freebsd-security
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.5-RELEASE (i386))

Crist J. Clark wrote:
> On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote:
> > [...]
> tcpdump(8) can still be exploited to run arbitrary code as that user.

That's what I wrote.

> [...]
> It's not really a workaround, it just mitigates the potential for
> damage should the bug be exploited.

Again, I wrote exactly that (in the part of my mail that you did
not quote).

> > On a related matter: It would probably be a very good idea
> > for tcpdump to drop privileges right after opening the BPF
> > device.
>
> tcpdump(8) never has elevated privileges.

Not through s-bits, but ...

> It just runs as whoever
> executes it.

... which is usually root because of the default permissions of
the /dev/bpf* devices. That's the problem.

> As you say, the way to run it at lower privileges is to
> give a less privileged user read access to the bpf(4) devices.

Or let tcpdump drop its root privileges after opening the devices.
That would be similar to what openssh does when privilege separation
is enabled. Or what BIND does when running it with the -u option.
I think a _lot_ more software should take precautions like that, and
there is no reason to exclude tcpdump.

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr.
2, 80538 München

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)

From owner-freebsd-security Sun Jul 14 16:24:05 2002
Message-ID: <3D3207FC.50102@kpi.com.au>
Date: Mon, 15 Jul 2002 09:23:40 +1000
From: Andrew Johns
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2
To: "Roger 'Rocky' Vetterberg"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for filesystem integrity checkers?
References: <20020712065459.GA24030@lupe-christoph.de> <3D2EC5A9.2070305@rambo.simx.org>

Roger 'Rocky' Vetterberg wrote:
> Lupe Christoph wrote:
>
>> Hi!
>>
>> Which filesystem integrity checkers do people use? I've
>> found ports for aide, cksfv, integrit, l5, three versions
>> of tripwire and yafic. (Feel free to point me to the ones
>> I overlooked.) I did not find ports for fcheck and samhain
>> (found on Debian).
>>
>> Since I don't have the time to assess them all, I would
>> like to tap the collective experience of the FreeBSD
>> security people.
>>
>> So which do you use, and why?
>>
>> Thanks for your time, Lupe Christoph
>
>
> Personally, I use aide. It's lightweight, easy to configure
> and automate via scripts and it does exactly what I want it to
> do.
>

Are you using aide-0.8 or 0.7? I've seen people have problems with
0.8 getting gcrypt operating (including myself, although I haven't yet
had the time to delve in and find the actual problem).

If you've succeeded with 0.8, what magic incantation did you need to
get gcrypt to compile?
Thanks
AJ

From owner-freebsd-security Sun Jul 14 22:57:51 2002
Date: Mon, 15 Jul 2002 09:58:17 +0400
From: dawnshade
X-Mailer: The Bat! (v1.60m)
Reply-To: dawnshade
Message-ID: <1051553493.20020715095817@mail.ru>
To: 'dawnshade', security@freebsd.org
Subject: Re[2]: Snort problem.
In-Reply-To: <271DE2625FD4D311949B009027F43B9F0918E42F@us-mtvmail2.ariba.com>
References: <271DE2625FD4D311949B009027F43B9F0918E42F@us-mtvmail2.ariba.com>

Hello Jason,

Saturday, July 13, 2002, 12:53:15 AM, you wrote:

JF> This isn't the snort mailing list, but here is something to help...
JF> Is the process actually running?
JF> Run the same command minus the option to run as a daemon. This will let you
JF> see any errors.

JF> -----Original Message-----
JF> From: dawnshade [mailto:h-k@mail.ru]
JF> Sent: Thursday, July 11, 2002 10:03 PM
JF> To: security@FreeBSD.ORG
JF> Subject: Snort problem.

JF> I have a little problem:
JF> install, configure snort (1.8.6 (Build 105)).
JF> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d
JF> -D -l /usr/log/snort
JF> But the snort does nothing: not log or alert scans, portscans, etc....
JF> thank all for advance.

Yes, process running:

su-2.05a# /usr/local/bin/snort -i cp0 -A fast -c /usr/local/etc/snort/snort.conf -m 027
Log directory = /var/log/snort
Initializing Network Interface cp0

        --== Initializing Snort ==--
Decoding PPP on interface cp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Using LOCAL time
Anomoly sensor threshold adapting repeadly specified, ignoring later specification: 0.01 15 4 24 7
WARNING: command line overrides rules file alert plugin!
WARNING: command line overrides rules file alert plugin!
limit == 128
UnifiedLogFilename = snort.log
Opening /var/log/snort/snort.log.1026712623
1530 Snort rules read...
1530 Option Chains linked into 170 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

ps ax:
33529  p3  S+     0:00.33 /usr/local/bin/snort -i cp0 -A fast -c /usr/local/etc/snort.conf

-- 
Best regards,
 dawnshade                            mailto:h-k@mail.ru

From owner-freebsd-security Mon Jul 15 00:44:18 2002
To: campbell@neotext.ca
Cc: security@FreeBSD.ORG
Subject: Re: racoon/FreeBSD 4.5 problems & observations
In-Reply-To: Your message of "Wed, 10 Jul 2002 09:43:38 -0000"
        <200207100943.g6A9hcA01547@localhost.neotext.ca>
References: <200207100943.g6A9hcA01547@localhost.neotext.ca>
X-Mailer: Cue version 0.6 (020620-1817/sakane)
Message-Id: <20020715164425B.sakane@kame.net>
Date: Mon, 15 Jul 2002 16:44:25 +0900
From: Shoichi Sakane

> Then I upgraded (several months or so ago) ww0 to run 4.5. On doing this
> I first found my /var/log/racoon.log would bloat and overrun the
> filesystem (the 110% usage syndrome). So I then linked /var/log/racoon.log
> to /dev/null and ran like that. No good. The racoon task would bloat
> by 4k per packet transmitted across the VPN to the 4.5 node and would
> quickly reach 2, 3 or 4 hundred megabytes in memory usage. Didn't matter
> whether I was setting up for tunnel or transport. And it didn't matter
> which version of the racoon task I was using: binaries from 4.3 behaved
> as badly on the 4.5 system as did the latest release. Same with binaries
> I compiled on both systems.

There is no difference in racoon between 4.5 and 4.3. What kind of
message did you find in the racoon.log?

I think these messages are related to routing information. racoon
watches the routing socket in order to get the addresses which are
assigned to interfaces. When racoon gets either RTM_NEWADDR,
RTM_DELADDR, RTM_DELETE or RTM_IFINFO, racoon will restart getting the
address list. If your routing table changes frequently, racoon dumps
plenty of messages into the racoon.log. To prevent this, you should
define the addresses racoon listens on by using the listen directive.
From owner-freebsd-security Mon Jul 15 07:13:57 2002
Message-ID: <3D32D849.E3D8F2BE@rt.ru>
Date: Mon, 15 Jul 2002 18:12:25 +0400
From: "Dmitry S. Rzhavin"
Organization: Rostelecom
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-20000103-CURRENT i386)
To: security@FreeBSD.ORG
Subject: ipfw and keep-state

Hello!

I'm trying to set up a stateful firewall using ipfw. And I noticed one
strange (to me) thing: I create rules like this:

sample net:

       inet
         |
    -----------
    | FreeBSD |
    -----------
         |
    ----ip1----
    |some host|
    -----------

sample IPFW rules:

10 pass tcp from any to ip2 in keep-state setup
... nothing interesting here
20 deny tcp from any to ip2

Or, in other words, I want to pre-auth some packet with rule 10 to
check it later. Then, I decide to drop it.
But ipfw creates dynamic rule "inet <-> ip1" and passes this
session. I think this is not good. Why does ipfw work this way?

From owner-freebsd-security Mon Jul 15 07:25:44 2002
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
        coincide with those of any organisation or company with which
        I am or have been affiliated.
To: "Dmitry S.
Rzhavin"
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
References: <3D32D849.E3D8F2BE@rt.ru>
From: Dag-Erling Smorgrav
Date: 15 Jul 2002 16:25:36 +0200
In-Reply-To: <3D32D849.E3D8F2BE@rt.ru>
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2

"Dmitry S. Rzhavin" writes:
> 10 pass tcp from any to ip2 in keep-state setup
> ... nothing interesting here
> 20 deny tcp from any to ip2
>
>
> Or, in other words, I want to pre-auth some packet with rule 10 to
> check it later. Then, I decide to drop it.
> But ipfw creates dynamic rule "inet <-> ip1" and passes this
> session. I think this is not good. Why does ipfw work this way?

That's what you asked it to do. Rule 10 basically says "if the packet
is a tcp SYN packet destined for ip2, stop examining it, let it
through, and remember to let all similar packets through in the
future"

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jul 15 07:45:54 2002
Date: Mon, 15 Jul 2002 10:46:07 -0400
From: Zak Johnson
To: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020715144607.GA45492@opiate.nox.cx>
Mail-Followup-To: security@FreeBSD.ORG
References: <3D32D849.E3D8F2BE@rt.ru>
In-Reply-To: <3D32D849.E3D8F2BE@rt.ru>
User-Agent: Mutt/1.4i

On Mon, Jul 15, 2002 at 06:12:25PM +0400, Dmitry S. Rzhavin wrote:
> Or, in other words, I want to pre-auth some packet with rule 10 to
> check it later. Then, I decide to drop it.
> But ipfw creates dynamic rule "inet <-> ip1" and passes this
> session. I think this is not good. Why does ipfw work this way?

It sounds as though you're used to IPFilter, in which the last-matched
rule wins. ipfw stops processing rules after the first match. See
http://coombs.anu.edu.au/~avalon/ipfilfaq.html#III-2 .

-Zak

From owner-freebsd-security Mon Jul 15 08:49:46 2002
Message-ID: <3D32EEBD.E66100A1@rt.ru>
Date: Mon, 15 Jul 2002 19:48:13 +0400
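An added model (not ipfw's code, and not from any poster) of the first-match evaluation DES and Zak describe above: rules are walked in order, the first match decides, and a keep-state match installs a dynamic rule that matches the session in both directions, so rule 20 is never consulted. The hosts 198.51.100.7 and 192.0.2.20 are constructed stand-ins for the thread's outside host and ip2; the second rule set shows the ordering that actually gets the deny applied.

```c
/* Added example, not ipfw's code: a small model of ipfw(8) rule evaluation
 * with keep-state.  Addresses are constructed stand-ins for the thread's hosts. */
#include <stdio.h>
#include <string.h>

#define ANY     "any"
#define DIR_ANY 0
#define DIR_IN  1
#define DIR_OUT 2
#define INET    "198.51.100.7"           /* constructed: the outside host */
#define IP2     "192.0.2.20"             /* constructed: the thread's ip2 */

struct pkt  { const char *src, *dst; int dir; int setup; };  /* setup: SYN, no ACK */
struct rule { int number; const char *action; const char *src, *dst; int dir; int setup; int keep_state; };
/* Dynamic rule: session endpoints plus parent; matches both directions, whatever "in"/"out" the parent said. */
struct dyn  { const char *a, *b; const struct rule *parent; };
struct fw   { const struct rule *rules; int nrules; struct dyn dyn[16]; int ndyn; };
struct verdict { const char *action; int rule; int dynamic; };

static int addr_match(const char *pat, const char *addr)
{ return !strcmp(pat, ANY) || !strcmp(pat, addr); }

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    return addr_match(r->src, p->src) && addr_match(r->dst, p->dst)
        && (r->dir == DIR_ANY || r->dir == p->dir) && (!r->setup || p->setup);
}

static const struct rule *dyn_lookup(const struct fw *fw, const struct pkt *p)
{
    for (int i = 0; i < fw->ndyn; i++) {
        const struct dyn *d = &fw->dyn[i];
        if ((!strcmp(d->a, p->src) && !strcmp(d->b, p->dst)) ||
            (!strcmp(d->a, p->dst) && !strcmp(d->b, p->src)))
            return d->parent;
    }
    return NULL;
}

/* First match wins: the first matching rule decides, later rules are never consulted.
 * The dynamic table is checked once, at the first keep-state rule, before its own match. */
struct verdict fw_process(struct fw *fw, const struct pkt *p)
{
    struct verdict v = { "deny", 65535, 0 };            /* the default rule */
    int state_checked = 0;
    for (int i = 0; i < fw->nrules; i++) {
        const struct rule *r = &fw->rules[i];
        if (r->keep_state && !state_checked) {
            const struct rule *parent = dyn_lookup(fw, p);
            state_checked = 1;
            if (parent) {
                v.action = parent->action; v.rule = parent->number; v.dynamic = 1;
                return v;
            }
        }
        if (!rule_matches(r, p))
            continue;
        if (r->keep_state && fw->ndyn < 16) {
            struct dyn d = { p->src, p->dst, r };
            fw->dyn[fw->ndyn++] = d;
        }
        v.action = r->action; v.rule = r->number;
        return v;
    }
    return v;
}

/* The thread's rule set:  10 pass tcp from any to ip2 in keep-state setup
 *                         20 deny tcp from any to ip2                      */
static const struct rule dmitry_rules[] = {
    { 10, "pass", ANY, IP2, DIR_IN,  1, 1 },
    { 20, "deny", ANY, IP2, DIR_ANY, 0, 0 },
};

/* Replay SYN in, reply out, more data in; returns how many verdicts were dynamic. */
int dmitry_scenario(struct verdict out[3])
{
    struct fw fw = { dmitry_rules, 2 };          /* dynamic table starts empty */
    struct pkt syn = { INET, IP2, DIR_IN, 1 }, reply = { IP2, INET, DIR_OUT, 0 },
               data = { INET, IP2, DIR_IN, 0 };
    out[0] = fw_process(&fw, &syn);    /* rule 10 matches; rule 20 is never reached */
    out[1] = fw_process(&fw, &reply);  /* passed by the dynamic rule that 10 created */
    out[2] = fw_process(&fw, &data);
    return out[0].dynamic + out[1].dynamic + out[2].dynamic;
}

/* Deny first, keep-state second: the unwanted SYN is dropped, no dynamic rule
 * is created, and the later reply falls through to the default deny. */
static const struct rule fixed_rules[] = {
    { 10, "deny", INET, IP2, DIR_ANY, 0, 0 },
    { 20, "pass", ANY,  IP2, DIR_IN,  1, 1 },
};

int fixed_scenario(struct verdict out[2])
{
    struct fw fw = { fixed_rules, 2 };
    struct pkt syn = { INET, IP2, DIR_IN, 1 }, reply = { IP2, INET, DIR_OUT, 0 };
    out[0] = fw_process(&fw, &syn);
    out[1] = fw_process(&fw, &reply);
    return fw.ndyn;                    /* 0: nothing was remembered */
}
```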
From: "Dmitry S. Rzhavin"
Organization: Rostelecom
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-20000103-CURRENT i386)
To: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
References: <3D32D849.E3D8F2BE@rt.ru>

Dag-Erling Smorgrav wrote:
>
> "Dmitry S. Rzhavin" writes:
> > 10 pass tcp from any to ip2 in keep-state setup
> > ... nothing interesting here
> > 20 deny tcp from any to ip2
> >
> >
> > Or, in other words, I want to pre-auth some packet with rule 10 to
> > check it later. Then, I decide to drop it.
> > But ipfw creates dynamic rule "inet <-> ip1" and passes this
> > session. I think this is not good. Why does ipfw work this way?
>
> That's what you asked it to do. Rule 10 basically says "if the packet
> is a tcp SYN packet destined for ip2, stop examining it, let it
> through

nonono! Rule 10 says "let it _in_", not out! Or:

                        --------------
 --------               |IPFW is here|
 |packet|==[flows in]=>in_if----   out_if
 --------               |  |packet|==>X  |
                        --------------
   fly in is allowed ^^^       ^^^ packet dies here

So, I expect (at least) dynamic rule to be "pass ip from inet to ip1 _in_".
Or, as the best solution, rule "in" creates dynamic candidate, and
stateful dynamic rule is created only if packet is allowed to go out.
If packet dies inside ipfw, rule dies too.

So, the question is: why is this bad? Why did the FreeBSD Team choose
to create dynamic rule "in/out" for "in" static rule? Is it a bug, or
a feature?
>, and remember to let all similar packets through in the
> future"
>

From owner-freebsd-security Mon Jul 15 10:02:09 2002
Date: Mon, 15 Jul 2002 10:01:56 -0700 (PDT)
Message-Id: <200207151701.g6FH1uuP062858@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:31.openssh
Reply-To: security-advisories@freebsd.org

=============================================================================
FreeBSD-SA-02:31                                           Security Advisory
                                                          The FreeBSD Project

Topic:          openssh contains remote vulnerability

Category:       core
Module:         OpenSSH
Announced:      2002-07-15
Credits:        ISS X-Force
                Theo DeRaadt
Affects:        FreeBSD-CURRENT between 2002-03-18 and 2002-06-25
Corrected:      2002-06-25 19:10:07 (HEAD)
FreeBSD only:   NO

I.   Background

OpenSSH is a free implementation of the SSH protocol suite, and provides
encrypted and authenticated remote login, file transfer and command
execution.

II.  Problem Description

SSH clients and servers communicate by exchanging discrete messages with
a variable number of parameters. Due to the lack of sufficient integrity
checks in a portion of the server code responsible for handling incoming
SSH2_MSG_USERAUTH_INFO_RESPONSE messages, it was possible for a malicious
client to send a message that would cause the server to overwrite portions
of its memory with client-provided data.

III. Impact

A remote attacker using an SSH client modified to send carefully crafted
SSH2_MSG_USERAUTH_INFO_RESPONSE messages to the server could obtain
superuser privileges on the server.

Please note that this problem only affects FreeBSD-CURRENT. No versions
of FreeBSD-STABLE are or were ever vulnerable to this bug.

IV.  Workaround

Do one of the following:

1) Disable SSH entirely.

2) Use a firewall to block incoming SSH connections from untrusted hosts.

3) Add the following line to /etc/ssh/sshd_config, and restart sshd.
   ChallengeResponseAuthentication no

Note that this will prevent the use of OPIE and similar challenge-based
authentication methods with SSH.

V.   Solution

Update your system to the latest -CURRENT.

VI.  Correction details

No correction details are provided in this advisory.

VII. References
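A defender-side check for workaround 3, added here as an example and not part of the advisory: it reads an sshd_config the way sshd does (keywords are case-insensitive, '#' starts a comment, and the first occurrence of a keyword wins), reports whether ChallengeResponseAuthentication is really off, and rewrites the file so the directive cannot be shadowed by an earlier line. The sample config, the function names and the acceptance of a "key = value" form (a later sshd feature) are assumptions of this example.

```python
"""Check whether the FreeBSD-SA-02:31 workaround is actually in effect.

Added example, not part of the advisory.  It models the sshd_config rules
that matter for the workaround: keywords are matched case-insensitively,
'#' begins a comment, and for each keyword the FIRST value found wins, so
appending 'ChallengeResponseAuthentication no' below an existing 'yes'
changes nothing.  When the keyword is absent sshd defaults it to yes.
"""
import re

KEYWORD = "ChallengeResponseAuthentication"
DEFAULT = "yes"   # sshd's default when the keyword is absent

# Separator: whitespace, or optional whitespace around exactly one '='
# (the '=' form is accepted by later sshd releases; assumption here).
_SEP = re.compile(r"\s*=\s*|\s+")

# Constructed sample: an admin appended the advisory's line to the end of
# a config that already enabled challenge/response near the top.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
ChallengeResponseAuthentication yes   # wanted for OPIE
PasswordAuthentication no
challengeresponseauthentication = no  # appended later, ignored by sshd
"""


def parse_lines(config_text):
    """Yield (keyword_lowercase, value) for every effective directive."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        parts = _SEP.split(line, maxsplit=1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def effective_value(config_text, keyword=KEYWORD, default=DEFAULT):
    """Return the value sshd will use: the first occurrence, else default."""
    for key, value in parse_lines(config_text):
        if key == keyword.lower():
            return value.lower()
    return default.lower()


def workaround_in_effect(config_text):
    """True only if challenge/response authentication is really disabled."""
    return effective_value(config_text) == "no"


def apply_workaround(config_text):
    """Return a config in which the workaround is guaranteed to win.

    Every existing occurrence of the keyword is commented out (so a later
    reader still sees what was there) and the directive is placed on the
    first line, ahead of anything that could shadow it.
    """
    kept = []
    for raw in config_text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        key = _SEP.split(stripped, maxsplit=1)[0].lower() if stripped else ""
        if key == KEYWORD.lower():
            kept.append("#" + raw + "  # disabled per FreeBSD-SA-02:31")
        else:
            kept.append(raw)
    return "\n".join([f"{KEYWORD} no"] + kept) + "\n"


if __name__ == "__main__":
    print("workaround in effect:", workaround_in_effect(SAMPLE_CONFIG))
    fixed = apply_workaround(SAMPLE_CONFIG)
    print("after apply_workaround:", workaround_in_effect(fixed))
```

Run it against a real /etc/ssh/sshd_config by reading the file into `workaround_in_effect`; a result of False with the "no" line present means an earlier line is shadowing it.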
From owner-freebsd-security Mon Jul 15 10:36:33 2002
Message-ID: <3D33068D.8090405@rambo.simx.org>
Date: Mon, 15 Jul 2002 19:29:49 +0200
From: "Roger 'Rocky' Vetterberg"
To: Andrew Johns
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for filesystem integrity checkers?
References: <20020712065459.GA24030@lupe-christoph.de> <3D2EC5A9.2070305@rambo.simx.org> <3D3207FC.50102@kpi.com.au>

Andrew Johns wrote:
> Roger 'Rocky' Vetterberg wrote:
>
>> Lupe Christoph wrote:
>>
>>> Hi!
>>>
>>> Which filesystem integrity checkers do people use? I've
>>> found ports for aide, cksfv, integrit, l5, three versions
>>> of tripwire and yafic. (Feel free to point me to the ones
>>> I overlooked.) I did not find ports for fcheck and samhain
>>> (found on Debian).
>>>
>>> Since I don't have the time to assess them all, I would
>>> like to tap the collective experience of the FreeBSD
>>> security people.
>>>
>>> So which do you use, and why?
>>>
>>> Thanks for your time, Lupe Christoph
>>
>> Personally, I use aide. Its lightweight, easy to configure
>> and automate via scripts and it does exactly I want it to
>> do.
>
> Are you using aide-0.8 or 0.7? I've seen people have problems
> with 0.8 getting gcrypt operating (including myself although I
> haven't yet had the time to delve in and find the actual problem).
>
> If you've succeeded with 0.8, what magic incantation did you need
> to get gcrypt to compile?
>
> Thanks
> AJ

aide -v
Aide, version 0.7

Compiled with the following options
WITH_MHASH
CONFIG_FILE = "/etc/aide.conf"

This was compiled and configured probably a year ago, and has been
working flawlessly since then.
--
R

From owner-freebsd-security Mon Jul 15 11:03:11 2002
Date: Mon, 15 Jul 2002 11:03:08 -0700 (PDT)
Message-Id: <200207151803.g6FI38af078162@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security Mon Jul 15 12:04:23 2002
Date: Mon, 15 Jul 2002 21:04:17 +0200
From: Marc Olzheim
To: "Dmitry S. Rzhavin"
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020715190417.GA72114@stack.nl>
References: <3D32D849.E3D8F2BE@rt.ru>
In-Reply-To: <3D32D849.E3D8F2BE@rt.ru>

> 10 pass tcp from any to ip2 in keep-state setup
> ... nothing interesting here
> 20 deny tcp from any to ip2
>
>
> Or, in other words, I want to pre-auth some packet with rule 10 to
> check it later. Then, I decide to drop it.
> But ipfw creates dynamic rule "inet <-> ip1" and passes this
> session. I think this is not good. Why does ipfw work this way?

"in" is just used to match packets not originating from, or routed by,
your machine.  The action "pass" is what happens if the rule matches.
The actions are not split into "in", "bridge" and "out"...  It's just
"accept", "deny" or "skipto".  (and count, fwd, reset, divert, etc. but:)
The first three are enough to handle this:

10 skipto 20 tcp from any to ip2 in setup
...
20 deny tcp from any to ip2

Zlo

From owner-freebsd-security Mon Jul 15 13:22:18 2002
To: FreeBSD-gnats-submit@freebsd.org
Subject: news/newsx: security patch for newsx version 1.4
From: Thierry Thomas
Reply-To: Thierry Thomas
Cc: security@FreeBSD.org
X-send-pr-version: 3.113
Message-Id: <20020715201956.D6EFC7520@graf.pompo.net>
Date: Mon, 15 Jul 2002 22:19:56 +0200 (CEST)

>Submitter-Id:  current-users
>Originator:    Thierry Thomas
>Organization:  Kabbale Eros
>Confidential:  no
>Synopsis:      news/newsx: security patch for newsx version 1.4
>Severity:      serious
>Priority:      high
>Category:      ports
>Class:         maintainer-update
>Release:       FreeBSD 4.6-STABLE i386
>Environment:
System: FreeBSD graf.pompo.net 4.6-STABLE FreeBSD 4.6-STABLE #0: Sun Jun 16 15:14:29 CEST 2002 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386

>Description:
Message from the author:

The attached patch fixes a security vulnerability with newsx version 1.4.
It also applies to earlier newsx versions.

The vulnerability is primarily local - it is not obvious that it may also
apply for remote exploits - but on the other hand this cannot be totally
ruled out either.

Thanks to zillion@snosoft.com for pointing this out.

Egil Kvaleberg

>How-To-Repeat:
N./A.

>Fix:
Please apply the attached patch:

diff -urN /usr/ports/news/newsx.orig/Makefile /usr/ports/news/newsx/Makefile
--- /usr/ports/news/newsx.orig/Makefile	Sun Jul  7 22:00:46 2002
+++ /usr/ports/news/newsx/Makefile	Mon Jul 15 21:51:29 2002
@@ -6,10 +6,10 @@
 #
 
 PORTNAME=	newsx
-PORTVERSION=	1.4.6
+PORTVERSION=	1.4.8
 CATEGORIES=	news
 MASTER_SITES=	ftp://ftp.kvaleberg.com/pub/
-DISTNAME=	${PORTNAME}-${PORTVERSION:S/.6/pl6/}
+DISTNAME=	${PORTNAME}-${PORTVERSION:S/.8/pl6/}
 
 MAINTAINER=	thierry@pompo.net
 
diff -urN /usr/ports/news/newsx.orig/files/patch-configure.in /usr/ports/news/newsx/files/patch-configure.in
--- /usr/ports/news/newsx.orig/files/patch-configure.in	Thu Jan 31 21:55:12 2002
+++ /usr/ports/news/newsx/files/patch-configure.in	Mon Jul 15 21:47:42 2002
@@ -1,5 +1,14 @@
 --- configure.in.orig	Tue Jan 29 20:15:19 2002
-+++ configure.in	Thu Jan 31 01:05:04 2002
++++ configure.in	Mon Jul 15 21:46:55 2002
+@@ -167,7 +167,7 @@
+ dnl
+ AC_INIT(FAQ)
+ 
+-AM_INIT_AUTOMAKE(newsx, 1.4pl6)
++AM_INIT_AUTOMAKE(newsx, 1.4pl8)
+ AM_CONFIG_HEADER(config.h)
+ dnl Only most recent year required:
+ COPYRIGHT="Copyright 2002 Egil Kvaleberg "
 @@ -189,7 +189,7 @@
  dnl Default list of locations to visit in search of the
  dnl news configuration file
diff -urN /usr/ports/news/newsx.orig/files/patch-src_logmsg.c /usr/ports/news/newsx/files/patch-src_logmsg.c
--- /usr/ports/news/newsx.orig/files/patch-src_logmsg.c	Thu Jan  1 01:00:00 1970
+++ /usr/ports/news/newsx/files/patch-src_logmsg.c	Mon Jul 15 21:40:27 2002
@@ -0,0 +1,74 @@
+--- src/logmsg.c.orig	Wed Feb 14 07:55:40 2001
++++ src/logmsg.c	Mon Jul 15 21:38:30 2002
+@@ -1,4 +1,4 @@
+-/* VER 079 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $
++/* VER 080 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $
+  *
+  * handle error messages and such...
+  *
+@@ -60,9 +60,9 @@
+ /*
+  * try to make a surrogate
+  * we assume that on those architectures where this trick
+- * doesn't work there we will surely have stdarg.h or varargs.h
++ * doesn't work there we will surely be stdarg.h or varargs.h
+  */
+-#define vsprintf(buf, fmt, ap) sprintf(buf, fmt, arg1, arg2, arg3, arg4)
++#define vsnprintf(buf,siz,fmt,ap) snprintf(buf,siz,fmt, arg1,arg2,arg3,arg4)
+ #define vfprintf(file, fmt, ap) fprintf(file, fmt, arg1, arg2, arg3, arg4)
+ #endif
+ 
+@@ -156,7 +156,7 @@
+ #endif
+ {
+ 	int e;
+-	char buf[BUFSIZ]; /* BUG: do we risk overwriting it? */
++	char buf[BUFSIZ];
+ 
+ #if HAVE_VPRINTF
+ 	va_list ap;
+@@ -176,34 +176,33 @@
+ 	case L_ERRno:
+ 	case L_ERR:
+ 		e = errno;
+-		vsprintf(buf, fmt, ap);
+-		if (type == L_ERRno) {
+-			sprintf(buf + strlen (buf), ": %s", str_error(e));
+-		}
+-		strcat(buf, "\n");
++		vsnprintf(buf, sizeof(buf), fmt, ap);
+ #if HAVE_SYSLOG_H
+ 		if (!debug_opt) {
+-			syslog(LOG_ERR, buf);
++			syslog(LOG_ERR, "%s%s%s\n", buf,
++				((type==L_ERRno) ? ": ":""),
++				((type==L_ERRno) ? str_error(e):""));
+ 		} else
+ #endif
+ 		{
+ 			clean_line();
+-			fprintf(stderr, "%s: %s", pname, buf);
++			fprintf(stderr, "%s: %s%s%s\n", pname, buf,
++				((type==L_ERRno) ? ": ":""),
++				((type==L_ERRno) ? str_error(e):""));
+ 			fflush(stderr);
+ 		}
+ 		break;
+ 
+ 	case L_INFO:
+-		vsprintf(buf, fmt, ap);
+-		strcat(buf, "\n");
++		vsnprintf(buf, sizeof(buf), fmt, ap);
+ #if HAVE_SYSLOG_H
+ 		if (!debug_opt) {
+-			syslog(LOG_INFO, buf);
++			syslog(LOG_INFO, "%s\n", buf);
+ 		} else
+ #endif
+ 		{
+ 			clean_line();
+-			fprintf(stderr, "%s", buf);
++			fprintf(stderr, "%s\n", buf);
+ 			fflush(stderr);
+ 		}
+ 		break;
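Review bot: in the Makefile hunk, PORTVERSION goes from 1.4.6 to 1.4.8 while the DISTNAME substitution is changed in step (`S/.6/pl6/` to `S/.8/pl6/`) so that it still expands to newsx-1.4pl6; the same tarball is fetched and the fix lives entirely in files/patch-src_logmsg.c. That is workable, but a comment next to DISTNAME saying the version bump is local to the port would stop the next maintainer from "correcting" the substitution to pl8 and breaking the fetch.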
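Review bot: in the patch-configure.in hunk, the new inner context line `+ COPYRIGHT="Copyright 2002 Egil Kvaleberg "` ends in a space before the closing quote, which looks like an e-mail address stripped by the list archive; a context line that does not match configure.in byte-for-byte makes patch(1) reject the hunk, so check this line against the real file before committing. The 1.4pl6 to 1.4pl8 change in AM_INIT_AUTOMAKE is consistent with the PORTVERSION bump in the Makefile hunk.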
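Review bot: in the patch-src_logmsg.c hunk, the security-relevant change is replacing `vsprintf(buf, fmt, ap)` into a BUFSIZ stack buffer plus `syslog(LOG_ERR, buf)` / `syslog(LOG_INFO, buf)` with `vsnprintf(buf, sizeof(buf), fmt, ap)` and fixed `"%s%s%s\n"` / `"%s\n"` format strings, which closes both the buffer overflow in buf and the format-string hole in the syslog calls (e is still captured from errno before any call that could clobber it, which is right). Two follow-ups: the comment edit `we will surely have stdarg.h` to `we will surely be stdarg.h` reads like an accidental typo and should be reverted, and the fallback `#define vsnprintf(buf,siz,fmt,ap) snprintf(buf,siz,fmt, arg1,arg2,arg3,arg4)` now presumes snprintf() exists on the legacy platforms that take that branch, so the `#if` guarding that block should be checked to match.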
From owner-freebsd-security Mon Jul 15 13:57:36 2002
Date: Mon, 15 Jul 2002 14:57:28 -0600
Message-Id: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>
To: freebsd-security@freebsd.org
From: Gregory Kuhn
Subject: OpenSSH

Dear FreeBSD-Security,

Out of curiosity why hasn't OpenSSH 3.4 been included with the latest
stable version?

From owner-freebsd-security Mon Jul 15 14:03:54 2002
Date: Mon, 15 Jul 2002 23:03:45 +0200
From: Erik Trulsson
To: Gregory Kuhn
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH
Message-ID: <20020715210345.GA44837@falcon.midgard.homeip.net>
References: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>
In-Reply-To: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>

On Mon, Jul 15, 2002 at 02:57:28PM -0600, Gregory Kuhn wrote:
> Dear FreeBSD-Security,
>
> Out of curiosity why hasn't OpenSSH 3.4 been included with the
> latest stable version?

But it has been.  The version of OpenSSH currently included in
4.6-STABLE is OpenSSH 3.4p1 which is the latest.

--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Mon Jul 15 14:06:24 2002
Date: Mon, 15 Jul 2002 23:06:13 +0200
From: Jan Lentfer
To: "Gregory Kuhn", freebsd-security@freebsd.org
Subject: Re: OpenSSH
Message-Id: <20020715230613.1dbcb340.Jan.Lentfer@web.de>
In-Reply-To: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>
References: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>

On Mon, 15 Jul 2002 14:57:28 -0600
"Gregory Kuhn" wrote:

> Dear FreeBSD-Security,
>
> Out of curiosity why hasn't OpenSSH 3.4 been included with the latest
> stable version?

You can use the version in ports/security/openssh-portable which is
3.4p1.  That's what I did; you just have to define OPEN_SSH_OVERWRITE_BASE
(look in the Makefile) and make sure in make.conf OpenSSH isn't built
with the world.

Jan

From owner-freebsd-security Mon Jul 15 14:10:57 2002
Date: Mon, 15 Jul 2002 23:10:51 +0200
From: Cedric Ware
To: Gregory Kuhn
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH
Message-ID: <20020715211051.GA10578@enst.fr>
References: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>
In-Reply-To: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com>

Hello,

> Out of curiosity why hasn't OpenSSH 3.4 been included with the
> latest stable version?

Because -STABLE is reputed not to be vulnerable to the latest hole, see:
http://online.securityfocus.com/archive/1/282331/2002-07-12/2002-07-18/0
Section III (although I still wonder - Challenge/Response is definitely
OK but no one speaks about Keyboard/Interactive which affects OpenSSH
2.9...)

Furthermore, it has been integrated in 4.6-STABLE, and a point-release
4.6.1 is in preparation.

Hope this helps,
Cedric Ware.

From owner-freebsd-security Mon Jul 15 15:28:12 2002
Date: Mon, 15 Jul 2002 15:28:08 -0700
From: Nicholas Esborn
To: freebsd-security@freebsd.org
Subject: Racoon problems with 4.6-STABLE
Message-ID: <20020715222808.GE14733@netdot.net>

Hello,

I'm having problems with racoon since upgrading from 4.5-S to 4.6-S.

I had to kill routed, it was causing the routing table to be updated
many times per second and flooding my racoon logs.  This behavior seems
to be new after the upgrade.

A worse problem, however, is that racoon doesn't seem to add all the
SAD entries it negotiates to the kernel.  The result is messages like:

Jul 15 15:22:23 port /kernel: IPv4 AH input: no key association found for spi 207489362
Jul 15 15:22:35 port /kernel: IPv4 AH input: no key association found for spi 129435238
Jul 15 15:22:36 port /kernel: IPv4 AH input: no key association found for spi 129435238

These associations should have been added by racoon.

Is anyone willing to lend a hand?  I could use some suggestions as to
where to look/what data to capture to find the problem.

Thanks!
-nick

--
Nicholas Esborn
Unix Systems Administrator
nick@netdot.net

From owner-freebsd-security Mon Jul 15 16:37:38 2002
Message-ID: <3D335C3F.40308@gmx.net>
Date: Tue, 16 Jul 2002 01:35:27 +0200
From: Hendrik Spiegel
To: security@FreeBSD.ORG
Subject: FS encryption

Can someone tell me if there is a port to encrypt a filesystem (except
cfs) that uses the AES finalists (especially Serpent) like the
international kernel patch for linux does?

Thanks

From owner-freebsd-security Mon Jul 15 19:24:36 2002
From: "zhang jack"
To: security@FreeBSD.ORG, stable@FreeBSD.org
Subject: syncache testing
Date: Tue, 16 Jul 2002 02:24:32 +0000

Hi,
I am testing syncache on FreeBSD 4.6 stable, and it works fine,
but I found it *only* protects against syn flooding of itself.  Can it act
as a gateway (or firewall) to protect my www server?
Can anyone help me?

Jack.zhang

From owner-freebsd-security Mon Jul 15 19:33:39 2002
Date: Tue, 16 Jul 2002 04:42:12 +0200
From: Barry Irwin
To: zhang jack
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Message-ID: <20020716044212.L4570@itouchlabs.com>

Hi

I'm not overly familiar with the syncache code, but you _may_ be able to
make use of the syncache mitigation by having your server sitting behind the
BSD box, with traffic being natted.  A solution that may work better is to
have a reverse proxy of sorts running on the BSD system which proxies
requests to your webservers.

Barry

On Tue 2002-07-16 (02:24), zhang jack wrote:
>
> Hi,
> I am testing syncache on FreeBSD 4.6 stable,and it works fine,
> but I found it *only* protect syn flooding of itself,can it act
> as a gateway( or firewall ) to protect my www server?
> can anyone help me?
--
Barry Irwin                                bvi@itouchlabs.com    +27214875177
Systems Administrator: Networks And Security
iTouch TAS              http://www.itouchlabs.com              South Africa

From owner-freebsd-security Mon Jul 15 19:58:42 2002
From: "zhang jack"
To: bvi@itouchlabs.com
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Date: Tue, 16 Jul 2002 02:58:13 +0000

Thanks for your reply.
I have used Ipfilter; did you mean using port redirecting?

rdr fxp0 210.96.1.1 port 80 -> 192.168.1.1 port 80

Can it pass through syncache?  I know Ipfilter hooks the packets at the
IP level.
>From: Barry Irwin >To: zhang jack >CC: security@FreeBSD.ORG >Subject: Re: syncache testing >Date: Tue, 16 Jul 2002 04:42:12 +0200 > >Hi > >I'm not overly familiar with the syncache code, but you _may_ be able to >make use of the syncache mitigation by having your server sitting behind the >BSD box, with traffic being natted. A solution that may work better is to >have a reverse proxy of sorts running on the BSD system which proxies >requests to your webservers. > >Barry > > >On Tue 2002-07-16 (02:24), zhang jack wrote: > > > > Hi, > > I am testing syncache on FreeBSD 4.6 stable,and it works fine, > > but I found it *only* protect syn flooding of itself,can it act > > as a gateway( or firewall ) to protect my www server? > > can anyone help me? > >-- >Barry Irwin bvi@itouchlabs.com +27214875177 >Systems Administrator: Networks And Security >iTouch TAS http://www.itouchlabs.com South Africa _________________________________________________________________ ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£http://www.hotmail.com/cn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 15 20: 6:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EB1E37B400 for ; Mon, 15 Jul 2002 20:06:38 -0700 (PDT) Received: from mx1.dev.itouchnet.net (devco.net [196.15.188.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0A6C43E6D for ; Mon, 15 Jul 2002 20:06:36 -0700 (PDT) (envelope-from bvi@itouchlabs.com) Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 17UIet-0000WT-00 for security@freebsd.org; Tue, 16 Jul 2002 05:05:51 +0200 Received: from shell.devco.net ([196.15.188.7]) by mx1.dev.itouchnet.net with esmtp (Exim 3.35 #1) id 17UIes-0000WF-00; Tue, 16 Jul 2002 05:05:50 +0200 Received: from bvi by shell.devco.net with local (Exim 3.33 #4) id 
Date: Tue, 16 Jul 2002 05:15:13 +0200
From: Barry Irwin
To: zhang jack
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing

Yes, I make use of ipfw and the separate NAT daemon, however. Given it some
more thought and I'm not sure if this would work as expected (would be very
nice if it does, looking forward to the outcomes of your testing).

The second method I suggested will work as the packets are being processed
by the local host, however you have an additional software component and
load on the gateway/firewall. This should work for beefing up the security of
your web servers if you then firewalled them from connecting to anywhere but
their local subnet, as all the Internet facing communication is via the
reverse proxy.

Barry

On Tue 2002-07-16 (02:58), zhang jack wrote:
>
> Thanks for your reply.
> I have used Ipfilter, did you mean using port redirecting?
> rdr fxp0 210.96.1.1 port 80 -> 192.168.1.1 port 80
> can it pass through syncache? I know Ipfilter hooks the packets
> at the IP level.
--
Barry Irwin bvi@itouchlabs.com +27214875177
Systems Administrator: Networks And Security
iTouch TAS http://www.itouchlabs.com South Africa
From: "zhang jack"
To: bvi@itouchlabs.com
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Date: Tue, 16 Jul 2002 03:13:43 +0000

Thank you, Barry. I will try it just now.

Jack Zhang
From: "zhang jack"
To: bvi@itouchlabs.com
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Date: Tue, 16 Jul 2002 03:44:26 +0000

I have tested Ipfilter + syncache, it seems it doesn't work.

        client 192.168.1.1
               |
        _______|________
        fxp0:192.168.1.2
             Gateway
        fxp1:10.0.0.1
        ________________
               |
               |
        www server 10.0.0.2

I make the rdr rule as:

    "rdr fxp0 192.168.1.2/32 port 80 -> 10.0.0.2 port 80"

then I make a syn flood to 192.168.1.2 (on 192.168.1.1), and the syncache
seems not to work:

    "net.inet.tcp.syncache.count: 0"

Maybe I must use IPFW+Natd?

Jack Zhang
To: nick@netdot.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Racoon problems with 4.6-STABLE
Date: Tue, 16 Jul 2002 14:41:35 +0900
From: Shoichi Sakane

> I'm having problems with racoon since upgrading from 4.5-S to 4.6-S.
>
> I had to kill routed, it was causing the routing table to be updated many
> times per second and flooding my racoon logs. This behavior seems to be
> new after the upgrade.

When racoon is running on a router or IP addresses are static, you should
configure racoon not to get IP addresses dynamically, that is, to use the
listen directive.

> A worse problem, however, is that racoon doesn't seem to add all the SAD
> entries it negotiates to the kernel. The result is messages like:
>
> Jul 15 15:22:23 port /kernel: IPv4 AH input: no key association found for spi 207489362

racoon seems busy processing PF_ROUTE messages. I think it will be solved
when you configure racoon as I proposed.

Date: Tue, 16 Jul 2002 10:21:30 +0400 (MSD)
From: Alexey Zakirov
Cc: security@FreeBSD.ORG
Subject: Re: FS encryption

On Tue, 16 Jul 2002, Hendrik Spiegel wrote:

> Can someone tell me if there is a port to encrypt a filesystem (except
> cfs) that uses the AES finalists (especially Serpent) like the
> international kernelpatch for linux does?

Try to look at http://vncrypt.sourceforge.net/

From the page: "This is cryptographic disk driver for FreeBSD. It provides
transparent encryption and decryption of selected devices. It is based on
vn(4)."

***
WBR, Alexey Zakirov (frank@unshadow.net)

Date: Tue, 16 Jul 2002 19:56:36 +1200
From: "Michael A. Williams"
Reply-To: mike@netxsecure.net
To: freebsd security
Subject: Re-released GPG signed Trojanproof.org signed_exec kernel option patches.

We have re-released all of our signed_exec kernel option patches GnuPG
signed. These patches are available for FreeBSD 4.5 and 4.6 Release, also
5.0 Developer Preview One.

Please see http://www.trojanproof.org/ for details; the existing md5 hashes
are still valid and can be used to cross check the tar gzip file extracted
from gpg.

The following key fingerprint can be used to obtain the public key used to
sign the download files. The public key is available for verification from
the key servers at http://www.keyserver.net/ and also from our web site at
http://www.trojanproof.org/releng1.gpg

pub  1024D/4D3520E4 2002-07-10 Release Engineer1 (releng1)
     Key fingerprint = B86D 562E 3D76 18E6 C12D B0E2 6382 302E 4D35 20E4

Regards,
Mike.

--
Michael A. Williams
Security Software Engineering and InfoSec Manager
NetXSecure NZ Limited, http://www.nxs.co.nz
Ph: +64.3.318.2973  Fax: +64.3.318.2975  Mob: +64.21.995.914
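As an added example (not Trojanproof's own tooling), the two checks the announcement describes, in Python: confirm that gpg's VALIDSIG status line names the published fingerprint, rather than only reporting GOODSIG, and then cross-check the extracted tarball's md5 against the one on the site. The key ID and fingerprint are the ones posted above; gpg_status_lines() assumes gpg is on PATH with the publisher's key already imported, and the status lines used for checking in the demo are constructed.

```python
import hashlib
import subprocess

# Fingerprint posted in the announcement above. 1024D/4D3520E4 is the short
# key ID, i.e. the last 8 hex digits of this fingerprint.
PUBLISHED_FPR = "B86D 562E 3D76 18E6 C12D B0E2 6382 302E 4D35 20E4"


def normalize_fpr(fpr):
    return fpr.replace(" ", "").upper()


def signed_by_expected_key(status_lines, expected_fpr=PUBLISHED_FPR):
    """True only if gpg reported VALIDSIG and the signing key (or its primary
    key) carries the expected fingerprint. GOODSIG alone means *some* key in
    the local keyring verified the signature; it says nothing about whose."""
    want = normalize_fpr(expected_fpr)
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        signing_fpr = parts[2].upper()
        # When a signing subkey was used gpg appends the primary key's
        # fingerprint as the tenth VALIDSIG argument; accept either match.
        primary_fpr = parts[-1].upper() if len(parts) >= 12 else signing_fpr
        if want in (signing_fpr, primary_fpr):
            return True
    return False


def gpg_status_lines(signed_path, output_path):
    """Verify and unpack an inline-signed file with gpg, returning the
    machine-readable status lines. Assumes gpg is installed and the key from
    http://www.trojanproof.org/releng1.gpg (or a keyserver) was imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", output_path,
         "--decrypt", signed_path],
        capture_output=True, text=True, check=False)
    return [ln for ln in proc.stdout.splitlines() if ln.startswith("[GNUPG:]")]


def digest_matches_bytes(data, expected_hex, algo="md5"):
    return hashlib.new(algo, data).hexdigest().lower() == expected_hex.lower()


def digest_matches(path, expected_hex, algo="md5"):
    """Cross-check the extracted tar.gz against the digest published on the site."""
    with open(path, "rb") as f:
        return digest_matches_bytes(f.read(), expected_hex, algo)


def verify_release(signed_path, output_path, expected_hex):
    """Both checks must hold: the right signing key AND the published digest."""
    return (signed_by_expected_key(gpg_status_lines(signed_path, output_path))
            and digest_matches(output_path, expected_hex))
```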
From: "Duncan Patton a Campbell is Dhu"
To: Shoichi Sakane, campbell@neotext.ca
Cc: security@FreeBSD.ORG
Subject: Re: racoon/FreeBSD 4.5 problems & observations
Date: Tue, 16 Jul 2002 03:12:24 -0600

> > Then I upgraded (several months or so ago) ww0 to run 4.5. On doing this
> > I first found my /var/log/racoon.log would bloat and overrun the
> > filesystem (the 110% usage syndrome). So I then linked /var/log/racoon.log
> > to /dev/null and ran like that. No good. The racoon task would bloat
> > by 4k per packet transmitted across the VPN to the 4.5 node and would
> > quickly reach 2, 3 or 4 hundred megabytes in memory usage. Didn't matter
> > whether I was setting up for tunnel or transport. And it didn't matter
> > which version of the racoon task I was using: binaries from 4.3 behaved
> > as badly on the 4.5 system as did the latest release. Same with binaries
> > I compiled on both systems.
>
> there is no difference in racoon between 4.5 and 4.3.
> what kind of message did you find in the racoon.log?
>
> i think these messages are related to routing information.
> racoon watches the routing socket in order to get addresses which
> are assigned to interfaces. when racoon gets either RTM_NEWADDR,
> RTM_DELADDR, RTM_DELETE or RTM_IFINFO, racoon will re-start to get
> the address list.
> if your routing table changes frequently, racoon dumps plenty of
> messages into the racoon.log.
> to prevent this, you should define addresses to have racoon listen on
> by using the listen directive.

This makes sense: my system has several interfaces, and racoon seemed to be
flipping amongst them. Here's a sample from the last log:

2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:8791%xl0[500] used as isakmp port (fd=12)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=7)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): ::1[500] used as isakmp port (fd=8)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:864f%xl1[500] used as isakmp port (fd=9)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 204.92.68.1[500] used as isakmp port (fd=10)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 24.70.64.200[500] used as isakmp port (fd=11)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:8791%xl0[500] used as isakmp port (fd=12)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=7)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): ::1[500] used as isakmp port (fd=8)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:864f%xl1[500] used as isakmp port (fd=9)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 204.92.68.1[500] used as isakmp port (fd=10)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 24.70.64.200[500] used as isakmp port (fd=11)

Thanks,
Duncan Patton a Campbell is Duibh ;-)
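An added example, not code from either correspondent, that checks a racoon.log excerpt like the one above for this listener churn (every isakmp_open() beyond the first per address is one rebuild of the listener list, triggered by an RTM_* message on the routing socket) and drafts the listen section Shoichi proposes. The listen { isakmp address [port]; } form is the racoon.conf(5) syntax; which of the global addresses are the VPN endpoints is the admin's call, so the generated section is only a candidate, and the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Sample constructed from the racoon.log excerpt in the message above: the
# same seven listeners opened twice within one second.
SAMPLE_LOG = """\
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:8791%xl0[500] used as isakmp port (fd=12)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=7)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): ::1[500] used as isakmp port (fd=8)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:864f%xl1[500] used as isakmp port (fd=9)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 204.92.68.1[500] used as isakmp port (fd=10)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 24.70.64.200[500] used as isakmp port (fd=11)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:8791%xl0[500] used as isakmp port (fd=12)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=7)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): ::1[500] used as isakmp port (fd=8)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): fe80::201:2ff:fe24:864f%xl1[500] used as isakmp port (fd=9)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 204.92.68.1[500] used as isakmp port (fd=10)
2002-06-19 04:01:23: INFO: isakmp.c:1379:isakmp_open(): 24.70.64.200[500] used as isakmp port (fd=11)
""".splitlines()

# racoon's isakmp_open() line: "<ts>: INFO: isakmp.c:<n>:isakmp_open(): <addr>[<port>] used as isakmp port (fd=<n>)"
ISAKMP_OPEN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): INFO: isakmp\.c:\d+:isakmp_open\(\): "
    r"(?P<addr>\S+)\[(?P<port>\d+)\] used as isakmp port \(fd=\d+\)$"
)


def parse_opens(lines):
    """Yield (timestamp, address, port) for every isakmp_open() line."""
    for line in lines:
        m = ISAKMP_OPEN.match(line)
        if m:
            yield m.group("ts"), m.group("addr"), int(m.group("port"))


def relisten_churn(lines):
    """Addresses bound more than once, with their bind counts. A healthy
    startup binds each address exactly once; anything above that is racoon
    re-reading the interface list after a routing-socket message."""
    counts = Counter(addr for _, addr, _ in parse_opens(lines))
    return {addr: n for addr, n in counts.items() if n > 1}


def rebuilds_per_second(lines):
    """Listener-list rebuilds per log second (1 = normal startup)."""
    opens, distinct = Counter(), {}
    for ts, addr, _ in parse_opens(lines):
        opens[ts] += 1
        distinct.setdefault(ts, set()).add(addr)
    return {ts: opens[ts] // len(distinct[ts]) for ts in opens}


def is_pinnable(addr):
    """Loopback and link-local scoped addresses are not useful ISAKMP endpoints."""
    return not (addr.startswith("127.") or addr == "::1"
                or addr.lower().startswith("fe80:"))


def listen_block(addrs, port=500):
    """Render a racoon.conf listen section pinning racoon to fixed addresses."""
    body = "".join(f"    isakmp {a} [{port}];\n" for a in sorted(addrs))
    return "listen {\n" + body + "}\n"


def suggest_listen(lines):
    """Candidate listen section from the global addresses seen in the log;
    keep only the VPN-facing ones before putting it in racoon.conf."""
    return listen_block({addr for _, addr, _ in parse_opens(lines)
                         if is_pinnable(addr)})
```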
From: "Naga Suresh B"
To: "Chris BeHanna"
Subject: Re: plain text password
Date: Tue, 16 Jul 2002 14:57:03 +0530

Hi,

The solution which you had given is very nice. But it is not putting properly
in the htpasswd file; we made a small change to your script. After making
that change it started working fine. Thanks for your help. I am giving the
altered script below:

    cat /etc/master.passwd | awk -F":" '{ printf("%s:%s\n", $1, $2) }' > /usr/local/www/site/phpMyadmin/httpd_access

----- Original Message -----
From: "Chris BeHanna"
To: "Naga Suresh B"
Sent: Monday, July 15, 2002 10:03 AM
Subject: Re: plain text password

> On Mon, 15 Jul 2002, Naga Suresh B wrote:
>
> > I want to create users with plain text password I want to make use of
> > /etc/passwd file to be accessed through apache.
>
> This is very dangerous. Plain-text passwords in general are a
> very bad idea.
>
> Note that Apache supports both DES (older crypt()-style) and MD5
> password hashes in the htpasswd program.
>
> > I want to globalise the passwd facility in our company. If I create
> > a user and passwd on the server he must be able to access the
> > intranet, server with the same password, Please give me if any
> > solution is there for this, I know how to do that on Linux is there
> > anything like that on FreeBSD Please give me solution. solution as
> > early as possible.
>
> To do what you want to do, I'd suggest something like this:
>
> cat /etc/master.passwd | awk -F":" '{ printf("%s:%s", $1, $2) }' > /usr/local/etc/apache/htpasswd
>
> Run it out of cron every so often, or put together a passwd change
> script that users should use that will automatically run the above
> command every time the user changes his or her password.
>
> Presto: now you have unified passwords WITHOUT the folly of using
> plaintext passwords.
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> Turning coffee into software since 1990.
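An added, defensive variant of the awk one-liner (example code, not Chris's or Naga's): it copies the hash field unchanged as they do, but exports only accounts that can actually authenticate, leaves system accounts out, and replaces the htpasswd file atomically with restrictive permissions. The uid cut-off of 1000, the sample master.passwd lines and the destination path are assumptions for this example.

```python
import os
import tempfile

# master.passwd(5) has ten colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
MASTER_PASSWD_FIELDS = 10


def export_htpasswd_lines(master_passwd_lines, min_uid=1000):
    """Return 'user:hash' lines for accounts that can actually log in.

    The hash is copied verbatim, as in the awk one-liner; Apache passes hash
    formats it does not handle itself to the system crypt(3), which is how
    FreeBSD's DES and $1$ MD5 hashes verify. A password field that is empty
    or starts with '*' ('*' = no password, '*LOCKED*' = pw(8) lock) can never
    authenticate, so exporting it only hands hash material to the web server.
    min_uid=1000 (the first regular user on FreeBSD) is an assumption here;
    the point is to keep root and system accounts out of the file.
    """
    out = []
    for raw in master_passwd_lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != MASTER_PASSWD_FIELDS:
            continue                      # malformed line: skip, do not guess
        name, pw_hash, uid = fields[0], fields[1], fields[2]
        if not pw_hash or pw_hash.startswith("*"):
            continue
        if not uid.isdigit() or int(uid) < min_uid:
            continue
        out.append(f"{name}:{pw_hash}")
    return out


def write_htpasswd(path, lines, mode=0o640):
    """Write the file atomically (httpd never sees a half-written copy) and
    keep it unreadable to other local users; chown it to root and the group
    httpd runs as (www on FreeBSD) outside this function."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htpasswd.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("".join(line + "\n" for line in lines))
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def sync_from_master_passwd(src="/etc/master.passwd",
                            dst="/usr/local/etc/apache/htpasswd"):
    """The cron job from the thread, with the filtering above applied."""
    with open(src) as f:
        return write_htpasswd(dst, export_htpasswd_lines(f))
```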
Date: Tue, 16 Jul 2002 15:41:45 +0200 (MET DST)
From: Mario Pranjic
Subject: Intrusion Detection Systems

Hi!

I'm looking for some references on Intrusion Detection Systems on FreeBSD or
other UNIX systems. So, if anyone can point me out to some URL or other
references, it would be great.

Thanks!

Mario Pranjic, dipl.ing.
system administrator
Library, Institut Rudjer Boskovic
-------------------------------------
e-mail: mario.pranjic@irb.hr
ICQ: 72059629
tel: +385 1 45 60 954 (ext.: 1293)
-------------------------------------
From: "Mario Lobo"
To: security@FreeBSD.ORG
Date: Tue, 16 Jul 2002 11:08:51 -0300
Subject: 4.6 iso images

Hi;

The 4.6 iso images on the FreeBSD site are dated Jun/15. Could anyone say if
the openssh / apache holes are fixed on those images? What are they?
STABLE? RELEASE?

thanx,
--
Mario Lobo
mlobo@nlink.com.br
http://mallavoodoo.musicpage.com
http://www.mallavoodoo.musicpage.com
From: Pete Fritchman
To: Mario Lobo
Cc: security@FreeBSD.ORG
Subject: Re: 4.6 iso images
Date: Tue, 16 Jul 2002 10:17:40 -0400

(This is really more appropriate for -questions)

++ 16/07/02 11:08 -0300 - Mario Lobo:
| Hi;
|
| The 4.6 iso images on the FreeBsd site are dated Jun/15. Could anyone say if
| the openssh / apache holes are fixed on those images? what are they?
| STABLE? RELEASE?

They are 4.6-RELEASE, and do not include the updated ports/packages (or a
fix for the libc resolver bug). I think re@ is going to roll a 4.6.1
release with these fixes, at least.

--pete

--
Pete Fritchman [petef@(databits.net|freebsd.org|wyom.net)]
finger petef@databits.net for PGP key
From: "Mario Lobo"
To: Pete Fritchman
Cc: security@FreeBSD.ORG
Date: Tue, 16 Jul 2002 11:24:34 -0300
Subject: Re: 4.6 iso images
Message-ID: <3D340272.25941.29544F@localhost>
In-reply-to: <20020716101740.A85544@absolutbsd.org>

Thanx to all replies !! I'll keep checking the version and dates.

> They are 4.6-RELEASE, and do not include the updated ports/packages (or
> a fix for the libc resolver bug). I think re@ is going to roll a 4.6.1
> release with these fixes, at least.
>
> --pete

-- 
MARIO LOBO
mlobo@nlink.com.br
http://mallavoodoo.musicpage.com
http://www.mallavoodoo.musicpage.com

From owner-freebsd-security Tue Jul 16 7:28: 4 2002
From: "Nielsen"
To: "zhang jack", security@FreeBSD.ORG
Subject: Re: syncache testing
Message-Id: <20020716142852.0475E43B39A@mail.npubs.com>
Date: Tue, 16 Jul 2002 14:28:52 +0000 (GMT)

It would seem that the syncache firewall would actually have to handle the
TCP request. In other words you'd need a full-fledged proxy which then
forwards the request to your real www servers.

Cheers
Nate

From: "zhang jack"
> I have tested Ipfilter + syncache; it seems it doesn't work.
>
> client 192.168.1.1
>       |
>    __|_______ fxp0:192.168.1.2
>
>     Gateway
>
>    __________ fxp1:10.0.0.1
>       |
>       |
> www server 10.0.0.2
>
> I make the rdr rule as:
> "rdr fxp0 192.168.1.2/32 port 80 -> 10.0.0.2 port 80"
> then I make a syn flood to 192.168.1.2 (on 192.168.1.1),
> and the syncache seems not to work:
> "net.inet.tcp.syncache.count: 0"
>
> Maybe I must use IPFW+Natd?
>
> Jack Zhang

From owner-freebsd-security Tue Jul 16 7:48:47 2002
Message-ID: <001201c22cd7$e0d28900$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Erik Trulsson", freebsd-security@FreeBSD.ORG
References: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com> <20020715210345.GA44837@falcon.midgard.homeip.net>
Subject: Re: OpenSSH
Date: Tue, 16 Jul 2002 09:48:41 -0500

It is this "OpenSSH_2.9 FreeBSD localisations 20020307, SSH protocols 1.5/2.0,
OpenSSL 0x0090601f" in FreeBSD 4.6-RELEASE-p2. Seems to me that should be
updated as well considering the current hole in S-Key authentication.

Tom Veldhouse

----- Original Message -----
From: "Erik Trulsson"
To: "Gregory Kuhn"
Cc: freebsd-security@FreeBSD.ORG
Sent: Monday, July 15, 2002 4:03 PM
Subject: Re: OpenSSH

> On Mon, Jul 15, 2002 at 02:57:28PM -0600, Gregory Kuhn wrote:
> > Dear FreeBSD-Security,
> >
> > Out of curiosity why hasn't OpenSSH 3.4 been included with the
> > latest stable version?
>
> But it has been. The version of OpenSSH currently included in 4.6-STABLE
> is OpenSSH 3.4p1 which is the latest.
>
> --
> Erik Trulsson
> ertr1013@student.uu.se

From owner-freebsd-security Tue Jul 16 8:33:17 2002
Date: Tue, 16 Jul 2002 17:33:06 +0200
From: Erik Trulsson
To: "Thomas T. Veldhouse"
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH
Message-ID: <20020716153306.GA6437@falcon.midgard.homeip.net>
References: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com> <20020715210345.GA44837@falcon.midgard.homeip.net> <001201c22cd7$e0d28900$3028680a@tgt.com>
In-Reply-To: <001201c22cd7$e0d28900$3028680a@tgt.com>

On Tue, Jul 16, 2002 at 09:48:41AM -0500, Thomas T. Veldhouse wrote:
> It is this "OpenSSH_2.9 FreeBSD localisations 20020307, SSH protocols
> 1.5/2.0, OpenSSL 0x0090601f" in FreeBSD 4.6-RELEASE-p2. Seems to me that
> should be updated as well considering the current hole in S-Key
> authentication.

It seems other people agree with you since there was a big commit to
RELENG_4_6 earlier today which included updating OpenSSH to 3.4p1.
Just do a cvsup and see for yourself.

> Tom Veldhouse
>
> ----- Original Message -----
> From: "Erik Trulsson"
> To: "Gregory Kuhn"
> Cc: freebsd-security@FreeBSD.ORG
> Sent: Monday, July 15, 2002 4:03 PM
> Subject: Re: OpenSSH
>
> > On Mon, Jul 15, 2002 at 02:57:28PM -0600, Gregory Kuhn wrote:
> > > Dear FreeBSD-Security,
> > >
> > > Out of curiosity why hasn't OpenSSH 3.4 been included with the
> > > latest stable version?
> >
> > But it has been. The version of OpenSSH currently included in 4.6-STABLE
> > is OpenSSH 3.4p1 which is the latest.
> >
> > --
> > Erik Trulsson
> > ertr1013@student.uu.se

-- 
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Tue Jul 16 11:39:51 2002
Date: Tue, 16 Jul 2002 11:39:45 -0700
From: "Crist J. Clark"
To: "Dmitry S. Rzhavin"
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020716183945.GA20381@blossom.cjclark.org>
References: <3D32D849.E3D8F2BE@rt.ru> <3D32EEBD.E66100A1@rt.ru>
In-Reply-To: <3D32EEBD.E66100A1@rt.ru>

On Mon, Jul 15, 2002 at 07:48:13PM +0400, Dmitry S. Rzhavin wrote:
> Dag-Erling Smorgrav wrote:
> >
> > "Dmitry S. Rzhavin" writes:
> > > 10 pass tcp from any to ip2 in keep-state setup
> > > ... nothing interesting here
> > > 20 deny tcp from any to ip2
> > >
> > > Or, in other words, I want to pre-auth some packet with rule 10 to
> > > check it later. Then, I decide to drop it.
> > > But ipfw creates dynamic rule "inet <-> ip1" and passes this
> > > session. I think this is not good. Why does ipfw work this way?
> >
> > That's what you asked it to do. Rule 10 basically says "if the packet
> > is a tcp SYN packet destined for ip2, stop examining it, let it
> > through
>
> nonono! Rule 10 says "let it _in_", not out! Or:
>
>                          --------------
>   --------               |IPFW is here|
>   |packet|==[flows in]=>in_if----     out_if
>   --------               |packet|==>X   |
>                          --------------
>   fly in is allowed        ^^^ ^^^ packet dies here
>
> So, I expect (at least) the dynamic rule to be "pass ip from inet to ip1 _in_".
> Or, as the best solution, rule "in" creates a dynamic candidate, and a stateful
> dynamic rule is created only if the packet is allowed to go out. If the packet dies
> inside ipfw, the rule dies too.
> So, the question is: why is this bad? Why did the FreeBSD Team choose to create
> a dynamic rule "in/out" for an "in" static rule? Is it a bug, or a feature?
For TCP and UDP packets, a 'keep-state' rule will create a dynamic rule
that matches packets with the same set of IP-port pairs coming or going
on any interface.

Why is it done this way? That's how the original 'keep-state' hack was
done. Off the top of my head, I can't think of firewall software that
doesn't work this way.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Tue Jul 16 14: 0:33 2002
Message-ID: <20020716210028.31236.qmail@web10107.mail.yahoo.com>
Date: Tue, 16 Jul 2002 14:00:28 -0700 (PDT)
From: twig les
Subject: Snort doc
To: freebsd-security@FreeBSD.ORG

Thanks to the folks who pointed out some not-so-genius things I was doing
in that snort doc. I sent the new version to brian at snort's site
(maintainer) and hopefully he'll put it up. So if you see it up there and
wonder why I didn't change something you suggested it's probably cause I
have a friggin headache from staring at my screen for so long. :)

Now if I could just get my sound to work....

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

From owner-freebsd-security Tue Jul 16 14:43:58 2002
To: "Thomas T. Veldhouse"
Cc: "Erik Trulsson", freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH
References: <5.1.0.14.2.20020715145432.00a54790@mail.interfold.com> <20020715210345.GA44837@falcon.midgard.homeip.net> <001201c22cd7$e0d28900$3028680a@tgt.com>
From: Dag-Erling Smorgrav
Date: 16 Jul 2002 23:43:52 +0200
In-Reply-To: <001201c22cd7$e0d28900$3028680a@tgt.com>

"Thomas T. Veldhouse" writes:
> It is this "OpenSSH_2.9 FreeBSD localisations 20020307, SSH protocols
> 1.5/2.0, OpenSSL 0x0090601f" in FreeBSD 4.6-RELEASE-p2. Seems to me that
> should be updated as well considering the current hole in S-Key
> authentication.

The version of OpenSSH that shipped with 4.6-RELEASE is not vulnerable to
that hole.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Jul 16 15:46:40 2002
From: "Mark D"
To: security@FreeBSD.ORG
Subject: ipfw and it's glory...
Date: Tue, 16 Jul 2002 18:46:38 -0400
Message-ID: <000101c22d1a$a54d6e70$6401a8c0@promethium>

Hello,

First, I hope this is appropriate for this list, if not I'll gladly repost.
I thought this could be a freebsd-questions question, but hey, I took a
chance.

Alright, here we go... I plan to run http, ftp, ssh, smtp, and pop on a lan
box (I'm going to treat it as a real box - just so I can be ready for when I
do this in the future). I'd like http, ftp, pop, and smtp to be open to
anyone and for ssh connections to be only allowed when I add the rule (to
allow that specific host).

I've read the man pages on ipfw and some other documents but am still
confused. Here is what I've put together so far (go easy on me);

allow ip from trusted-ip-addy-1 to any
allow ip from trusted-ip-addy-2 to any
allow log tcp from any to any established
allow log tcp from trusted-ip-addy-1 to any 22 in setup
allow log udp from internal-addy to any 53
allow log udp from any 53 to internal-addy
allow log tcp from any to internal-addy 80,21,110,15 setup
-
65535 deny ip from any to any

So... I'm not sure if that is the best approach (maybe adding a 'check
state' here and a 'established' there ;p), but I'm hoping the subscribers of
this list could give me some insight on securing it properly and only
allowing in/out what I've specified above.

I thank you in advance.
- Mark D

From owner-freebsd-security Tue Jul 16 19:27:24 2002
Date: Tue, 16 Jul 2002 21:42:48 -0400
From: Michael Sharp
To: freebsd-questions@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Dynamic Rules with IPFW
Message-Id: <20020716214248.3fef4af2.freebsd@ec.rr.com>

I use Dynamic rulesets with IPFW:

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state

But I also have services I need anyone on the net to get to, without me
making a connection first from "my-net". I allow such services with:

allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state

This works fine for 25, 80, and 443. However, when I apply the same rule for
SSH, and login to my box remotely, about 10 minutes later, the connection
just dies, and it dies with every connection. Removing the keep-state option
for ssh effectively closes 22 obviously. Would check-state be a better option
here?
Michael

From owner-freebsd-security Tue Jul 16 20: 3:48 2002
Message-Id: <200207170303.g6H330Je077763@drugs.dv.isc.org>
To: Michael Sharp
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: Dynamic Rules with IPFW
In-reply-to: Your message of "Tue, 16 Jul 2002 21:42:48 -0400." <20020716214248.3fef4af2.freebsd@ec.rr.com>
Date: Wed, 17 Jul 2002 13:03:00 +1000

> I use Dynamic rulesets with IPFW:
>
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
>
> But I also have services I need anyone on the net to get to, without me
> making a connection first from "my-net". I allow such services with:
>
> allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state
>
> This works fine for 25, 80, and 443. However, when I apply the same rule
> for SSH, and login to my box remotely, about 10 minutes later, the
> connection just dies, and it dies with every connection. Removing the
> keep-state option for ssh effectively closes 22 obviously. Would
> check-state be a better option here?
>
> Michael

	smtp, http and https are short lived connections with very little
	idle time. ssh is a long lived connection with large amounts of idle
	time. You need to have the dynamic lifetime exceed the keep alive
	timer or allow established ssh connections to continue to exist.
	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Wed Jul 17 0: 4: 5 2002
Date: Wed, 17 Jul 2002 09:03:49 +0200
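An added example, not part of any message in this thread, that models the two behaviours explained above: Crist Clark's point that a 'keep-state' dynamic rule matches both directions of a flow on any interface, and Mark Andrews' point that an idle ssh session outlives its dynamic rule unless something refreshes it before the lifetime expires. The flow table is a toy model, not ipfw's code; the addresses, timings and the 300-second lifetime (ipfw's documented net.inet.ip.fw.dyn_ack_lifetime default) are assumptions.

```python
"""Toy model of an ipfw 'keep-state' dynamic rule table (added example,
not ipfw source).  Entries are keyed by the unordered IP:port pair, so
a rule created by an inbound SYN also matches the outbound reply, on
whatever interface it leaves.  Each matching packet refreshes the entry's
expiry; an entry that sees no packet for ack_lifetime seconds is gone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str          # "ip:port"
    dst: str          # "ip:port"
    iface: str        # interface the packet was seen on
    direction: str    # "in" or "out"
    t: float          # seconds since the session started


class DynamicRuleTable:
    """Flow table standing in for ipfw's dynamic rules."""

    def __init__(self, ack_lifetime=300.0):
        self.ack_lifetime = ack_lifetime   # stands in for net.inet.ip.fw.dyn_ack_lifetime
        self.rules = {}                    # key -> expiry time

    @staticmethod
    def key(pkt):
        # Unordered endpoint pair: the reply direction hashes to the same entry,
        # and the interface is deliberately not part of the key.
        return (pkt.proto,) + tuple(sorted((pkt.src, pkt.dst)))

    def keep_state(self, pkt):
        """A static 'keep-state' rule matched: create (or refresh) the entry."""
        self.rules[self.key(pkt)] = pkt.t + self.ack_lifetime

    def check_state(self, pkt):
        """'check-state': drop expired entries, then match and refresh."""
        for k in [k for k, exp in self.rules.items() if exp < pkt.t]:
            del self.rules[k]
        k = self.key(pkt)
        if k not in self.rules:
            return False
        self.rules[k] = pkt.t + self.ack_lifetime
        return True


def run_session(pkts, ack_lifetime=300.0):
    """Admit pkts[0] via keep-state; report whether check-state still finds
    the flow for each later packet."""
    table = DynamicRuleTable(ack_lifetime)
    table.keep_state(pkts[0])
    return [table.check_state(p) for p in pkts[1:]]


CLIENT, SERVER = "198.51.100.7", "192.0.2.10"   # constructed (RFC 5737) addresses


def other_direction_matches():
    """Crist Clark's point: created by an inbound SYN on xl0, the entry still
    matches the server's reply leaving on another interface."""
    syn = Packet("tcp", f"{CLIENT}:40001", f"{SERVER}:22", "xl0", "in", 0.0)
    synack = Packet("tcp", f"{SERVER}:22", f"{CLIENT}:40001", "fxp1", "out", 0.1)
    return run_session([syn, synack]) == [True]


def http_session_survives():
    """A short http exchange: every packet arrives well inside the lifetime."""
    pkts = [Packet("tcp", f"{CLIENT}:40002", f"{SERVER}:80", "xl0", "in", t)
            for t in (0.0, 0.2, 0.4, 1.0, 1.5)]
    return all(run_session(pkts))


def idle_ssh_dies(idle_seconds=600.0, ack_lifetime=300.0):
    """Mark Andrews' point: an ssh session idle for longer than the lifetime
    loses its entry, so the next keystroke is no longer matched."""
    pkts = [Packet("tcp", f"{CLIENT}:40003", f"{SERVER}:22", "xl0", "in", t)
            for t in (0.0, 5.0, 5.0 + idle_seconds)]
    return run_session(pkts, ack_lifetime) == [True, False]


def keepalive_rescues_ssh(keepalive_interval=75.0, idle_seconds=600.0):
    """Fix 1: a keepalive (any packet) more often than the lifetime keeps
    refreshing the entry across the same idle period."""
    times, t = [0.0], 0.0
    while t < idle_seconds:
        t += keepalive_interval
        times.append(t)
    pkts = [Packet("tcp", f"{CLIENT}:40004", f"{SERVER}:22", "xl0", "in", t)
            for t in times]
    return all(run_session(pkts))


def longer_lifetime_rescues_ssh(ack_lifetime=3600.0, idle_seconds=600.0):
    """Fix 2: raise the dynamic lifetime above the keepalive/idle timer."""
    pkts = [Packet("tcp", f"{CLIENT}:40005", f"{SERVER}:22", "xl0", "in", t)
            for t in (0.0, 5.0, 5.0 + idle_seconds)]
    return all(run_session(pkts, ack_lifetime))
```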
From: Bart Matthaei
To: Mark D
Cc: security@freebsd.org
Subject: Re: ipfw and it's glory...
Message-ID: <20020717070349.GA38299@heresy.dreamflow.nl>
References: <000101c22d1a$a54d6e70$6401a8c0@promethium>
In-Reply-To: <000101c22d1a$a54d6e70$6401a8c0@promethium>

On Tue, Jul 16, 2002 at 06:46:38PM -0400, Mark D wrote:
[snip]
> Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
>
> I've read the man pages on ipfw and some other documents but am
> still confused. Here is what I've put together so far (go easy on me);
>
> allow ip from trusted-ip-addy-1 to any
> allow ip from trusted-ip-addy-2 to any
> allow log tcp from any to any established
> allow log tcp from trusted-ip-addy-1 to any 22 in setup
> allow log udp from internal-addy to any 53
> allow log udp from any 53 to internal-addy
> allow log tcp from any to internal-addy 80,21,110,15 setup
> -
> 65535 deny ip from any to any

First of all, avoid using IP addresses when addressing the "self"-box.
Use 'me' instead.

Second, here's a basic setup that works for your situation:

# Allow "local" traffic
ipfw add allow all from any to any via lo0

# Allow all outgoing traffic
ipfw add allow all from any to any out

# Allow IP fragments (for more info, see ipfw manpage)
ipfw add allow all from any to any frag

# Allow established tcp connections
ipfw add allow tcp from any to any established

# Allow tcp connections to the box > 1024 (In order to make
# various clients work on the box)
ipfw add pass tcp from any to me 1024-65535 setup

# Allow udp connections to the box > 1024 (same shit)
ipfw add pass udp from any to me 1024-65535

# Allow dns queries
ipfw add allow udp from any to any 53

# Allow the trusted IPs to the ssh port
ipfw add allow tcp from $trusted_ip1 to me 22
ipfw add allow tcp from $trusted_ip2 to me 22

# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
ipfw add allow tcp from any to me 21,25,80,110,113 setup

# I've added auth. If you don't want auth, make sure to reset all
# traffic going to port 113, or ident lookups to your box will time-out.
# Use 'reset tcp from any to me 113'

# Allow icmptypes 0 3 8 and 11
ipfw add allow icmp from any to any icmptypes 0,3,8,11

# Deny everything else
ipfw add deny all from any to any

This is a basic setup. Add more rules for specific network setups.
ipfw isn't difficult, you just need to figure the syntax and specific
options out.

Cheers,

Bart

-- 
Bart Matthaei              bart@dreamflow.nl

If at first you don't succeed, redefine success.
From owner-freebsd-security Wed Jul 17 0:30:27 2002
Message-Id: <200207170729.g6H7TtJe081341@drugs.dv.isc.org>
To: Bart Matthaei
Cc: Mark D, security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: ipfw and it's glory...
In-reply-to: Your message of "Wed, 17 Jul 2002 09:03:49 +0200." <20020717070349.GA38299@heresy.dreamflow.nl>
Date: Wed, 17 Jul 2002 17:29:55 +1000

> On Tue, Jul 16, 2002 at 06:46:38PM -0400, Mark D wrote:
> [snip]
> > Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> > pop on a lan box (I'm going to treat it as a real box - just so I can be
> > ready for when I do this in the future). I'd like http, ftp, pop, and
> > smtp to be open to anyone and for ssh connections to be only allowed
> > when I add the rule (to allow that specific host).
> >
> > I've read the man pages on ipfw and some other documents but am
> > still confused. Here is what I've put together so far (go easy on me);
> >
> > allow ip from trusted-ip-addy-1 to any
> > allow ip from trusted-ip-addy-2 to any
> > allow log tcp from any to any established
> > allow log tcp from trusted-ip-addy-1 to any 22 in setup
> > allow log udp from internal-addy to any 53
> > allow log udp from any 53 to internal-addy
> > allow log tcp from any to internal-addy 80,21,110,15 setup
> > -
> > 65535 deny ip from any to any
>
> First of all, avoid using IP addresses when addressing the "self"-box.
> Use 'me' instead.
>
> Second, here's a basic setup that works for your situation:
>
> # Allow "local" traffic
> ipfw add allow all from any to any via lo0
>
> # Allow all outgoing traffic
> ipfw add allow all from any to any out

	This is a bad idea. You should only allow out what you
	will accept back in.
	If you don't you will eventually be guilty of pounding some poor
	server because you haven't allowed the answers to come back.

> # Allow IP fragments (for more info, see ipfw manpage)
> ipfw add allow all from any to any frag
>
> # Allow established tcp connections
> ipfw add allow tcp from any to any established
>
> # Allow tcp connections to the box > 1024 (In order to make
> # various clients work on the box)
> ipfw add pass tcp from any to me 1024-65535 setup
>
> # Allow udp connections to the box > 1024 (same shit)
> ipfw add pass udp from any to me 1024-65535
>
> # Allow dns queries
> ipfw add allow udp from any to any 53
>
> # Allow the trusted IPs to the ssh port
> ipfw add allow tcp from $trusted_ip1 to me 22
> ipfw add allow tcp from $trusted_ip2 to me 22
>
> # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> ipfw add allow tcp from any to me 21,25,80,110,113 setup
>
> # I've added auth. If you don't want auth, make sure to reset all
> # traffic going to port 113, or ident lookups to your box will time-out.
> # Use 'reset tcp from any to me 113'
>
> # Allow icmptypes 0 3 8 and 11
> ipfw add allow icmp from any to any icmptypes 0,3,8,11
>
> # Deny everything else
> ipfw add deny all from any to any
>
> This is a basic setup. Add more rules for specific network setups.
> ipfw isn't difficult, you just need to figure the syntax and specific
> options out.
>
> Cheers,
>
> Bart
>
> -- 
> Bart Matthaei              bart@dreamflow.nl
>
> If at first you don't succeed, redefine success.
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Wed Jul 17 0:42:27 2002
Date: Wed, 17 Jul 2002 09:42:12 +0200
From: Bart Matthaei To: Mark.Andrews@isc.org Cc: Mark D , security@FreeBSD.ORG Subject: Re: ipfw and it's glory... Message-ID: <20020717074212.GB38299@heresy.dreamflow.nl> References: <20020717070349.GA38299@heresy.dreamflow.nl> <200207170729.g6H7TtJe081341@drugs.dv.isc.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200207170729.g6H7TtJe081341@drugs.dv.isc.org> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jul 17, 2002 at 05:29:55PM +1000, Mark.Andrews@isc.org wrote:
[snip]
> > # Allow all outgoing traffic
> > ipfw add allow all from any to any out
>
> This is a bad idea. You should only allow out what you
> will accept back in. If you don't you will eventually be
> guilty of pounding some poor server because you haven't
> allowed the answers to come back.

This ruleset allows all traffic to any tcp port > 1024, and some ports < 1024. For example, access to tcp port 443 is denied, so there's no way there will be a connection coming from port 443 on the box. But, you're right, since you deny access to port 443, it's tidy to deny traffic coming _from_ port 443. Or isn't this the point you're trying to make?
Cheers,

Bart

> > # Allow IP fragments (for more info, see ipfw manpage)
> > ipfw add allow all from any to any frag
> >
> > # Allow established tcp connections
> > ipfw add allow tcp from any to any established
> >
> > # Allow tcp connections to the box > 1024 (In order to make
> > # various clients work on the box)
> > ipfw add pass tcp from any to me 1024-65535 setup
> >
> > # Allow udp connections to the box > 1024 (same shit)
> > ipfw add pass udp from any to me 1024-65535
> >
> > # Allow dns queries
> > ipfw add allow udp from any to any 53
> >
> > # Allow the trusted ip's to the ssh port
> > ipfw add allow tcp from $trusted_ip1 to me 22
> > ipfw add allow tcp from $trusted_ip2 to me 22
> >
> > # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> > ipfw add allow tcp from any to me 21,25,80,110,113 setup
> >
> > # I've added auth. If you don't want auth, make sure to reset all
> > #traffic going to port 113, or ident lookups to your box will time-out.
> > #use 'reset tcp from any to me 113'
> >
> > # Allow icmptypes 0 3 8 and 11
> > ipfw add allow icmp from any to any icmptypes 0,3,8,11
> >
> > # Deny everything else
> > ipfw add deny all from any to any

-- Bart Matthaei bart@dreamflow.nl If at first you don't succeed, redefine success.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 1: 2:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D4B637B400 for ; Wed, 17 Jul 2002 01:02:06 -0700 (PDT) Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8290143E42 for ; Wed, 17 Jul 2002 01:02:03 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.12.5/8.12.5) with ESMTP id g6H81sJe083568; Wed, 17 Jul 2002 18:01:55 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200207170801.g6H81sJe083568@drugs.dv.isc.org> To: Bart Matthaei Cc: Mark D , security@FreeBSD.ORG 
From: Mark.Andrews@isc.org Subject: Re: ipfw and it's glory... In-reply-to: Your message of "Wed, 17 Jul 2002 09:42:12 +0200." <20020717074212.GB38299@heresy.dreamflow.nl> Date: Wed, 17 Jul 2002 18:01:54 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> On Wed, Jul 17, 2002 at 05:29:55PM +1000, Mark.Andrews@isc.org wrote:
> [snip]
> > > # Allow all outgoing traffic
> > > ipfw add allow all from any to any out
> >
> > This is a bad idea. You should only allow out what you
> > will accept back in. If you don't you will eventually be
> > guilty of pounding some poor server because you haven't
> > allowed the answers to come back.
>
> This ruleset allows all traffic to any tcp port > 1024, and some ports
> < 1024.

It allows everything out. ALL TCP + ALL UDP + everything else.

> For example, access to tcp port 443 is denied, so there's no way there
> will be a connection coming from port 443 on the box.
> But, you're right, since you deny access to port 443, it's tidy to deny
> traffic coming _from_ port 443.

It's not only tidy, it's essential if you want to be a good net citizen. I've seen the results of firewalls that don't do this.

> Or isn't this the point you're trying to make?
> > Cheers,
> > Bart
> >
> > > # Allow IP fragments (for more info, see ipfw manpage)
> > > ipfw add allow all from any to any frag
> > >
> > > # Allow established tcp connections
> > > ipfw add allow tcp from any to any established
> > >
> > > # Allow tcp connections to the box > 1024 (In order to make
> > > # various clients work on the box)
> > > ipfw add pass tcp from any to me 1024-65535 setup
> > >
> > > # Allow udp connections to the box > 1024 (same shit)
> > > ipfw add pass udp from any to me 1024-65535
> > >
> > > # Allow dns queries
> > > ipfw add allow udp from any to any 53
> > >
> > > # Allow the trusted ip's to the ssh port
> > > ipfw add allow tcp from $trusted_ip1 to me 22
> > > ipfw add allow tcp from $trusted_ip2 to me 22
> > >
> > > # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> > > ipfw add allow tcp from any to me 21,25,80,110,113 setup
> > >
> > > # I've added auth. If you don't want auth, make sure to reset all
> > > #traffic going to port 113, or ident lookups to your box will time-out.
> > > #use 'reset tcp from any to me 113'
> > >
> > > # Allow icmptypes 0 3 8 and 11
> > > ipfw add allow icmp from any to any icmptypes 0,3,8,11
> > >
> > > # Deny everything else
> > > ipfw add deny all from any to any
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> If at first you don't succeed, redefine success.
-- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 1:20:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B96D37B400 for ; Wed, 17 Jul 2002 01:20:50 -0700 (PDT) Received: from mail1.ing.nl (mail1.ing.nl [145.221.93.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 296F543E42 for ; Wed, 17 Jul 2002 01:20:49 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Subject: RE: ipfw and it's glory... Date: Wed, 17 Jul 2002 09:09:34 +0200 Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5353@citsnl045.europe.intranet> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ipfw and it's glory... Importance: normal Thread-Index: AcItGq++OnNNBKRvTQW8P7vb4t84XQAROPEw 
From: "Carroll, D. (Danny)" To: , X-OriginalArrivalTime: 17 Jul 2002 07:09:35.0373 (UTC) FILETIME=[E8170BD0:01C22D60] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Here are a couple of simple things I noticed. Check in-line...

: allow ip from trusted-ip-addy-1 to any
: allow ip from trusted-ip-addy-2 to any
: allow log tcp from any to any established

This rule is redundant. Rule 1 gets it.

: allow log tcp from trusted-ip-addy-1 to any 22 in setup

If you want to be paranoid then you could make these only applicable to the DNS servers of your ISP.

: allow log udp from internal-addy to any 53
: allow log udp from any 53 to internal-addy

Internal-addy. Is that an RFC1918 address? Or is it a real (routable) internet address? If it is routable then I would consider using the alias "external addy" to save confusion. If it is 1918 then I assume this is a multi nic server and you probably need nat to do some address translation.

: allow log tcp from any to internal-addy 80,21,110,15 setup
: -
: 65535 deny ip from any to any

Other than what you have I'd consider logging the deny, and adding specific denies for address spoofing protection. By that I mean disallow 192.168.x.x or 127.x.x.x et al traffic coming IN from the OUTSIDE. But then again, you do not seem to be specifically allowing anything from the *inside* so it's not that important IMHO. Simpler is often better. Just consider it (spoofing) if you want to start doing this.

Hope this helps..

-D

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

From owner-freebsd-security Wed Jul 17 1:45:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C28D537B400 for ; Wed, 17 Jul 2002 01:45:57 -0700 (PDT) Received: from es.infosec.ru (es.infosec.ru [194.135.141.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F8A143E42 for ; Wed, 17 Jul 2002 01:45:51 -0700 (PDT) (envelope-from blaze@infosec.ru) Received: from xen.infosec.ru ([200.0.0.51] RDNS failed) by es.infosec.ru with Microsoft SMTPSVC(5.0.2195.4453); Wed, 17 Jul 2002 12:44:58 +0400 Subject: Re: FS encryption
From: Andrey Sverdlichenko To: security@FreeBSD.ORG In-Reply-To: <20020716102032.M31686-100000@hellbell.unshadow.net> References: <20020716102032.M31686-100000@hellbell.unshadow.net> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.3 Date: 17 Jul 2002 13:50:21 +0500 Message-Id: <1026895821.4229.9.camel@xen.infosec.ru> Mime-Version: 1.0 X-OriginalArrivalTime: 17 Jul 2002 08:44:58.0436 (UTC) FILETIME=[3B4D2840:01C22D6E] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 2002-07-16 at 11:21, Alexey Zakirov wrote: >> Can someone tell me if there is a port to encrypt a filesystem (except >> cfs) that uses the AES finalists (especially Serpent) like the >> international kernelpatch for linux does? > > Try to look at http://vncrypt.sourceforge.net/ Sorry, no Serpent here :) vncrypt uses blowfish and Rijndael, that already exist in kernel. No new algorithms were added. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 3:45:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5011E37B400 for ; Wed, 17 Jul 2002 03:45:30 -0700 (PDT) Received: from mail1.ing.nl (mail1.ing.nl [145.221.93.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4527B43E64 for ; Wed, 17 Jul 2002 03:45:29 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: ipfw and it's glory... 
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Date: Wed, 17 Jul 2002 12:44:51 +0200 Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ipfw and it's glory... Thread-Index: AcIteu2y32GGMy+cTPKur5+ChxB8ugAA5VTg Importance: normal 
From: "Carroll, D. (Danny)" To: "Bart Matthaei" , "Mark D" Cc: X-OriginalArrivalTime: 17 Jul 2002 10:45:02.0224 (UTC) FILETIME=[0117F900:01C22D7F] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I disagree with the 1024-65535 rules. In my experience you can get it to work without allowing all of these. Plus the way you have it setup, if you ever have X running then port 6000 is open and I really hate that idea. Of course most agree that X on a firewall is a bad idea(tm) but I thought it was worth mentioning.

Nice ruleset with the Auth and ICMP stuff, I forgot about those...

-D

:First of all. Avoid using ip addresses when addressing the "self"-box.
:Use 'me' instead.
:
:Second, here's a basic setup that works for your situation:
:
:# Allow "local" traffic
:ipfw add allow all from any to any via lo0
:
:# Allow all outgoing traffic
:ipfw add allow all from any to any out
:
:# Allow IP fragments (for more info, see ipfw manpage)
:ipfw add allow all from any to any frag
:
:# Allow established tcp connections
:ipfw add allow tcp from any to any established
:
:# Allow tcp connections to the box > 1024 (In order to make
:# various clients work on the box)
:ipfw add pass tcp from any to me 1024-65535 setup
:
:# Allow udp connections to the box > 1024 (same shit)
:ipfw add pass udp from any to me 1024-65535
:
:# Allow dns queries
:ipfw add allow udp from any to any 53
:
:# Allow the trusted ip's to the ssh port
:ipfw add allow tcp from $trusted_ip1 to me 22
:ipfw add allow tcp from $trusted_ip2 to me 22
:
:# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
:ipfw add allow tcp from any to me 21,25,80,110,113 setup
:
:# I've added auth. If you don't want auth, make sure to reset all
:#traffic going to port 113, or ident lookups to your box will time-out.
:#use 'reset tcp from any to me 113'
:
:# Allow icmptypes 0 3 8 and 11
:ipfw add allow icmp from any to any icmptypes 0,3,8,11
:
:# Deny everything else
:ipfw add deny all from any to any
:
:This is a basic setup. Add more rules for specific network setups.
:ipfw isn't difficult, you just need to figure the syntax and specific
:options out.
:
:Cheers,
:
:Bart
:
:--
:Bart Matthaei bart@dreamflow.nl
:
:If at first you don't succeed, redefine success.
:

From owner-freebsd-security Wed Jul 17 4:10:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15ADF37B401 for ; Wed, 17 Jul 2002 04:10:31 -0700 (PDT) Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 3E97443E75 for ; Wed, 17 Jul 2002 04:10:30 -0700 (PDT) (envelope-from bart@dreamflow.nl) Received: (qmail 40750 invoked by uid 1000); 17 Jul 2002 11:10:29 -0000 Date: Wed, 17 Jul 2002 13:10:29 +0200
From: Bart Matthaei To: "Carroll, D. (Danny)" Cc: security@freebsd.org Subject: Re: ipfw and it's glory... Message-ID: <20020717111029.GA40276@heresy.dreamflow.nl> References: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jul 17, 2002 at 12:44:51PM +0200, Carroll, D. (Danny) wrote: > I disagree with te 1024-65535 rules. > In my experience you can get it to work without allowing all of these. Some things tend to break when you leave it out. I can't give you any examples atm, since I don't recall them :) > Plus the way you have it setup, if you ever have X running then port > 6000 is open and I really hate that idea. Then add deny rules for port 6000 :) Cheers, Bart -- Bart Matthaei bart@dreamflow.nl If at first you don't succeed, redefine success. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 4:58:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 931B637B400 for ; Wed, 17 Jul 2002 04:58:10 -0700 (PDT) Received: from mail1.ing.nl (mail1.ing.nl [145.221.93.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 319A143E31 for ; Wed, 17 Jul 2002 04:58:09 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: ipfw and it's glory... 
Date: Wed, 17 Jul 2002 13:57:40 +0200 Importance: normal Message-ID: <6C506EA550443D44A061432F1E92EA4C6C535A@ing.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ipfw and it's glory... thread-index: AcItgo3N2D4kBIwmR32W6JRC7BjD1AABlI8A 
From: "Carroll, D. (Danny)" To: "Bart Matthaei" Cc: X-OriginalArrivalTime: 17 Jul 2002 11:57:51.0481 (UTC) FILETIME=[2D5FAE90:01C22D89] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :Some things tend to break when you leave it out. I can't give you any :examples atm, since I don't recall them :) Been in that world of hurt but I managed to get everything *I* need... (FTP, IRC, ICQ) The only exception was LiveUpdate for Symantec. Punch_FW with natd works for me in these cases, but without nat running I guess it would be harder. :Then add deny rules for port 6000 :) And anything else that might get forgotten... ;) -----------------------------------------------------------------=0A= ATTENTION:=0A= The information in this electronic mail message is private and=0A= confidential, and only intended for the addressee. Should you=0A= receive this message by mistake, you are hereby notified that=0A= any disclosure, reproduction, distribution or use of this=0A= message is strictly prohibited. 
Please inform the sender by=0A= reply transmission and delete the message without copying or=0A= opening it.=0A= =0A= Messages and attachments are scanned for all viruses known.=0A= If this message contains password-protected attachments, the=0A= files have NOT been scanned for viruses by the ING mail domain.=0A= Always scan attachments before opening them.=0A= ----------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 5: 3:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B871837B405 for ; Wed, 17 Jul 2002 05:03:23 -0700 (PDT) Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 30CD943E58 for ; Wed, 17 Jul 2002 05:03:21 -0700 (PDT) (envelope-from bart@dreamflow.nl) Received: (qmail 41166 invoked by uid 1000); 17 Jul 2002 12:02:31 -0000 Date: Wed, 17 Jul 2002 14:02:31 +0200 
From: Bart Matthaei To: "Carroll, D. (Danny)" Cc: security@freebsd.org Subject: Re: ipfw and it's glory... Message-ID: <20020717120231.GB40276@heresy.dreamflow.nl> References: <6C506EA550443D44A061432F1E92EA4C6C535A@ing.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6C506EA550443D44A061432F1E92EA4C6C535A@ing.com> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jul 17, 2002 at 01:57:40PM +0200, Carroll, D. (Danny) wrote:
> :Some things tend to break when you leave it out. I can't give you any
> :examples atm, since I don't recall them :)
>
> Been in that world of hurt but I managed to get everything *I* need...
> (FTP, IRC, ICQ)
> The only exception was LiveUpdate for Symantec.
>
> Punch_FW with natd works for me in these cases, but without nat running
> I guess it would be harder.

Natd on a firewall? Firewalling a public network? I don't think so :)

> :Then add deny rules for port 6000 :)
>
> And anything else that might get forgotten... ;)

You know what you're running, so if you're forgetting, you're a messy admin :)

Cheers,

Bart

-- Bart Matthaei bart@dreamflow.nl If at first you don't succeed, redefine success.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 5:16:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E5ADA37B400 for ; Wed, 17 Jul 2002 05:16:39 -0700 (PDT) Received: from doos.cluecentral.net (cluecentral.net [193.109.122.221]) by mx1.FreeBSD.org (Postfix) with SMTP id 3672B43E58 for ; Wed, 17 Jul 2002 05:16:38 -0700 (PDT) (envelope-from sabri@cluecentral.net) Received: (qmail 83731 invoked by uid 1000); 17 Jul 2002 12:16:29 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jul 2002 12:16:29 -0000 Date: Wed, 17 Jul 2002 14:16:29 +0200 (CEST) 
From: Sabri Berisha To: Bart Matthaei Cc: "Carroll, D. (Danny)" , Subject: Re: ipfw and it's glory... In-Reply-To: <20020717120231.GB40276@heresy.dreamflow.nl> Message-ID: <20020717141338.M82632-100000@doos.cluecentral.net> X-NCC-Regid: nl.bit X-No-Archive: yes Approved: sabri@pfy.nl MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 17 Jul 2002, Bart Matthaei wrote:
> On Wed, Jul 17, 2002 at 01:57:40PM +0200, Carroll, D. (Danny) wrote:
> > :Some things tend to break when you leave it out. I can't give you any
> > :examples atm, since I don't recall them :)

How about DNS? You send out a query from a high UDP port to a DNS server's port 53. It will send you a UDP packet to that high port.

> > Been in that world of hurt but I managed to get everything *I* need...
> > (FTP, IRC, ICQ)
> > The only exception was LiveUpdate for Symantec.
> >
> > Punch_FW with natd works for me in these cases, but without nat running
> > I guess it would be harder.
>
> Natd on a firewall? Firewalling a public network? I don't think so
> :)

Nothing wrong with that. In fact, you might even want to consider using natd only if you don't use the box for another purpose.

-- Sabri Berisha - www.megabit.nl - "I route, therefore you are" - http://www.fordreallysucks.com/more_info.html - 'that particular feeding of Martijn Bevelander, notorious spammer and whiney repeat-posting troll, was almost a work of art.'
(nanae) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 5:26:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52FB737B400 for ; Wed, 17 Jul 2002 05:26:08 -0700 (PDT) Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 88B7D43E31 for ; Wed, 17 Jul 2002 05:26:07 -0700 (PDT) (envelope-from bart@dreamflow.nl) Received: (qmail 41420 invoked by uid 1000); 17 Jul 2002 12:26:06 -0000 Date: Wed, 17 Jul 2002 14:26:06 +0200 
From: Bart Matthaei To: Sabri Berisha Cc: "Carroll, D. (Danny)" , security@freebsd.org Subject: Re: ipfw and it's glory... Message-ID: <20020717122606.GD40276@heresy.dreamflow.nl> References: <20020717120231.GB40276@heresy.dreamflow.nl> <20020717141338.M82632-100000@doos.cluecentral.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020717141338.M82632-100000@doos.cluecentral.net> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jul 17, 2002 at 02:16:29PM +0200, Sabri Berisha wrote:
> > Natd on a firewall? Firewalling a public network? I don't think so
> > :)
>
> Nothing wrong with that. In fact, you might even want to consider using
> natd only if you don't use the box for another purpose.

I wouldn't advise running natd on a firewall serving a large network, since it runs in userland. IPnat is an option, though.

Anyway, back to the original issue: I'd rather not use PunchFW on a large network. They don't call > 1024 un-privileged for nothing. No need to firewall all of them. Just a few daemons that use them, like Mysql and X.

Cheers,

Bart

-- Bart Matthaei bart@dreamflow.nl If at first you don't succeed, redefine success.
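By this point the thread has named four separate holes in the ruleset under discussion: the unconditional allow of all outbound traffic (Mark), the blanket 1024-65535 rules that also leave an X server on 6000 reachable (Danny), the DNS reply to a high UDP port that those rules were really there for (Sabri), and the missing anti-spoofing denies (Danny, earlier). The script below is an added example, not code posted by anyone in the thread: one ruleset that closes all four with ipfw's keep-state/check-state instead of the established and high-port catch-alls, written in the ${fwcmd} style of /etc/rc.firewall, plus a small lint that flags the first two holes in any rule list fed to it. The interface fxp0, the addresses 192.0.2.10 and 198.51.100.5/6, and the helper names rule, hardened_ruleset and lint_ruleset are assumptions chosen for the example:

```shell
#!/bin/sh
# Added example, not code from the thread. Values below are assumptions:
# fxp0 is the public interface, 192.0.2.10 the box's own address,
# 198.51.100.5 and .6 the trusted sources allowed to reach sshd.
pnic="${PNIC:-fxp0}"
pip="${PIP:-192.0.2.10}"
t1="${T1:-198.51.100.5}"
t2="${T2:-198.51.100.6}"

# Print one ipfw command instead of running it, so the script is a dry run
# anywhere. Load for real (as root on FreeBSD) with:  sh this.sh | sh
rule() { echo "ipfw -q add $*"; }

hardened_ruleset() {
    # loopback is unrestricted, but 127/8 must never appear on the wire
    rule allow ip from any to any via lo0
    rule deny log ip from any to 127.0.0.0/8
    rule deny log ip from 127.0.0.0/8 to any

    # anti-spoofing on the public interface: RFC1918 sources coming in,
    # RFC1918 destinations leaking out, our own address arriving from outside
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny log ip from "$net" to any in via "$pnic"
        rule deny log ip from any to "$net" out via "$pnic"
    done
    rule deny log ip from "$pip" to any in via "$pnic"

    # dynamic rules first: every packet of a flow created by a keep-state
    # rule below is accepted here, in either direction
    rule check-state

    # services offered to everyone; only a SYN creates state, so there is
    # no need for a catch-all 'tcp from any to any established'
    rule allow tcp from any to "$pip" 21,25,80,110 setup keep-state in via "$pnic"

    # ssh only from the trusted sources
    rule allow tcp from "$t1" to "$pip" 22 setup keep-state in via "$pnic"
    rule allow tcp from "$t2" to "$pip" 22 setup keep-state in via "$pnic"

    # answer ident lookups with a RST so remote MTAs do not wait for a timeout
    rule reset tcp from any to "$pip" 113 in via "$pnic"

    # outbound: only what we are prepared to accept answers to. The DNS reply
    # returns to whatever high port the resolver picked and is matched by the
    # dynamic rule, so no blanket 'udp from any to me 1024-65535' is needed
    rule allow udp from "$pip" to any 53 keep-state out via "$pnic"
    rule allow tcp from "$pip" to any 21,22,25,53,80,443 setup keep-state out via "$pnic"

    # icmp for ping, traceroute and path-MTU discovery
    rule allow icmp from any to "$pip" icmptypes 0,3,8,11 in via "$pnic"
    rule allow icmp from "$pip" to any icmptypes 0,3,8,11 out via "$pnic"

    # default deny, logged: a forgotten X server on 6000 and an unsolicited
    # outbound flood both end here
    rule deny log ip from any to any
}

# Read a rule list on stdin and fail on the two holes from the thread:
# an unconditional allow of all outbound traffic, and a blanket allow of
# the whole unprivileged port range into the box. Returns 0 when clean.
lint_ruleset() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -Eq 'allow (all|ip) from any to any out'; then
        echo "hole: all outbound traffic allowed, replies need not match anything" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -Eq 'from any to [^ ]+ 1024-65535'; then
        echo "hole: entire unprivileged port range open to the world" >&2
        return 1
    fi
    return 0
}

# Dry run: print the rules, then lint them.
hardened_ruleset
hardened_ruleset | lint_ruleset && echo "lint: ok" >&2
```

Two caveats a practitioner will hit with this ruleset. Non-first IP fragments carry no port numbers, so they match neither the static rules nor the dynamic ones and fall through to the final deny; if you need them (large DNS answers, NFS), add an explicit frag rule for them. FTP data connections are also not covered: passive mode needs a fixed passive port range in ftpd and a matching inbound setup keep-state rule, and active mode needs an outbound rule for connections from port 20.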
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 5:28:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8966D37B400 for ; Wed, 17 Jul 2002 05:28:18 -0700 (PDT) Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id BEA5D43E42 for ; Wed, 17 Jul 2002 05:28:17 -0700 (PDT) (envelope-from greg.panula@dolaninformation.com) Received: (qmail 95619 invoked by uid 0); 17 Jul 2002 12:28:17 -0000 Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.330122 secs); 17 Jul 2002 12:28:17 -0000 X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy X-Qmail-Scanner-Rcpt-To: markd@cogeco.ca,freebsd-security@freebsd.org X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.330122 secs) Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 17 Jul 2002 12:28:16 -0000 Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 17 Jul 2002 07:28:16 -0500 Message-ID: <3D3562E0.A204EE05@dolaninformation.com> Date: Wed, 17 Jul 2002 07:28:16 -0500 
From: Greg Panula Reply-To: greg.panula@dolaninformation.com Organization: Dolan Information Center Inc X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: markd@cogeco.ca Cc: freebsd-security@freebsd.org Subject: Re: ipfw and it's glory... References: <000101c22d1a$a54d6e70$6401a8c0@promethium> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Mark D wrote:
>
> Hello,
>
> First, I hope this is appropriate for this list, if not I'll
> gladly repost. I thought this could be a freebsd-questions question, but
> hey, I took a chance.
>
> Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
>
> I've read the man pages on ipfw and some other documents but am
> still confused. Here is what I've put together so far (go easy on me);
>
> allow ip from trusted-ip-addy-1 to any
> allow ip from trusted-ip-addy-2 to any
> allow log tcp from any to any established
> allow log tcp from trusted-ip-addy-1 to any 22 in setup
> allow log udp from internal-addy to any 53
> allow log udp from any 53 to internal-addy
> allow log tcp from any to internal-addy 80,21,110,15 setup
> -
> 65535 deny ip from any to any
>
> So... I'm not sure if that is the best approach (maybe adding a
> 'check state' here and an 'established' there ;p), but I'm hoping the
> subscribers of this list could give me some insight on securing it
> properly and only allowing in/out what I've specified above.
>
> I thank you in advance.
>

Here's my two bits...
suitable for cut&paste into /etc/rc.firewall even.

[Mm][Aa][Rr][Kk])
	# fill these in: public address, public interface, trusted ssh sources
	pip=""
	pnic=""
	t1=""
	t2=""

	# allow traffic to flow unrestricted across the loopback interface
	${fwcmd} add allow ip from any to any via lo0

	# allow certain icmp traffic to flow to&from the box
	# optional but useful (the ipfw(8) keyword is icmptypes)
	${fwcmd} add allow icmp from any to ${pip} icmptypes 0,3,4,8,11,12
	${fwcmd} add allow icmp from ${pip} to any icmptypes 0,3,4,8,11,12

	# check the state table
	${fwcmd} add 10000 check-state

	# allow in certain services(ftp,smtp,http,pop3)
	# and add it to the state table
	${fwcmd} add allow tcp from any to ${pip} 21,25,80,110 keep-state in via ${pnic}

	# allow outbound dns queries from the box
	${fwcmd} add allow udp from ${pip} to any 53 keep-state out via ${pnic}

	# allow inbound ssh traffic from trusted addresses
	${fwcmd} add allow tcp from ${t1} to ${pip} 22 keep-state in via ${pnic}
	${fwcmd} add allow tcp from ${t2} to ${pip} 22 keep-state in via ${pnic}

	# deny and log the rest
	${fwcmd} add 65000 deny log ip from any to any

	echo firewall ruleset mark loaded
	;;

Then in /etc/rc.conf just add

firewall_enable="YES"
firewall_type="MARK"
firewall_logging="YES"

good luck, greg

From owner-freebsd-security Wed Jul 17 6:29: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F5F637B400 for ; Wed, 17 Jul 2002 06:29:03 -0700 (PDT) Received: from mail1.ing.nl (mail1.ing.nl [145.221.93.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B94F343E4A for ; Wed, 17 Jul 2002 06:29:02 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: ipfw and it's glory...
Date: Wed, 17 Jul 2002 15:26:12 +0200 Importance: normal Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5363@ing.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ipfw and it's glory... thread-index: AcItidHCPBYVCjSGRVC6dJ+VX8OwgQAC4IHg 
From: "Carroll, D. (Danny)" To: "Bart Matthaei" Cc: X-OriginalArrivalTime: 17 Jul 2002 13:26:29.0493 (UTC) FILETIME=[8F27EA50:01C22D95] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

:Natd on a firewall ? Firewalling a public network ? I don't think so
::)

If it's for a home network or small office then you might...

:You know what you're running, So if you're forgetting, you're a messy
:admin :)

Agreed, but the original poster did not really specify.

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 6:31:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 99E7F37B400 for ; Wed, 17 Jul 2002 06:31:10 -0700 (PDT) Received: from mail1.ing.nl (mail1.ing.nl [145.221.93.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B02EE43E58 for ; Wed, 17 Jul 2002 06:31:09 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl) X-MimeOLE: Produced By Microsoft
MimeOLE V5.50.4522.1200 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: ipfw and it's glory... Date: Wed, 17 Jul 2002 15:28:54 +0200 Importance: normal Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5364@ing.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ipfw and it's glory... thread-index: AcIti8t62qf+YuyoSQePB44J5LTxcwACdwWQ 
From: "Carroll, D. (Danny)" To: "Sabri Berisha" , "Bart Matthaei" Cc: X-OriginalArrivalTime: 17 Jul 2002 13:29:05.0673 (UTC) FILETIME=[EC3F1790:01C22D95] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

:How about DNS? You send out a query from a high udp port to a dns
:server's port 53. It will send you a udp packet to that high port.

But its source port will be 53. So you can put in a rule for that.
Plus it's only 1 or 2 servers so you can put in special rules for them.

:> Natd on a firewall ? Firewalling a public network ? I don't think so
:> :)
:
:Nothing wrong with that. In fact, you might even want to consider using
:natd only if you don't use the box for another purpose.

yup.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 6:37:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D2E2D37B400 for ; Wed, 17 Jul 2002 06:37:15 -0700 (PDT) Received: from doos.cluecentral.net (cluecentral.net [193.109.122.221]) by mx1.FreeBSD.org (Postfix) with SMTP id 4896243E5E for ; Wed, 17 Jul 2002 06:37:14 -0700 (PDT) (envelope-from sabri@cluecentral.net) Received: (qmail 86255 invoked by uid 1000); 17 Jul 2002 13:37:06 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jul 2002 13:37:06 -0000 Date: Wed, 17 Jul 2002 15:37:06 +0200 (CEST)
From: Sabri Berisha To: "Carroll, D. (Danny)" Cc: Bart Matthaei , Subject: RE: ipfw and it's glory... In-Reply-To: <6C506EA550443D44A061432F1E92EA4C6C5364@ing.com> Message-ID: <20020717153409.Y86012-100000@doos.cluecentral.net> X-NCC-Regid: nl.bit X-No-Archive: yes Approved: sabri@pfy.nl MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 17 Jul 2002, Carroll, D. (Danny) wrote:

> :How about DNS? You send out a query from a high udp port to a dns
> :server's port 53. It will send you a udp packet to that high port.
>
> But its source port will be 53. So you can put in a rule for that.
> Plus it's only 1 or 2 servers so you can put in special rules for them.

Unless you run a local dnscache (which I would do).

--
Sabri Berisha - www.megabit.nl - "I route, therefore you are"
- http://www.fordreallysucks.com/more_info.html -
'that particular feeding of Martijn Bevelander, notorious spammer and
whiney repeat-posting troll, was almost a work of art.' (nanae)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 6:50:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C439637B400 for ; Wed, 17 Jul 2002 06:50:40 -0700 (PDT) Received: from nippur.irb.hr (nippur.irb.hr [161.53.128.127]) by mx1.FreeBSD.org (Postfix) with ESMTP id D969F43E58 for ; Wed, 17 Jul 2002 06:50:38 -0700 (PDT) (envelope-from mario.pranjic@irb.hr) Received: from localhost (keeper@localhost) by nippur.irb.hr (8.9.3/8.9.3) with ESMTP id PAA24995 for ; Wed, 17 Jul 2002 15:50:36 +0200 (MET DST) Date: Wed, 17 Jul 2002 15:50:36 +0200 (MET DST)
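The ipfw exchange above (Greg's stateful ruleset, and the question of how DNS replies from port 53 get back in that Danny and Sabri discuss) is easier to reason about with a packet walk. The following is an added example, not code from any of the posts: a small first-match simulator for rules in the style Greg posted, with a dynamic state table, fed with constructed addresses (192.0.2.10 as the box on fxp0, 198.51.100.7 as the trusted host, 198.51.100.53 as the resolver, 203.0.113.9 as a stranger). It also goes one step beyond the thread by adding `setup` to the inbound TCP rules and showing what that changes.

```python
"""Toy first-match simulator for ipfw(8) rulesets in the style of this thread.
Added example, not code from any of the posts.  It models only what the posted
rules use (allow/deny, proto, addresses, port lists, in/out, via, setup,
established, keep-state, check-state) plus a 5-tuple state table; 'log' is
ignored and the ICMP rules are left out.  Addresses and interface are made up."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn ack", defaults=(False, False))
OPTIONS = {"in", "out", "via", "setup", "established", "keep-state"}

def parse_rule(line):
    """Parse one 'add ...' line (what follows ${fwcmd} in rc.firewall) into a dict."""
    t, i = line.split(), 1                                  # t[0] is "add"
    r = {"number": 0, "proto": "ip", "src": "any", "sports": (), "dst": "any", "dports": (),
         "direction": "", "via": "", "setup": False, "established": False, "keep-state": False}
    if t[i].isdigit():
        r["number"], i = int(t[i]), i + 1
    r["action"], i = t[i], i + 1
    if r["action"] == "check-state":
        return r
    i += t[i] == "log"                                      # 'log' does not affect matching
    r["proto"], i = t[i], i + 1
    r["src"], i = t[i + 1], i + 2                           # skip "from"
    if t[i] != "to":                                        # optional source port list
        r["sports"], i = tuple(map(int, t[i].split(","))), i + 1
    r["dst"], i = t[i + 1], i + 2                           # skip "to"
    if i < len(t) and t[i] not in OPTIONS:                  # optional destination ports
        r["dports"], i = tuple(map(int, t[i].split(","))), i + 1
    while i < len(t):                                       # the rest are options
        opt, i = t[i], i + 1
        if opt in ("in", "out"):
            r["direction"] = opt
        elif opt == "via":
            r["via"], i = t[i], i + 1
        elif opt in ("setup", "established", "keep-state"):
            r[opt] = True
        else:
            raise ValueError("unsupported option: " + opt)
    return r

def matches(r, p):
    """Static match only; 'setup' = SYN without ACK (new connection), 'established' = ACK set."""
    return (r["proto"] in ("ip", p.proto)
            and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and (not r["sports"] or p.sport in r["sports"])
            and (not r["dports"] or p.dport in r["dports"])
            and r["direction"] in ("", p.direction) and r["via"] in ("", p.iface)
            and (not r["setup"] or (p.proto == "tcp" and p.syn and not p.ack))
            and (not r["established"] or (p.proto == "tcp" and p.ack)))

class Firewall:
    def __init__(self, lines):
        self.rules, self.state, last = [], set(), 0
        for r in map(parse_rule, lines):
            last = r["number"] = r["number"] or last + 100   # ipfw auto-numbers rules
            self.rules.append(r)

    def evaluate(self, p):
        """Return (action, rule number) of the first rule that decides packet p."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        known = fwd in self.state or fwd[:1] + fwd[3:] + fwd[1:3] in self.state
        for r in self.rules:
            # check-state, and every keep-state rule, consults the state table first
            if (r["action"] == "check-state" or r["keep-state"]) and known:
                return "allow", r["number"]
            if r["action"] != "check-state" and matches(r, p):
                if r["keep-state"]:
                    self.state.add(fwd)
                return r["action"], r["number"]
        return "deny", 65535                                # implicit default rule

HOST, NIC, TRUSTED = "192.0.2.10", "fxp0", "198.51.100.7"   # constructed values
# Greg's ruleset from the thread (ICMP rules omitted) with the variables filled in.
STATEFUL = [
    "add allow ip from any to any via lo0",
    "add 10000 check-state",
    f"add allow tcp from any to {HOST} 21,25,80,110 keep-state in via {NIC}",
    f"add allow udp from {HOST} to any 53 keep-state out via {NIC}",
    f"add allow tcp from {TRUSTED} to {HOST} 22 keep-state in via {NIC}",
    "add 65000 deny log ip from any to any",
]
# Same rules, but inbound TCP state is only created by a real SYN ('setup').
STATEFUL_SETUP = [rule.replace("keep-state in", "setup keep-state in") for rule in STATEFUL]
# The static DNS-reply rule from the original question: it trusts the source port.
STATIC_DNS = [f"add allow log udp from any 53 to {HOST}", "add 65000 deny ip from any to any"]

def demo():
    """Walk constructed packets through the rulesets; returns {case: verdict}."""
    out, fw = {}, Firewall(STATEFUL)
    stray = Packet("udp", "203.0.113.9", 53, HOST, 1234, "in", NIC)   # unsolicited, sport 53
    out["static_stray_udp53"] = Firewall(STATIC_DNS).evaluate(stray)[0]
    out["stateful_stray_udp53"] = fw.evaluate(stray)[0]
    out["dns_query"] = fw.evaluate(Packet("udp", HOST, 1234, "198.51.100.53", 53, "out", NIC))[0]
    out["dns_reply"] = fw.evaluate(Packet("udp", "198.51.100.53", 53, HOST, 1234, "in", NIC))[0]
    out["ssh_trusted"] = fw.evaluate(Packet("tcp", TRUSTED, 40000, HOST, 22, "in", NIC, syn=True))[0]
    out["ssh_stranger"] = fw.evaluate(Packet("tcp", "203.0.113.9", 40000, HOST, 22, "in", NIC, syn=True))[0]
    # A bare ACK to port 80 with no prior SYN: the posted rules accept it (and create
    # state for it); the 'setup' variant does not.
    ack_only = Packet("tcp", "203.0.113.9", 40001, HOST, 80, "in", NIC, ack=True)
    out["ack_only_80"] = fw.evaluate(ack_only)[0]
    out["ack_only_80_setup"] = Firewall(STATEFUL_SETUP).evaluate(ack_only)[0]
    return out
```

Running `demo()` shows the two points of the discussion side by side: the original `allow udp from any 53 to internal-addy` rule admits any datagram whose sender chose source port 53, whereas with Greg's `keep-state` rule the same datagram is dropped unless the box itself sent a query first (Danny's narrowing to the one or two real resolvers, and Sabri's local cache, both shrink that static hole; the state table closes it). The last two cases are the caveat: because Greg's inbound TCP rules lack `setup`, any segment to 21/25/80/110, SYN or not, matches and seeds a state entry, while `setup keep-state` only does so for a genuine connection attempt. Real ipfw also ages dynamic entries out and supports masks and ICMP types, none of which this toy models.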
From: Mario Pranjic To: Subject: sendmail and /etc/hosts Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi!

I don't know if it's smart but I'd like to configure sendmail so that it
first checks /etc/hosts file and after that DNS entries.

Is that possible?

Thanks!

Mario Pranjic, dipl.ing.
system administrator
Knjiznica, Institut Rudjer Boskovic
-------------------------------------
e-mail: mario.pranjic@irb.hr
ICQ: 72059629
tel: +385 1 45 60 954 (internal: 1293)
-------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 8:28:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9E5F37B400 for ; Wed, 17 Jul 2002 08:28:20 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 507AE43E3B for ; Wed, 17 Jul 2002 08:28:20 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 5E614534A; Wed, 17 Jul 2002 17:28:16 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Carroll, D. (Danny)" Cc: "Bart Matthaei" , "Mark D" , Subject: Re: ipfw and it's glory... References: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet>
From: Dag-Erling Smorgrav Date: 17 Jul 2002 17:28:15 +0200 In-Reply-To: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet> Message-ID: Lines: 9 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

"Carroll, D. (Danny)" writes:
> Plus the way you have it setup, if you ever have X running then port
> 6000 is open and I really hate that idea.

# sed -i.orig '/^:[[:digit:]]/s/$/ -nolisten tcp/' /etc/X11/xdm/Xservers

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 8:50:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 067AC37B400 for ; Wed, 17 Jul 2002 08:50:25 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 9A7ED43E31 for ; Wed, 17 Jul 2002 08:50:19 -0700 (PDT) (envelope-from roam@straylight.ringlet.net) Received: (qmail 98257 invoked by uid 85); 17 Jul 2002 15:57:18 -0000 Received: from sbnd.online.bg (HELO straylight.ringlet.net) (217.75.129.196) by south.nanolink.com with SMTP; 17 Jul 2002 15:57:16 -0000 Received: (qmail 4391 invoked by uid 1000); 17 Jul 2002 15:43:29 -0000 Date: Wed, 17 Jul 2002 18:43:29 +0300
From: Peter Pentchev To: Mario Pranjic Cc: security@FreeBSD.ORG Subject: Re: sendmail and /etc/hosts Message-ID: <20020717154329.GB408@straylight.oblivion.bg> Mail-Followup-To: Mario Pranjic , security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="K8nIJk4ghYZn606h" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jul 17, 2002 at 03:50:36PM +0200, Mario Pranjic wrote:
> Hi!
>
> I don't know if it's smart but I'd like to configure sendmail so that it
> first checks /etc/hosts file and after that DNS entries.
>
> Is that possible?

A quick look through /etc/mail/freebsd.mc picked up a reference to
/usr/share/sendmail/cf/README. A search for /etc/hosts in that file
found the confHOSTS_FILE option, and immediately above it the
confSERVICE_SWITCH_FILE option. Apparently, sendmail checks for the
presence of the file pointed to by the confSERVICE_SWITCH_FILE option,
or the /etc/mail/service.switch file by default; if that file is
present, sendmail uses its settings just as all other programs use
/etc/host.conf on -STABLE and /etc/nsswitch.conf on -CURRENT.

Thus, it would seem that all you need to do is create an
/etc/mail/service.switch file, and put the following two lines in it:

    file dns

Disclaimer: I have not used Sendmail in the past couple of years, and I
have never configured Sendmail; the information above is just what I
found with a quick glimpse at the docs.

Hope that helps :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am not the subject of this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 9:49:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1038E37B400 for ; Wed, 17 Jul 2002 09:49:51 -0700 (PDT) Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6CD5543E31 for ; Wed, 17 Jul 2002 09:49:50 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id C86051EC5; Wed, 17 Jul 2002 18:49:46 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 8AC775711; Wed, 17 Jul 2002 18:49:46 +0200 (CEST) Date: Wed, 17 Jul 2002 18:49:45 +0200 (CEST)
From: Krzysztof Zaraska X-Sender: kzaraska@lhotse.zaraska.dhs.org To: Mario Pranjic Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Intrusion Detection Systems In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, 16 Jul 2002, Mario Pranjic wrote:

> I'm looking for some references on Intrusion Detection Systems on FreeBSD
> or other UNIX systems.

http://www.networkintrusion.co.uk/

// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 10:46:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A22A37B400 for ; Wed, 17 Jul 2002 10:46:40 -0700 (PDT) Received: from web10103.mail.yahoo.com (web10103.mail.yahoo.com [216.136.130.53]) by mx1.FreeBSD.org (Postfix) with SMTP id 1F75143E58 for ; Wed, 17 Jul 2002 10:46:40 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020717174639.61219.qmail@web10103.mail.yahoo.com> Received: from [68.5.49.41] by web10103.mail.yahoo.com via HTTP; Wed, 17 Jul 2002 10:46:39 PDT Date: Wed, 17 Jul 2002 10:46:39 -0700 (PDT)
From: twig les Subject: SSH clients To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hey *, I'd like to tinker around with some different SSH clients, does
anyone know of any that have some convenient features like session
logging and stuff? I know I could use the script command, and there is
nothing really wrong with OpenSSH's client. I'm just curious as to any
options.

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 10:55:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C03F37B400 for ; Wed, 17 Jul 2002 10:55:27 -0700 (PDT) Received: from ic.ucsb.edu (ic.ucsb.edu [128.111.151.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 265E943E4A for ; Wed, 17 Jul 2002 10:55:26 -0700 (PDT) (envelope-from lopaka@ic.ucsb.edu) Received: from viper.ic.ucsb.edu ([128.111.151.7] helo=ic.ucsb.edu) by ic.ucsb.edu with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #2) id 17Ut1H-000981-00; Wed, 17 Jul 2002 10:55:23 -0700 Message-ID: <3D35AF8B.9000902@ic.ucsb.edu> Date: Wed, 17 Jul 2002 10:55:23 -0700
From: Lopaka Delp Organization: Instructional Computing - Electronic Communications Group User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020530 X-Accept-Language: en-us, en MIME-Version: 1.0 To: twig les Cc: freebsd-security@FreeBSD.ORG Subject: Re: SSH clients References: <20020717174639.61219.qmail@web10103.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

The following site should get you started:

http://www.freessh.org/unix.html

good luck.

--> Lopaka

twig les wrote:
> Hey *, I'd like to tinker around with some different
> SSH clients, does anyone know of any that have some
> convenient features like session logging and stuff? I
> know I could use the script command, and there is
> nothing really wrong with OpenSSH's client. I'm just
> curious as to any options.
>
> =====
> -----------------------------------------------------------
> All warfare is based on deception.
> -----------------------------------------------------------
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Autos - Get free new car price quotes
> http://autos.yahoo.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Lopaka K. Delp                 e-mail: lopaka@ic.ucsb.edu
UNIX Systems Administrator     phone : (805)893-4561
Instructional Computing        cell  : (805)895-9257
University of California,      WWW   : http://www.ic.ucsb.edu/~lopaka
Santa Barbara

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 12:10:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49D8537B400 for ; Wed, 17 Jul 2002 12:10:17 -0700 (PDT) Received: from web10101.mail.yahoo.com (web10101.mail.yahoo.com [216.136.130.51]) by mx1.FreeBSD.org (Postfix) with SMTP id B5ECE43E42 for ; Wed, 17 Jul 2002 12:10:16 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020717191016.32480.qmail@web10101.mail.yahoo.com> Received: from [68.5.49.41] by web10101.mail.yahoo.com via HTTP; Wed, 17 Jul 2002 12:10:16 PDT Date: Wed, 17 Jul 2002 12:10:16 -0700 (PDT)
From: twig les Subject: Re: SSH clients To: Lopaka Delp Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3D35AF8B.9000902@ic.ucsb.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thanks a lot. This site led me to http://www.pingx.net/secpanel/ which
seems to be exactly what I was looking for. Secpanel even has a port
hidden quite cleverly in /usr/ports/security :-P.

--- Lopaka Delp wrote:
> The following site should get you started:
>
> http://www.freessh.org/unix.html
>
> good luck.
>
> --> Lopaka
>
> twig les wrote:
> > Hey *, I'd like to tinker around with some different
> > SSH clients, does anyone know of any that have some
> > convenient features like session logging and stuff? I
> > know I could use the script command, and there is
> > nothing really wrong with OpenSSH's client. I'm just
> > curious as to any options.
> >
> > =====
> > -----------------------------------------------------------
> > All warfare is based on deception.
> > -----------------------------------------------------------
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Autos - Get free new car price quotes
> > http://autos.yahoo.com
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Lopaka K. Delp                 e-mail: lopaka@ic.ucsb.edu
> UNIX Systems Administrator     phone : (805)893-4561
> Instructional Computing        cell  : (805)895-9257
> University of California,      WWW   : http://www.ic.ucsb.edu/~lopaka
> Santa Barbara

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 12:14:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FFCB37B400 for ; Wed, 17 Jul 2002 12:14:32 -0700 (PDT) Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id E476743E91 for ; Wed, 17 Jul 2002 12:14:31 -0700 (PDT) (envelope-from klaus@kobold.compt.com) Date: Wed, 17 Jul 2002 15:14:29 -0400
From: Klaus Steden To: freebsd-security@FreeBSD.ORG Subject: Weird messages reported by kernel ... Message-ID: <20020717151429.J48097@cthulu.compt.com> References: <20020711170957.U318-100000@gabba.so.cpt1.za.uu.net> <20020711153708.GF25321@straylight.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020711153708.GF25321@straylight.oblivion.bg>; from roam@ringlet.net on Thu, Jul 11, 2002 at 06:37:08PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi there,

I've noticed a couple of messages show up in my daily reports from our DMZ
mail server that I can't explain, and I'm wondering if they indicate some
attempted exploit. Specifically ...

Jul 16 18:52:36 cthulu sendmail[1067]: g6GMqah01067: SYSERR: putoutmsg (CPE014140013297.cpe.net.cable.rogers.com): error on output channel sending "500 5.5.1 Command unrecognized: "Content-Type: text/html;"": Broken pipe
Jul 16 21:56:21 cthulu sendmail[3984]: g6H1uLh03984: SYSERR: putoutmsg (adsl-66-124-102-179.dsl.mtry01.pacbell.net): error on output channel sending "500 5.5.1 Command unrecognized: "Content-Type: text/html;"": Broken pipe

Anyone seen this before? Anyone have an inkling as to what it is, besides
someone not understanding SMTP?

cheers,
Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 12:26:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB26B37B400 for ; Wed, 17 Jul 2002 12:26:06 -0700 (PDT) Received: from kknd.mweb.co.za (kknd.mweb.co.za [196.2.45.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C71143E70 for ; Wed, 17 Jul 2002 12:26:05 -0700 (PDT) (envelope-from savage@savage.za.org) Received: from cpt-dial-196-30-179-68.mweb.co.za ([196.30.179.68] helo=netsonic.megalan.co.za) by kknd.mweb.co.za with esmtp (Exim 4.01) id 17UuKw-0000Aj-00; Wed, 17 Jul 2002 21:19:52 +0200 Received: from genocide.megalan.co.za ([192.168.1.254] helo=genocide) by netsonic.megalan.co.za with smtp (Exim 3.36 #2) id 17UuS5-00092R-47; Wed, 17 Jul 2002 21:27:09 +0200 Message-ID: <018901c22dc7$c02f43a0$fe01a8c0@genocide>
From: "Chris Knipe" To: "Klaus Steden" , References: <20020711170957.U318-100000@gabba.so.cpt1.za.uu.net> <20020711153708.GF25321@straylight.oblivion.bg> <20020717151429.J48097@cthulu.compt.com> Subject: Re: Weird messages reported by kernel ... Date: Wed, 17 Jul 2002 21:25:45 +0200 Organization: MegaLAN Corporate Networking Services MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It looks like it's trying to send HTML code to your mail server... Nothing
too serious... Just a seriously disturbed individual... But I don't think
any harm can come from it...

Regards,
Chris Knipe
Cell: (072) 434-7582
MegaLAN Corporate Networking Services

----- Original Message -----
From: "Klaus Steden"
To:
Sent: Wednesday, July 17, 2002 9:14 PM
Subject: Weird messages reported by kernel ...

> Hi there,
>
> I've noticed a couple of messages show up in my daily reports from our DMZ
> mail server that I can't explain, and I'm wondering if they indicate some
> attempted exploit. Specifically ...
>
> Jul 16 18:52:36 cthulu sendmail[1067]: g6GMqah01067: SYSERR: putoutmsg (CPE014140013297.cpe.net.cable.rogers.com): error on output channel sending "500 5.5.1 Command unrecognized: "Content-Type: text/html;"": Broken pipe
> Jul 16 21:56:21 cthulu sendmail[3984]: g6H1uLh03984: SYSERR: putoutmsg (adsl-66-124-102-179.dsl.mtry01.pacbell.net): error on output channel sending "500 5.5.1 Command unrecognized: "Content-Type: text/html;"": Broken pipe
>
> Anyone seen this before? Anyone have an inkling as to what it is, besides
> someone not understanding SMTP?
>
> cheers,
> Klaus
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 17 13:21: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C3FF37B400 for ; Wed, 17 Jul 2002 13:20:59 -0700 (PDT) Received: from mail.po-1.com (mail.po-1.com [130.94.25.165]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0016143E3B for ; Wed, 17 Jul 2002 13:20:58 -0700 (PDT) (envelope-from BC704190M15C6W-4EXF4717528-23F7K7X@ted2.net) Received: from PO-1.COM (130.94.20.196) by mail.po-1.com (PowerMTA(TM) v1.5); Wed, 17 Jul 2002 15:59:29 -0400 (envelope-from )
From: "itsImazing.com Network " To: security@FreeBSD.org Date: Wed, 17 Jul 2002 16:07:42 -0500 Subject: $500 in Coupons Now! X-RTToken: BC704190M15C6W-4EXF4717528-23F7K7X MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_NextPart_2fpo3i2093f4oixl" Message-Id: <20020717202059.0016143E3B@mx1.FreeBSD.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. --=_NextPart_2fpo3i2093f4oixl Content-Type: text/plain Content-Transfer-Encoding: 7bit Dear DON, Thank you for registering at www.outerspacegames.com for a chance to win our $50,000 Bundled Bonanza Giveaway ($10,000 worth of gift certificates from Wal-Mart, Home Depot, Target, JC Penney, and Best Buy). The drawing will be held on October 20th. Good luck! In connection with your registration, you have been automatically enrolled in the itsImazing Network. Our goal is to deliver offers that you will find appealing from nationally known catalogers, retailers and financial services companies. During the next few months you can expect to receive invitations and offers from our newest partners including PlazaDirect, TargitInteractive, Postalink/Email Plus, ImazingOffers, SmartReminders and MeMailDirect. Our first offer to you: $500 in Free Coupons Now! Click on the link below, complete the brief survey, and automatically receive $500 worth of free shopping coupons, plus a chance to win in the $100,000 Give Away IV from RightOffers! Click now! http://www.itsimazing.com/cgi-bin/W?C=744195M8526F&S=RGT0000210 As part of our itsImazing.com pledge, we will continue to seek out other opportunities for you to get more free "stuff". We hope as a new member you find these services just as helpful as our millions of current members have reported. Thank you again for your participation and good luck with the drawing! 
====================================================================================== These messages are only sent to members of the itsImazing.com Network, who have specifically requested or agreed to receive our special offers, discounts, coupons, and other information via email from us and/or our select partners. If, for any reason, you wish to cancel your FREE, no-obligation membership, simply click on the link below or copy it into your browser: http://www.itsimazing.com/cgi-bin/P?C=744195M8526F&S=ECF0717021 for automatic deletion from our membership. It's that easy. --=_NextPart_2fpo3i2093f4oixl Content-Type: text/html; Content-Transfer-Encoding: quoted-printable

--=_NextPart_2fpo3i2093f4oixl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 10:48:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88B0F37B400 for ; Thu, 18 Jul 2002 10:48:17 -0700 (PDT) Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7676343E58 for ; Thu, 18 Jul 2002 10:48:13 -0700 (PDT) (envelope-from craig@millerfam.net) Received: from Desktop ([12.236.220.188]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP id <20020718174813.ONOS6023.sccrmhc02.attbi.com@Desktop> for ; Thu, 18 Jul 2002 17:48:13 +0000 Message-ID: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> From: "Craig Miller" To: "freebsd-security" Subject: wierdness in my security report Date: Thu, 18 Jul 2002 10:47:21 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0060_01C22E48.7E79A6E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0060_01C22E48.7E79A6E0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Anyone have any ideas as to what might be causing the following to = appear in my security report? 
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
From owner-freebsd-security Thu Jul 18 10:53:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 541A437B400 for ; Thu, 18 Jul 2002 10:53:06 -0700 (PDT) Received: from 119.216-123-194-0.interbaun.com (118.216-123-194-0.interbaun.com [216.123.194.118]) by mx1.FreeBSD.org (Postfix) with SMTP id 4178343E58 for ; Thu, 18 Jul 2002 10:53:00 -0700 (PDT) (envelope-from j.laurenson@epicmail.ca) Received: (qmail 27931 invoked from network); 18 Jul 2002 17:57:10 -0000 Received: from unknown (HELO epicjim) (216.123.194.122) by 10.0.1.2 with SMTP; 18 Jul 2002 17:57:10 -0000 From: "Jim Laurenson" To: "Craig Miller" , "freebsd-security" Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 11:53:58 -0600 Message-ID: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0036_01C22E51.CCC61F00" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.
Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
From owner-freebsd-security Thu Jul 18 11: 3:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8953137B400 for ; Thu, 18 Jul 2002 11:03:37 -0700 (PDT) Received: from hotmail.com (oe23.law7.hotmail.com [216.33.236.243]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4143643E31 for ; Thu, 18 Jul 2002 11:03:37 -0700 (PDT) (envelope-from elerrordlmilenio@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 18 Jul 2002 11:03:37 -0700 X-Originating-IP: [196.40.43.74] From: "El Error del Milenio" To: "Klaus Steden" , References: <20020711170957.U318-100000@gabba.so.cpt1.za.uu.net> <20020711153708.GF25321@straylight.oblivion.bg> <20020717151429.J48097@cthulu.compt.com> Subject: Re: Weird messages reported by kernel ... Date: Thu, 18 Jul 2002 12:03:59 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 18 Jul 2002 18:03:37.0229 (UTC) FILETIME=[7078D3D0:01C22E85] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
These days, I've been receiving:

> Jul 8 07:18:12 bella sendmail[22540]: g68DI7X22540: SYSERR: putoutmsg ([212.163.66.50]): error on output channel sending "220 bella.ghp.co.cr ESMTP server ready": Broken pipe

I don't understand why.

----- Original Message -----
From: "Klaus Steden"
To:
Sent: Wednesday, July 17, 2002 1:14 PM
Subject: Weird messages reported by kernel ...
> Hi there,
>
> I've noticed a couple of messages show up in my daily reports from our DMZ mail server that I can't explain, and I'm wondering if they indicate some attempted exploit. Specifically ...
>
> Jul 16 18:52:36 cthulu sendmail[1067]: g6GMqah01067: SYSERR: putoutmsg (CPE014140013297.cpe.net.cable.rogers.com): error on output channel sending "500 5.5.1 Command unrecognized: "Content-Type: text/html;"": Broken pipe
> Jul 16 21:56:21 cthulu sendmail[3984]: g6H1uLh03984: SYSERR: putoutmsg (adsl-66-124-102-179.dsl.mtry01.pacbell.net): error on output channel sending "500 5.5.1 Command unrecognized: "Content-Type: text/html;"": Broken pipe
>
> Anyone seen this before? Anyone have an inkling as to what it is, besides someone not understanding SMTP?
>
> cheers,
> Klaus
From owner-freebsd-security Thu Jul 18 11: 5:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1AE2437B406 for ; Thu, 18 Jul 2002 11:05:10 -0700 (PDT) Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1CA543E58 for ; Thu, 18 Jul 2002 11:05:07 -0700 (PDT) (envelope-from bmah@employees.org) Received: from bmah.dyndns.org ([12.233.149.189]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020718180507.PLHM6023.sccrmhc02.attbi.com@bmah.dyndns.org>; Thu, 18 Jul 2002 18:05:07 +0000 Received: from intruder.bmah.org (localhost [IPv6:::1]) by bmah.dyndns.org (8.12.5/8.12.5) with ESMTP id g6II56eU080058; Thu, 18 Jul 2002 11:05:06 -0700 (PDT) (envelope-from bmah@intruder.bmah.org) Received: (from bmah@localhost) by intruder.bmah.org (8.12.5/8.12.5/Submit)
id g6II56ew080057; Thu, 18 Jul 2002 11:05:06 -0700 (PDT) Message-Id: <200207181805.g6II56ew080057@intruder.bmah.org> X-Mailer: exmh version 2.5+ 20020506 with nmh-1.0.4 To: "Craig Miller" Cc: "freebsd-security" Subject: Re: wierdness in my security report In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> Comments: In-reply-to "Craig Miller" message dated "Thu, 18 Jul 2002 10:47:21 -0700." From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_-1543745570P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Thu, 18 Jul 2002 11:05:06 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
If memory serves me right, "Craig Miller" wrote:
> Anyone have any ideas as to what might be causing the following to appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

It means that the MAC layer address associated with the IP address 12.236.220.1 changed. You don't get these messages for *your* interfaces; you get them for other interfaces on networks directly connected to your (in this case, dc0) interface. If you and I have machines with interfaces on the same network, and I power mine down, replace the network interface, and reboot, you'd get this notification about my machine. You could also see this if someone was successful at hijacking my IP address. There are many other explanations, some benign and some not. See arp(4) for more details.

> Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.

/kernel is the pathname to your kernel (which is not the same as the kernel configuration name).

Bruce.

PS. Please don't post multipart text and HTML emails to the lists.
From owner-freebsd-security Thu Jul 18 11:11:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8C3F37B400 for ; Thu, 18 Jul 2002 11:11:18 -0700 (PDT) Received: from kknd.mweb.co.za (kknd.mweb.co.za [196.2.45.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id EECAE43E67 for ; Thu, 18 Jul 2002 11:11:14 -0700 (PDT) (envelope-from savage@savage.za.org) Received: from cpt-dial-196-30-179-228.mweb.co.za ([196.30.179.228] helo=netsonic.megalan.co.za) by kknd.mweb.co.za with esmtp (Exim 4.01) id 17VFdg-0000Kx-00; Thu, 18 Jul 2002 20:04:33 +0200 Received: from genocide.megalan.co.za
([192.168.1.254] helo=genocide) by netsonic.megalan.co.za with smtp (Exim 3.36 #2) id 17VFjX-000CnC-47; Thu, 18 Jul 2002 20:10:35 +0200 Message-ID: <002f01c22e86$6507caa0$fe01a8c0@genocide> From: "Chris Knipe" To: "Jim Laurenson" , "Craig Miller" , "freebsd-security" References: Subject: Re: wierdness in my security report Date: Thu, 18 Jul 2002 20:10:18 +0200 Organization: MegaLAN Corporate Networking Services MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0026_01C22E97.22FA3EC0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol).

It happens where two different routers are configured in a redundancy scenario with a "virtual" IP. What will happen, is that x.x.x.1 is a virtual IP, while x.x.x.2 and x.x.x.3 are assigned to the Ethernet ports.

Router 1 which is x.x.x.2 will have the virtual IP of x.x.x.1 on .2's MAC address, however, when the router goes down, Router 2 reclaims the virtual IP .1, on the MAC address of .3

Therefore, the MAC address changes, and to my understanding that is what causes the message to be displayed. I can however, be wrong and the change or "switching" of one IP to another MAC address may have nothing to do with the cause of the log message.
--
me

----- Original Message -----
From: Jim Laurenson
To: Craig Miller ; freebsd-security
Sent: Thursday, July 18, 2002 7:53 PM
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
From owner-freebsd-security Thu Jul 18 11:14: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDCE337B400 for ; Thu, 18 Jul 2002 11:14:06 -0700 (PDT) Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAFDA43E6A for ; Thu, 18 Jul 2002 11:14:05 -0700 (PDT) (envelope-from kdk@daleco.biz) Received: from daleco [12.145.226.149] by mail.gbronline.com (SMTPD32-7.11) id A57ED280222; Thu, 18 Jul 2002 13:14:22 -0500 Message-ID: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com> From: "Kevin Kinsey, DaleCo, S.P." To: "Jim Laurenson" , "Craig Miller" , "freebsd-security" References: Subject: Re: wierdness in my security report Date: Thu, 18 Jul 2002 13:13:46 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Somebody, somewhere, changed something that changed a route your kernel had established. How many machines in your LAN? What are the chances one has a new NIC?

KDK

----- Original Message -----
From: Jim Laurenson
To: Craig Miller ; freebsd-security
Sent: Thursday, July 18, 2002 12:53 PM
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.
Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.
Thanks,
--Craig
From owner-freebsd-security Thu Jul 18 11:16: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F07FA37B400 for ; Thu, 18 Jul 2002 11:15:58 -0700 (PDT) Received: from ns1.pu.net (ns1.pu.net [216.87.139.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 637FE43E58 for ; Thu, 18 Jul 2002 11:15:58 -0700 (PDT) (envelope-from bugs@ns1.pu.net) Received: (from bugs@localhost) by ns1.pu.net (8.12.5/8.11.6) id g6IIFqBs011069 for freebsd-security@freebsd.org; Thu, 18 Jul 2002 13:15:52 -0500 (CDT) (envelope-from bugs) From: Mark Hittinger Message-Id: <200207181815.g6IIFqBs011069@ns1.pu.net> Subject: today's bugtraq flock issue To: freebsd-security@freebsd.org Date: Thu, 18 Jul 2002 13:15:52 -0500 (CDT) X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Just saw the flock issue on bugtraq. This probably needs some discussion.

Should file locking only be permitted on files that are either owned by the caller or are writeable to the caller? What will break if software can't lock files that aren't writeable or belong to someone else?

The only problem I can see is performance. I don't think we want to have more overhead during each lock call as this will hurt database speed. Could we have the kernel decide on "lockability" during the open call and keep track of that state? Subsequent lock calls on that fd would then be permitted or denied based on "lockability".
Later
Mark Hittinger
bugs@pu.net
From owner-freebsd-security Thu Jul 18 11:29:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E6D9637B400 for ; Thu, 18 Jul 2002 11:29:46 -0700 (PDT) Received: from hotmail.com (oe21.law7.hotmail.com [216.33.236.125]) by mx1.FreeBSD.org (Postfix) with ESMTP id 911A343E42 for ; Thu, 18 Jul 2002 11:29:46 -0700 (PDT) (envelope-from elerrordlmilenio@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 18 Jul 2002 11:29:46 -0700 X-Originating-IP: [196.40.43.74] From: "El Error del Milenio" To: "Craig Miller" , "freebsd-security" References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> Subject: Re: wierdness in my security report Date: Thu, 18 Jul 2002 12:30:05 -0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_005C_01C22E56.D8C8D220" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: X-OriginalArrivalTime: 18 Jul 2002 18:29:46.0563 (UTC) FILETIME=[17DE3130:01C22E89] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I'm also having:

> arp: 10.0.0.147 moved from 00:e0:7d:a9:c8:3c to 00:b0:d0:a5:4d:e0 on rl0
> Jul 1 15:29:26 bella /kernel: arp: 10.0.0.147 moved from 00:e0:7d:a9:c8:3c to 00:b0:d0:a5:4d:e0 on rl0

I thought it was because of dhcp addresses changing, but now I am in doubt, since my kernel is not named "kernel" either.

----- Original Message -----
From: Craig Miller
To: freebsd-security
Sent: Thursday, July 18, 2002 11:47 AM
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
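Mark Hittinger's message above asks whether a lock call should be honoured only on files the caller owns or can write, and suggests settling that once at open time and keying later lock calls off the stored answer. The script below is an added example written for this page; it is not FreeBSD code and not a change the list adopted. It models the proposal in user space so the rule can be read and tested on its own: lockable() is the decision, LockGate records it per descriptor at open and refuses flock on a descriptor that failed it, and stock_flock_on_readonly_file() shows the unmodified behaviour the message is reacting to, an exclusive flock granted on a mode 0444 file opened O_RDONLY. The temporary files and the numeric uids and gids are constructed for the example.

```python
#!/usr/bin/env python3
"""Open-time "lockability" policy for advisory locks, modelled in user space.
Added example for this page; not FreeBSD code and not a change the list adopted."""
import fcntl
import os
import stat
import tempfile
from types import SimpleNamespace

RDONLY, RDWR = os.O_RDONLY, os.O_RDWR      # re-exported for the examples below


def lockable(st, euid, egids, open_flags):
    """Pure policy decision, made once when the file is opened.
    st: anything with st_uid/st_gid/st_mode (an os.stat_result or fake_stat()).
    egids: the caller's set of group IDs.  open_flags: flags passed to open."""
    if euid == 0 or st.st_uid == euid:
        return True                                  # root, or the owner
    if open_flags & (os.O_WRONLY | os.O_RDWR):
        return True                                  # open() already proved write access
    mode = stat.S_IMODE(st.st_mode)
    if st.st_gid in egids:
        return bool(mode & stat.S_IWGRP)             # group class decides
    return bool(mode & stat.S_IWOTH)                 # otherwise the "other" bits


def fake_stat(uid, gid, mode):
    """Constructed stand-in for os.stat_result, to exercise lockable() offline."""
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)


class LockGate:
    """Records the lockability verdict at open and enforces it on flock."""

    def __init__(self):
        self._ok = {}                                # fd -> verdict

    def open(self, path, flags=os.O_RDONLY):
        fd = os.open(path, flags)
        groups = set(os.getgroups()) | {os.getegid()}
        self._ok[fd] = lockable(os.fstat(fd), os.geteuid(), groups, flags)
        return fd

    def flock(self, fd, op):
        if op & (fcntl.LOCK_SH | fcntl.LOCK_EX) and not self._ok.get(fd, False):
            raise PermissionError("fd %d: caller neither owns nor can write the file" % fd)
        fcntl.flock(fd, op)                          # LOCK_UN always passes through

    def close(self, fd):
        self._ok.pop(fd, None)
        os.close(fd)


def _readonly_tempfile():
    """Create a mode 0444 temp file owned by us; returns its path."""
    fd, path = tempfile.mkstemp()
    os.fchmod(fd, 0o444)
    os.close(fd)
    return path


def stock_flock_on_readonly_file():
    """Current semantics: LOCK_EX on a 0444 file opened O_RDONLY is granted.
    Returns True if the kernel handed out the lock."""
    path = _readonly_tempfile()
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True
    except OSError:
        return False
    finally:
        os.close(fd)
        os.unlink(path)


def gate_on_own_readonly_file():
    """With the gate, the owner may still lock a read-only descriptor."""
    gate = LockGate()
    path = _readonly_tempfile()
    fd = gate.open(path, os.O_RDONLY)
    try:
        gate.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True
    finally:
        gate.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    print("stock flock(LOCK_EX) on read-only fd granted:", stock_flock_on_readonly_file())
    print("gate lets the owner lock a read-only fd:", gate_on_own_readonly_file())
    print("gate for a non-owner on a 0444 file:",
          lockable(fake_stat(1001, 100, 0o100444), 1002, {100}, RDONLY))
```

Deciding at open time keeps the lock path itself free of permission checks, which is the performance point in the message; the cost moves to open, where the kernel already has the vnode and its attributes in hand. The gate covers flock-style locks only, not fcntl(2) byte-range locks, and any policy of this shape denies shared locks to programs that legitimately take them on files they can only read, which is the compatibility question the message raises.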
From owner-freebsd-security Thu Jul 18 11:46: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E45937B400 for ; Thu, 18 Jul 2002 11:46:01 -0700 (PDT) Received: from 119.216-123-194-0.interbaun.com (118.216-123-194-0.interbaun.com [216.123.194.118]) by mx1.FreeBSD.org (Postfix) with SMTP id 8E0EB43E4A for ; Thu, 18 Jul 2002 11:46:00 -0700 (PDT) (envelope-from j.laurenson@epicmail.ca) Received: (qmail 28285 invoked from network); 18 Jul 2002 18:50:21 -0000 Received: from unknown (HELO epicjim) (216.123.194.122) by 10.0.1.2 with SMTP; 18 Jul 2002 18:50:21 -0000 From: "Jim Laurenson" To: "Kevin Kinsey, DaleCo, S.P." , "Craig Miller" , "freebsd-security" Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 12:47:08 -0600 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal In-Reply-To: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
My setup included multiple machines (2 of them, one running 4.3 and the other running 4.4, both getting the error listed below) connected through a DOCSIS modem. These errors started just after the systems were built. After one of the systems became redundant I removed it from the network and the errors disappeared from the other system.
Yet neither of the systems' error messages mentioned the other, just the MAC address of the Cisco router on my ISP's side.

Jim Laurenson

-----Original Message-----
From: Kevin Kinsey, DaleCo, S.P. [mailto:kdk@daleco.biz]
Sent: July 18, 2002 12:14 PM
To: Jim Laurenson; Craig Miller; freebsd-security
Subject: Re: wierdness in my security report

Somebody, somewhere, changed something that changed a route your kernel had established. How many machines in your LAN? What are the chances one has a new NIC?

KDK

----- Original Message -----
From: Jim Laurenson
To: Craig Miller ; freebsd-security
Sent: Thursday, July 18, 2002 12:53 PM
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.
Thanks, --Craig To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 12:18:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 849A537B400 for ; Thu, 18 Jul 2002 12:18:15 -0700 (PDT) Received: from apexch.apogeetelecom.com (apexch.apogeetelecom.com [64.245.60.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1455343E58 for ; Thu, 18 Jul 2002 12:18:15 -0700 (PDT) (envelope-from CBoyd@apogeetelecom.com) Received: by apexch.apogeetelecom.com with Internet Mail Service (5.5.2653.19) id <313NPXCJ>; Thu, 18 Jul 2002 14:28:39 -0500 Message-ID: <5A1E91591378D243B6B6C5425F2B2B3E1DE9B1@apexch.apogeetelecom.com> From: Chris Boyd To: 'Jim Laurenson' , Craig Miller , freebsd-security Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 14:28:38 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This looks like a customer facing router on ATT Broaband's cable Internet service. They apparently replaced the router interface at the headend, and thus it got a new MAC address on the Ethernet. Since there are a lot of man-in-the-middle attacks that involve changing MAC to IP ARP tables, the FreeBSD box logs a warning, and the warning comes from the kernel. > -----Original Message----- > From: Jim Laurenson [SMTP:j.laurenson@epicmail.ca] > Sent: Thursday, July 18, 2002 12:54 PM > To: Craig Miller; freebsd-security > Subject: RE: wierdness in my security report > > I have found the same logs on one of my older builds (4.3 I think). The > offending MAC address was found to be a Cisco router on my ISP's network. > I found no solution for it though. 
> > Jim Laurenson > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller > Sent: July 18, 2002 11:47 AM > To: freebsd-security > Subject: wierdness in my security report > > > Anyone have any ideas as to what might be causing the following to > appear in my security report? > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 > on dc0 > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from > 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to > 00:b0:64:b7:6f:54 on dc0 > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from > 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > I thought those : delimited fields would be MAC addresses, but they > don't match the MAC addresses of either of the two cards in my free-bsd > box. I have not checked the MAC addresses of the other network cards on > my network. > > Also, where does the "server /kernel" name come from. "kernel" is > not the name I gave my kernel, so I am suspicious. 
> > Thanks, > > --Craig > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13: 4: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AF8937B400 for ; Thu, 18 Jul 2002 13:04:01 -0700 (PDT) Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFD6543E58 for ; Thu, 18 Jul 2002 13:03:59 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca) Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with ESMTP id g6IK47X01052 for ; Thu, 18 Jul 2002 14:04:08 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca) From: "Duncan Patton a Campbell is Dhu" To: freebsd-security@FreeBSD.ORG Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 14:04:07 -0600 Message-Id: <20020718200407.M28012@babayaga.neotext.ca> In-Reply-To: References: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com> X-Mailer: Open WebMail 1.70 20020712 X-OriginatingIP: 127.0.0.1 (campbell) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I've had something that looked like this. Is it possible that your isp maintains an IP <-> MAC (ethernet) mapping somewhere? What is happening is that 12.236.220.1 is moving from one ethernet address/card to another (and back). I guess their router claims 12.236.220.1 is attached to it, while you also have a ethernet card in the Box 12.236.220.1 that is arping out in complete disagreement. IFF you are using static (unless you have some reason for it ;-) routing you should switch to DHCP and a setup that requests a specific IP. 
edit this for your /etc/dhclient.conf: #Change this to your ethercards device name interface "ed0" { #Add hostname send host-name "your.host.na"; #Get your ethercard's devicename from ifconfig -a and put it here: send dhcp-client-identifier hh:hh:hh:hh:hh:hh ; send dhcp-lease-time 36000; #Put all forms of your machine's name supersede domain-name "your.host.na www.host.ca host.na"; #IF and onle IF you are running a DNS # prepend domain-name-servers 127.0.0.1; request subnet-mask, broadcast-address, time-offset, routers; require subnet-mask, domain-name-servers; script "/sbin/dhclient-script"; media "media 10baseT/UTP"; } This will permit DHCP to negotiate the underprotocols for ethernet mapping (arp >< rarp etc.) so you won't see all that noise in your messages log. Duncan Patton a Campbell is Duibh ;-) ---------- Original Message ----------- From: "Jim Laurenson" To: "Kevin Kinsey, DaleCo, S.P." , "Craig Miller" , "freebsd-security" Sent: Thu, 18 Jul 2002 12:47:08 -0600 Subject: RE: wierdness in my security report > My setup included multiple machines (2 of them, one > running 4.3 and ht eother running 4.4, both getting > the error listed below) connected through a Docsis > modem. These errors started just after the systems > were built. After one of the systems became redundant > I removed it from the network and the errors > disappeared from the other system. Yet neither of the > systems error messages were mentioning the other, just > the MAC address of the Cisco router on my ISPs side. > > Jim Laurenson > > -----Original Message----- > From: Kevin Kinsey, DaleCo, S.P. > [mailto:kdk@daleco.biz] Sent: July 18, 2002 12:14 PM > To: Jim Laurenson; Craig Miller; freebsd-security > Subject: Re: wierdness in my security report > > Somebody, somewhere, changed something that changed a route > your kernel had established. How many machines in > your LAN? What are the chances one has a new NIC? 
> > KDK > > ----- Original Message ----- > From: Jim Laurenson > To: Craig Miller ; freebsd-security > Sent: Thursday, July 18, 2002 12:53 PM > Subject: RE: wierdness in my security report > > I have found the same logs on one of my older builds > (4.3 I think). The offending MAC address was found to > be a Cisco router on my ISP's network. I found no > solution for it though. > > Jim Laurenson > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf > Of Craig Miller Sent: July 18, 2002 11:47 AM To: > freebsd-security Subject: wierdness in my security report > > Anyone have any ideas as to what might be causing the > following to appear in my security report? > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to > 00:b0:64:b7:6f:a8 on dc0 > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from > 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from > 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > I thought those : delimited fields would be MAC > addresses, but they don't match the MAC addresses of > either of the two cards in my free-bsd box. I have > not checked the MAC addresses of the other network > cards on my network. > > Also, where does the "server /kernel" name come from. > "kernel" is not the name I gave my kernel, so I am suspicious. 
> > Thanks, > > --Craig > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the > message ------- End of Original Message ------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13: 8:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ACC9F37B405 for ; Thu, 18 Jul 2002 13:08:11 -0700 (PDT) Received: from apexch.apogeetelecom.com (apexch.apogeetelecom.com [64.245.60.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id B533243E97 for ; Thu, 18 Jul 2002 13:06:32 -0700 (PDT) (envelope-from CBoyd@apogeetelecom.com) Received: by apexch.apogeetelecom.com with Internet Mail Service (5.5.2653.19) id <313NPXDK>; Thu, 18 Jul 2002 15:15:54 -0500 Message-ID: <5A1E91591378D243B6B6C5425F2B2B3E1DE9B3@apexch.apogeetelecom.com> From: Chris Boyd To: 'Chris Knipe' , Jim Laurenson , Craig Miller , freebsd-security Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 15:15:53 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hm. I though that HSRP cloned the MAC as well, so as not to break all those retro source route bridged protocols. Time to go hit the books for me.... > -----Original Message----- > From: Chris Knipe [SMTP:savage@savage.za.org] > Sent: Thursday, July 18, 2002 1:10 PM > To: Jim Laurenson; Craig Miller; freebsd-security > Subject: Re: wierdness in my security report > > If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol). > > It happens where two different routers are configured in a redundancy > scenario with a "virtual" IP. 
What will happen, is that x.x.x.1 is a > virtual IP, while x.x.x.2 and x.x.x.3 is assigned to the Ethernet ports. > > Router 1 which is x.x.x.2 will have the virtual IP of x.x.x.1 on .2's MAC > address, however, when the router goes down, Router 2 reclaims the virtual > IP .1, on the MAC address of .3 > > Therefore, the MAC address changes, and to my understanding that is what > causes the message to be displayed. I can however, be wrong and the > change or "switching" of one IP to another MAC address may have nothing to > do with the cause of the log message. > > -- > me > > > > ----- Original Message ----- > From: Jim Laurenson > To: Craig Miller ; freebsd-security > > Sent: Thursday, July 18, 2002 7:53 PM > Subject: RE: wierdness in my security report > > I have found the same logs on one of my older builds (4.3 I think). > The offending MAC address was found to be a Cisco router on my ISP's > network. I found no solution for it though. > > Jim Laurenson > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller > Sent: July 18, 2002 11:47 AM > To: freebsd-security > Subject: wierdness in my security report > > > Anyone have any ideas as to what might be causing the > following to appear in my security report? > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to > 00:b0:64:b7:6f:a8 on dc0 > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved > from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to > 00:b0:64:b7:6f:54 on dc0 > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved > from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > I thought those : delimited fields would be MAC addresses, > but they don't match the MAC addresses of either of the two cards in my > free-bsd box. I have not checked the MAC addresses of the other network > cards on my network. 
> > Also, where does the "server /kernel" name come from. > "kernel" is not the name I gave my kernel, so I am suspicious. > > Thanks, > > --Craig > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:12:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 78C9B37B400 for ; Thu, 18 Jul 2002 13:12:54 -0700 (PDT) Received: from tenchi.dreamlabs.com (tenchi.dreamlabs.com [216.220.37.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA71843E42 for ; Thu, 18 Jul 2002 13:12:53 -0700 (PDT) (envelope-from mitayai@dreamlabs.com) Received: from localhost (localhost [127.0.0.1]) by tenchi.dreamlabs.com (Postfix) with ESMTP id E69E4390B6B; Thu, 18 Jul 2002 16:12:46 -0400 (EDT) Received: from shadow (unknown [24.103.70.150]) by tenchi.dreamlabs.com (Postfix) with ESMTP id C5683390B6A; Thu, 18 Jul 2002 16:12:29 -0400 (EDT) Reply-To: From: "Will Mitayai Keeso Rowe" To: "'Jim Laurenson'" , "'Craig Miller'" , "'freebsd-security'" Subject: RE: wierdness in my security report Date: Thu, 18 Jul 2002 16:12:25 -0400 Organization: DreamLabs.Com Message-ID: <007901c22e97$771f13e0$6400a8c0@shadow> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.3416 Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Virus-Scanned: by AMaViS snapshot-20020300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org MAC addresses are prefixed (usually) based on manufacturer. I use http://www.coe.uky.edu/~stu/nic/nic.cfm to help me identify problem machines based on the MAC address... 
i usually know what cards are in what machines. So... 00b064 is assigned to Cisco Systems, Inc. Now, a caveat: MAC addresses can be spoofed. I used to do it with my cable provider (who assigned IP leases based on MAC address) all the time to make sure I got the same IP address assigned even though I plugged the cable into different machines. -Mit -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Jim Laurenson Sent: July 18, 2002 1:54 PM To: Craig Miller; freebsd-security Subject: RE: wierdness in my security report I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though. Jim Laurenson -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller Sent: July 18, 2002 11:47 AM To: freebsd-security Subject: wierdness in my security report Anyone have any ideas as to what might be causing the following to appear in my security report? arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network. Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious. 
Thanks, --Craig To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:24:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B67E37B400 for ; Thu, 18 Jul 2002 13:24:23 -0700 (PDT) Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3FE8D43E3B for ; Thu, 18 Jul 2002 13:24:22 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca) Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with ESMTP id g6IKOTX01108; Thu, 18 Jul 2002 14:24:29 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca) From: "Duncan Patton a Campbell is Dhu" To: "Craig Miller" , "freebsd-security" Subject: Re: wierdness in my security report Date: Thu, 18 Jul 2002 14:24:29 -0600 Message-Id: <20020718202429.M96897@babayaga.neotext.ca> In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> X-Mailer: Open WebMail 1.70 20020712 X-OriginatingIP: 127.0.0.1 (campbell) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Further, it is possible that some other machine is trying to hijack the .1 ip address. As for the /kernel part, this could be an artifact of logging ( like, the code might just say "logerr("system /kernel %s"... )" somewhere... 
Duncan Patton a Campbell is Duibh ;-) ---------- Original Message ----------- From: "Craig Miller" To: "freebsd-security" Sent: Thu, 18 Jul 2002 10:47:21 -0700 Subject: wierdness in my security report > Anyone have any ideas as to what might be causing the > following to appear in my security report? > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to > 00:b0:64:b7:6f:a8 on dc0 > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > I thought those : delimited fields would be MAC > addresses, but they don't match the MAC addresses of > either of the two cards in my free-bsd box. I have > not checked the MAC addresses of the other network > cards on my network. > > Also, where does the "server /kernel" name come from. > "kernel" is not the name I gave my kernel, so I am suspicious. 
> > Thanks, > > --Craig ------- End of Original Message ------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:38:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 20BC737B400 for ; Thu, 18 Jul 2002 13:38:22 -0700 (PDT) Received: from natto.numachi.com (natto.numachi.com [198.175.254.216]) by mx1.FreeBSD.org (Postfix) with SMTP id 7289443E3B for ; Thu, 18 Jul 2002 13:38:18 -0700 (PDT) (envelope-from reichert@numachi.com) Received: (qmail 87589 invoked by uid 1001); 18 Jul 2002 20:38:15 -0000 Date: Thu, 18 Jul 2002 16:38:15 -0400 From: Brian Reichert To: Duncan Patton a Campbell is Dhu Cc: freebsd-security@FreeBSD.ORG Subject: Re: wierdness in my security report Message-ID: <20020718163815.P259@numachi.com> References: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com> <20020718200407.M28012@babayaga.neotext.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020718200407.M28012@babayaga.neotext.ca>; from campbell@neotext.ca on Thu, Jul 18, 2002 at 02:04:07PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 18, 2002 at 02:04:07PM -0600, Duncan Patton a Campbell is Dhu wrote: > I've had something that looked like this. Is it possible that > your isp > maintains an IP <-> MAC (ethernet) mapping somewhere? What > is happening is that 12.236.220.1 is moving from one ethernet > address/card to another (and back). Don't some crappy switches leak ARP info, if you move hosts around? -- Brian 'you Bastard' Reichert 37 Crystal Ave. 
#303 Daytime number: (603) 434-6842 Derry NH 03038-1713 USA Intel architecture: the left-hand path To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:41:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD21837B400 for ; Thu, 18 Jul 2002 13:41:23 -0700 (PDT) Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5CA1443E5E for ; Thu, 18 Jul 2002 13:41:23 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: from shell.i-sphere.com (fasty@localhost [127.0.0.1]) by I-Sphere.COM (8.12.3/8.12.3) with ESMTP id g6IKg3us071567; Thu, 18 Jul 2002 13:42:03 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: (from fasty@localhost) by shell.i-sphere.com (8.12.3/8.12.3/Submit) id g6IKg3G9071566; Thu, 18 Jul 2002 13:42:03 -0700 (PDT) Date: Thu, 18 Jul 2002 13:42:03 -0700 From: faSty To: Craig Miller Cc: freebsd-security@freebsd.org Subject: Re: wierdness in my security report Message-ID: <20020718204203.GA71330@i-sphere.com> Mail-Followup-To: faSty , Craig Miller , freebsd-security@freebsd.org References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> User-Agent: Mutt/1.4i X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org DO you have bridge on your server? I have that same similar and the bridge 2 ethernet port fight over who master the primary IP address. 
-fasty On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote: > Anyone have any ideas as to what might be causing the following to appear in my security report? > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network. > > Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious. > > Thanks, > > --Craig > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:44:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 938F237B4A8 for ; Thu, 18 Jul 2002 13:44:15 -0700 (PDT) Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8364B43E42 for ; Thu, 18 Jul 2002 13:44:14 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g6IKi7V28377 for ; Thu, 18 Jul 2002 14:44:07 -0600 (MDT) Message-ID: <3D37287D.595B812D@fpsn.net> Date: Thu, 18 Jul 2002 14:43:41 -0600 From: Colin Faber Organization: fpsn.net, Inc. 
(http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 Cc: freebsd-security@FreeBSD.ORG Subject: Re: wierdness in my security report References: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com> <20020718200407.M28012@babayaga.neotext.ca> <20020718163815.P259@numachi.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Wasn't this a bug which was corrected in 4.x? I still have a few old 3.x machines and I see the same thing when I have more than one network card in the box. Brian Reichert wrote: > > On Thu, Jul 18, 2002 at 02:04:07PM -0600, Duncan Patton a Campbell is Dhu wrote: > > I've had something that looked like this. Is it possible that > > your isp > > maintains an IP <-> MAC (ethernet) mapping somewhere? What > > is happening is that 12.236.220.1 is moving from one ethernet > > address/card to another (and back). > > Don't some crappy switches leak ARP info, if you move hosts around? > > -- > Brian 'you Bastard' Reichert > 37 Crystal Ave. #303 Daytime number: (603) 434-6842 > Derry NH 03038-1713 USA Intel architecture: the left-hand path > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Colin Faber (303) 736-5160 fpsn.net, Inc. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:48:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 705EA37B405 for ; Thu, 18 Jul 2002 13:48:45 -0700 (PDT) Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 79D9A43E64 for ; Thu, 18 Jul 2002 13:48:44 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca) Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with ESMTP id g6IKmeX01203; Thu, 18 Jul 2002 14:48:40 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca) From: "Duncan Patton a Campbell is Dhu" To: faSty , Craig Miller Cc: freebsd-security@FreeBSD.ORG Subject: Re: wierdness in my security report Date: Thu, 18 Jul 2002 14:48:40 -0600 Message-Id: <20020718204840.M67510@babayaga.neotext.ca> In-Reply-To: <20020718204203.GA71330@i-sphere.com> References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop> <20020718204203.GA71330@i-sphere.com> X-Mailer: Open WebMail 1.70 20020712 X-OriginatingIP: 127.0.0.1 (campbell) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This I've seen too, but he sez the mac's aren't his.... Duncan Patton a Campbell is Duibh ;-) ---------- Original Message ----------- From: faSty To: Craig Miller Sent: Thu, 18 Jul 2002 13:42:03 -0700 Subject: Re: wierdness in my security report > DO you have bridge on your server? > > I have that same similar and the bridge 2 ethernet > port fight over who master the primary IP address. 
> > -fasty > > On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller > wrote: > > Anyone have any ideas as to what might be causing the following to appear in my security report? > > > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0 > > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0 > > > > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network. > > > > Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious. > > > > Thanks, > > > > --Craig > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the > message ------- End of Original Message ------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 18 13:53: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0BE937B400 for ; Thu, 18 Jul 2002 13:52:57 -0700 (PDT) Received: from mxout1.cac.washington.edu (mxout1.cac.washington.edu [140.142.32.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 77EDD43E31 for ; Thu, 18 Jul 2002 13:52:53 -0700 (PDT) (envelope-from zfrazier@u.washington.edu) Received: from mailscan-out1.cac.washington.edu (mailscan-out1.cac.washington.edu [140.142.32.17]) by mxout1.cac.washington.edu (8.12.1+UW01.12/8.12.1+UW02.06) with SMTP id g6IKqqR6010585 for ; Thu, 18 Jul 2002 13:52:52 -0700 Received: FROM dante35.u.washington.edu BY 
mailscan-out1.cac.washington.edu ; Thu Jul 18 13:52:52 2002 -0700
Received: from localhost (zfrazier@localhost) by dante35.u.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with ESMTP id g6IKqpRI008258; Thu, 18 Jul 2002 13:52:51 -0700
Date: Thu, 18 Jul 2002 13:52:51 -0700 (PDT)
From: "Z. Frazier"
To: faSty
Cc: Craig Miller ,
Subject: Re: wierdness in my security report
In-Reply-To: <20020718204203.GA71330@i-sphere.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I don't have my logs in front of me, but I remember getting something similar when my ATT cable connection goes down.

You are right that they disagree over who gets the IP address; the owner will switch every time the ATT network goes down and comes back up.

I am, however, basing most of this on what a friend told me about my similar logs.

The good news is that you can parse your logs for such events and get reimbursed for the time your network was down.

-zach

On Thu, 18 Jul 2002, faSty wrote:

> DO you have bridge on your server?
>
> I have that same similar and the bridge 2 ethernet port fight over who master the
> primary IP address.
>
> -fasty
>
> On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote:
> > Anyone have any ideas as to what might be causing the following to appear in my security report?
> >
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> >
> > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.
> >
> > Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.
> >
> > Thanks,
> >
> > --Craig

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 18 14: 8: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E48C937B400 for ; Thu, 18 Jul 2002 14:07:55 -0700 (PDT)
Received: from stargate.compuware.com (stargate.compuware.com [166.90.248.158]) by mx1.FreeBSD.org (Postfix) with SMTP id 2F71243E6A for ; Thu, 18 Jul 2002 14:07:55 -0700 (PDT) (envelope-from Bill.Barkell@compuware.com)
Received: from [199.186.16.12] by stargate.compuware.com via smtpd (for mx1.FreeBSD.org [216.136.204.125]) with SMTP; 18 Jul 2002 21:07:55 UT
Received: from bh1.compuware.com (compuware.com [172.22.1.239]) by cwus-dtw-mr02.compuware.com (Postfix) with ESMTP id 6826574CCB; Thu, 18 Jul 2002 17:07:20 -0400 (EDT)
Received: by bh1.compuware.com with Internet Mail Service (5.5.2653.19) id <302N4NBQ>; Thu, 18 Jul 2002 17:07:20 -0400
Message-ID:
From: "Barkell, Bill"
To: "'Z. Frazier'" , faSty
Cc: Craig Miller , freebsd-security@FreeBSD.ORG
Subject: RE: wierdness in my security report
Date: Thu, 18 Jul 2002 17:07:18 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I'm not sure if I'm repeating anything here or not, but it looks like 12.236.220.1 may be a router. If so, it's possible for an attacker to poison your arp cache to make your machine think the attacker's machine is 12.236.220.1. This would cause the mac address change. Packets for the net can then be routed thru the attacker's machine, allowing him/her to view everything.

One must look at mac address changes of the router address very carefully (and suspiciously). There are programs available that do this arp cache poisoning (dsniff suite and others).

Bill Barkell, CISSP

-----Original Message-----
From: Z. Frazier [mailto:zfrazier@u.washington.edu]
Sent: Thursday, July 18, 2002 4:53 PM
To: faSty
Cc: Craig Miller; freebsd-security@FreeBSD.ORG
Subject: Re: wierdness in my security report

I don't have my logs in front of me, but I remember getting something similar when my ATT cable connection goes down.

You are right that they disagree over who gets the IP address; the owner will switch every time the ATT network goes down and comes back up.

I am, however, basing most of this on what a friend told me about my similar logs.

The good news is that you can parse your logs for such events and get reimbursed for the time your network was down.

-zach

On Thu, 18 Jul 2002, faSty wrote:

> DO you have bridge on your server?
>
> I have that same similar and the bridge 2 ethernet port fight over who master the
> primary IP address.
>
> -fasty
>
> On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote:
> > Anyone have any ideas as to what might be causing the following to appear in my security report?
> >
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> >
> > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.
> >
> > Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.
> >
> > Thanks,
> >
> > --Craig

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.
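Bill's advice above is to watch MAC changes on the router's address closely. What follows is an added example written for this page, not code from the thread: it turns that advice into a check over the very lines Craig posted, parsing the kernel's "arp: ... moved from ... to ..." messages, remembering every address seen for each IP, and classifying each move as a flap between addresses already seen, a move onto an HSRP virtual address (00:00:0c:07:ac:XX, from RFC 2281), or a first-seen address, which for a gateway is the case worth investigating. The gateway set and the last two sample log lines are constructed for the demonstration.

```python
"""Triage kernel "arp: X moved from A to B on IFACE" messages.

Added example, not code from the thread. It parses the syslog lines
quoted in the original post, remembers every MAC seen for each IP and
classifies each move, so changes affecting the gateway address get the
scrutiny the reply above recommends. The HSRP virtual MAC prefix
00:00:0c:07:ac (group number in the last octet) is from RFC 2281; the
gateway set and the two extra log lines below are constructed.
"""
import re
from collections import defaultdict

ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# RFC 2281: an HSRP group answers ARP with 00:00:0c:07:ac:<group>, so a
# move onto such an address is consistent with an HSRP failover.
HSRP_V1_PREFIX = "00:00:0c:07:ac:"


def is_hsrp_virtual_mac(mac):
    return mac.lower().startswith(HSRP_V1_PREFIX)


def parse_moves(lines):
    """Yield (ip, old_mac, new_mac, iface) for each 'arp: ... moved' line."""
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            yield m["ip"], m["old"].lower(), m["new"].lower(), m["iface"]


def classify_moves(lines, gateways):
    """Return [(ip, new_mac, verdict)] in log order.

    Verdicts:
      hsrp-virtual  new MAC is an HSRP virtual address
      flap          new MAC was already seen for this IP: two devices
                    (or two NICs) taking turns answering for it
      new-mac       a MAC never seen before for this IP; for a gateway
                    this is the case to treat as possible ARP poisoning
    Moves that affect a gateway address are prefixed with "GATEWAY ".
    """
    seen = defaultdict(set)
    verdicts = []
    for ip, old, new, _iface in parse_moves(lines):
        seen[ip].add(old)
        if is_hsrp_virtual_mac(new):
            verdict = "hsrp-virtual"
        elif new in seen[ip]:
            verdict = "flap"
        else:
            verdict = "new-mac"
        seen[ip].add(new)
        if ip in gateways:
            verdict = "GATEWAY " + verdict
        verdicts.append((ip, new, verdict))
    return verdicts


# The first two lines are the ones quoted in the original post; the last
# two are constructed to exercise the other verdicts.
SAMPLE_LOG = [
    "Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    "Jul 17 06:10:02 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:00:0c:07:ac:01 on dc0",
    "Jul 17 06:11:45 server /kernel: arp: 12.236.220.77 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on dc0",
]

if __name__ == "__main__":
    for ip, mac, verdict in classify_moves(SAMPLE_LOG, {"12.236.220.1"}):
        print("%-14s -> %s  %s" % (ip, mac, verdict))
```

Run as a script it prints one verdict per move. The "flap" verdict is deliberately separate from "new-mac": an address that oscillates between two known MACs, as in Craig's log, is what a redundant pair or a bridged pair of ports produces, whereas a gateway suddenly answering from an address never seen before is the pattern Bill describes.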

From owner-freebsd-security Thu Jul 18 14:15:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5A9CC37B400 for ; Thu, 18 Jul 2002 14:15:34 -0700 (PDT)
Received: from micko.boca.verio.net (r00.nat.boca.verio.net [208.55.254.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 57AF443E31 for ; Thu, 18 Jul 2002 14:15:33 -0700 (PDT) (envelope-from micko@micko.boca.verio.net)
Received: (from micko@localhost) by micko.boca.verio.net (8.11.6/8.11.6) id g6ILP7u40257; Thu, 18 Jul 2002 17:25:07 -0400 (EDT) (envelope-from micko)
Date: Thu, 18 Jul 2002 17:25:07 -0400
From: Dragan Mickovic
To: "Z. Frazier"
Cc: faSty , Craig Miller , freebsd-security@freebsd.org
Subject: Re: wierdness in my security report
Message-ID: <20020718172507.A40165@verio.net>
References: <20020718204203.GA71330@i-sphere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from zfrazier@u.washington.edu on Thu, Jul 18, 2002 at 01:52:51PM -0700
X-Operating-System: FreeBSD micko.boca.verio.net 4.5-STABLE FreeBSD 4.5-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

As somebody previously stated on this list, this is normal for HSRP. 12.236.220.1 is a virtual IP and has 2 or more switches in the background. So anytime the primary goes down (reset, overload, load balancing, error), the HSRP will switch to the backup line and therefore the MAC address will change.

I don't know how they have it configured, but if the primary comes back to normal operation and has a higher priority than the secondary switch, the RP will go back to using the primary switch and therefore will change the MAC address again.

dragan

On Thu, Jul 18, 2002 at 01:52:51PM -0700, Z. Frazier wrote:
>
> I don't have my logs in front of me, but I remember getting something
> similar when my ATT cable connection goes down.
>
> You are right that they disagree over who gets the IP address, the owner
> will switch every time the ATT network goes down and comes back up.
>
> I am however basing most of this on what a friend told me about my similar
> logs.
>
> The good news is that you can parse your logs for such events and get
> reimbursed for the time your network was down.
>
>
> -zach
>
> On Thu, 18 Jul 2002, faSty wrote:
>
> > DO you have bridge on your server?
> >
> > I have that same similar and the bridge 2 ethernet port fight over who master the
> > primary IP address.
> >
> > -fasty
> >
> > On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote:
> > > Anyone have any ideas as to what might be causing the following to appear in my security report?
> > >
> > > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > >
> > > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.
> > >
> > > Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.
> > >
> > > Thanks,
> > >
> > > --Craig

--
Dragan Mickovic
UNIX Systems Administrator
NTT/Verio x.4012

From owner-freebsd-security Thu Jul 18 14:32: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2F57337B400 for ; Thu, 18 Jul 2002 14:32:04 -0700 (PDT)
Received: from starcraft.mweb.co.za (starcraft.mweb.co.za [196.2.45.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8CEE43E42 for ; Thu, 18 Jul 2002 14:32:01 -0700 (PDT) (envelope-from savage@savage.za.org)
Received: from cpt-dial-196-30-179-228.mweb.co.za ([196.30.179.228] helo=netsonic.megalan.co.za) by starcraft.mweb.co.za with esmtp (Exim 4.01) id 17VIqQ-0007bu-00; Thu, 18 Jul 2002 23:29:55 +0200
Received: from genocide.megalan.co.za ([192.168.1.254] helo=genocide) by netsonic.megalan.co.za with smtp (Exim 3.36 #2) id 17VIsD-000DN6-47; Thu, 18 Jul 2002 23:31:45 +0200
Message-ID: <00c601c22ea2$768eb9c0$fe01a8c0@genocide>
From: "Chris Knipe"
To: "Dragan Mickovic" , "Z. Frazier"
Cc: "faSty" , "Craig Miller" ,
References: <20020718204203.GA71330@i-sphere.com> <20020718172507.A40165@verio.net>
Subject: Re: wierdness in my security report
Date: Thu, 18 Jul 2002 23:30:21 +0200
Organization: MegaLAN Corporate Networking Services
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Just FYI...

> therefore the MAC address will change. I don't know how they have it configured,
> but if the primary comes back to normal operation and has a higher priority
> than the secondary switch the RP will go back to using the primary switch
> and therefore will change the MAC address again.

The primary router has a priority lower than the secondaries (lowest available priority gets the virtual IP).

Routers running HSRP communicate HSRP information between each other, via HSRP hello packets. These packets are sent to the destination IP multicast address 224.0.0.2 (reserved multicast address used to communicate to all routers) on User Datagram Protocol (UDP) port 1985. These hello packets are sourced with the configured IP address on the interface and the burned-in MAC address of the interface, as opposed to the HSRP or virtual IP and MAC address. This use of source addressing is necessary so that HSRP routers can correctly identify each other.

The only exception to the above behavior is for Cisco 2500, 4000, and 4500 routers. These routers have Ethernet hardware that only recognizes a single MAC address. Therefore, these routers will use the HSRP MAC address when they are the active router, and their burned-in address for HSRP hello packets.
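The hello exchange described above, as an added example that is not part of the thread or of Cisco's page: a decoder for the 20-byte HSRP version 1 packet defined in RFC 2281, plus a frame-level helper that makes the split in the text visible, namely that the frame carries the router's own IP and burned-in MAC while the virtual IP, and the virtual MAC 00:00:0c:07:ac:<group> derived from the group number, appear only inside the hello. The hello payload and the router addresses used in the demonstration are constructed; build_hello() exists only to produce that sample input.

```python
"""Decode an HSRP version 1 packet and relate it to the frame it rides in.

Added example, not code from the thread or from Cisco. The 20-byte
layout, opcodes, states, the 224.0.0.2 / UDP 1985 destination and the
virtual MAC 00:00:0c:07:ac:<group> are from RFC 2281; the sample hello
and the addresses used below are constructed.
"""
import struct
from dataclasses import dataclass

HSRP_MCAST_IP = "224.0.0.2"
HSRP_UDP_PORT = 1985
HSRP_V1_LEN = 20
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth data, virtual IP
LAYOUT = "!BBBBBBBB8s4s"


@dataclass
class HsrpPacket:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str

    @property
    def virtual_mac(self):
        # RFC 2281: the group's virtual MAC address, last octet = group number
        return "00:00:0c:07:ac:%02x" % self.group


def parse_hsrp(payload):
    """Parse the UDP payload of an HSRP v1 packet; ValueError on anything else."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("HSRP v1 needs %d bytes, got %d" % (HSRP_V1_LEN, len(payload)))
    (version, opcode, state, hellotime, holdtime, priority, group, _reserved,
     auth, vip) = struct.unpack(LAYOUT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError("version byte %d is not HSRP v1" % version)
    return HsrpPacket(
        OPCODES.get(opcode, "Unknown(%d)" % opcode),
        STATES.get(state, "Unknown(%d)" % state),
        hellotime, holdtime, priority, group,
        auth.rstrip(b"\0"),
        ".".join(str(b) for b in vip),
    )


def build_hello(state, priority, group, virtual_ip, auth=b"cisco", hellotime=3, holdtime=10):
    """Construct a hello payload as a router would send it (sample input only)."""
    vip = bytes(int(octet) for octet in virtual_ip.split("."))
    return struct.pack(LAYOUT, 0, 0, state, hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\0"), vip)


def explain_frame(src_mac, src_ip, dst_ip, dst_port, payload):
    """Tie the frame's addressing to what is inside the hello.

    As the reply explains, hellos are sent from the interface's own IP
    and burned-in MAC, while the virtual IP (and the virtual MAC derived
    from the group) live only in the payload. Returns None for traffic
    that is not addressed to the HSRP multicast group and port.
    """
    if dst_ip != HSRP_MCAST_IP or dst_port != HSRP_UDP_PORT:
        return None
    pkt = parse_hsrp(payload)
    return {
        "router_ip": src_ip,
        "router_mac": src_mac.lower(),
        "state": pkt.state,
        "priority": pkt.priority,
        "virtual_ip": pkt.virtual_ip,
        "virtual_mac": pkt.virtual_mac,
        # True only when the frame itself was sent from the group's virtual
        # MAC instead of a burned-in address (the single-MAC hardware case).
        "sourced_from_virtual_mac": src_mac.lower() == pkt.virtual_mac,
    }


if __name__ == "__main__":
    # Constructed: the active router for group 1 announcing virtual IP 12.236.220.1
    hello = build_hello(state=16, priority=100, group=1, virtual_ip="12.236.220.1")
    print(explain_frame("00:b0:64:b7:6f:54", "12.236.220.2", HSRP_MCAST_IP, HSRP_UDP_PORT, hello))
```

The virtual_mac property is the check worth keeping at hand when reading "arp: ... moved" messages: hosts on the segment learn the virtual IP at 00:00:0c:07:ac:<group>, so whether a logged MAC falls in that range says something about whether HSRP is what moved it.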
http://www.cisco.com/warp/public/473/62.shtml

Might be helpful. It explains how to understand and troubleshoot HSRP, and also gives a complete detailed explanation of how HSRP actually works (in much more depth than I just did here)...

--
me

From owner-freebsd-security Thu Jul 18 16: 1:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8425237B400 for ; Thu, 18 Jul 2002 16:01:07 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB81143E6A for ; Thu, 18 Jul 2002 16:01:06 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020718230106.FUNO6023.sccrmhc02.attbi.com@blossom.cjclark.org>; Thu, 18 Jul 2002 23:01:06 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g6IN15JK032459; Thu, 18 Jul 2002 16:01:05 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g6IN135W032458; Thu, 18 Jul 2002 16:01:03 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Thu, 18 Jul 2002 16:01:03 -0700
From: "Crist J. Clark"
To: Mark Hittinger
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: today's bugtraq flock issue
Message-ID: <20020718230103.GC31150@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References: <200207181815.g6IIFqBs011069@ns1.pu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200207181815.g6IIFqBs011069@ns1.pu.net>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Jul 18, 2002 at 01:15:52PM -0500, Mark Hittinger wrote:
>
> Just saw the flock issue on bugtraq. This probably needs some discussion.
>
> Should file locking only be permitted on files that are either owned by the
> caller or are writeable to the caller?

Locks are permitted if you can _read_ the file.

# chmod 660 /etc/dumpdates

Will "fix" dump(8).

Not sure where tip(1) might block up if aculog is locked. It doesn't appear to lock it. aculog is just a log file. I don't see a reason to block on opening it. Just change that.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Thu Jul 18 19:20:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D8B537B400; Thu, 18 Jul 2002 19:20:36 -0700 (PDT)
Received: from probsd.ws (ilm26-7-034.ec.rr.com [66.26.7.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCEB743E5E; Thu, 18 Jul 2002 19:20:35 -0700 (PDT) (envelope-from freebsd@ec.rr.com)
Received: by probsd.ws (Postfix, from userid 80) id 39D29106B1; Thu, 18 Jul 2002 22:22:59 -0400 (EDT)
Message-ID: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>
Date: Thu, 18 Jul 2002 22:22:59 -0400 (EDT)
Subject: chroot
From: "Michael Sharp"
To:
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
Cc:
X-Mailer: SquirrelMail (version 1.2.7)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I installed ( or so I thought ) a chroot env last night and ran into some difficulties. Could someone very familiar with openssh/chroot glance over http://probsd.ws/chroot.txt and tell me what I did wrong please?

chroot.txt is an EXTREMELY detailed example of what I did, and script output of the ssh connection to the chroot.

Thx,
michael
freebsd@ec.rr.com

From owner-freebsd-security Thu Jul 18 19:56:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A910937B400; Thu, 18 Jul 2002 19:56:09 -0700 (PDT)
Received: from ns2.austclear.com.au (ns2.austclear.com.au [192.43.185.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B5C143E58; Thu, 18 Jul 2002 19:56:08 -0700 (PDT) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.166.65]) by ns2.austclear.com.au (8.11.2/8.11.3) with ESMTP id g6J2u7t11018; Fri, 19 Jul 2002 12:56:07 +1000 (EST) (envelope-from ahl@austclear.com.au)
Received: from tungsten (tungsten [192.168.166.65]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id MAA00937; Fri, 19 Jul 2002 12:56:06 +1000 (EST)
Message-Id: <200207190256.MAA00937@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: "Michael Sharp"
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: chroot
In-Reply-To: Message from "Michael Sharp" of "Thu, 18 Jul 2002 22:22:59 -0400." <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 19 Jul 2002 12:56:05 +1000
From: Tony Landells
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

How very interesting...

For a start, you can't copy devices with "cp"--you need something smarter like "tar", "cpio", ... Pretty much anything that could be used for backups should understand the niceties of copying a device. As an alternative you could use "mknod" to create them.

Here is how to do it with cpio:

cd /dev
find null random urandom -print | cpio -pdmuv /home/chrootuser/dev/

and then compare the results with ls -l to make sure you're happy.

Specifically, using "cp" to copy /dev/null is a method of creating a new empty file, or completely emptying out an existing file.

Secondly, are you sure you weren't connected? If you could use control-d to terminate the connection it looks to me like you were connected but had no prompt. Control-d is an "end of file" indicator; when you give it to a shell that means "there are no more commands". Since the sole purpose of a shell is to let you execute commands, this results in it terminating (as it does for any program that primarily processes input). However "end of file" is only meaningful if it's read by something. It doesn't generate any sort of "signal" to catch the attention of a hung program.

Try connecting again and typing a command that should work, like "/bin/ls /bin" or even something more basic like "set" (which is builtin to all the shells). If you get something, you're connected.
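Tony's "compare the results with ls -l" step, as an added example that is not part of his reply (Python rather than a shell one-liner so the comparison is explicit): each expected node under the chroot's dev directory is compared with the host's node by type and major/minor number, so the empty regular file that "cp /dev/null" leaves behind, or a node recreated with the wrong numbers, is reported. The device names follow Tony's cpio command; make_broken_chroot() builds a constructed throwaway directory for the demonstration, since creating real device nodes needs root.

```python
"""Check that the device nodes inside a chroot really are devices.

Added example, not code from the thread. It automates the "compare the
results with ls -l" step from the reply above: each expected node is
compared with the host's node by type and major/minor number, which
catches the empty regular file that "cp /dev/null" leaves behind.
The device list follows the reply's cpio command; the temporary
directory built by make_broken_chroot() is constructed for the demo.
"""
import os
import stat
import tempfile

DEFAULT_DEVICES = ("null", "random", "urandom")


def describe(path):
    """Return (kind, major, minor) for path, or None if it does not exist."""
    try:
        st = os.stat(path)  # follows symlinks, like ls -lL
    except OSError:
        return None
    if stat.S_ISCHR(st.st_mode):
        return "char", os.major(st.st_rdev), os.minor(st.st_rdev)
    if stat.S_ISBLK(st.st_mode):
        return "block", os.major(st.st_rdev), os.minor(st.st_rdev)
    if stat.S_ISREG(st.st_mode):
        return "regular file of %d bytes" % st.st_size, None, None
    return "other", None, None


def audit_chroot_devices(chroot, devices=DEFAULT_DEVICES, host_dev="/dev"):
    """Return {name: problem} for nodes that are missing or differ from the host's."""
    problems = {}
    for name in devices:
        host = describe(os.path.join(host_dev, name))
        inside = describe(os.path.join(chroot, "dev", name))
        if host is None:
            problems[name] = "not present on the host, nothing to compare against"
        elif inside is None:
            problems[name] = "missing inside the chroot"
        elif inside[0] not in ("char", "block"):
            problems[name] = "is a %s, not a device (copied with cp?)" % inside[0]
        elif inside != host:
            problems[name] = "is %s %s,%s but the host has %s %s,%s" % (inside + host)
    return problems


def make_broken_chroot():
    """Constructed demo: a chroot whose dev/null was made with cp, not cpio or mknod."""
    root = tempfile.mkdtemp(prefix="chroot-demo-")
    os.makedirs(os.path.join(root, "dev"))
    open(os.path.join(root, "dev", "null"), "wb").close()  # what cp /dev/null leaves
    return root


if __name__ == "__main__":
    root = make_broken_chroot()
    for name, problem in audit_chroot_devices(root).items():
        print("%s/dev/%s: %s" % (root, name, problem))
```

Pointing audit_chroot_devices() at a chroot populated with cpio or mknod as Tony describes should return an empty dictionary; anything it reports is a node that a program inside the chroot would not see as the device it expects.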
Tony
--
Tony Landells
Senior Network Engineer                     Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd        Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia

From owner-freebsd-security Thu Jul 18 22:21:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E70D037B400 for ; Thu, 18 Jul 2002 22:21:40 -0700 (PDT)
Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id B90A543E42 for ; Thu, 18 Jul 2002 22:21:39 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca)
Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with ESMTP id g6J5Lmp01056 for ; Thu, 18 Jul 2002 23:21:48 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca)
From: "Duncan Patton a Campbell is Dhu"
To:
Subject: wierdness in ipsec
Date: Thu, 18 Jul 2002 23:21:48 -0600
Message-Id: <20020719052148.M71433@babayaga.neotext.ca>
In-Reply-To: <00c601c22ea2$768eb9c0$fe01a8c0@genocide>
References: <20020718204203.GA71330@i-sphere.com> <20020718172507.A40165@verio.net> <00c601c22ea2$768eb9c0$fe01a8c0@genocide>
X-Mailer: Open WebMail 1.70 20020712
X-OriginatingIP: 127.0.0.1 (campbell)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I'm running ipsec with some manual setkey statements. For a week or so everything seemed to work fine. Then I find that HTTP doesn't work between my nodes through an ipsec link. Everything else works. Problem seems only one way too:

A# telnet B 80
hangs,
B# telnet A 80
Connected to A.
Escape character is '^]'.

Very strange... any ideas?

Dhu

From owner-freebsd-security Thu Jul 18 22:55:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7EF6337B400 for ; Thu, 18 Jul 2002 22:55:39 -0700 (PDT)
Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB51F43E67 for ; Thu, 18 Jul 2002 22:55:38 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca)
Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with ESMTP id g6J5tlp01144; Thu, 18 Jul 2002 23:55:47 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca)
From: "Duncan Patton a Campbell is Dhu"
To: "Duncan Patton a Campbell is Dhu" ,
Subject: Re: wierdness in ipsec
Date: Thu, 18 Jul 2002 23:55:47 -0600
Message-Id: <20020719055547.M35426@babayaga.neotext.ca>
In-Reply-To: <20020719052148.M71433@babayaga.neotext.ca>
References: <20020718204203.GA71330@i-sphere.com> <20020718172507.A40165@verio.net> <00c601c22ea2$768eb9c0$fe01a8c0@genocide> <20020719052148.M71433@babayaga.neotext.ca>
X-Mailer: Open WebMail 1.70 20020712
X-OriginatingIP: 127.0.0.1 (campbell)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This turns out to be interesting -- the problem disappeared when I set the Listen directive in httpd.conf. So mebbe one of the TCP flags isn't getting thru the ESP right?
Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: "Duncan Patton a Campbell is Dhu"
To:
Sent: Thu, 18 Jul 2002 23:21:48 -0600
Subject: wierdness in ipsec

> I'm running ipsec with some manual setkey statements.
> For a week or so everything seemed to work fine.
> Then I find that HTTP doesn't work between my nodes
> through an ipsec link. Everything else works. Problem seems
> only one way
> too:
>
> A# telnet B 80
> hangs,
> B# telnet A 80
> Connected to A.
> Escape character is '^]'.
>
> Very strange... any ideas?
>
> Dhu
------- End of Original Message -------

From owner-freebsd-security Fri Jul 19 1: 2:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E75337B400; Fri, 19 Jul 2002 01:02:18 -0700 (PDT)
Received: from smtp.infracaninophile.co.uk (happy-idiot-talk.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id C624743E6A; Fri, 19 Jul 2002 01:02:16 -0700 (PDT) (envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.5/8.12.5) with ESMTP id g6J81VXZ005392; Fri, 19 Jul 2002 09:01:31 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.5/8.12.5/Submit) id g6J81Pru005391; Fri, 19 Jul 2002 09:01:25 +0100 (BST)
Date: Fri, 19 Jul 2002 09:01:25 +0100
From: Matthew Seaman
To: Michael Sharp
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: chroot
Message-ID: <20020719080125.GA4662@happy-idiot-talk.infracaninophi>
References: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote:
> I installed ( or so I thought ) a chroot env last night and ran into some
> difficulties. Could someone very familiar with openssh/chroot glance
> over http://probsd.ws/chroot.txt and tell me what I did wrong please?
>
> chroot.txt is an EXTREMELY detailed example of what I did, and script
> output of the ssh connection to the chroot.

Hmmm... you are almost reinventing the concept of jail(8) here, which might be a better solution for you. The main difference from what you're doing is that a jailed sshd process would get its own separate IP number.

Some things you might find useful:

i) Copy /dev/MAKEDEV into your chrooted area and use that to create the device files you need:

cp -p /dev/MAKEDEV /home/chrootuser/dev
sh /home/chrootuser/dev/MAKEDEV jail

--- the `jail' target should get you an appropriate set of devices.

ii) Set up an additional logging socket in your chroot area and modify your syslogd flags to pick up syslog messages from there. You'll also need a copy of /etc/localtime in the chroot area so that your syslog messages get the correct timestamp:

mkdir -p /home/chrootuser/var/run
cp -p /etc/localtime /home/chrootuser/etc/localtime
cp /etc/rc.conf /etc/rc.conf.bak
echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf
kill `cat /var/run/syslogd.pid`
/usr/sbin/syslogd -s -l /home/chrootuser/var/run/log

You can then turn up the logging level in /home/chrootuser/etc/ssh/sshd_config by altering the LogLevel value: a LogLevel of DEBUG3 will give you a great deal of output showing a blow by blow account of just about everything the sshd does.

iii) Make sure you can resolve addresses in the DNS from your chroot environment. It should be sufficient to copy over /etc/resolv.conf

cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf

iv) If you want to be able to run ps(1) from the chroot area, then you need to mount a procfs(5) file system inside your chroot area. This isn't really necessary for sshd to operate correctly though:

cp /etc/fstab /etc/fstab.bak
cat <<EOF >>/etc/fstab
proc /home/chrootuser/proc procfs rw 0 0
EOF
mount /home/chrootuser/proc

cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH
                                                      UK

From owner-freebsd-security Fri Jul 19 5:46:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E4D637B400 for ; Fri, 19 Jul 2002 05:46:50 -0700 (PDT)
Received: from memphis.mephi.ru (memphis.mephi.ru [194.67.67.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id E9A5E43E58 for ; Fri, 19 Jul 2002 05:46:48 -0700 (PDT) (envelope-from timon@memphis.mephi.ru)
Received: (from timon@localhost) by memphis.mephi.ru (8.11.6/8.11.6) id g6JCkVd30425; Fri, 19 Jul 2002 16:46:31 +0400 (MSD) (envelope-from timon)
Date: Fri, 19 Jul 2002 16:46:30 +0400
From: "Artem 'Zazoobr' Ignatjev"
To: Craig Miller , freebsd-security@FreeBSD.ORG
Subject: Re: wierdness in my security report
Message-ID: <20020719164630.B26458@memphis.mephi.ru>
References: <006301c22e83$2b3d5b30$fe01a8c0@Desktop>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <006301c22e83$2b3d5b30$fe01a8c0@Desktop>; from craig@millerfam.net on Thu, Jul 18, 2002 at 10:47:21AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote:
> Anyone have any ideas as to what might be causing the following to appear in my security report?
>
>> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two
> cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.
> Also, where does the "server /kernel" name come from. "kernel" is not the name I gave my kernel, so I am suspicious.

errr...

ls /kernel

I think you meant that the IDENT line of your kernel config isn't about kernel, but it installs into / as kernel.

The message you see tells you that the IP address changed its hardware addr, and the delimited fields really are the old and new addys.

Sincerely yours,
Artem 'Zazoobr' Ignatjev.

From owner-freebsd-security Fri Jul 19 12:11: 6 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6671437B400 for ; Fri, 19 Jul 2002 12:11:04 -0700 (PDT)
Received: from mailer.cia-g.com (mailer.cia-g.com [65.100.115.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id F316B43E58 for ; Fri, 19 Jul 2002 12:11:03 -0700 (PDT) (envelope-from raz@cygnus.cia-g.com)
Received: from cygnus.cia-g.com (data.cia-g.com [65.100.119.165]) by mailer.cia-g.com (Postfix) with ESMTP id 2DB5C34C2 for ; Fri, 19 Jul 2002 13:28:18 -0600 (MDT)
Received: from raz by cygnus.cia-g.com with local (Exim 3.12 #1 (Debian)) id 17Vd9X-0007fl-00 for ; Fri, 19 Jul 2002 13:10:59 -0600
Date: Fri, 19 Jul 2002 13:10:58 -0600
From: David Wilk
To: freebsd-security@freebsd.org
Subject: RELENG_4_6 and openssh-3.4p1 depend failure
Message-ID: <20020719131058.A29282@cygnus.wks.Gallup.cia-g.com>
Mail-Followup-To: David Wilk , freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Howdy,

I've been waiting for OpenSSH-3.4p1 to make it into RELENG_4_6 and now that it's there, there appears to be a problem. I had just finished a successful make world from the 7/12/2002 RELENG_4_6 and decided to CVSup today. Here's what I get when I go to /usr/src/secure and do a make depend (after make cleandir and make obj of course):

/usr/src/secure/lib/libssh/../../../crypto/openssh/includes.h:147: readpassphrase.h: No such file or directory
In file included from /usr/src/secure/lib/libssh/../../../crypto/openssh/entropy.c:25:
/usr/src/secure/lib/libssh/../../../crypto/openssh/includes.h:147: readpassphrase.h: No such file or directory
In file included from /usr/src/secure/lib/libssh/../../../crypto/openssh/version.c:28:
/usr/src/secure/lib/libssh/../../../crypto/openssh/includes.h:147: readpassphrase.h: No such file or directory
mkdep: compile failed
*** Error code 1

Stop in /usr/src/secure/lib/libssh.
*** Error code 1

Stop in /usr/src/secure/lib.
*** Error code 1

Stop in /usr/src/secure.

This is prepended by a lot more of the above complaints that readpassphrase.h is not found. I checked and there's a readpass.h and readpass.c but no readpassphrase.h or .c.

Anyone else have trouble with this?

Dave
--
*******************************
David Wilk
System Administrator
Community Internet Access, Inc.
admin@cia-g.com

From owner-freebsd-security Fri Jul 19 13:21:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D56037B400 for ; Fri, 19 Jul 2002 13:21:44 -0700 (PDT)
Received: from everlast.whitebird.no (everlast.whitebird.no [217.118.36.94]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EF2B43E3B for ; Fri, 19 Jul 2002 13:21:43 -0700 (PDT) (envelope-from arvinn@whitebird.no)
Received: from everlast.whitebird.no (localhost.whitebird.no [127.0.0.1]) by everlast.whitebird.no (Postfix) with SMTP id 523CC57C3; Fri, 19 Jul 2002 22:26:55 +0200 (CEST)
Received: from 217.118.33.65 (SquirrelMail authenticated user arvinn) by everlast.whitebird.no with HTTP; Fri, 19 Jul 2002 22:26:55 +0200 (CEST)
Message-ID: <4181.217.118.33.65.1027110415.squirrel@everlast.whitebird.no>
Date: Fri, 19 Jul 2002 22:26:55 +0200 (CEST)
Subject: RE: ipfw and it's glory...
From: "Arvinn Løkkebakken"
To:
In-Reply-To: <20020717153409.Y86012-100000@doos.cluecentral.net>
References: <6C506EA550443D44A061432F1E92EA4C6C5364@ing.com> <20020717153409.Y86012-100000@doos.cluecentral.net>
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
Cc: , ,
X-Mailer: SquirrelMail (version 1.2.7)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>> But it's source port will be 53. So you can put in a rule for that.
>> Plus it's only 1 or 2 servers so you can put in special rules for
>> them.
>
> Unless you run a local dnscache (which I would do).
>

So what? The scenario is the same!
Even though it's caching dns info it has to go out there to get the info in
the first place. Computers on the inside segment though don't need to get
through the firewall to port 53, but the dns server itself has to!

Arvinn

From owner-freebsd-security Fri Jul 19 13:37:18 2002
Message-ID: <4210.217.118.33.65.1027111345.squirrel@everlast.whitebird.no>
Date: Fri, 19 Jul 2002 22:42:25 +0200 (CEST)
Subject: Re: ipfw and it's glory...
From: "Arvinn Løkkebakken"
In-Reply-To: <200207170729.g6H7TtJe081341@drugs.dv.isc.org>
References: Your message of "Wed, 17 Jul 2002 09:03:49 +0200."
            <200207170729.g6H7TtJe081341@drugs.dv.isc.org>

>> # Allow "local" traffic
>> ipfw add allow all from any to any via lo0
>>
>> # Allow all outgoing traffic
>> ipfw add allow all from any to any out
>
> This is a bad idea. You should only allow out what you
> will accept back in. If you don't you will eventually be
> guilty of pounding some poor server because you haven't
> allowed the answers to come back.

I can't see why that's a bad idea.
ipfw does allow tcp ACK back through the firewall, doesn't it?
What do you mean only allow out what will accept in?
The source and destination ports never have the same port numbers anyway.

Arvinn

From owner-freebsd-security Fri Jul 19 13:43:31 2002
Date: Fri, 19 Jul 2002 22:43:17 +0200 (CEST)
From: Sabri Berisha
To: Arvinn Løkkebakken
Subject: RE: ipfw and it's glory...
In-Reply-To: <4181.217.118.33.65.1027110415.squirrel@everlast.whitebird.no>
Message-ID: <20020719223957.O61716-100000@doos.cluecentral.net>

On Fri, 19 Jul 2002, Arvinn Løkkebakken wrote:

> >> But it's source port will be 53. So you can put in a rule for that.
> >> Plus it's only 1 or 2 servers so you can put in special rules for
> >> them.
> >
> > Unless you run a local dnscache (which I would do).
>
> So what? The scenario is the same! Even though it's caching dns info it
> has to go out there to get the info in the first place. Computers on the
> inside segment though don't need to get through the firewall to port 53,
> but the dns server itself has to!

If you don't run a local dnscache and your external dnscache gets rooted,
someone is able to send false responses to your firewall and thus possibly
'trusting' untrusted hosts.

Additionally, running a local dnscache reduces traffic to your dnsservers,
limiting exposure of what you (or the hosts inside) are doing (no, this is
not security by obscurity).

--
Sabri Berisha - www.megabit.nl - "I route, therefore you are"
- http://www.fordreallysucks.com/more_info.html -
'that particular feeding of Martijn Bevelander, notorious spammer and whiney
repeat-posting troll, was almost a work of art.'
(nanae)

From owner-freebsd-security Fri Jul 19 16:55:08 2002
Message-Id: <200207192354.g6JNsSJe016025@drugs.dv.isc.org>
To: "Arvinn Løkkebakken"
Cc: Mark_Andrews@isc.org, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: ipfw and it's glory...
In-reply-to: Your message of "Fri, 19 Jul 2002 22:42:25 +0200." <4210.217.118.33.65.1027111345.squirrel@everlast.whitebird.no>
Date: Sat, 20 Jul 2002 09:54:28 +1000

> >> # Allow "local" traffic
> >> ipfw add allow all from any to any via lo0
> >>
> >> # Allow all outgoing traffic
> >> ipfw add allow all from any to any out
> >
> > This is a bad idea. You should only allow out what you
> > will accept back in. If you don't you will eventually be
> > guilty of pounding some poor server because you haven't
> > allowed the answers to come back.
>
> I can't see why that's a bad idea.
> ipfw does allow tcp ACK back through the firewall doesn't it?

        Not by default. The example this came from didn't allow
        the ACK's back in all cases.
> What do you mean only allow out what will accept in?

        Communication is a two way street. For TCP and UDP
        you have .

        If you allow a packet out from to you should allow packets
        from to back in. Or to put it another way if you don't let
        to in then you don't let to out.

        If you have "ipfw add allow all from any to any out" then
        you should have "ipfw add allow all from any to any in".
        The firewall was not configured like that. It restricted
        in bound traffic so it should similarly restrict out bound
        traffic.

        You should also allow back in any ICMP traffic that may be
        generated as a result of allowing those UDP and TCP packets
        out. Similarly you should allow out any ICMP traffic
        generated as a result of letting TCP and UDP packets in.
        This is essential for correct operation of IP, UDP and TCP.

        Mark

> The source and destination ports never have the same port numbers
> anyway.
>
> Arvinn
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Fri Jul 19 19:02:55 2002
To: David Wilk
Cc: freebsd-security@freebsd.org
Subject: Re: RELENG_4_6 and openssh-3.4p1 depend failure
References: <20020719131058.A29282@cygnus.wks.Gallup.cia-g.com>
From: Dag-Erling Smorgrav
Date: 20 Jul 2002 04:02:49 +0200
In-Reply-To: <20020719131058.A29282@cygnus.wks.Gallup.cia-g.com>

David Wilk writes:
> I had just finished a successful make world from the 7/12/2002 RELENG_4_6
> and decided to CVSup today. Here's what I get when I go to /usr/src/secure
> and do a make depend (after make cleandir and make obj of course):

That is not a supported upgrade path. Please use 'make world'.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jul 19 20:22:57 2002
Message-ID: <025b88d87d4d$7332e5e7$0ea71de1@onxsat>
To: Member@FreeBSD.ORG
Subject: domain names now only $14.95
Date: Sat, 20 Jul 2002 11:25:24 -0800

PUBLIC ANNOUNCEMENT:

The new domain names are finally available to the general public at discount
prices. Now you can register one of the exciting new .BIZ or .INFO domain
names, as well as the original .COM and .NET names for just $14.95. These
brand new domain extensions were recently approved by ICANN and have the same
rights as the original .COM and .NET domain names. The biggest benefit is of
course that the .BIZ and .INFO domain names are currently more available,
i.e. it will be much easier to register an attractive and easy-to-remember
domain name for the same price.

Visit: http://www.affordable-domains.com today for more info.

Register your domain name today for just $14.95 at:
http://www.affordable-domains.com/

Registration fees include full access to an easy-to-use control panel to
manage your domain name in the future.
Sincerely,
Domain Administrator
Affordable Domains

To remove your email address from further promotional mailings from this
company, click here:
http://www.centralremovalservice.com/cgi-bin/domain-remove.cgi

From owner-freebsd-security Fri Jul 19 21:16:36 2002
Date: Sat, 20 Jul 2002 00:16:30 -0400
From: "Peter C. Lai"
To: Mark.Andrews@isc.org
Cc: Arvinn Løkkebakken, Mark_Andrews@isc.org, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Message-ID: <20020720001630.A56591@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <4210.217.118.33.65.1027111345.squirrel@everlast.whitebird.no> <200207192354.g6JNsSJe016025@drugs.dv.isc.org>
In-Reply-To: <200207192354.g6JNsSJe016025@drugs.dv.isc.org>; from Mark.Andrews@isc.org on Sat, Jul 20, 2002 at 09:54:28AM +1000

On Sat, Jul 20, 2002 at 09:54:28AM +1000, Mark.Andrews@isc.org wrote:
>
> > >> # Allow "local" traffic
> > >> ipfw add allow all from any to any via lo0
> > >>
> > >> # Allow all outgoing traffic
> > >> ipfw add allow all from any to any out
> > >
> > > This is a bad idea. You should only allow out what you
> > > will accept back in. If you don't you will eventually be
> > > guilty of pounding some poor server because you haven't
> > > allowed the answers to come back.
> >
> > I can't see why that's a bad idea.
> > ipfw does allow tcp ACK back through the firewall doesn't it?
>
>         Not by default. The example this came from didn't allow
>         the ACK's back in all cases.
>
> > What do you mean only allow out what will accept in?
>
>         Communication is a two way street. For TCP and UDP
>         you have .
>
>         If you allow a packet out from to
>         you should allow packets from
>         to
>         back in. Or to put it another way if you don't let
>         to in
>         then you don't let to remote-port> out.
>
>         If you have "ipfw add allow all from any to any out" then
>         you should have "ipfw add allow all from any to any in".
>

Or use a rule like 'allow all from any to any out [setup|keep-state]
to keep the channel open. (with setup, you'll need an 'allow from
any to any in established' rule and with keep-state you'll need
to check-state).

>         The firewall was not configured like that.
>         It restricted
>         in bound traffic so it should similarly restrict out bound
>         traffic.
>
>         You should also allow back in any ICMP traffic that may be
>         generated as a result of allowing those UDP and TCP packets
>         out. Similarly you should allow out any ICMP traffic
>         generated as a result of letting TCP and UDP packets in.
>         This is essential for correct operation of IP, UDP and TCP.
>
>         Mark
>
> > The source and destination ports never have the same port numbers
> > anyway.
> >
> > Arvinn
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Sat Jul 20 01:51:38 2002
Message-Id: <200207200851.g6K8pCJe016634@drugs.dv.isc.org>
To: peter.lai@uconn.edu
Cc: Arvinn Løkkebakken, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: ipfw and it's glory...
In-reply-to: Your message of "Sat, 20 Jul 2002 00:16:30 -0400." <20020720001630.A56591@cowbert.2y.net>
Date: Sat, 20 Jul 2002 18:51:12 +1000

> On Sat, Jul 20, 2002 at 09:54:28AM +1000, Mark.Andrews@isc.org wrote:
> >
> > > >> # Allow "local" traffic
> > > >> ipfw add allow all from any to any via lo0
> > > >>
> > > >> # Allow all outgoing traffic
> > > >> ipfw add allow all from any to any out
> > > >
> > > > This is a bad idea. You should only allow out what you
> > > > will accept back in. If you don't you will eventually be
> > > > guilty of pounding some poor server because you haven't
> > > > allowed the answers to come back.
> > >
> > > I can't see why that's a bad idea.
> > > ipfw does allow tcp ACK back through the firewall doesn't it?
> >
> >         Not by default. The example this came from didn't allow
> >         the ACK's back in all cases.
> >
> > > What do you mean only allow out what will accept in?
> >
> >         Communication is a two way street. For TCP and UDP
> >         you have .
> >
> >         If you allow a packet out from to
> >         you should allow packets from
> >         to
> >         back in. Or to put it another way if you don't let
> >         to in
> >         then you don't let to remote-port> out.
> >
> >         If you have "ipfw add allow all from any to any out" then
> >         you should have "ipfw add allow all from any to any in".
> >
>
> Or use a rule like 'allow all from any to any out [setup|keep-state]
> to keep the channel open. (with setup, you'll need an 'allow from
> any to any in established' rule and with keep-state you'll need
> to check-state).

        Sure there are plenty of ways to solve the problem, keep-state
        amongst them. The point still is that you should not allow out
        what you will not allow back in.
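An added example, not part of this thread: a toy model of the ipfw matching semantics under discussion (in/out, setup, established, source/destination ports, keep-state with check-state), run over a constructed TCP handshake and DNS exchange. It shows the criticised ruleset dropping the replies, the stateless symmetric form admitting them (and any stray ACK segment), and the keep-state form admitting only replies to flows the host opened. The addresses, ports and the rule-list names WEAK, SYMMETRIC and STATEFUL are constructed for the example; real ipfw behaviour is richer than this model.

```python
"""Toy model of ipfw rule matching (an added example, not ipfw itself): enough
of in/out, setup, established, port matching and keep-state/check-state to show
why "allow all out" with a restricted "in" breaks the return path, what the
symmetric stateless fix looks like, and what keep-state adds. TCP/UDP only."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out", relative to the firewall host
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass
class Rule:
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "all"
    direction: Optional[str] = None  # None matches both directions
    sport: Optional[int] = None      # None = any source port
    dport: Optional[int] = None      # None = any destination port
    setup: bool = False              # TCP with SYN set and ACK clear (new connection)
    established: bool = False        # TCP with ACK or RST set
    keep_state: bool = False         # record the flow when this rule matches

    def matches(self, p: Packet) -> bool:
        tcp = p.proto == "tcp"
        return all((
            self.proto in ("all", p.proto),
            self.direction in (None, p.direction),
            self.sport in (None, p.sport),
            self.dport in (None, p.dport),
            not self.setup or (tcp and "SYN" in p.flags and "ACK" not in p.flags),
            not self.established or (tcp and bool(p.flags & {"ACK", "RST"})),
        ))

class Firewall:
    """First matching rule wins, as in ipfw; an implicit deny closes the list."""
    def __init__(self, rules: List[Rule]):
        self.rules, self.state = rules, set()   # state: dynamic entries, 5-tuples

    def filter(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        for rule in self.rules:
            if rule.action == "check-state":
                if forward in self.state or reverse in self.state:  # either direction
                    return "allow"
                continue
            if rule.matches(p):
                if rule.keep_state:
                    self.state.add(forward)
                return rule.action
        return "deny"

# Constructed sample traffic from the firewall host (documentation addresses).
ME, WEB, NS = "10.0.0.1", "192.0.2.10", "192.0.2.53"
TCP_FLOW = [Packet("out", "tcp", ME, 40001, WEB, 80, frozenset({"SYN"})),
            Packet("in", "tcp", WEB, 80, ME, 40001, frozenset({"SYN", "ACK"})),
            Packet("out", "tcp", ME, 40001, WEB, 80, frozenset({"ACK"}))]
DNS_FLOW = [Packet("out", "udp", ME, 40002, NS, 53),
            Packet("in", "udp", NS, 53, ME, 40002)]
# An unsolicited inbound segment with ACK set: no flow here was opened for it.
STRAY_ACK = Packet("in", "tcp", WEB, 80, ME, 40003, frozenset({"ACK"}))

# The ruleset criticised in the thread: everything out, only ssh in.
WEAK = [Rule("allow", direction="out"),
        Rule("allow", "tcp", "in", dport=22),
        Rule("deny")]
# Mark Andrews' principle applied statelessly: whatever goes out, its replies
# are let back in (TCP replies carry ACK; DNS replies come from source port 53,
# as Arvinn noted). Anything merely setting ACK or claiming source port 53
# also gets through, which is the weakness of this form.
SYMMETRIC = [Rule("allow", "tcp", "out"),
             Rule("allow", "tcp", "in", established=True),
             Rule("allow", "tcp", "in", dport=22),
             Rule("allow", "udp", "out", dport=53),
             Rule("allow", "udp", "in", sport=53),
             Rule("deny")]
# Peter Lai's variant: keep-state on the outbound rules, check-state first, so
# only replies to flows this host actually opened are admitted.
STATEFUL = [Rule("check-state"),
            Rule("allow", "tcp", "out", setup=True, keep_state=True),
            Rule("allow", "udp", "out", keep_state=True),
            Rule("allow", "tcp", "in", dport=22),
            Rule("deny")]

def verdicts(rules: List[Rule]) -> dict:
    """Run the sample flows through a fresh firewall built from `rules`."""
    fw = Firewall(rules)
    return {"tcp": [fw.filter(p) for p in TCP_FLOW],
            "dns": [fw.filter(p) for p in DNS_FLOW],
            "stray_ack": fw.filter(STRAY_ACK)}
```

`verdicts(WEAK)` denies the SYN-ACK and the DNS answer, which is the "pounding some poor server" case; `verdicts(STATEFUL)` admits both while still denying the stray ACK that `SYMMETRIC` lets in.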
        Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Sat Jul 20 07:07:05 2002
From: "Mark D"
Subject: RE: ipfw and it's glory... (thanks...)
Date: Sat, 20 Jul 2002 10:07:10 -0400
Message-ID: <001201c22ff6$bd99aaa0$fb00000a@promethium>
In-Reply-To: <20020717070349.GA38299@heresy.dreamflow.nl>

I just wanted to extend my appreciation for all those who responded, I've
read through all of them and feel there is some extra knowledge stuffed in
my head.
Thanks again,

Mark D

From owner-freebsd-security Sat Jul 20 10:53:12 2002
Date: Sat, 20 Jul 2002 12:27:01 -0400
From: "Financial Freedom"
Subject: Double Your Salary!
Reply-To: mailings@customoffers.com
To: SECURITY@FREEBSD.ORG
Message-Id: <20020720175307.C8E7E43E99@mx1.FreeBSD.org>

Did you know that the average home-based business owner makes TWO TIMES as
much money as the average hard-working American?

http://web1.customoffers.com/click.asp?lnk=6264&email=SECURITY@FREEBSD.ORG

It's something to think about. A 100% raise. Just from working at home - and
being totally average at it!
Are you ready to:

* Be Your Own Boss
* Create Financial Security with the Time to Enjoy it
* Take Control of your Future

If so, we can help! Click here for FREE information on how you can earn
$500-$5000 next month from home!

http://web1.customoffers.com/click.asp?lnk=6264&email=SECURITY@FREEBSD.ORG

________________________________________________________________________
Your privacy is extremely important to us. You requested to receive this
mailing, by registering at CustomOffers.com or by subscribing through one of
our marketing partners. As a leader in email marketing, we are committed to
delivering a highly rewarding experience, with offers that include bargains,
entertainment, and money-making ideas. However, if you wish to unsubscribe,
please copy and paste the following link into your web browser:
http://web1.customoffers.com/unsubscribe.asp?emid=3493&email=SECURITY@FREEBSD.ORG
Third-party offers contained in this email are the sole responsibility of
the offer originator.
________________________________________________________________________
From owner-freebsd-security Sat Jul 20 17:20:37 2002
Message-ID: <008501c2304c$59fbd800$a4102c0a@viper>
From: "chris scott"
Subject: roaming ipsec policies and racoon
Date: Sun, 21 Jul 2002 01:16:18 +0100
Hi,

I am currently playing with IPSEC and racoon to provide secure services for
my users. They all use either freebsd or windows 2k/XP clients. They
unfortunately all have dynamic ips 8(. I have successfully configured the
ipsec policies and have got round the dynamic IP problem with the freebsd
clients by using racoon's peer and my identifier features to initiate the
shared key communication. This all works fine. However I don't know how to
do the same thing with windows 2000/XP. I can setup the ipsec policies on
the clients easily enough, as I can the preshared key. I have no idea how to
set the identifiers though. Without this racoon doesn't match a key on the
psk.txt file as it uses the host's ip rather than whatever@this.com and
hence fails the key exchange. Has anyone got any clues to point me in the
correct direction?
sample of the server's racoon conf

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn "random@wirdo.com";
        peers_identifier user_fqdn "grebbit@wolly.com";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

corresponding psk entry

grebbit@wolly.com myrandomkey

sample of the freebsd client's racoon config

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn grebbit@wolly.com;
        peers_identifier user_fqdn "random@wirdo.com";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

regards

Chris Scott

IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the
intended recipient only. Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence. Please delete if obtained in error and email confirmation to the
sender.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jul 20 17:30:15 2002
Message-ID: <009301c2304d$bf21e5c0$a4102c0a@viper>
From: "chris scott" <chris.scott@uk.tiscali.com>
Subject: roaming ipsec policies and racoon
Date: Sun, 21 Jul 2002 01:29:59 +0100

Hi,

I am currently playing with IPSEC and racoon to provide secure services for my users. They all use either FreeBSD or Windows 2k/XP clients. They unfortunately all have dynamic IPs 8(. I have successfully configured the ipsec policies and have got round the dynamic IP problem with the FreeBSD clients by using racoon's peer and my identifier features to initiate the shared key communication. This all works fine. However, I don't know how to do the same thing with Windows 2000/XP. I can set up the ipsec policies on the clients easily enough, as I can the preshared key. I have no idea how to set the identifiers though. Without this racoon doesn't match a key in the psk.txt file, as it uses the host's IP rather than whatever@this.com, and hence fails the key exchange. Has anyone got any clues to point me in the correct direction?

sample of the server's racoon conf

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn "random@wirdo.com";
        peers_identifier user_fqdn "grebbit@wolly.com";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

corresponding psk entry
grebbit@wolly.com myrandomkey


sample of the FreeBSD client's racoon config

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn grebbit@wolly.com;
        peers_identifier user_fqdn "random@wirdo.com";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

regards

Chris Scott

IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the
intended recipient only.  Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence.  Please delete if obtained in error and email confirmation to the
sender.
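The failure described in the posting above comes down to how racoon picks a key out of psk.txt: it looks the entry up by the identifier the peer presents in its IKE phase 1 ID payload, so a client that identifies itself by its (dynamic) IP address never matches an entry keyed by a user_fqdn string. The following is an added example, not racoon's own code and not part of the original post; it models the documented psk.txt format ("identifier key" per line, '#' comments, keys as text or 0x-hex) and the lookup, with a constructed psk.txt that reuses the grebbit@wolly.com entry from the post plus an invented fixed-address client (203.0.113.7) for comparison. The function names, the sample addresses and the "secretkey" value are all assumptions made for the illustration.

```python
"""Added example (not racoon's own code): a small model of how racoon
resolves a pre-shared key from psk.txt using the identifier the peer
presents in its IKE phase 1 ID payload."""

import ipaddress

# Constructed psk.txt in racoon's documented format: "<identifier> <key>"
# per line, '#' starts a comment, a key is plain text or 0x-prefixed hex.
# grebbit@wolly.com/myrandomkey is the entry from the posting above;
# 203.0.113.7 is a constructed, fixed-address client for comparison.
PSK_TXT = """\
# identifier            key
grebbit@wolly.com       myrandomkey
203.0.113.7             0x7365637265746b6579   # "secretkey" in hex
"""


def parse_psk(text):
    """Parse psk.txt text into {identifier: key_bytes}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # no key on this line; nothing usable to load
        ident, key = fields[0], fields[1].strip()
        if key.startswith("0x"):
            table[ident] = bytes.fromhex(key[2:])
        else:
            table[ident] = key.encode()
    return table


def peer_identifier(id_type, value):
    """Return the lookup string for the identifier a peer sends.

    A FreeBSD client configured with my_identifier user_fqdn sends that
    literal string.  Windows 2000/XP with a pre-shared key identifies
    itself by its own IP address (ID_IPV4_ADDR), so the lookup string is
    the address, which for a dynamic-IP client changes from session to
    session.
    """
    if id_type == "address":
        return str(ipaddress.ip_address(value))  # canonical textual form
    if id_type in ("user_fqdn", "fqdn"):
        return value
    raise ValueError("unsupported identifier type: %r" % id_type)


def lookup_psk(text, id_type, value):
    """Key bytes for the presented identifier, or None (phase 1 fails)."""
    return parse_psk(text).get(peer_identifier(id_type, value))


if __name__ == "__main__":
    # FreeBSD client: matches by user_fqdn from whatever address it uses.
    print(lookup_psk(PSK_TXT, "user_fqdn", "grebbit@wolly.com"))
    # Windows client at its known address: matches by address.
    print(lookup_psk(PSK_TXT, "address", "203.0.113.7"))
    # Same Windows client after its dynamic address changes: no entry.
    print(lookup_psk(PSK_TXT, "address", "198.51.100.42"))
```

The last lookup is the case from the post: an address-keyed entry only helps a client whose address never changes, and a per-session address cannot be pre-populated in psk.txt, which is why the identifier has to be something stable such as a user_fqdn or a certificate identity.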
From owner-freebsd-security Sat Jul 20 17:35:21 2002
Message-ID: <00a401c2304e$7762c820$a4102c0a@viper>
From: "chris scott" <chris.scott@uk.tiscali.com>
References: <008501c2304c$59fbd800$a4102c0a@viper> <1048.68.49.119.89.1027211092.squirrel@webmail.xinu.com>
Subject: Re: roaming ipsec policies and racoon
Date: Sun, 21 Jul 2002 01:35:08 +0100

yes it does I believe. I have not looked into this yet though; does this mean I have to have a proper one from an authority that will cost me an arm and a leg?

----- Original Message -----
From: "James Bristle"
Sent: Sunday, July 21, 2002 1:24 AM
Subject: Re: roaming ipsec policies and racoon

> does windows support certs ?
>
> > Hi,
> >
> > I am currently playing with IPSEC and racoon to provide secure
> > services for my users. They all use either FreeBSD or Windows 2k/XP
> > clients. They unfortunately all have dynamic IPs 8(. I have
> > successfully configured the ipsec policies and have got round the
> > dynamic IP problem with the FreeBSD clients by using racoon's peer and
> > my identifier features to initiate the shared key communication. This
> > all works fine. However, I don't know how to do the same thing with
> > Windows 2000/XP. I can set up the ipsec policies on the clients easily
> > enough, as I can the preshared key. I have no idea how to set the
> > identifiers though. Without this racoon doesn't match a key in the
> > psk.txt file, as it uses the host's IP rather than whatever@this.com, and
> > hence fails the key exchange. Has anyone got any clues to point me in
> > the correct direction?
> >
> > sample of the server's racoon conf
> >
> > remote anonymous
> > {
> >         #exchange_mode main,aggressive;
> >         exchange_mode aggressive,main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >
> >         #my_identifier address;
> >         my_identifier user_fqdn "random@wirdo.com";
> >         peers_identifier user_fqdn "grebbit@wolly.com";
> >         #certificate_type x509 "mycert" "mypriv";
> >
> >         nonce_size 16;
> >         lifetime time 1 hour;   # sec,min,hour
> >         initial_contact on;
> >         support_mip6 on;
> >         proposal_check obey;    # obey, strict or claim
> >
> >         proposal {
> >                 encryption_algorithm 3des;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key ;
> >                 dh_group 2 ;
> >         }
> > }
> >
> > corresponding psk entry
> > grebbit@wolly.com myrandomkey
> >
> >
> > sample of the FreeBSD client's racoon config
> >
> > remote anonymous
> > {
> >         #exchange_mode main,aggressive;
> >         exchange_mode aggressive,main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >
> >         #my_identifier address;
> >         my_identifier user_fqdn grebbit@wolly.com;
> >         peers_identifier user_fqdn "random@wirdo.com";
> >         #certificate_type x509 "mycert" "mypriv";
> >
> >         nonce_size 16;
> >         lifetime time 1 hour;   # sec,min,hour
> >         initial_contact on;
> >         support_mip6 on;
> >         proposal_check obey;    # obey, strict or claim
> >
> >         proposal {
> >                 encryption_algorithm 3des;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key ;
> >                 dh_group 2 ;
> >         }
> > }
> >
> > regards
> >
> > Chris Scott
> >
> > IMPORTANT NOTICE:
> > This email may be confidential, may be legally privileged, and is for
> > the intended recipient only. Access, disclosure, copying,
> > distribution, or reliance on any of it by anyone else is prohibited and
> > may be a criminal offence. Please delete if obtained in error and
> > email confirmation to the sender.