From owner-freebsd-security Sun Jan 6 9:27:51 2002
Date: Sun, 6 Jan 2002 12:27:46 -0500 (EST)
From: Tal Ben-Eliezer
To: security@freebsd.org
Subject: Help with DES > MD5
In-Reply-To: <200201060228.g062SmL41195@tick.sc.omation.com>
Message-ID: <20020106122408.K4293-100000@http.descrypt.com>

Hey guys, if my question was answered already, sorry, I couldn't keep up with the 50 new emails from this list every day :).

In my login.conf I have defined that the default password hashes should be of MD5 structure, though when I check my /etc/master.passwd, it seems as though ALL users still use DES. I have applied changes to my login.conf using that command (which doesn't come to mind right now), and I have also attempted rebooting. I'm very stumped as to what I should do to convert my DES hashes to MD5, or just plain start using MD5 hashes for future users. I searched for help on EFNet; unfortunately no one had an answer.

Thanks for your time everyone!

Tal Ben-Eliezer
Descrypt Communications
www.descrypt.com <--- coincidence? :)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Sun Jan 6 9:55:23 2002
Date: Mon, 7 Jan 2002 04:53:51 +1100
From: "Tim J. Robbins"
To: security@FreeBSD.ORG
Subject: Re: Help with DES > MD5
Message-ID: <20020107045351.A52056@raven.robbins.dropbear.id.au>
References: <200201060228.g062SmL41195@tick.sc.omation.com> <20020106122408.K4293-100000@http.descrypt.com>
In-Reply-To: <20020106122408.K4293-100000@http.descrypt.com>; from beneliet@http.descrypt.com on Sun, Jan 06, 2002 at 12:27:46PM -0500

Adding the :passwd_format=md5: capability to /etc/login.conf in the right class works as it should (I just checked then). Next time a user changes their password, it is converted to the new encryption format.

Since you're using DES (not the default), it should be as simple as replacing :passwd_format=des: with :passwd_format=md5:.

Check that you've changed the passwd_format capability for the class the users are in.
Tim

From owner-freebsd-security Sun Jan 6 10:27:23 2002
Date: Sun, 6 Jan 2002 10:27:06 -0800 (PST)
Message-Id: <200201061827.g06IR6u92263@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:04.mutt [REVISED]
Reply-To: security-advisories@freebsd.org

=============================================================================
FreeBSD-SA-02:04                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          mutt ports contain remotely exploitable buffer overflow [REVISED]

Category:       ports
Module:         mutt
Announced:      2002-01-04
Revised:        2002-01-06
Credits:        Joost Pol
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-02 13:52:03 UTC (ports/mail/mutt: 1.2.x)
                2002-01-02 03:39:01 UTC (ports/mail/mutt-devel: 1.3.x)
FreeBSD only:   NO

0.   Revision History

v1.0  2002-01-04  Initial release
v1.1  2002-01-06  Corrected typo in mutt port version.

I.   Background

Mutt is a small but very powerful text-based mail client for Unix operating systems.

II.
Problem Description

The mutt ports, versions prior to mutt-1.2.5_1 and mutt-devel-1.3.24_2, contain a buffer overflow in the handling of email addresses in headers.

The mutt and mutt-devel ports are not installed by default, nor are they "part of FreeBSD" as such: they are parts of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

An attacker may send an email message with a specially crafted email address in any of several message headers to the victim. When the victim reads the message using mutt and encounters that email address, the buffer overflow is triggered and may result in arbitrary code being executed with the privileges of the victim.

IV.  Workaround

1) Deinstall the mutt and mutt-devel ports/packages if you have them installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the ports.

2) Deinstall the old packages and install new packages dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mutt-devel-1.3.24_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-devel-1.3.24_2.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the mutt or mutt-devel port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file that was corrected in the FreeBSD source.

Path                                               Revision
- -------------------------------------------------------------------------
ports/mail/mutt/Makefile                           1.110
ports/mail/mutt/files/patch-rfc822.c               1.1
ports/mail/mutt-devel/Makefile                     1.141
ports/mail/mutt-devel/files/patch-rfc822-security  1.1
- -------------------------------------------------------------------------

VII. References
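The advisory names the corrected package versions but leaves the "am I affected?" check to the reader. The script below is an added example, not part of the advisory or of FreeBSD's tools: it compares a FreeBSD-style package name (NAME-VERSION[_PORTREVISION]) against the corrected versions mutt-1.2.5_1 and mutt-devel-1.3.24_2. It assumes purely numeric dotted version components, and the `pkg_info` output format mentioned in the comments is an assumption, so the demo uses a constructed package list.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-02:04: report whether installed mutt
# packages predate the corrected versions named in the advisory.
# FreeBSD package names look like NAME-VERSION[_PORTREVISION], e.g.
# mutt-devel-1.3.24_2. Assumes purely numeric dotted version components.

# vercmp A B -> prints -1, 0 or 1. Dotted components are compared numerically
# left to right, then the _N PORTREVISION (a missing revision counts as 0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, ap, "_"); nb = split(b, bp, "_")
        ar = (na > 1) ? ap[2] + 0 : 0
        br = (nb > 1) ? bp[2] + 0 : 0
        n1 = split(ap[1], x, "."); n2 = split(bp[1], y, ".")
        n = (n1 > n2) ? n1 : n2
        for (i = 1; i <= n; i++) {
            xi = (i <= n1) ? x[i] + 0 : 0
            yi = (i <= n2) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        if (ar < br) print "-1"; else if (ar > br) print "1"; else print "0"
    }'
}

# fixed_version NAME -> first corrected version from the advisory, or nothing
# for packages the advisory does not cover.
fixed_version() {
    case "$1" in
        mutt)       echo 1.2.5_1 ;;
        mutt-devel) echo 1.3.24_2 ;;
    esac
}

# mutt_status PKG -> prints vulnerable, fixed or unrelated for an installed
# package name such as mutt-1.2.5 or mutt-devel-1.3.24_2.
mutt_status() {
    pkg=$1
    name=${pkg%-*}          # everything before the last "-" is the port name
    ver=${pkg##*-}          # everything after it is VERSION[_PORTREVISION]
    fixed=$(fixed_version "$name")
    if [ -z "$fixed" ]; then
        echo unrelated
    elif [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# audit_packages -> one "PKG STATUS" line per package name read from stdin.
# On a FreeBSD 4.x box you would feed it `pkg_info | cut -d' ' -f1`
# (assumed: the package name is the first field of each pkg_info line).
audit_packages() {
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        echo "$pkg $(mutt_status "$pkg")"
    done
}

# Demo on a constructed package list instead of real pkg_info output.
printf '%s\n' mutt-1.2.5 mutt-1.2.5_1 mutt-devel-1.3.24_1 mutt-devel-1.3.24_2 vim-6.0 \
    | audit_packages
```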
From owner-freebsd-security Sun Jan 6 14:46:46 2002
Date: Sun, 6 Jan 2002 17:42:56 -0500
From: "David Kutcher"
Subject: Unable to configure with ssh-chrootmgr

I'm trying to restrict users who log in through SSH to their /home/username directory only. I have SSH Version OpenSSH_2.3.0 installed on my machine.

Using the command:

root# ssh-chrootmgr username1

I get the error:

/usr/local/bin/ssh-chrootmgr: 103: Syntax error: Bad fd number

I've checked groups.google.com, no help. Nothing on ssh.com's pages either except for the instructions on how to install and use it at http://www.ssh.com/products/ssh/administrator30/Using_Chroot_Manager__ssh-chrootmgr_.html

Any help would be appreciated!

-David
From owner-freebsd-security Sun Jan 6 15:15:15 2002
Date: Sun, 06 Jan 2002 17:15:04 -0600
From: Christopher Schulte
To: "David Kutcher"
Cc: questions@freebsd.org
Subject: Re: Unable to configure with ssh-chrootmgr
Message-Id: <5.1.0.14.0.20020106170130.02eb9898@pop3s.schulte.org>

Please follow up to -questions, this is off topic for -security.

Are you sure you're running the OpenSSH ssh daemon on your system? ssh-chrootmgr is typically part of the ssh.com product, not OpenSSH. To find out, type this command on your system

# telnet 127.0.0.1 22

At that point you'll be greeted by a version banner, which will identify your system as either OpenSSH or ssh.com. Mine says (OpenSSH) for example

SSH-2.0-OpenSSH_2.3.0 FreeBSD localisations 20011202

A quick groups.google.com search brings up recent discussions on chrooting ssh logins, both with ssh.com and OpenSSH products. I suggest you look there in greater detail.

At 05:42 PM 1/6/2002 -0500, David Kutcher wrote:
>I'm trying to restrict users who log in through SSH to their
>/home/username directory only.
>I have SSH Version OpenSSH_2.3.0 installed
>on my machine.
>
>Using the command:
>
>root# ssh-chrootmgr username1
>
>I get the error:
>
>/usr/local/bin/ssh-chrootmgr: 103: Syntax error: Bad fd number
>
>I've checked groups.google.com, no help. Nothing on ssh.com's pages
>either except for the instructions on how to install and use it at
>http://www.ssh.com/products/ssh/administrator30/Using_Chroot_Manager__ssh-chrootmgr_.html
>
>Any help would be appreciated!
>
>-David

--chris

From owner-freebsd-security Sun Jan 6 19:34:11 2002
Date: Sun, 6 Jan 2002 22:34:06 -0500
From: Bill Vermillion
To: security@FreeBSD.ORG
Subject: Re: Help with DES > MD5
Message-ID: <20020107033405.GA2105@wjv.com>
Reply-To: bv@wjv.com
Organization: W.J.Vermillion / Orlando - Winter Park

On Sun, Jan 06, 2002 at 02:46:51PM -0800, security-digest thus spoke:

Tal Ben-Eliezer said this:

> if my question was answered already, sorry, I couldn't keep
> up with the 50 new emails from this list every day :). In my
> login.conf I have defined that the default password hashes should
> be of MD5 structure, though when I check my /etc/master.passwd, it
> seems as though ALL users still use DES. I have applied changes to
> my login.conf using that command (which doesn't come to mind right
> now), and I have also attempted rebooting. I'm very stumped as to
> what I should do to convert my DES hashes to MD5, or just plain
> start using MD5 hashes for future users. I searched for help on
> EFNet; unfortunately no one had an answer. Thanks for your time
> everyone!

If you will look at the top lines in login.conf it notes that you should run cap_mkdb /etc/login.conf to rebuild the login database.

But in the next message Tim J. Robbins said this:

> Adding the :passwd_format=md5: capability to /etc/login.conf in the
> right class works as it should (I just checked then). Next time a user
> changes their password, it is converted to the new encryption format.
>
> Since you're using DES (not the default), it should be as simple as
> replacing :passwd_format=des: with :passwd_format=md5:.
>
> Check that you've changed the passwd_format capability for the class
> the users are in.

I changed the login.conf and found no difference and then looked at login.conf and saw the line about the cap_mkdb. I had gotten so used to just scanning down the lines in so many text configuration files that I just whizzed right over the instructions :-) In this case familiarity breeds failure.

Bill
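The procedure in this thread (set passwd_format=md5 in the right login class, rebuild the database with cap_mkdb, then wait for each user to change their password) leaves every existing DES hash in place until that password change, so the admin still needs to know who is left. The script below is an added example, not from the thread: it classifies the hash field of each entry in a master.passwd-style file and lists the accounts still on DES with their login class. The function names are mine, and the sample file and its hashes are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a master.passwd(5)-style file for
# accounts that still carry DES hashes after passwd_format was switched to md5.
# FreeBSD marks MD5 hashes with a "$1$" prefix; a traditional DES hash is
# exactly 13 characters from the alphabet [A-Za-z0-9./] with no prefix.

# hash_format HASH -> prints one of: empty, locked, md5, des, unknown
hash_format() {
    h=$1
    case "$h" in
        '')        echo empty ;;            # no password set at all
        '*'*|'!'*) echo locked ;;           # can never match crypt(3) output
        '$1$'*)    echo md5 ;;
        *)
            # delete every legal DES character; only a 13-character string
            # made purely of that alphabet survives as DES
            if [ "${#h}" -eq 13 ] && [ -z "$(printf '%s' "$h" | tr -d 'A-Za-z0-9./')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# audit_des FILE -> prints "user:class" for each account whose hash is DES.
# These users keep DES until they next run passwd(1). "default" is printed
# when the login class field is empty. master.passwd field order is
# name:hash:uid:gid:class:change:expire:gecos:home:shell
audit_des() {
    while IFS=: read -r name hash uid gid class rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$(hash_format "$hash")" = des ] && echo "$name:${class:-default}"
    done < "$1"
    return 0
}

# Constructed sample in master.passwd layout; the hashes are made up and
# correspond to no real password.
sample_passwd() {
    cat <<'EOF'
root:$1$Zt4kGq9x$Lx0Y1Q6rEq9UpT5p4o9Qd1:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:AbCdEfGhIjKlM:1001:1001:users:0:0:Alice:/home/alice:/bin/sh
bob:$1$Fj5cA8Xo$Yw3q2u4Tz8Lx1Ne7R0bSk/:1002:1002:users:0:0:Bob:/home/bob:/bin/sh
carol:Zy9XwV8uT7sRq:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
}

# Demo on the sample; as root, point audit_des at /etc/master.passwd instead.
tmp=$(mktemp) && sample_passwd > "$tmp"
audit_des "$tmp"            # prints alice:users and carol:default
rm -f "$tmp"
```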
From owner-freebsd-security Mon Jan 7 6:58:23 2002
Date: Mon, 7 Jan 2002 12:09:26 +0300
From: Yury XTC Voloshin
Reply-To: Yury XTC Voloshin
Organization: WDA Norilsk.NET
Message-ID: <91130701687.20020107120926@norilsk.net>
To: security@FreeBSD.ORG
Subject: IPFW : traffic count

Hello ALL!

PRE:
My English is not very good; I'll be grateful for an answer in Russian.
(The same sentence in Russian, translated: My English is not very good; I would be grateful for an answer in Russian.)

--= english =--

Given:
FreeBSD 4.5-PRE with a kernel compiled with the IPFIREWALL options (as said in the man page)

Wanted: reports on incoming and outgoing traffic.

Question 1:
How can I count in/out traffic (all/per user/per site/other)?
Suggest a _free_ program which can do the counting. Ideally it would be possible to get _html_ reports.

Question 2:
I found ports/net/trafcount but there are no man pages with this port?
Where can I read how to use trafcount?

Thanx all.

--= russian =-- (translated)

There is a FreeBSD 4.5-PRE with a kernel compiled with IPFIREWALL, as described in the man page.

I would like a tool for producing traffic reports, ideally covering all traffic, "per user" and "per site". HTML output would be nice.

Question 1:
How can this be done? Is there free software that can do it?

Question 2:
The ports tree has ports/net/trafcount, but it has no man page. Where can I read about this port, preferably in detail (a "for dummies" version is fine :)?

I would be grateful for any advice.

--
Best regards,
Yury Voloshin yury_xtc@mail.ru
Info-portal of Norilsk town http://Norilsk.NET

From owner-freebsd-security Mon Jan 7 7: 4:17 2002
Date: Mon, 7 Jan 2002 17:04:03 +0200
From: Vladimir Terziev
To: Yury XTC Voloshin
Cc: security@FreeBSD.ORG
Subject: Re: IPFW : traffic count
Message-Id: <20020107170403.3c245a29.vladimirt@rila.bg>
In-Reply-To: <91130701687.20020107120926@norilsk.net>
References: <91130701687.20020107120926@norilsk.net>

Use /usr/ports/sysutils/ipa

Vladimir

On Mon, 7 Jan 2002 12:09:26 +0300 Yury XTC Voloshin wrote:

> Hello ALL!
>
> PRE:
> My English is not very good; I'll be grateful for an answer in Russian.
> (The same sentence in Russian, translated: My English is not very good; I would be grateful for an answer in Russian.)
>
> --= english =--
>
> Given:
> FreeBSD 4.5-PRE with a kernel compiled with the IPFIREWALL options (as said in the man page)
>
> Wanted: reports on incoming and outgoing traffic.
>
> Question 1:
> How can I count in/out traffic (all/per user/per site/other)?
> Suggest a _free_ program which can do the counting.
> Ideally it would be possible to get _html_ reports.
>
> Question 2:
> I found ports/net/trafcount but there are no man pages with this port?
> Where can I read how to use trafcount?
>
> Thanx all.
>
> --= russian =-- (translated)
>
> There is a FreeBSD 4.5-PRE with a kernel compiled with IPFIREWALL, as
> described in the man page.
>
> I would like a tool for producing traffic reports, ideally covering all
> traffic, "per user" and "per site". HTML output would be nice.
>
> Question 1:
> How can this be done? Is there free software that can do it?
>
> Question 2:
> The ports tree has ports/net/trafcount, but it has no man page. Where can I
> read about this port, preferably in detail (a "for dummies" version is fine :)?
>
> I would be grateful for any advice.
>
> --
> Best regards,
> Yury Voloshin yury_xtc@mail.ru
> Info-portal of Norilsk town http://Norilsk.NET

From owner-freebsd-security Mon Jan 7 7:19:54 2002
Date: Mon, 7 Jan 2002 09:19:48 -0600
From: D J Hawkey Jr
To: security at FreeBSD
Subject: GCC stack-smashing extension
Message-ID: <20020107091948.A4096@sheol.localdomain>
Reply-To: hawkeyd@visi.com

Hey, all,

I recently stumbled across the web page for the GCC stack-smashing extension (http://www.trl.ibm.com/projects/security/ssp/):

- Anyone have any experience with it, good, bad, or otherwise?
- Any reason why I wouldn't want this?
- Any plans to merge it into the FreeBSD-distributed GCC?

Thanks,
Dave

--
D. J. Hawkey Jr.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Mon Jan 7 8: 4:59 2002
Date: Mon, 7 Jan 2002 11:06:54 -0500
From: "Jeff Palmer"
Subject: Re: GCC stack-smashing extension
Message-ID: <001401c19795$535dc4e0$0286a8c0@jeff>
References: <20020107091948.A4096@sheol.localdomain>

While I have never personally used this patch, my advice would be:

Don't depend on a compiler based security implementation in your code. Code with security in mind from the ground up.

What happens if you get used to your compiler adding in all the checks and balances, and then for some reason you are forced to use a standard compiler for something?

Don't let a compiler allow you to lower your standards. Don't let it make you lazy. And most of all, don't let it teach you bad habits (Microsoft's MFC for VC++ comes to mind here on the bad habits example)

Just my two cents.. I'd rather stick with a default GCC, and use better/smarter coding practices on my machines :-)

----- Original Message -----
From: "D J Hawkey Jr"
To: "security at FreeBSD"
Sent: Monday, January 07, 2002 10:19 AM
Subject: GCC stack-smashing extension

> Hey, all,
>
> I recently stumbled across the web page for the GCC stack-smashing
> extension (http://www.trl.ibm.com/projects/security/ssp/):
>
> - Anyone have any experience with it, good, bad, or otherwise?
> - Any reason why I wouldn't want this?
> - Any plans to merge it into the FreeBSD-distributed GCC?
>
> Thanks,
> Dave
>
> --
> D. J. Hawkey Jr.
> hawkeyd@visi.com
> http://www.visi.com/~hawkeyd/

From owner-freebsd-security Mon Jan 7 8: 9:18 2002
Date: Mon, 7 Jan 2002 18:08:33 +0200
From: Vladimir Terziev
To: Martijn Lina
Cc: Yury XTC Voloshin, security@FreeBSD.ORG
Subject: Re: IPFW : traffic count
Message-Id: <20020107180833.2be37f39.vladimirt@rila.bg>
In-Reply-To: <20020107153801.GC27706@medialab.lostboys.nl>
References: <91130701687.20020107120926@norilsk.net> <20020107170403.3c245a29.vladimirt@rila.bg> <20020107153801.GC27706@medialab.lostboys.nl>
I think the problem is in ipf, because I use it with ipfw on 4.4-STABLE and it works fine. Use ipfw instead of ipf, if you can!

Vladimir

On Mon, 7 Jan 2002 16:38:01 +0100 Martijn Lina wrote:

> Once upon a 07-01-2002, Vladimir Terziev hit keys in the following order:
> > Use /usr/ports/sysutils/ipa
>
> This port doesn't work with 4.5-PRE in combination with ipf, at least, that's
> my conclusion... on their website they don't mention support above 4.4-RELEASE
> and I couldn't get it to work with a 4.4-STABLE machine from November. This is
> probably because of changes to ipf.
>
> You could try /usr/ports/net/trafd in combination with /usr/ports/net/tas, or
> you could try and see if ipa works in combination with ipfw.
>
> martijn

From owner-freebsd-security Mon Jan 7 8: 9:46 2002
Date: Tue, 8 Jan 2002 03:09:52 +1100
From: "Tim J. Robbins"
To: freebsd-security@FreeBSD.ORG
Subject: Re: GCC stack-smashing extension
Message-ID: <20020108030952.A91323@raven.robbins.dropbear.id.au>
References: <20020107091948.A4096@sheol.localdomain>
In-Reply-To: <20020107091948.A4096@sheol.localdomain>; from hawkeyd@visi.com on Mon, Jan 07, 2002 at 09:19:48AM -0600

On Mon, Jan 07, 2002 at 09:19:48AM -0600, D J Hawkey Jr wrote:

> - Anyone have any experience with it, good, bad, or otherwise?

Installed a copy of gcc 3.0.2 with the patch applied, tried compiling some simple programs with gcc -S -fstack-protector, checked the assembly language output and saw nothing even resembling protection. I assume I messed up the install somehow, but didn't bother trying to figure out what.

> - Any reason why I wouldn't want this?

It's claimed that people have used versions of FreeBSD compiled with the ssp patch, and the ideas and descriptions sure look nice. It didn't work for me, though.

> - Any plans to merge it into the FreeBSD-distributed GCC?

This has been discussed on this list recently:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=220254+223170+/usr/local/www/db/text/2002/freebsd-security/20020106.freebsd-security

In short, "no", but read that message for the reason.
Tim

From owner-freebsd-security Mon Jan  7 08:11:36 2002
From: "David S. Geirsson"
To: Jeff Palmer
Cc: hawkeyd@visi.com, security@freebsd.org
Date: 07 Jan 2002 16:13:03 +0000
Subject: Re: GCC stack-smashing extension
Message-Id: <1010419984.3304.12.camel@shinji>
In-Reply-To: <001401c19795$535dc4e0$0286a8c0@jeff>

While that applies to code you make yourself, what happens if you compile a
daemon that is vulnerable to a buffer overflow attack? I mean, I know I don't
have time to proof-read every line of code in every daemon I run. ;)

Of course you can't let a compiler drop you off-guard. SSP is not a "magic
bullet", it's just an added layer of security.

I haven't tried it, but I've heard good things, and I'm going to try it as
soon as I fix these buildworld issues I've been having. ;)

On Mon, 2002-01-07 at 16:06, Jeff Palmer wrote:
> While I have never personally used this patch, my advice would be:
>
> Don't depend on a compiler based security implementation in your code.
> Code with security in mind from the ground up.
>
> What happens if you get used to your compiler adding in all the checks and
> balances, and then for some reason you are forced to use a standard
> compiler for something?
>
> Don't let a compiler allow you to lower your standards. Don't let it make
> you lazy. And most of all, don't let it teach you bad habits (Microsoft's
> MFC for vc++ comes to mind here on the bad habits example)
>
> Just my two cents.. I'd rather stick with a default GCC,
> and use better/smarter coding practices on my machines :-)
>
> ----- Original Message -----
> From: "D J Hawkey Jr"
> To: "security at FreeBSD"
> Sent: Monday, January 07, 2002 10:19 AM
> Subject: GCC stack-smashing extension
>
> > Hey, all,
> >
> > I recently stumbled across the web page for the GCC stack-smashing
> > extension (http://www.trl.ibm.com/projects/security/ssp/):
> >
> > - Anyone have any experience with it, good, bad, or otherwise?
> > - Any reason why I wouldn't want this?
> > - Any plans to merge it into the FreeBSD-distributed GCC?
> >
> > Thanks,
> > Dave
> >
> > --
> > D. J. HAWKEY JR.
> > hawkeyd@visi.com
> > http://www.visi.com/~hawkeyd/

--
Davíð Steinn Geirsson
E-mail: andmann@andmann.eu.org
GSM: +354 8696608

From owner-freebsd-security Mon Jan  7 08:50:47 2002
From: "Ripper Roo"
To: freebsd-security@FreeBSD.ORG
Date: Mon, 07 Jan 2002 16:50:44 +0000
Subject: IPFW - Updating config file & dynamic ruleset

Hello,

I've just started using IPFW and use the 'file=' option to load my rules.
I don't understand, though, how rules can be kept updated in that file after
dynamic changes to survive reboots?

Also, how long are dynamic rules maintained and do the stateful rules follow
TCP sequence numbers in IPFW to validate packets' "authenticity"?

Thanks,

--Ripper.

From owner-freebsd-security Mon Jan  7 08:51:34 2002
From: admin
To: Matthias Schuendehuette
Cc: Joe Clarke
Date: Mon, 7 Jan 2002 10:43:55 -0600 (CST)
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID: <20020107104258.Y23081-100000@crimelords.org>

I got the same thing when scanning a 4.4-STABLE box with ISS Scanner... I
personally think it's the scanner, but am still testing myself.

--emacs

On Fri, 4 Jan 2002, Matthias Schuendehuette wrote:

> Hi Joe,
>
> On Thursday, 3 January 2002 22:07 you wrote:
> > On Thu, 2002-01-03 at 15:59, Matthias Schuendehuette wrote:
> > > I looked at the published Patch in FreeBSD-SA-00:52 but couldn't
> > > find the Sourcecode Sequence to be patched any more (I wasn't
> > > wondering).
> >
> > Is this what you're looking for:
> >
> > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00%3A52/tcp-iss.patch
>
> As I've mentioned above, I *found* that patch but if you look at the
> source files to patch you'll recognize that they're completely
> different now and that the patch doesn't succeed anymore (which isn't
> surprising to anyone IMHO).
>
> I think the point is what ISS states as 'predictable'... I'll wait for
> what our iss-service declares - I can't imagine that 4.5-PRERELEASE is
> worse than 4.1.1-STABLE concerning 'tcp prediction'.
>
> Ciao/BSD - Matthias
>
> --
> Matthias Schuendehuette   msch@snafu.de
> Solmsstrasse 44
> D-10961 Berlin   Engineering Systems Support and Operation
> Germany   (Powered by FreeBSD 4.5-PRERELEASE)

From owner-freebsd-security Mon Jan  7 10:49:26 2002
From: Alwyn Goodloe
Date: Mon, 7 Jan 2002 13:49:19 -0500 (EST)
Subject: ipsec setup question

Hi folks, I am trying to set up an IPv4 over IPv4 tunnel on a testbed of four
systems I have set up for research. Because it's research my configuration is
probably a bit different than most of you would run in practice. The first
test would have a tunnel between the two ends of the network. (You can think
of this as the client and server both acting as gateways with two routers in
between).

From the somewhat limited documentation I did the following:

    gifconfig gif0 inet 192.168.1.3 192.168.5.12
    ifconfig gif0 inet 192.168.1.3 192.168.5.12
    route add -net 192.168.5.12 -interface gif0

Unfortunately I get the error message:

    error_message=/kernel:gif_out:recursively called too many times

Anyone got any ideas??

Also I would like to nest tunnels and by that I mean say have an end to end
tunnel with ESP but have each intermediate router (there are two of them)
check AH headers on the packet. Anyone see any problems with this.

Alwyn Goodloe
agoodloe@gradient.cis.upenn.edu

From owner-freebsd-security Mon Jan  7 10:58:37 2002
From: Brooks Davis
To: Alwyn Goodloe
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 7 Jan 2002 10:58:27 -0800
Subject: Re: ipsec setup question
Message-ID: <20020107105827.A28192@Odin.AC.HMC.Edu>

On Mon, Jan 07, 2002 at 01:49:19PM -0500, Alwyn Goodloe wrote:
>
> Hi folks, I am trying to set up an IPv4 over IPv4 tunnel on a testbed of
> four systems I have set up for research. Because it's research my
> configuration is probably a bit different than most of you would run in
> practice. The first test would have a tunnel between the two ends of the
> network. (You can think of this as the client and server both acting as
> gateways with two routers in between).
>
> From the somewhat limited documentation I did the
> following:
>
> gifconfig gif0 inet 192.168.1.3 192.168.5.12
> ifconfig gif0 inet 192.168.1.3 192.168.5.12
> route add -net 192.168.5.12 -interface gif0
>
> Unfortunately I get the error message:
>
> error_message=/kernel:gif_out:recursively called too many times
>
> Anyone got any ideas??

The physical endpoints can't be the same as the tunnel endpoints. Choose
different values for ifconfig. If you just want to encrypt traffic between
two hosts, no tunnels are needed.

> Also I would like to nest tunnels and by that I mean
>
> say have an end to end tunnel with ESP but have each intermediate router
> (there are two of them) check AH headers on the packet. Anyone see any
> problems with this.

No clue. Actually nesting gif tunnels requires that you define XBONEHACK when
building your kernel.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Mon Jan  7 11:03:12 2002
From: hawkeyd@visi.com (D J Hawkey Jr)
To: tim@robbins.dropbear.id.au, freebsd-security@freebsd.org
Date: Mon, 7 Jan 2002 13:02:44 -0600 (CST)
Subject: Re: GCC stack-smashing extension
Message-Id: <200201071902.g07J2ix05040@sheol.localdomain>
In-Reply-To: <20020108030952.A91323_raven.robbins.dropbear.id.au@ns.sol.net>

In article <20020108030952.A91323_raven.robbins.dropbear.id.au@ns.sol.net>,
tim@robbins.dropbear.id.au writes:
> On Mon, Jan 07, 2002 at 09:19:48AM -0600, D J Hawkey Jr wrote:
>
>> - Anyone have any experience with it, good, bad, or otherwise?
>
> Installed a copy of gcc 3.0.2 with the patch applied, tried compiling
> some simple programs with gcc -S -fstack-protector, checked the
> assembly language output and saw nothing even resembling protection.
> I assume I messed up the install somehow, but didn't bother trying to
> figure out what.

IIUC, it [mainly] sees that pointers precede buffer space. If you had coded
the opposite, it should have changed them around, no?

>> - Any reason why I wouldn't want this?
>
> It's claimed that people have used versions of FreeBSD compiled with
> the ssp patch, and the ideas and descriptions sure look nice.
> It didn't work for me, though.

If Kris K. is one of 'em, and his boxen are running fine with sources built
with the patch, that's pretty compelling evidence that it does no harm, to say
the least.

>> - Any plans to merge it into the FreeBSD-distributed GCC?
>
> This has been discussed on this list recently:
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=220254+223170+/usr/local/www/db/text/2002/freebsd-security/20020106.freebsd-security
>
> In short, "no", but read that message for the reason.

Just read it. I can appreciate this view, yes.

> Tim

Dave

--
Windows: "Where do you want to go today?"
Linux:   "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
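Added example, not code from the IBM SSP patch, GCC or any poster in this thread: a small C model of the guard ("canary") check that the stack-smashing protector inserts, written to make concrete the layout point Hawkey raises above, that the guard sits between the local buffer and the saved return address so any linear overflow has to clobber it before it can reach control data. The frame struct, the fixed guard constant and the function names are constructed for illustration; the real protector picks a random guard value at process start and aborts the process on a mismatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Constructed model of a protected frame. The protector places the guard
 * between the local buffers and the saved frame pointer/return address and
 * reorders locals so character arrays sit closest to the guard. A linear
 * overflow running upward from buf therefore crosses guard before ret. */
struct frame {
    char      buf[BUF_SIZE];  /* the overflowable local array */
    uintptr_t guard;          /* canary planted by the prologue */
    uintptr_t ret;            /* stand-in for the saved return address */
};

/* Per-process guard value. The real implementation draws it randomly at
 * start-up; a fixed constructed constant keeps this model deterministic. */
static const uintptr_t GUARD_VALUE = 0x5a3c9e71u;

/* Prologue: clear the buffer, plant the guard, record the return address. */
static void frame_enter(struct frame *f, uintptr_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
    f->ret = ret;
}

/* The unchecked copy of a vulnerable function. It is clamped to the frame
 * so the model stays defined C; the bug being modelled is that nothing
 * clamps it to the buffer. Returns the number of bytes written. */
static size_t frame_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);   /* starts at buf, may run on */
    return len;
}

/* Epilogue: compare the guard before the return address is trusted.
 * Returns 1 when the frame is intact, 0 when the guard was clobbered. */
static int frame_leave(const struct frame *f)
{
    return f->guard == GUARD_VALUE;
}

/* Push one copy of len bytes through the model and report what a protected
 * epilogue would do: 1 = return normally, 0 = guard mismatch (where the
 * real handler reports the smash and aborts instead of returning). */
int protected_return(const char *src, size_t len)
{
    struct frame f;

    frame_enter(&f, 0x400000u);      /* constructed return address */
    frame_copy(&f, src, len);
    return frame_leave(&f);
}

/* Feed len bytes of 'A' through the model; 1 if the guard check fires. */
int overflow_detected(size_t len)
{
    char fill[sizeof(struct frame)];

    memset(fill, 'A', sizeof fill);
    if (len > sizeof fill)
        len = sizeof fill;
    return !protected_return(fill, len);
}

/* Smallest copy that trips the guard, derived from the layout: one byte
 * more than the distance from the start of buf to the guard word. */
size_t guard_trip_length(void)
{
    return offsetof(struct frame, guard) + 1;
}

int main(void)
{
    size_t n;

    for (n = BUF_SIZE - 1; n <= BUF_SIZE + 1; n++)
        printf("%zu-byte copy into a %d-byte buffer: %s\n", n, BUF_SIZE,
               overflow_detected(n) ? "smash detected" : "ok");
    printf("guard trips at %zu bytes\n", guard_trip_length());
    return 0;
}
```

With a real -fstack-protector build the same compare is emitted in every protected function's epilogue, so inspecting the gcc -S output for the guard load and the compare before the return is the quick way to confirm the protector was actually applied to a function.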
From owner-freebsd-security Mon Jan  7 11:04:17 2002
From: D J Hawkey Jr
To: Jeff Palmer
Cc: security@freebsd.org
Date: Mon, 7 Jan 2002 13:03:40 -0600
Subject: Re: GCC stack-smashing extension
Message-ID: <20020107130340.A4891@sheol.localdomain>
In-Reply-To: <001401c19795$535dc4e0$0286a8c0@jeff>

While I agree with you 100%, I also echo the thoughts of David Geirsson.

I am as careful and diligent as I know how to be with software I write, patch,
or hack. However, I use a lot of OSS software, and not all of it is written by
those with the experience of a Darren Reed or Matt Dillon. I'm modest enough
to accept that my own code isn't always as bullet-proof as it might be, too.

I figure another layer to the security onion can't hurt, and am looking for
insights as to the patch's usefulness and integrity, rather than a
conversation on whether it's necessary!

Dave

On Jan 07, at 11:06 AM, Jeff Palmer wrote:
>
> While I have never personally used this patch, my advice would be:
>
> Don't depend on a compiler based security implementation in your code.
> Code with security in mind from the ground up.
>
> What happens if you get used to your compiler adding in all the checks and
> balances, and then for some reason you are forced to use a standard
> compiler for something?
>
> Don't let a compiler allow you to lower your standards. Don't let it make
> you lazy. And most of all, don't let it teach you bad habits (Microsoft's
> MFC for vc++ comes to mind here on the bad habits example)
>
> Just my two cents.. I'd rather stick with a default GCC,
> and use better/smarter coding practices on my machines :-)
>
> ----- Original Message -----
> From: "D J Hawkey Jr"
> To: "security at FreeBSD"
> Sent: Monday, January 07, 2002 10:19 AM
> Subject: GCC stack-smashing extension
>
> > Hey, all,
> >
> > I recently stumbled across the web page for the GCC stack-smashing
> > extension (http://www.trl.ibm.com/projects/security/ssp/):
> >
> > - Anyone have any experience with it, good, bad, or otherwise?
> > - Any reason why I wouldn't want this?
> > - Any plans to merge it into the FreeBSD-distributed GCC?
> >
> > Thanks,
> > Dave

From owner-freebsd-security Mon Jan  7 11:04:19 2002
From: Brooks Davis
To: Alwyn Goodloe
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 7 Jan 2002 11:03:51 -0800
Subject: Re: ipsec setup question
Message-ID: <20020107110351.A28802@Odin.AC.HMC.Edu>
In-Reply-To: <20020107105827.A28192@Odin.AC.HMC.Edu>

On Mon, Jan 07, 2002 at 10:58:27AM -0800, Brooks Davis wrote:
> > Also I would like to nest tunnels and by that I mean
> >
> > say have an end to end tunnel with ESP but have each intermediate router
> > (there are two of them) check AH headers on the packet. Anyone see any
> > problems with this.
>
> No clue. Actually nesting gif tunnels requires that you define
> XBONEHACK when building your kernel.

Oops, that's incorrect. The variable you must define is MAX_GIF_NEST;
XBONEHACK allows parallel tunnels.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Mon Jan  7 13:29:33 2002
From: Guy Middleton
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Cc: Guy Middleton
Date: Mon, 7 Jan 2002 16:29:28 -0500
Subject: IPSEC with Cisco VPN 3000?
Message-ID: <20020107162928.A29684@chaos.obstruction.com>

Has anybody successfully set up IPSEC between a FreeBSD box (I am using
4.3-STABLE) and a Cisco VPN 3000 concentrator?

The Cisco wants a "group name" and "group password", and I can't tell how this
maps to the racoon implementation of IKE keys.

Thanks.

-Guy

From owner-freebsd-security Mon Jan  7 13:30:51 2002
From: Krzysztof Zaraska
To: hawkeyd@visi.com
Cc: freebsd-security@freebsd.org
Date: Mon, 7 Jan 2002 22:29:51 +0100
Subject: Re: GCC stack-smashing extension
Message-Id: <20020107222951.6fcaea7c.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <200201071902.g07J2ix05040@sheol.localdomain>

On Mon, 7 Jan 2002 13:02:44 -0600 (CST) D J Hawkey Jr wrote:
> > It's claimed that people have used versions of FreeBSD compiled with
> > the ssp patch, and the ideas and descriptions sure look nice.
> > It didn't work for me, though.
>
> If Kris K. is one of 'em, and his boxen are running fine with sources
> built with the patch, that's pretty compelling evidence that it does
> no harm, to say the least.

See his mail on this list, 01/10/29, Re: BUFFER OVERFLOW EXPLOITS. Please read
the whole thread, it is informative.

Best regards,
Krzysztof

From owner-freebsd-security Mon Jan  7 13:45:42 2002
From: fingers
To: Guy Middleton
Date: Mon, 7 Jan 2002 23:45:22 +0200 (SAST)
Subject: Re: IPSEC with Cisco VPN 3000?
Message-ID: <20020107234058.R54527-100000@snow.fingers.co.za>
In-Reply-To: <20020107162928.A29684@chaos.obstruction.com>

Hi

> Has anybody successfully set up IPSEC between a FreeBSD box (I am using
> 4.3-STABLE) and a Cisco VPN 3000 concentrator?
>
> The Cisco wants a "group name" and "group password", and I
> can't tell how this maps to the racoon implementation of IKE keys.

They have a Linux client available for download if you have CCO access (and
access to download 3DES software from them). That might give you some answers.
Not sure if you can connect as a vpngroup member without their client.
http://www.cisco.com/warp/public/707/index.shtml#vpn3000 might be worth a read,
with the index at http://www.cisco.com/warp/public/707/index.shtml.

Regards

--Rob

From owner-freebsd-security Mon Jan  7 14:23:56 2002
From: Bill Fumerola
To: Ripper Roo
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 7 Jan 2002 16:23:46 -0600
Subject: Re: IPFW - Updating config file & dynamic ruleset
Message-ID: <20020107162346.C4417@elvis.mu.org>

On Mon, Jan 07, 2002 at 04:50:44PM +0000, Ripper Roo wrote:
> Also, how long are dynamic rules maintained and do the stateful rules follow
> TCP sequence numbers in IPFW to validate packets "authenticity"?

the time they survive is documented in ''man ipfw'', search for 'lifetime'.

the stateful rules do not do any sanity checking of the tcp sequence #.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From owner-freebsd-security Mon Jan  7 15:00:42 2002
From: "Aquarius Training and Development"
Date: Mon, 7 Jan 2002 14:58:28 -0800
Subject: Team Work in 2002
Message-Id: <20020107230015.A820137B41D@hub.freebsd.org>
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 7 16: 9:36 2002
Delivered-To: freebsd-security@freebsd.org
Received: from Thanatos.Shenton.Org (a3.ebbed1.client.atlantech.net [209.190.235.163]) by hub.freebsd.org (Postfix) with SMTP id 978FE37B405 for ; Mon, 7 Jan 2002 16:09:23 -0800 (PST)
Received: (qmail 41571 invoked by uid 1000); 8 Jan 2002 00:09:22 -0000
To: freebsd-questions@FreeBSD.ORG
Cc: freebsd-security@freebsd.org
Subject: SSH TCP forwarding: works with v1, not with v2 ssh
From: Chris Shenton
Date: 07 Jan 2002 19:09:22 -0500
In-Reply-To: <200104180902.f3I92cG94606@lk.tempest.sk>
Message-ID: <87lmf9snyl.fsf@thanatos.shenton.org>
Lines: 105
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I need to set up an SSH tunnel from my work to my home so I can get in over the weekend. Worked on my previous work box, but not on my current one. So I looked at the differences in the way they established tunnels and saw that the old working one used SSHv1 from work to my house, the broken one used SSHv2. Both of them indicate that they're setting up the tunnels with no problem, but the v2 tunnel just hangs when I try and use it from home.

Below, I first establish a tunnel over SSHv1, then telnet back to show I can get to the work ssh daemon:

  cshenton@Palimpsest(257> ssh -1 -R 65001:palimpsest:22 chris@shenton.org
  chris@shenton.org's password:
  FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002

  chris@thanatos[257> netstat -an|grep 65001
  tcp4 0 0 127.0.0.1.65001 *.* LISTEN
  tcp6 0 0 ::1.65001 *.* LISTEN

  chris@thanatos[258> telnet 127.0.0.1 65001
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
  quit
  Protocol mismatch.          [no problem, I typed garbage; the tunnel does work]

Then I do the same, from work to home, but with SSHv2. I'm including some of the verbose output here so you can see it claims to be setting up the tunnel:

  cshenton@Palimpsest(257> ssh -v -R 65002:palimpsest:22 chris@shenton.org
  OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
  debug1: Reading configuration data /etc/ssh/ssh_config
  [debug elided]
  debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
  debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
  Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20011202
  [key and auth negotiation elided]
  debug1: Connections to remote port 65002 forwarded to local address palimpsest:22
  debug1: channel 0: new [client-session]
  debug1: channel_new: 0
  debug1: send channel open 0
  debug1: Entering interactive session.
  debug1: client_init id 0 arg 0
  debug1: Requesting X11 forwarding with authentication spoofing.
  debug1: Requesting authentication agent forwarding.
  debug1: channel request 0: shell
  debug1: channel 0: open confirm rwindow 0 rmax 16384

  FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002

Now I check the netstat and see a listener, then try telnet to see if something answers (if I get "connection refused" there's no listener); the telnet connection hangs -- I don't get the SSH prompt when I do the telnet hack.

  chris@thanatos[257> netstat -an|grep 65002
  tcp4 0 0 127.0.0.1.65002 *.* LISTEN
  tcp6 0 0 ::1.65002 *.* LISTEN

  chris@thanatos[258> telnet 127.0.0.1 65002
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  foo
  Connection closed by foreign host.

I'm using telnet here instead of ssh back because "ssh -v" doesn't show you that nothing answers; for yucks, I then try ssh and it does hang:

  chris@thanatos[259> ssh -v -p 65002 cshenton@127.0.0.1
  OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
  debug1: Reading configuration data /home/chris/.ssh/config
  debug1: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Rhosts Authentication disabled, originating port will not be trusted.
  debug1: restore_uid
  debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
  debug1: Connecting to 127.0.0.1 [127.0.0.1] port 65002.
  debug1: temporarily_use_uid: 1000/1000 (e=1000)
  debug1: restore_uid
  debug1: temporarily_use_uid: 1000/1000 (e=1000)
  debug1: restore_uid
  debug1: Connection established.
  debug1: identity file /home/chris/.ssh/identity type 0
  debug1: identity file /home/chris/.ssh/id_rsa type -1
  debug1: identity file /home/chris/.ssh/id_dsa type -1
  [hangs indefinitely here]

The man page for sshd says the daemon forwards TCP connections by default, and the verbose output above would indicate it *thinks* the connection's being forwarded, but nothing happens.

There is no change if I use -1 or -2 versions when I try to come back through the tunnel, as if my home client isn't able to connect to the work server and negotiate SSH versions.

Any clues where I can look to see why the incoming connection is just hanging? Thanks.
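The telnet check in the post above (connect to the forwarded port and see whether an SSH version line comes back) can be scripted so that the "accepts, then hangs" case is reported instead of waited on. The following is an added example, not code from the post or from OpenSSH; the three fake loopback listeners are constructed for the demo and stand in for the -R listener in its healthy, hanging and closing states. Note from the netstat lines in the post that the -R listener is bound to 127.0.0.1 and ::1 only, so a probe like this has to run on the host that holds the listener, exactly as the telnet test did.

```python
"""Probe a forwarded port for an SSH banner with a timeout.
Added example; the fake listeners are constructed for the demo."""
import socket
import threading
import time

# Version line as seen through the working v1 tunnel in the post.
SSH_BANNER = b"SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202"


def probe_ssh_port(host, port, timeout=2.0):
    """Connect and wait for the server's version line.

    Returns "refused" (no listener), "silent" (listener accepted but sent no
    banner before the timeout: the hanging -R tunnel), "closed" (accepted and
    closed without a banner), "unexpected" (non-SSH data), "connect-timeout"
    (SYN unanswered), or the SSH banner line itself.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "connect-timeout"
    with sock:
        sock.settimeout(timeout)
        buf = b""
        while b"\n" not in buf and len(buf) < 256:
            try:
                chunk = sock.recv(256 - len(buf))
            except socket.timeout:
                return "silent" if not buf else "unexpected"
            if not chunk:          # peer closed the connection
                break
            buf += chunk
    if not buf:
        return "closed"
    line = buf.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return line if line.startswith("SSH-") else "unexpected"


def start_fake_listener(behaviour, hold=1.5):
    """One-shot loopback listener standing in for the forwarded port.
    "banner": healthy sshd; "silent": accept, say nothing for `hold` seconds,
    then close; "closed": accept and close at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(SSH_BANNER + b"\r\n")
            elif behaviour == "silent":
                time.sleep(hold)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A loopback port with nothing bound to it (small race, fine for a demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo(timeout=0.5):
    """Probe all four situations and return {name: outcome}."""
    results = {
        b: probe_ssh_port("127.0.0.1", start_fake_listener(b), timeout)
        for b in ("banner", "silent", "closed")
    }
    results["refused"] = probe_ssh_port("127.0.0.1", unused_port(), timeout)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:8s} -> {outcome}")
```

Against a real tunnel, `probe_ssh_port("127.0.0.1", 65002)` run on the home box distinguishes the three states the post had to tell apart by hand: "refused" means the -R listener never came up, a banner means the forward works end to end, and "silent" or "closed" means sshd accepted the connection but the channel to the work side never delivered data.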
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 7 16:54:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from out006pub.verizon.net (out006pub.verizon.net [206.46.170.106]) by hub.freebsd.org (Postfix) with ESMTP id E08DC37B400; Mon, 7 Jan 2002 16:54:19 -0800 (PST)
Received: from bellatlantic.net (pool-141-154-239-23.bos.east.verizon.net [141.154.239.23]) by out006pub.verizon.net with ESMTP ; id g080s8924526 Mon, 7 Jan 2002 18:54:08 -0600 (CST)
Message-ID: <3C3A4338.80003@bellatlantic.net>
Date: Mon, 07 Jan 2002 19:54:16 -0500
From: "Alexander N. Kabaev"
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020105
X-Accept-Language: ru, be, en
MIME-Version: 1.0
To: Chris Shenton , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Could you please try the following patch from OpenBSD CVS and post your results here? Who knows, maybe release engineers will consider including it into upcoming 4.5-RELEASE if it fixes problem for you :)

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.109.2.1&r2=1.109.2.2

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 7 17:42: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id 8CA6637B404 for ; Mon, 7 Jan 2002 17:42:00 -0800 (PST)
Received: from kpi.com.au (arbiter-int.kpi.com.au [203.39.132.209]) by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id MAA40701; Tue, 8 Jan 2002 12:49:30 +1100 (EST) (envelope-from johnsa@kpi.com.au)
Message-ID: <3C3A4E4D.3A05B029@kpi.com.au>
Date: Tue, 08 Jan 2002 12:41:33 +1100
From: Andrew Johns
X-Mailer: Mozilla 4.7 [en-gb] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: hawkeyd@visi.com
Cc: security at FreeBSD
Subject: Re: GCC stack-smashing extension
References: <20020107091948.A4096@sheol.localdomain>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

D J Hawkey Jr wrote:
> 
> Hey, all,
> 
> I recently stumbled across the web page for the GCC stack-smashing
> extension (http://www.trl.ibm.com/projects/security/ssp/):
> 
> - Anyone have any experience with it, good, bad, or otherwise?

Yes - on 4.4 - I had to manually apply the patch to it however as the patch was for an earlier version. CVSup killed it the first time, so you'll need to maintain your own CVS repos in order to keep it. I tested it with a known exploit and the process was killed and an entry written to syslog. Of course, it won't protect you from heap or data/bss overflows, however. See here for more on this:

http://www.w00w00.org/files/heaptut/heaptut.txt

Cheers
-- 
AJ

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 7 19:41:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from net.tamu.edu (net.tamu.edu [128.194.177.50]) by hub.freebsd.org (Postfix) with ESMTP id 40A3537B404; Mon, 7 Jan 2002 19:41:29 -0800 (PST)
Received: by net.tamu.edu (Postfix, from userid 157) id C63A715891; Mon, 7 Jan 2002 21:41:28 -0600 (CST)
Date: Mon, 7 Jan 2002 21:41:28 -0600
From: Dave Duchscher
To: admin
Cc: Matthias Schuendehuette , Joe Clarke , freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID: <20020107214128.A19265@net.tamu.edu>
Mail-Followup-To: admin , Matthias Schuendehuette , Joe Clarke , freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
References: <20020107104258.Y23081-100000@crimelords.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020107104258.Y23081-100000@crimelords.org>; from admin@crimelords.org on Mon, Jan 07, 2002 at 10:43:55AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

My experience with ISS is that it tends to report false positives quite often. For example, we are still scratching our heads when it reports ISS problems for an IRIX box running Apache.

DaveD

On Mon, Jan 07, 2002 at 10:43:55AM -0600, admin wrote:
> I got the same thing when scanning a 4.4-STABLE box with ISS Scanner...I
> personally think it's the scanner, but am still testing myself.
> 
> --emacs
> 
> On Fri, 4 Jan 2002, Matthias Schuendehuette wrote:
> 
> > Hi Joe,
> > 
> > On Thursday, 3 January 2002 22:07 you wrote:
> > > On Thu, 2002-01-03 at 15:59, Matthias Schuendehuette wrote:
> > > > I looked at the published Patch in FreeBSD-SA-00:52 but couldn't
> > > > find the Sourcecode Sequence to be patched any more (I wasn't
> > > > wondering).
> > > 
> > > Is this what you're looking for:
> > > 
> > > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00%3A52/tcp-iss.patch
> > 
> > as I've mentioned above, I *found* that patch but if you look at the
> > source files to patch you'll recognize that they're completely
> > different now and that the patch doesn't succeed anymore (which isn't
> > surprising for no one IMHO).
> > 
> > I think, the point is what ISS states as 'predictable'... I'll wait
> > what our iss-service declares - I can't imagine that 4.5-PRERELEASE is
> > worse than 4.1.1-STABLE concerning 'tcp prediction'.
> > 
> > Ciao/BSD - Matthias
> > 
> > -- 
> > ***************************************************************************
> > * Matthias Schuendehuette                               msch@snafu.de     *
> > * Solmsstrasse 44                                                         *
> > * D-10961 Berlin        Engineering Systems Support and Operation         *
> > * Germany               (Powered by FreeBSD 4.5-PRERELEASE)               *
> > ***************************************************************************
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> > 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 7 20:28:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from eumenes.hosting.swbell.net (eumenes.hosting.swbell.net [216.100.98.7]) by hub.freebsd.org (Postfix) with ESMTP id 2607037B402; Mon, 7 Jan 2002 20:28:06 -0800 (PST)
Received: from imimic.com (adsl-216-63-78-19.dsl.hstntx.swbell.net [216.63.78.19]) by eumenes.hosting.swbell.net id XAA19379; Mon, 7 Jan 2002 23:28:05 -0500 (EST) [ConcentricHost SMTP Relay 1.7]
Message-ID: <3C3A74F9.146EED69@imimic.com>
Date: Mon, 07 Jan 2002 22:26:33 -0600
From: "Alan L. Cox"
Organization: iMimic Networking, Inc.
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_exec.c
References: <200201080413.g084DL725267@freefall.freebsd.org>
Content-Type: text/plain; charset=x-user-defined
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Alan Cox wrote:
> 
> alc         2002/01/07 20:13:21 PST
> 
>   Modified files:        (Branch: RELENG_4)
>     sys/kern             kern_exec.c
>   Log:
>   MFC
>   Call aio_proc_rundown() from exec_new_vmspace() to prevent a pending AIO
>   from modifying the new address space.  (This is the one-line version
>   of the patch that is a part of Revision 1.147.)
> 
>   Reviewed by:  tegge
>   Approved by:  re
> 
>   Revision    Changes    Path
>   1.107.2.12  +6 -0      src/sys/kern/kern_exec.c

Also, this closes the exploit documented at http://elysium.soniq.net/dr/tao/advisory.txt

Regards,
Alan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 8 10:51:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 6E32837B41F; Tue, 8 Jan 2002 10:51:18 -0800 (PST)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g08IpIH53707; Tue, 8 Jan 2002 10:51:18 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Tue, 8 Jan 2002 10:51:18 -0800 (PST)
Message-Id: <200201081851.g08IpIH53707@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:01.pkg_add [REVISED]
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:01                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Directory permission vulnerability in pkg_add [REVISED]

Category:       core
Module:         pkg_install
Announced:      2002-01-04
Revised:        2002-01-07
Credits:        The Anarcat
Affects:        All versions of FreeBSD prior to the correction date.
Corrected:      2001/11/22 17:40:36 UTC (4.4-STABLE aka RELENG_4)
                2001/12/07 20:58:46 UTC (4.4-RELEASEp1 aka RELENG_4_4)
                2001/12/07 20:57:19 UTC (4.3-RELEASEp21 aka RELENG_4_3)
FreeBSD only:   NO

0.   Revision History

v1.0  2002-01-04  Initial release
v1.1  2002-01-07  Correct terminology in problem description.

I.   Background

pkg_add is a utility program used to install software package distributions on FreeBSD systems.

II.  Problem Description

pkg_add extracts the contents of the package to a temporary directory, then moves files from the temporary directory to their ultimate destination on the system. The temporary directory used in the extraction was created with world-searchable permissions, allowing arbitrary users to examine the contents of the package as it was being extracted. This might allow users to attack world-writable parts of the package during installation.

III. Impact

A local attacker may be able to modify the package contents and potentially elevate privileges or otherwise compromise the system.

There are no known exploits as of the date of this advisory.

IV.  Workaround

1) Remove or discontinue use of the pkg_add binary until it has been upgraded.

2) When running pkg_add, create a secure temporary directory (such as /var/tmp/inst) and secure the directory permissions (chmod 700 /var/tmp/inst). Set the TMPDIR environment variable to this directory before running pkg_add.

V.   Solution

1) Upgrade your vulnerable FreeBSD system to 4.4-STABLE, or the RELENG_4_4 or RELENG_4_3 security branches dated after the respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.3-RELEASE, 4.4-RELEASE, and 4-STABLE dated prior to the correction date. This patch may or may not apply to older, unsupported releases of FreeBSD.

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:01/pkg_add.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:01/pkg_add.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file that was corrected in the FreeBSD source

Path                                                             Revision
                                                                   Branch
- -------------------------------------------------------------------------
src/usr.sbin/pkg_install/lib/pen.c                            HEAD 1.37
                                                          RELENG_4 1.31.2.6
                                                        RELENG_4_4 1.31.2.2.2.1
                                                        RELENG_4_3 1.31.2.1.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPDnE7VUuHi5z0oilAQHc3AP+IVLft31MShGngUPRQOQRHsNPjdqwdacj
ptKjsMfGCpDRyqgIc8CoaI/Bln6VKkKS3HuOYx4pYOPY5QjBPy9JpPSJrAxP/H/N
424apgpo2eCmGcoIbCdM2RH1YYyKZANzt5igWNss1FbppvYbVwx+zZPBA4dyl9MZ
8rat83zoMAc=
=g74K
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 8 11:13:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-in.sc5.paypal.com (smtp-in.sc5.paypal.com [216.136.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 3D79637B41A; Tue, 8 Jan 2002 11:13:23 -0800 (PST)
Received: from xchange.xpa1.x.com (xchange.x.com [10.1.1.41]) by smtp-in.sc5.paypal.com (8.11.6/8.11.6) with ESMTP id g08JDKN20175; Tue, 8 Jan 2002 11:13:20 -0800
Received: from pa1.paypal.com (stinky.pa1.paypal.com [10.1.2.6]) by xchange.xpa1.x.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id C3MQ5S9H; Tue, 8 Jan 2002 11:13:19 -0800
Message-ID: <3C3B44E5.6030605@pa1.paypal.com>
Date: Tue, 08 Jan 2002 11:13:41 -0800
From: Brian Nelson
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7)
 Gecko/20011226
X-Accept-Language: en-us
MIME-Version: 1.0
To: Chris Shenton
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh
References: <87lmf9snyl.fsf@thanatos.shenton.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Chris Shenton wrote:

>I need to set up an SSH tunnel from my work to my home so I can get in
>over the weekend. Worked on my previous work box, but not on my
>current one. So I looked at the differences in the way they
>established tunnels and saw that the old working one used SSHv1 from
>work to my house, the broken one used SSHv2. Both of them indicate
>that they're setting up the tunnels with no problem, but the v2 tunnel
>just hangs when I try and use it from home.
>
>Below, I first establish a tunnel over SSHv1, then telnet back to show
>I can get to the work ssh daemon:
>
>  cshenton@Palimpsest(257> ssh -1 -R 65001:palimpsest:22 chris@shenton.org
>  chris@shenton.org's password:
>  FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002
>
>  chris@thanatos[257> netstat -an|grep 65001
>  tcp4 0 0 127.0.0.1.65001 *.* LISTEN
>  tcp6 0 0 ::1.65001 *.* LISTEN
>
>  chris@thanatos[258> telnet 127.0.0.1 65001
>  Trying 127.0.0.1...
>  Connected to localhost.
>  Escape character is '^]'.
>  SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
>  quit
>  Protocol mismatch.          [no problem, I typed garbage; the tunnel does work]
>
>
>Then I do the same, from work to home, but with SSHv2. I'm including
>some of the verbose output here so you can see it claims to be setting
>up the tunnel:
>
>  cshenton@Palimpsest(257> ssh -v -R 65002:palimpsest:22 chris@shenton.org
>  OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>  debug1: Reading configuration data /etc/ssh/ssh_config
>  [debug elided]
>  debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
>  debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
>  Enabling compatibility mode for protocol 2.0
>  debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20011202
>  [key and auth negotiation elided]
>  debug1: Connections to remote port 65002 forwarded to local address palimpsest:22
>  debug1: channel 0: new [client-session]
>  debug1: channel_new: 0
>  debug1: send channel open 0
>  debug1: Entering interactive session.
>  debug1: client_init id 0 arg 0
>  debug1: Requesting X11 forwarding with authentication spoofing.
>  debug1: Requesting authentication agent forwarding.
>  debug1: channel request 0: shell
>  debug1: channel 0: open confirm rwindow 0 rmax 16384
>
>  FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002
>
>Now I check the netstat and see a listener, then try telnet to see if
>something answers (if I get "connection refused" there's no listener);
>the telnet connection hangs -- I don't get the SSH prompt when I do
>the telnet hack.
>
>  chris@thanatos[257> netstat -an|grep 65002
>  tcp4 0 0 127.0.0.1.65002 *.* LISTEN
>  tcp6 0 0 ::1.65002 *.* LISTEN
>
>  chris@thanatos[258> telnet 127.0.0.1 65002
>  Trying 127.0.0.1...
>  Connected to localhost.
>  Escape character is '^]'.
>  foo
>  Connection closed by foreign host.
>
>I'm using telnet here instead of ssh back because "ssh -v" doesn't
>show you that nothing answers; for yucks, I then try ssh and it does
>hang:
>
>  chris@thanatos[259> ssh -v -p 65002 cshenton@127.0.0.1
>  OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>  debug1: Reading configuration data /home/chris/.ssh/config
>  debug1: Applying options for *
>  debug1: Reading configuration data /etc/ssh/ssh_config
>  debug1: Rhosts Authentication disabled, originating port will not be trusted.
>  debug1: restore_uid
>  debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
>  debug1: Connecting to 127.0.0.1 [127.0.0.1] port 65002.
>  debug1: temporarily_use_uid: 1000/1000 (e=1000)
>  debug1: restore_uid
>  debug1: temporarily_use_uid: 1000/1000 (e=1000)
>  debug1: restore_uid
>  debug1: Connection established.
>  debug1: identity file /home/chris/.ssh/identity type 0
>  debug1: identity file /home/chris/.ssh/id_rsa type -1
>  debug1: identity file /home/chris/.ssh/id_dsa type -1
>  [hangs indefinitely here]
>
>The man page for sshd says the daemon forwards TCP connections by
>default, and the verbose output above would indicate it *thinks* the
>connection's being forwarded, but nothing happens.
>
>There is no change if I use -1 or -2 versions when I try to come back
>through the tunnel, as if my home client isn't able to connect to
>the work server and negotiate SSH versions.
>
>Any clues where I can look to see why the incoming connection is just
>hanging? Thanks.
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

I am having the *exact* same problem... though it's only with -R; ssh -L works like a charm. It's also important to note that I am not having this problem when connecting to Linux machines, just to my own FreeBSD machine... the difference is that the linux machine is running some 3.x version of openssh...
so this may already be fixed in 3.x

-Brian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 8 12:28:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from clever.eusc.inter.net (clever.eusc.inter.net [213.73.101.4]) by hub.freebsd.org (Postfix) with ESMTP id D3AFF37B405; Tue, 8 Jan 2002 12:27:35 -0800 (PST)
Received: from tc08-n66-183.de.inter.net ([213.73.66.183] helo=there) by clever.eusc.inter.net with smtp (Exim 3.22 #3) id 16O2qF-0004KI-00; Tue, 08 Jan 2002 21:27:27 +0100
Content-Type: text/plain; charset="iso-8859-1"
From: Matthias Schuendehuette
Reply-To: msch@snafu.de
Organization: Micro$oft-free Zone
To: freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
Date: Tue, 8 Jan 2002 21:27:01 +0100
X-Mailer: KMail [version 1.3.1]
References: <20020107104258.Y23081-100000@crimelords.org> <20020107214128.A19265@net.tamu.edu>
In-Reply-To: <20020107214128.A19265@net.tamu.edu>
Cc: Peter.Sauerland@siemens.com
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello everybody,

On Tuesday, 8 January 2002 04:41 you wrote:
> My experience with ISS is that it tends to report false positives
> quite often. For example, we are still scratching our heads when it
> reports ISS problems for an IRIX box running Apache.

Now we have the ability to look a bit behind the scenes... I got the section of the Scan-Logfile which concerns the TCP-Sequence Prediction Test. I hope it's anonymized enough - 'aaa.bbb.ccc.ddd' is the FreeBSD 4.5-PRERELEASE Box and 'www.xxx.yyy.zzz' is the scanning machine.

I hope that some of the TCP/IP-Gurus will have a look at it and draw (and let me/us know) a conclusion out of that. What I suppose I see are some irregularly distributed right guesses of the TCP sequence number, out of which I really cannot imagine creating an exploit - but I'm anything but a hacker :-)

Anyway - I hope I could shed some light onto the problem...

Ciao/BSD - Matthias

vvvvvvvv --- ...and here the Log-file --- vvvvvvvv

# Time Stamp(0x135):TCP sequence prediction aaa.bbb.ccc.ddd: (1010389926) Mon Jan 07 08:52:06
# TCP Sequence Prediction: Getting initial sampling of sequence numbers
# TCP Sequence Prediction: Checking predicability on destination port 22
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 seq: 2539010280(0x975638e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57028 seq: 2176714600(0x81be0768)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 seq: 3018759784(0xb3ee9e68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 1774421352(0x69c38568)
# TCP Sequence Prediction: Analyzing the sequence numbers by the order the SYN packets were sent
# seq[0] = 2539010280, seq[1] = 234368744, actual diff = 1990325760
# seq[1] = 234368744, seq[2] = 72227304, actual diff = -162141440
# seq[2] = 72227304, seq[3] = 1774421352, actual diff = 1702194048
# The most frequent difference is -162141440 which occurred 1 times
# The minimum difference is -162141440 which occurred 1 times
# TCP Sequence Prediction: Analyzing the sequence numbers by the order the SYN/ACK packets were received
# seq[0] = 2539010280, seq[1] = 234368744, actual diff = 1990325760
# seq[1] = 234368744, seq[2] = 234368744, actual diff = 0
# seq[2] = 234368744, seq[3] = 72227304, actual diff = -162141440
# seq[3] = 72227304, seq[4] = 72227304, actual diff = 0
# seq[4] = 72227304, seq[5] = 2176714600, actual diff = 2104487296
# seq[5] = 2176714600, seq[6] = 72227304, actual diff = -2104487296
# seq[6] = 72227304, seq[7] = 4221300584, actual diff = -145894016
# seq[7] = 4221300584, seq[8] = 72227304, actual diff = 145894016
# seq[8] = 72227304, seq[9] = 72227304, actual diff = 0
# seq[9] = 72227304, seq[10] = 4221300584, actual diff = -145894016
# seq[10] = 4221300584, seq[11] = 3018759784, actual diff = -1202540800
# seq[11] = 3018759784, seq[12] = 4221300584, actual diff = 1202540800
# seq[12] = 4221300584, seq[13] = 1774421352, actual diff = 1848088064
# seq[13] = 1774421352, seq[14] = 4221300584, actual diff = -1848088064
# seq[14] = 4221300584, seq[15] = 4221300584, actual diff = 0
# seq[15] = 4221300584, seq[16] = 1774421352, actual diff = 1848088064
# The most frequent difference is 0 which occurred 4 times
# The minimum difference is 0 which occurred 4 times
# TCP Sequence Prediction: Getting new sampling of sequence numbers for comparison
# TCP Sequence Prediction: Checking predicability on destination port 22
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 seq: 1956262121(0x749a30e9)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 seq: 4010195418(0xef06b9da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 seq: 2050126938(0x7a32745a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57008 seq: 2786214362(0xa61241da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57009 seq: 315578330(0x12cf57da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57010 seq: 621582170(0x250c975a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 1847059930(0x6e17e5da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57012 seq: 1485862362(0x589075da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 seq: 224591066(0xd62fcda)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57014 seq: 3847099610(0xe54e14da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57015 seq: 4249765210(0xfd4e455a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 3617446746(0xd79ddb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57017 seq: 4032084826(0xf054bb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57018 seq: 1794507994(0x6af604da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57019 seq: 246642906(0xeb378da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57020 seq: 2681935194(0x9fdb155a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 578229210(0x227713da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57022 seq: 2399872858(0x8f0b275a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 seq: 2355487706(0x8c65e3da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57024 seq: 1315568090(0x4e69f9da)
# TCP Sequence Prediction: Analyzing the sequence numbers by the order the SYN packets were sent
# Guessing with most frequent difference -162141440
# seq[0] = 2487285466, seq[1] = 4010195418, actual diff = 1522909952, freqDiff = -162141440
# seq[1] = 4010195418, seq[2] = 2050126938, actual diff = -1960068480, freqDiff = -162141440
# seq[2] = 2050126938, seq[3] = 2786214362, actual diff = 736087424, freqDiff = -162141440
# seq[3] = 2786214362, seq[4] = 315578330, actual diff = 1824331264, freqDiff = -162141440
# seq[4] = 315578330, seq[5] = 621582170, actual diff = 306003840, freqDiff = -162141440
# seq[5] = 621582170, seq[6] = 1847059930, actual diff = 1225477760, freqDiff = -162141440
# seq[6] = 1847059930, seq[7] = 1485862362, actual diff = -361197568, freqDiff = -162141440
# seq[7] = 1485862362, seq[8] = 224591066, actual diff = -1261271296, freqDiff = -162141440
# seq[8] = 224591066, seq[9] = 3847099610, actual diff = -672458752, freqDiff = -162141440
# seq[9] = 3847099610, seq[10] = 4249765210, actual diff = 402665600, freqDiff = -162141440
# seq[10] = 4249765210, seq[11] = 3617446746, actual diff = -632318464, freqDiff = -162141440
# seq[11] = 3617446746, seq[12] = 4032084826, actual diff = 414638080, freqDiff = -162141440
# seq[12] = 4032084826, seq[13] = 1794507994, actual diff = 2057390464, freqDiff = -162141440
# seq[13] = 1794507994, seq[14] = 246642906, actual diff = -1547865088, freqDiff = -162141440
# seq[14] = 246642906, seq[15] = 2681935194, actual diff = -1859675008, freqDiff = -162141440
# seq[15] = 2681935194, seq[16] = 578229210, actual diff = -2103705984, freqDiff = -162141440
# seq[16] = 578229210, seq[17] = 2399872858, actual diff = 1821643648, freqDiff = -162141440
# seq[17] = 2399872858, seq[18] = 2355487706, actual diff = -44385152, freqDiff = -162141440
# seq[18] = 2355487706, seq[19] = 1315568090, actual diff = -1039919616, freqDiff = -162141440
aaa.bbb.ccc.ddd: Most frequent guess (SYN/ACK received order): 0 out of 19 (0.000%)
# Guessing with minimum difference -162141440
# seq[0] = 2487285466, seq[1] = 4010195418, actual diff = 1522909952, minDiff = -162141440
# seq[1] = 4010195418, seq[2] = 2050126938, actual diff = -1960068480, minDiff = -162141440
# seq[2] = 2050126938, seq[3] = 2786214362, actual diff = 736087424, minDiff = -162141440
# seq[3] = 2786214362, seq[4] = 315578330, actual diff = 1824331264, minDiff = -162141440
# seq[4] = 315578330, seq[5] = 621582170, actual diff = 306003840, minDiff = -162141440
# seq[5] = 621582170, seq[6] = 1847059930, actual diff = 1225477760, minDiff = -162141440
# seq[6] = 1847059930, seq[7] = 1485862362, actual diff = -361197568, minDiff = -162141440
# seq[7] = 1485862362, seq[8] = 224591066, actual diff = -1261271296, minDiff = -162141440
# seq[8] = 224591066, seq[9] = 3847099610, actual diff = -672458752, minDiff = -162141440
# seq[9] = 3847099610, seq[10] = 4249765210, actual diff = 402665600, minDiff = -162141440
# seq[10] = 4249765210, seq[11] = 3617446746, actual diff = -632318464, minDiff = -162141440
# seq[11] = 3617446746, seq[12] = 4032084826, actual diff = 414638080, minDiff = -162141440
# seq[12] = 4032084826, seq[13] = 1794507994, actual diff = 2057390464, minDiff = -162141440
# seq[13] = 1794507994, seq[14] = 246642906, actual diff = -1547865088, minDiff = -162141440
# seq[14] = 246642906, seq[15] = 2681935194, actual diff = -1859675008, minDiff = -162141440
# seq[15] = 2681935194, seq[16] = 578229210, actual diff = -2103705984, minDiff = -162141440
# seq[16] = 578229210, seq[17] = 2399872858, actual diff = 1821643648, minDiff = -162141440
# seq[17] = 2399872858, seq[18] = 2355487706, actual diff = -44385152, minDiff = -162141440
# seq[18] = 2355487706, seq[19] = 1315568090, actual diff = -1039919616, minDiff = -162141440
aaa.bbb.ccc.ddd: Minimum guess (SYN/ACK received order): 0 out of 19 (0.000%)
# TCP Sequence Prediction: Analyzing the sequence numbers by the order the SYN/ACK packets were received
# Guessing with most frequent difference 0
# seq[0] = 635657064, seq[1] = 1774421352, actual diff = 1138764288, freqDiff = 0
# seq[1] = 1774421352, seq[2] = 635657064, actual diff = -1138764288, freqDiff = 0
# seq[2] = 635657064, seq[3] = 3801944424, actual diff = -1128679936, freqDiff = 0
# seq[3] = 3801944424, seq[4] = 635657064, actual diff = 1128679936, freqDiff = 0
# seq[4] = 635657064, seq[5] = 635657064, actual diff = 0, freqDiff = 0
# seq[5] = 635657064, seq[6] = 3801944424, actual diff = -1128679936, freqDiff = 0
# seq[6] = 3801944424, seq[7] = 1956262121, actual diff = -1845682303, freqDiff = 0
# seq[7] = 1956262121, seq[8] = 2487285466, actual diff = 531023345, freqDiff = 0
# seq[8] = 2487285466, seq[9] = 2487285466, actual diff = 0, freqDiff = 0
# seq[9] = 2487285466, seq[10] = 4010195418, actual diff = 1522909952, freqDiff = 0
# seq[10] = 4010195418, seq[11] = 2050126938, actual diff = -1960068480, freqDiff = 0
# seq[11] = 2050126938, seq[12] = 2786214362, actual diff = 736087424, freqDiff = 0
# seq[12] = 2786214362, seq[13] = 315578330, actual diff = 1824331264, freqDiff = 0
# seq[13] = 315578330, seq[14] = 621582170, actual diff = 306003840, freqDiff = 0
# seq[14] = 621582170, seq[15] = 1847059930, actual diff = 1225477760, freqDiff = 0
# seq[15] = 1847059930, seq[16] = 1485862362, actual diff = -361197568, freqDiff = 0
# seq[16] = 1485862362, seq[17] = 224591066, actual diff = -1261271296, freqDiff = 0
# seq[17] = 224591066, seq[18] = 3847099610, actual diff = -672458752, freqDiff = 0
# seq[18] = 3847099610, seq[19] = 4249765210, actual diff = 402665600, freqDiff = 0
# seq[19] = 4249765210, seq[20] = 3617446746, actual diff = -632318464, freqDiff = 0
# seq[20] = 3617446746, seq[21] = 4032084826, actual diff = 414638080, freqDiff = 0
# seq[21] = 4032084826, seq[22] = 1794507994, actual diff = 2057390464, freqDiff = 0
# seq[22] = 1794507994, seq[23] = 246642906, actual diff = -1547865088, freqDiff = 0
# seq[23] = 246642906, seq[24] = 2681935194, actual diff = -1859675008, freqDiff = 0
# seq[24] = 2681935194, seq[25] = 578229210, actual diff = -2103705984, freqDiff = 0
# seq[25] = 578229210, seq[26] = 2399872858, actual diff = 1821643648, freqDiff = 0
# seq[26] = 2399872858, seq[27] = 2355487706, actual diff = -44385152, freqDiff = 0
# seq[27] = 2355487706, seq[28] = 1315568090, actual diff = -1039919616, freqDiff = 0
aaa.bbb.ccc.ddd: Most frequent guess (SYN sent order): 2 out of 28 (7.143%)
# Guessing with minimum difference 0
# seq[0] = 635657064, seq[1] = 1774421352, actual diff = 1138764288, minDiff = 0
# seq[1] = 1774421352, seq[2] = 635657064, actual diff = -1138764288, minDiff = 0
# seq[2] = 635657064, seq[3] = 3801944424, actual diff = -1128679936, minDiff = 0
# seq[3] = 3801944424, seq[4] = 635657064, actual diff = 1128679936, minDiff = 0
# seq[4] = 635657064, seq[5] = 635657064, actual diff = 0, minDiff = 0
# seq[5] = 635657064, seq[6] = 3801944424, actual diff = -1128679936, minDiff = 0
# seq[6] = 3801944424, seq[7] = 1956262121, actual diff = -1845682303, minDiff = 0
# seq[7] = 1956262121, seq[8] = 2487285466, actual diff = 531023345, minDiff = 0
# seq[8] = 2487285466, seq[9] = 2487285466, actual diff = 0, minDiff = 0
# seq[9] = 2487285466, seq[10] = 4010195418, actual diff = 1522909952, minDiff = 0
# seq[10] = 4010195418, seq[11] = 2050126938, actual diff = -1960068480, minDiff = 0
# seq[11] = 2050126938, seq[12] = 2786214362, actual diff = 736087424, minDiff = 0
# seq[12] = 2786214362, seq[13] = 315578330, actual diff = 1824331264, minDiff = 0
# seq[13] = 315578330, seq[14] = 621582170, actual diff = 306003840, minDiff = 0
# seq[14] = 621582170, seq[15] = 1847059930, actual diff = 1225477760, minDiff = 0
# seq[15] = 1847059930, seq[16] =
1485862362, \
    actual diff = -361197568, minDiff = 0
# seq[16] = 1485862362, seq[17] = 224591066, \
    actual diff = -1261271296, minDiff = 0
# seq[17] = 224591066, seq[18] = 3847099610, \
    actual diff = -672458752, minDiff = 0
# seq[18] = 3847099610, seq[19] = 4249765210, \
    actual diff = 402665600, minDiff = 0
# seq[19] = 4249765210, seq[20] = 3617446746, \
    actual diff = -632318464, minDiff = 0
# seq[20] = 3617446746, seq[21] = 4032084826, \
    actual diff = 414638080, minDiff = 0
# seq[21] = 4032084826, seq[22] = 1794507994, \
    actual diff = 2057390464, minDiff = 0
# seq[22] = 1794507994, seq[23] = 246642906, \
    actual diff = -1547865088, minDiff = 0
# seq[23] = 246642906, seq[24] = 2681935194, \
    actual diff = -1859675008, minDiff = 0
# seq[24] = 2681935194, seq[25] = 578229210, \
    actual diff = -2103705984, minDiff = 0
# seq[25] = 578229210, seq[26] = 2399872858, \
    actual diff = 1821643648, minDiff = 0
# seq[26] = 2399872858, seq[27] = 2355487706, \
    actual diff = -44385152, minDiff = 0
# seq[27] = 2355487706, seq[28] = 1315568090, \
    actual diff = -1039919616, minDiff = 0
aaa.bbb.ccc.ddd: Minimum guess (SYN sent order): \
    2 out of 28 (7.143%)

--
Matthias Schuendehuette <msch@snafu.de>
Solmsstrasse 44, D-10961 Berlin, Germany
Engineering Systems Support and Operation (Powered by FreeBSD 4.5-PRERELEASE)

From owner-freebsd-security Tue Jan 8 13:14:22 2002
Date: Tue, 8 Jan 2002 15:16:53 +0000 (GMT)
From: Mike Silbersack
To: Matthias Schuendehuette
Cc: freebsd-stable@freebsd.org
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID: <20020108151125.S34973-100000@patrocles.silby.com>

On Tue, 8 Jan 2002, Matthias Schuendehuette wrote:

> Hello everybody,
>
> On Tuesday, 8 January 2002 04:41, you wrote:
> > My experience with ISS is that it tends to report false positives
> > quite often. For example, we are still scratching our heads when it
> > reports ISS problems for an IRIX box running Apache.
>
> Now we have the ability to look a bit behind the scenes...
>
> I got the section of the Scan-Logfile which concerns the TCP-Sequence
> Prediction Test. I hope it's anonymized enough - 'aaa.bbb.ccc.ddd' is
> the FreeBSD 4.5-PRERELEASE box and 'www.xxx.yyy.zzz' is the scanning
> machine.
>
> I hope that some of the TCP/IP gurus will have a look at it and draw
> (and let me/us know) a conclusion from that.
>
> What I suppose I see are some irregularly distributed right guesses of
> the TCP sequence number, of which I really cannot imagine creating an
> exploit - but I'm all but a hacker :-)

I'm not really sure anything is wrong here. The duplicate sequence numbers
you are seeing are due to the syn cookie code working as expected. While
the values are duplicated for you, they should not be guessable by anyone
else. If you'd like to go back to random ISNs, you can simply set
net.inet.tcp.syncookies=0. Security is probably comparable in either case.

So, ISS is right in that sequence numbers are repeating, but wrong in that
they are predictable.
The authors of ISS should probably sit down and try to modify their
detection so that it detects RFC 1948 and syncookie generated sequence
numbers as distinct from other classes.

Mike "Silby" Silbersack

From owner-freebsd-security Tue Jan 8 14:49:55 2002
Message-ID: <150643-22002128224821290@hotmail.com>
From: ""
To: "security@freebsd.org"
Subject: My résumé for your consideration.
Date: Tue, 8 Jan 2002 20:48:21 -0200

Good morning!!

Below is a link to my résumé for your consideration.
http://www25.brinkster.com/flavio13/
I would appreciate it being forwarded to the person responsible. Thank you
very much.

Sincerely,
Flávio F. de Souza
http://www25.brinkster.com/flavio13/

From owner-freebsd-security Tue Jan 8 14:50:24 2002
Message-ID: <214795-22002128224838810@hotmail.com>
From: ""
To: "freebsd-security@freebsd.org"
Subject: My résumé for your consideration.
Date: Tue, 8 Jan 2002 20:48:38 -0200

Good morning!!

Below is a link to my résumé for your consideration.
http://www25.brinkster.com/flavio13/
I would appreciate it being forwarded to the person responsible. Thank you
very much.

Sincerely,
Flávio F. de Souza
http://www25.brinkster.com/flavio13/

From owner-freebsd-security Tue Jan 8 16:30:51 2002
From: "jack xiao"
Subject: isakmpd configuration
Date: Tue, 8 Jan 2002 19:31:48 -0500
Hi,

I am going to set up two IPSec tunnels. One is 192.168.100.0/24 -
10.10.11.0/24, the other is 192.168.100.0/24 - 172.30.1.0/24. The diagram
is like the following; 216.95.234.162 and 216.95.234.110 are two VPN
gateways.

                                                          |--------- 10.10.11.0/24
192.168.100.0/24-----216.95.234.162-----------------------216.95.234.110
                                                          |---------- 172.30.1.0/24

I set in isakmpd.conf something like the following,

[Phase 1]
216.95.234.110=  VPN-11

[Phase 2]
Connections=    VPN-12,VPN-22

[VPN-11]
Phase=   1
Transport=  udp
Local-address=  216.95.234.162
Address= 216.95.234.110
Configuration=  Default-main-mode
Authentication=  qqqqqqqq

[VPN-12]
Phase=   2
ISAKMP-peer=  VPN-11
Configuration=  Default-quick-mode
Local-ID=  Net-local-01
Remote-ID= Net-remote-01

[Net-local-01]
ID-type=  IPV4_ADDR_SUBNET
Network=  192.168.100.0
Netmask=  255.255.255.0

[Net-remote-01]
ID-type=  IPV4_ADDR_SUBNET
Network=  10.10.11.0
Netmask=  255.255.255.0

[VPN-22]
Phase=   2
ISAKMP-peer=  VPN-11
Configuration=  Default-quick-mode
Local-ID=  Net-local-02
Remote-ID= Net-remote-02

[Net-local-02]
ID-type=  IPV4_ADDR_SUBNET
Network=  192.168.100.0
Netmask=  255.255.255.0

[Net-remote-02]
ID-type=  IPV4_ADDR_SUBNET
Network=  172.30.1.0
Netmask=  255.255.255.0

Is it correct? It doesn't seem to work properly. Any ideas will be
appreciated.

Thanks a lot!

Jack

From owner-freebsd-security Tue Jan 8 17:30:32 2002
Message-ID: <20020109013014.57371.qmail@web11807.mail.yahoo.com>
Date: Tue, 8 Jan 2002 17:30:14 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: Ian Smith
Cc: "G.P. de Boer", security@FreeBSD.ORG, Dave Raven

Guys,

So, I've read through all the great advice from this list, and cooked up
something that works quite well, but I still have a mystery.
I hope this is not too off topic; the thread is veering away from security
a bit. I would post to questions@bsd.org but we are getting a bit deep, and
I honestly don't know if it is my ipfw rule set that is messing me up, NAT
or my named.conf.

I have set up named, and I am attempting to verify that my nameserver is
available outside my machine, so that I can set up an arrangement with a
friend to trade secondaries. I have been attempting to use nslookup, and
dig, from another machine on a different ISP. Both nslookup and dig time
out, and nothing in particular shows up in the log via my final logging
rule, #999. I get the same behavior with the default "open" ruleset as with
mine, so in truth I do not think ipfw is the problem.

So, here are my questions, and the current behavior:

Question 1: Is there another way I can verify that my DNS server is
accessible externally, and available to be authoritative on a domain?
Naturally making the change at Veri$ign/Network Solutions and getting my
friend involved and set up as a secondary, when I am not sure if it will
work or not, is a bit of a pain.

Q 2: My IT buddy at work thinks that requests from clients like nslookup
and dig use a different port, or something odd like that, perhaps ICMP;
he's not sure. Our company's servers *are* authoritative on domains, and
also exhibit this behavior: they cannot be accessed from another machine
via dig or nslookup, even though the machines can ping one another. So,
perhaps it doesn't matter. It certainly is a nice way to troubleshoot and
find out quickly how your DNS server is behaving.

Q 3: Is there any reason I should enhance this ruleset with stateful rules,
or is the "setup" keyword sufficient to prevent any shenanigans?

Q 4: Any other suggestions?

Current conditions and behavior:

Server 1: My machine
Server 2: My friend's box, on another ISP, subnet etc.

- I cannot access Server 1 from Server 2 via nslookup or dig.
- My machine is behind NAT via a Cisco router. As far as I know it is
  running wide open, with a direct pass-through from my dedicated internal
  IP to my dedicated external IP.
- I have named running, as a master, and I have specified it in my
  resolv.conf, i.e. 127.0.0.1.
- I can get name resolution internally, via nslookup, dig, lynx, apache
  etc. named seems fully functional from the inside.
- I can ping between the two machines in both directions.
- If I specify the ever reliable ns1.cisco.com via nslookup and dig, while
  on Server 2, I can get an answer, so there is no problem with Server 2's
  setup, network access, firewall etc., or the commands I am issuing to dig
  and nslookup.
- I get the same behavior with my custom rule set and with the default
  "open" rule set. So, I do *not* actually think that the ipfw ruleset is
  the problem.
- If I run tcpdump -en host {Server 2 host} I get this output while
  attempting to make a request for yahoo.com via nslookup from Server 2: I
  can see the request coming in via port 53, and an attempt to reply to
  Server 2 going out via port 53.
- All the services specified with a comment are really running. You can
  take my word about the weird stuff, it all works. I just did not post a
  complete list of services in my initial question to keep things clearer
  ;-)

Here is the output of ipfw list:

00100 allow ip from any to any via lo0
00150 allow ip from any to any via xl0     <<-- I added this one
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00500 allow tcp from any to any established
00501 allow ip from any to any frag
00502 allow tcp from any to 10.1.3.2 25 setup
00503 allow tcp from any to 10.1.3.2 22 setup
00504 allow tcp from any to 10.1.3.2 80 setup
00505 allow tcp from any to 10.1.3.2 21 setup
00506 allow tcp from any to 10.1.3.2 110 setup
00507 allow tcp from any to 10.1.3.2 554 setup
00508 allow tcp from any to 10.1.3.2 7070 setup
00509 allow tcp from any to 10.1.3.2 8008 setup
00510 allow tcp from any to 10.1.3.2 8009 setup
00511 allow tcp from any to 10.1.3.2 7007 setup
00512 allow tcp from any to 10.1.3.2 7008 setup
00513 allow tcp from any to 10.1.3.2 53 setup
00514 allow udp from any to 10.1.3.2 53
00515 allow udp from 10.1.3.2 53 to any
00516 allow tcp from 205.173.176.10 53 to 10.1.3.2 setup
00517 allow udp from 205.173.176.10 53 to 10.1.3.2
00518 allow udp from 10.1.3.2 to any
00519 allow tcp from 10.1.3.2 to any setup
00520 allow icmp from any to any
00999 deny log ip from any to any
65535 deny ip from any to any

Here is my ruleset:

############
# Rule set built by jason last edited 2/1/01
# I do not exactly know what I am doing ;-)
############

# set these to your network and netmask and ip
net="10.1.3.0"
mask="255.255.255.0"
ip="10.1.3.2"

# Allow TCP through if setup succeeded
${fwcmd} add 500 pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add 501 pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add 502 pass tcp from any to ${ip} 25 setup

# Allow incoming SSH requests
${fwcmd} add 503 pass tcp from any to ${ip} 22 setup

# Allow incoming HTTP requests
${fwcmd} add 504 pass tcp from any to ${ip} 80 setup

# Allow incoming FTP requests
${fwcmd} add 505 pass tcp from any to ${ip} 21 setup

# Allow incoming POP requests
${fwcmd} add 506 pass tcp from any to ${ip} 110 setup

# Allow incoming Darwin requests (also uses port 80)
${fwcmd} add 507 pass tcp from any to ${ip} 554 setup
${fwcmd} add 508 pass tcp from any to ${ip} 7070 setup

# Allow incoming Shoutcast requests
${fwcmd} add 509 pass tcp from any to ${ip} 8008 setup
${fwcmd} add 510 pass tcp from any to ${ip} 8009 setup
${fwcmd} add 511 pass tcp from any to ${ip} 7007 setup
${fwcmd} add 512 pass tcp from any to ${ip} 7008 setup

# Allow DNS queries out and in when I am using 127.0.0.1
${fwcmd} add 513 pass tcp from any to ${ip} 53 setup
${fwcmd} add 514 pass udp from any to ${ip} 53
${fwcmd} add 515 pass udp from ${ip} 53 to any

# Allow my DNS server in and out when not using 127.0.0.1
${fwcmd} add 516 pass tcp from xxx.xxx.xxx.xx 53 to ${ip} setup
${fwcmd} add 517 pass udp from xxx.xxx.xxx.xx 53 to ${ip}

# Allow outgoing UDP
${fwcmd} add 518 pass udp from ${ip} to any

# Allow setup of outgoing TCP connections
${fwcmd} add 519 pass tcp from ${ip} to any setup

# Allow ICMP out and in
${fwcmd} add 520 pass icmp from any to any

# Disallow setup of all other IP connections
${fwcmd} add 999 deny log ip from any to any

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;

So, my knowledgeable fellow geeks, any ideas? Thanks much in advance, I
think I'm close here.

Jason
From owner-freebsd-security Tue Jan 8 17:36:17 2002
Message-ID: <023701c198ae$0286ba80$0200a8c0@testuser>
From: "Marcel Dijk"
Subject: allowing outbound connections
Date: Wed, 9 Jan 2002 02:36:01 +0100

Hello,

Is it (very) dangerous to allow all outgoing connections? I have IPFW
running which restricts what is going into the server/LAN from the
internet. But it does not restrict what is going to the internet from
within my LAN.

Is this potentially dangerous, with regards to viruses (or virii?) and
trojans?

This has puzzled me for some time now.

Greets,

Marcel
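Jason's `ipfw list` output above and Marcel's question both come down to what a stateless, first-match rule list actually lets through. The following is an added example, not code from either poster or from FreeBSD: it parses the rule list exactly as Jason posted it, walks constructed packets through it in order (203.0.113.5 is a stand-in for the remote box; the semantics of `setup`, `established`, `frag` and `via` follow ipfw(8) as modelled here, with `log` parsed but not acted on), and reports the rule that fires. Three things fall out: rule 150 short-circuits the entire list for anything on xl0, so the rules below it are never consulted; `established` passes any TCP segment carrying ACK or RST whether or not a connection exists, which is why stateful rules (Jason's question 3) exist; and rules 518/519 pass every outbound UDP datagram and TCP connection from the host, which is exactly Marcel's concern.

```python
import ipaddress
import re

# The ruleset exactly as printed by `ipfw list` in Jason's message.
RULESET = """\
00100 allow ip from any to any via lo0
00150 allow ip from any to any via xl0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00500 allow tcp from any to any established
00501 allow ip from any to any frag
00502 allow tcp from any to 10.1.3.2 25 setup
00503 allow tcp from any to 10.1.3.2 22 setup
00504 allow tcp from any to 10.1.3.2 80 setup
00505 allow tcp from any to 10.1.3.2 21 setup
00506 allow tcp from any to 10.1.3.2 110 setup
00507 allow tcp from any to 10.1.3.2 554 setup
00508 allow tcp from any to 10.1.3.2 7070 setup
00509 allow tcp from any to 10.1.3.2 8008 setup
00510 allow tcp from any to 10.1.3.2 8009 setup
00511 allow tcp from any to 10.1.3.2 7007 setup
00512 allow tcp from any to 10.1.3.2 7008 setup
00513 allow tcp from any to 10.1.3.2 53 setup
00514 allow udp from any to 10.1.3.2 53
00515 allow udp from 10.1.3.2 53 to any
00516 allow tcp from 205.173.176.10 53 to 10.1.3.2 setup
00517 allow udp from 205.173.176.10 53 to 10.1.3.2
00518 allow udp from 10.1.3.2 to any
00519 allow tcp from 10.1.3.2 to any setup
00520 allow icmp from any to any
00999 deny log ip from any to any
65535 deny ip from any to any
"""

# Only the syntax that appears above is modelled: action, protocol,
# src/dst with an optional port, and the setup/established/frag/via options.
RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny)(?P<log> log)? (?P<proto>ip|tcp|udp|icmp)"
    r" from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))?"
    r"(?P<opts>(?: (?:setup|established|frag|via \S+))*)$")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        opts = m.group("opts").split()
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["log"] = r["log"] is not None
        r["via"] = opts[opts.index("via") + 1] if "via" in opts else None
        for flag in ("setup", "established", "frag"):
            r[flag] = flag in opts
        rules.append(r)
    return rules

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(r, p):
    f = p["flags"]
    return all([
        r["proto"] in ("ip", p["proto"]),
        addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"]),
        not r["sport"] or int(r["sport"]) == p["sport"],
        not r["dport"] or int(r["dport"]) == p["dport"],
        not r["via"] or r["via"] == p["iface"],
        not r["frag"] or p["frag"],                              # non-first fragments only
        not r["setup"] or ("syn" in f and "ack" not in f),       # SYN without ACK
        not r["established"] or bool(f & {"ack", "rst"}),        # ACK or RST; no state kept
    ])

def first_match(rules, p):
    """Return (rule number, action) of the first rule that matches packet p."""
    for r in rules:
        if rule_matches(r, p):
            return r["num"], r["action"]
    raise AssertionError("rule 65535 should always match")

def pkt(proto, src, sport, dst, dport, flags=(), iface="xl0", frag=False):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "iface": iface, "frag": frag}

ME = "10.1.3.2"        # Jason's box, taken from the ruleset
PEER = "203.0.113.5"   # constructed stand-in for the remote nameserver

def demo(rules):
    """Trace the packets the two threads talk about through the rule list."""
    cases = {
        "inbound DNS query": pkt("udp", PEER, 41000, ME, 53),
        "outbound DNS reply": pkt("udp", ME, 53, PEER, 41000),
        "inbound SYN to port 23": pkt("tcp", PEER, 41001, ME, 23, {"syn"}),
        "inbound ACK-only to port 23": pkt("tcp", PEER, 41002, ME, 23, {"ack"}),
        "outbound SYN to port 6667": pkt("tcp", ME, 41003, PEER, 6667, {"syn"}),
    }
    return {name: first_match(rules, p) for name, p in cases.items()}

if __name__ == "__main__":
    rules = parse_rules(RULESET)
    print("with rule 150:   ", demo(rules))
    print("without rule 150:", demo([r for r in rules if r["num"] != 150]))
```

With rule 150 in place every one of the five packets is accepted by rule 150; with it removed, the DNS query and reply hit 514 and 515, the bare SYN to port 23 is logged and dropped by 999, the ACK-only segment to the same closed port is accepted by 500, and the outbound SYN to port 6667 is accepted by 519.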
------=_NextPart_000_0234_01C198B6.60D1B330-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 8 18:29:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from newjack.dahomelands.net (ct470290-a.nblvil1.in.home.com [24.178.188.165]) by hub.freebsd.org (Postfix) with ESMTP id A722037B402 for ; Tue, 8 Jan 2002 18:29:49 -0800 (PST) Received: from konundrum.org (localhost [127.0.0.1]) by newjack.dahomelands.net (8.11.6/8.11.4) with SMTP id g092SP530426 for ; Tue, 8 Jan 2002 21:28:25 -0500 Received: from p733.as1.exs.dublin.eircom.net ([159.134.226.221]) (SquirrelMail authenticated user schrodinger) by webmail.konundrum.org with HTTP; Wed, 9 Jan 2002 02:28:25 -0000 (GMT) Message-ID: <1259.159.134.226.221.1010543305.squirrel@webmail.konundrum.org> Date: Wed, 9 Jan 2002 02:28:25 -0000 (GMT) Subject: MD5 > Blowfish From: "Schrodinger" To: security@freebsd.org X-Mailer: SquirrelMail (version 1.0.6) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I saw that the encryption can be changed by editing the /etc/login.conf and changing the ":passwd_format=des:\" to ":passwd_format:md5:\" can the same be done to change from md5 to blowfish. Do I just edit the login.conf? I know that alot of this has been covered already but my mail server went down and I missed somethings. Thnk You. -- http://konundrum.org/ -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d--- s++:++ a--- C+++ UB++ P+ L- E--- W+++ N o-- K- w--- O- M-- V-- PS+++ PE Y+ PGP++ t++ 5 X++ R tv++ b- DI- D+ G e- h! 
r- y++
------END GEEK CODE BLOCK------

From owner-freebsd-security Tue Jan 8 18:40:45 2002
Date: Tue, 8 Jan 2002 18:40:30 -0800
From: Erick Mechler
To: Schrodinger
Cc: security@FreeBSD.ORG
Subject: Re: MD5 > Blowfish

From login.conf(5):

    passwd_format   string   md5   The encryption format that new or changed
                                   passwords will use. Valid values include
                                   "des", "md5" and "blf". NIS clients using
                                   a non-FreeBSD NIS server should probably
                                   use "des".

...where 'blf' stands for Blowfish. Make sure you run 'cap_mkdb /etc/login.conf' after you edit the file.

BTW, I'm not sure when this was introduced; the machine I'm getting this info from is a 4.4-STABLE machine from mid-October.

Cheers - Erick

At Wed, Jan 09, 2002 at 02:28:25AM -0000, Schrodinger said this:
:: I saw that the encryption can be changed by editing the /etc/login.conf and
:: changing the ":passwd_format=des:\" to ":passwd_format:md5:\" can the same
:: be done to change from md5 to blowfish. Do I just edit the login.conf? I
:: know that a lot of this has been covered already but my mail server went down
:: and I missed some things. Thank you.

From owner-freebsd-security Tue Jan 8 19:20:48 2002
Date: Wed, 9 Jan 2002 03:20:40 +0000
From: Rik
To: security@FreeBSD.ORG
Subject: Re: MD5 > Blowfish

On Tue, Jan 08, 2002 at 06:40:30PM -0800, Erick Mechler wrote:
> passwd_format string md5 The encryption format that new or

I still haven't worked out where you set the number of rounds to use with blowfish encryption. On OpenBSD this was a setting in login.conf (iirc). Where do I set it on FreeBSD?
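Editing login.conf and running cap_mkdb only affects passwords set from then on, so the question of which format an account really uses is answered by its hash, not by login.conf. The prefix of the crypt(3) string identifies the format ($1$ for MD5, $2a$ for Blowfish, a bare 13-character string for DES), and for Blowfish the cost, the log2 of the round count Rik asks about, is recorded in the hash itself as the $2a$NN$ field. The script below is an added example and not code from the thread: it classifies every hash in a master.passwd-style file, reports the Blowfish cost where present, reads passwd_format for a login class from login.conf, and flags a login.conf.db that is older than login.conf (the cap_mkdb step Erick mentions). The sample accounts, their hash strings and the sample login.conf are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the list thread): audit password hash formats and
# the login.conf / login.conf.db state.  All sample data below is constructed.

# Classify one crypt(3) hash string by its prefix.
#   $1$ -> md5, $2a$ (or the later $2b$) -> blf, ""/"*"/"!" -> locked,
#   13 characters with no prefix -> des, anything else -> unknown.
hash_format() {
    case "$1" in
        '$1$'*)            echo md5 ;;
        '$2a$'*|'$2b$'*)   echo blf ;;
        ''|'*'*|'!'*)      echo locked ;;
        *)  if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# For a Blowfish hash "$2a$NN$..." print the cost NN; nothing for other formats.
blf_cost() {
    case "$1" in
        '$2a$'*|'$2b$'*) echo "$1" | cut -d'$' -f3 ;;
    esac
}

# One "user format [cost]" line per account.  master.passwd fields are
# name:password:uid:gid:class:change:expire:gecos:home:shell
audit_master_passwd() {
    while IFS=: read -r name hash _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        fmt=$(hash_format "$hash")
        cost=$(blf_cost "$hash")
        echo "$name $fmt${cost:+ $cost}"
    done < "$1"
}

# Number of accounts whose hash is in format $2 (des, md5, blf, locked, unknown).
count_format() {
    audit_master_passwd "$1" | awk -v f="$2" '$2 == f { n++ } END { print n+0 }'
}

# passwd_format of login class $2 in login.conf $1.  Backslash-continued lines
# are joined into one capability record first.  Prints "md5" when the class
# sets nothing, since that is the default shown in the login.conf(5) excerpt.
login_conf_passwd_format() {
    awk -v class="$2" '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        {
            rec = buf $0; buf = ""
            n = split(rec, f, ":")
            if (f[1] == class)
                for (i = 2; i <= n; i++)
                    if (f[i] ~ /^[ \t]*passwd_format=/) {
                        sub(/^[ \t]*passwd_format=/, "", f[i]); print f[i]; found = 1
                    }
        }
        END { if (!found) print "md5" }' "$1"
}

# True when cap_mkdb still has to be run: login.conf.db missing or older
# than login.conf.
login_conf_db_stale() {
    [ ! -e "$1.db" ] || [ "$1" -nt "$1.db" ]
}

# Write constructed sample files into directory $1 (placeholder hashes only).
write_samples() {
    cat > "$1/master.passwd" <<'EOF'
# constructed sample: hash strings are placeholders shaped like the real formats
root:$1$XXXXXXXX$placeholdermd5hashvalue0:0:0::0:0:Charlie &:/root:/bin/csh
alice:XXdesplacehol:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$08$placeholderbcryptsaltandhashvalue0000000000000000000:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
EOF
    cat > "$1/login.conf" <<'EOF'
# constructed sample login.conf
default:\
    :passwd_format=blf:\
    :welcome=/etc/motd:

staff:\
    :passwd_format=md5:\
    :tc=default:
EOF
}

# Usage: sh audit.sh /etc/master.passwd /etc/login.conf
if [ $# -eq 2 ]; then
    audit_master_passwd "$1"
    echo "login.conf passwd_format (default class): $(login_conf_passwd_format "$2" default)"
    if login_conf_db_stale "$2"; then echo "login.conf.db is stale: run cap_mkdb $2"; fi
fi
```

Accounts that still show "des" after the switch simply have not had their password changed since; their hashes are rewritten in the new format the next time passwd(1) (or pw) sets a password for them.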
rik

-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Tue Jan 8 21:00:18 2002
Date: Tue, 8 Jan 2002 22:59:59 -0600
From: Rob Andrews
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: question about pw, cracklib, & passwd

I was wondering if there was a way to use pw like edquota, where you can effect changes to groups of users or all users on, say, something like password expire times. I'm wanting to basically have pw set an expire on all user passwords to force a password change next login.

Also, I know cracklib is in the ports collection, however I was unable to find any documentation installed on the system to show how one would go about setting up passwd on FreeBSD to use cracklib to force users to have to be more creative with their passwords (or at the very least attempt to encourage them to do so).

Any help would be appreciated as always :)

Rob Andrews
Cyberpunk Alliance
http://cyberpunkz.org/

From owner-freebsd-security Wed Jan 9 0:38:53 2002
Date: Wed, 9 Jan 2002 11:37:10 +0300
From: "Yuri Muhitov"
To: security@FreeBSD.ORG
Subject: RE: Help with ipfw rules to allow DNS queries through

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of X Philius
> Sent: Wednesday, January 09, 2002 4:30 AM
> To: Ian Smith
> Cc: G.P. de Boer; security@FreeBSD.ORG; Dave Raven
> Subject: Re: Help with ipfw rules to allow DNS queries through

Advice: Turn off firewall while debugging your DNS setup.

Question: Did somebody register your zone and name server (so, did you get your nameserver authoritative for zone)?

Take a look at this (RFC 1033 DOMAIN ADMINISTRATORS OPERATIONS GUIDE):

    ADDING A SUBDOMAIN

    To add a new subdomain to your domain:

    Setup the other domain server and/or the new zone file.
    Add an NS record for each server of the new domain to the zone file
    of the parent domain.
    Add any necessary glue RRs.
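The two RFC 1033 steps Yuri quotes (NS records for the subdomain in the parent zone, plus glue A records for name servers whose names lie inside the delegated subdomain) can be checked on the parent's zone file before the firewall is even suspected. The script below is an added example, not something from the thread; it assumes a zone file written one record per line with fully-qualified, dot-terminated owner names and no $ORIGIN shorthand, and the zone contents it writes are constructed (example.com delegating sub.example.com).

```sh
#!/bin/sh
# Added example (not from the list thread): verify a subdomain delegation in
# a parent zone file: NS records present, and a glue A record for every
# in-bailiwick name server.  Sample zone data is constructed.

# Print the name servers delegated for subdomain $2 (no trailing dot) in zone
# file $1.  Records are one per line: owner [ttl] [class] type rdata...
delegation_ns() {
    awk -v dn="$(printf '%s.' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t;$]/ { next }                       # comments, $TTL/$ORIGIN, continuations
        {
            owner = tolower($1)
            for (i = 2; i < NF; i++)
                if (tolower($i) == "ns" && owner == dn) { print tolower($(i+1)); break }
        }' "$1"
}

# True when zone file $1 carries an A record for name $2 (lowercase, dotted).
has_a_record() {
    awk -v name="$2" '
        /^[ \t;$]/ { next }
        tolower($1) == name { for (i = 2; i <= NF; i++) if (tolower($i) == "a") found = 1 }
        END { exit !found }' "$1"
}

# Name servers of subdomain $2 whose own name is inside $2 need glue in the
# parent; print each such name that has no A record in zone file $1.
missing_glue() {
    zone=$1; dn=$(printf '%s.' "$2" | tr 'A-Z' 'a-z')
    delegation_ns "$zone" "$2" | while read -r ns; do
        case "$ns" in
            *".$dn") if ! has_a_record "$zone" "$ns"; then echo "$ns"; fi ;;
        esac
    done
}

# Summarise the delegation; exit 1 when it is absent or glue is missing.
check_delegation() {
    n=$(delegation_ns "$1" "$2" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no NS records for $2 in $1: subdomain is not delegated"; return 1
    fi
    missing=$(missing_glue "$1" "$2")
    if [ -n "$missing" ]; then
        echo "$2: $n NS record(s), but no glue A record for:"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "$2: $n NS record(s), glue complete"
}

# Constructed parent zone: two in-bailiwick servers, one of them without glue.
write_sample_zone() {
    cat > "$1" <<'EOF'
; constructed parent zone for example.com delegating sub.example.com
$TTL 86400
example.com.            IN SOA ns1.example.com. hostmaster.example.com. 2002010901 3600 900 604800 86400
example.com.            IN NS  ns1.example.com.
ns1.example.com.        IN A   192.0.2.1
sub.example.com.        IN NS  ns1.sub.example.com.
sub.example.com.        IN NS  ns2.sub.example.com.
sub.example.com.        IN NS  ns.other.net.
ns1.sub.example.com.    IN A   192.0.2.53
EOF
}

# Usage: sh check-delegation.sh /etc/namedb/example.com.zone sub.example.com
if [ $# -eq 2 ]; then
    check_delegation "$1" "$2"
fi
```

On the constructed zone the check reports ns2.sub.example.com. as lacking glue, while ns.other.net. is left alone because a resolver can look it up through the other.net delegation without help from this zone.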
Yuri

From owner-freebsd-security Wed Jan 9 1:26:39 2002
Date: Wed, 9 Jan 2002 10:26:23 +0100 (CET)
From: Hakan Olsson
To: jack xiao
Cc: tech@openbsd.org
Subject: Re: isakmpd configuration

(Cc:ed to freebsd-security@FreeBSD.ORG? Ok, whatever...)

On Tue, 8 Jan 2002, jack xiao wrote:

...
> I am going to set up two IPSec tunnels. One is 192.168.100.0/24 -
> 10.10.11.0/24, the other is 192.168.100.0/24 - 172.30.1.0/24. The
> diagram is like the following, 216.95.234.162 and 216.95.234.110 are
> two VPN gateways.
...
> I set in the isakmpd.conf as something like the following,
>
> [Phase 1]
> 216.95.234.110= VPN-11
>
> [Phase 2]
> Connections= VPN-12,VPN-22

Correct.

> [VPN-11]
> Phase= 1
> Transport= udp
> Local-address= 216.95.234.162
> Address= 216.95.234.110
> Configuration= Default-main-mode
> Authentication= qqqqqqqq

You need to define the [Default-main-mode] section as per the examples.

> [VPN-12]
> Phase= 2
> ISAKMP-peer= VPN-11
> Configuration= Default-quick-mode
> Local-ID= Net-local-01
> Remote-ID= Net-remote-01

Ditto, [Default-quick-mode].

> [Net-local-01]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.100.0
> Netmask= 255.255.255.0
>
> [Net-remote-01]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.10.11.0
> Netmask= 255.255.255.0
>
> [VPN-22]
> Phase= 2
> ISAKMP-peer= VPN-11
> Configuration= Default-quick-mode
> Local-ID= Net-local-02
> Remote-ID= Net-remote-02

You can simply re-use 'Net-local-01' for Local-ID here. Even though defining and using an identical ...

> [Net-local-02]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.100.0
> Netmask= 255.255.255.0

... is perfectly ok, it's not really required.

> [Net-remote-02]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.30.1.0
> Netmask= 255.255.255.0
>
> Is it correct? It seems not work fine. Any ideas will be appreciated.

The rest looks fine, AFAICT. I'm sorry to say, however, that as usual you don't specify HOW it "seems not to work fine". Am I supposed to guess?
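Both problems Hakan points out are of the same kind: a section name used as a value (Configuration=, ISAKMP-peer=, Local-ID=, Remote-ID=, the Connections= list, and the peer tags under [Phase 1]) that no [section] in the file defines. That is mechanical to check, and the script below does it as an added example that is not part of the thread. It goes a little beyond Hakan's two cases in that any dangling reference, a misspelled section name included, is reported. The configuration it writes is constructed to mirror the one quoted above (with Hakan's suggestion of reusing Net-local-01 taken), so the expected findings are exactly Default-main-mode and Default-quick-mode; the contents of those two sections are not shown here and must be filled in from isakmpd.conf(5) and its examples.

```sh
#!/bin/sh
# Added example (not from the list thread): report sections referenced in an
# isakmpd.conf but never defined.  The sample configuration is constructed.

# Print "Name (referenced from [Section:Tag])" for every undefined reference
# in isakmpd.conf file $1, sorted by name.  Nothing printed means none found.
isakmpd_undefined_refs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {                                    # [Section] header
            l = index($0, "["); r = index($0, "]")
            sect = substr($0, l + 1, r - l - 1); defined[sect] = 1; next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Every value under [Phase 1] names a peer section; these tags
            # name sections anywhere; Connections is a comma-separated list.
            if (sect == "Phase 1" || key == "Connections" || key == "Configuration" ||
                key == "ISAKMP-peer" || key == "Local-ID" || key == "Remote-ID") {
                n = split(val, parts, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++)
                    if (parts[i] != "" && !(parts[i] in refs)) refs[parts[i]] = sect ":" key
            }
        }
        END {
            for (r in refs) if (!(r in defined))
                print r " (referenced from [" refs[r] "])"
        }' "$1" | sort
}

# Human-readable verdict; exit 1 when anything is undefined.
isakmpd_check() {
    undefined=$(isakmpd_undefined_refs "$1")
    if [ -n "$undefined" ]; then
        echo "$1: sections referenced but never defined:"
        echo "$undefined" | sed 's/^/  /'
        return 1
    fi
    echo "$1: every referenced section is defined"
}

# Constructed sample mirroring the configuration quoted in the thread.
write_sample_isakmpd_conf() {
    cat > "$1" <<'EOF'
[Phase 1]
216.95.234.110= VPN-11

[Phase 2]
Connections= VPN-12,VPN-22

[VPN-11]
Phase= 1
Transport= udp
Local-address= 216.95.234.162
Address= 216.95.234.110
Configuration= Default-main-mode
Authentication= qqqqqqqq

[VPN-12]
Phase= 2
ISAKMP-peer= VPN-11
Configuration= Default-quick-mode
Local-ID= Net-local-01
Remote-ID= Net-remote-01

[Net-local-01]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0

[Net-remote-01]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.11.0
Netmask= 255.255.255.0

[VPN-22]
Phase= 2
ISAKMP-peer= VPN-11
Configuration= Default-quick-mode
Local-ID= Net-local-01
Remote-ID= Net-remote-02

[Net-remote-02]
ID-type= IPV4_ADDR_SUBNET
Network= 172.30.1.0
Netmask= 255.255.255.0
EOF
}

# Usage: sh isakmpd-refs.sh /etc/isakmpd/isakmpd.conf
if [ $# -eq 1 ]; then
    isakmpd_check "$1"
fi
```

The check is purely lexical: it says nothing about whether the defined sections contain the tags isakmpd needs, only that every name used as a reference resolves to some section.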
/H

-- 
Håkan Olsson                  (+46) 708 437 337        Carlstedt Research
Unix, Networking, Security    (+46) 31 701 4264        & Technology AB

From owner-freebsd-security Wed Jan 9 5:54:17 2002
Date: Wed, 09 Jan 2002 05:51:39 -0800
From: Cy Schubert - ITSD Open Systems Group
To: "Alexander N. Kabaev"
Cc: Chris Shenton, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh

In message <3C3A4338.80003@bellatlantic.net>, "Alexander N. Kabaev" writes:
> Could you please try the following patch from OpenBSD CVS and post
> your results here? Who knows, maybe release engineers will consider
> including it into upcoming 4.5-RELEASE if it fixes problem for you :)
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.109.2.1&r2=1.109.2.2

The patch fixes the problem for me.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
FreeBSD UNIX:  cy@FreeBSD.org

From owner-freebsd-security Wed Jan 9 6:14:24 2002
Date: Wed, 9 Jan 2002 06:14:08 -0800 (PST)
From: X Philius
To: muhitov@kostasoft.spb.ru, security@FreeBSD.ORG
Subject: RE: Help with ipfw rules to allow DNS queries through

Yuri,

Is it sufficient to use the default "open" rule set, or do you think I need to swap out my kernel and modules so that I do not have ipfw in the kernel at all? I have compiled the kernel with ipfw and default to deny, so I can't really "turn off" the firewall without swapping kernels.

As far as being authoritative on a domain, I have not gotten to that point yet, but I *think* I have a pretty good handle on that part of the equation. I have some "junk" domains (i.e. no-traffic URLs) that I can practice on once I get everything set up. One of my questions is how to verify that my name server is set up and available externally, without going through the hassle of getting a friend involved to provide secondary, and wrestling with changing settings at my registrar.

Jason

--- Yuri Muhitov wrote:
> Advice: Turn off firewall while debugging your DNS setup.
> Question: Did somebody register your zone and name server (so, did
> you get your nameserver authoritative for zone)?
>
> Take a look at this (RFC 1033 DOMAIN ADMINISTRATORS OPERATIONS GUIDE):
>
> ADDING A SUBDOMAIN
> To add a new subdomain to your domain:
> Setup the other domain server and/or the new zone file.
> Add an NS record for each server of the new domain to the zone file
> of the parent domain.
> Add any necessary glue RRs.
>
> Yuri
From owner-freebsd-security Wed Jan 9 8:43:26 2002
Date: 09 Jan 2002 11:43:09 -0500
From: Chris Shenton
To: Cy Schubert - ITSD Open Systems Group
Cc: "Alexander N. Kabaev", freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh

> In message <3C3A4338.80003@bellatlantic.net>, "Alexander N. Kabaev" writes:
> > Could you please try the following patch from OpenBSD CVS and post
> > your results here? Who knows, maybe release engineers will consider
> > including it into upcoming 4.5-RELEASE if it fixes problem for you :)
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.109.2.1&r2=1.109.2.2
>
> The patch fixes the problem for me.

I feel like a newbie, but I can't tell how to rebuild just the openssh contributed src, rather than the entire OS. Doing a basic make in the dir fails:

    cd /usr/src/crypto/openssh/
    make -k
    ===> lib
    "Makefile", line 21: Malformed conditional ((${KERBEROS:L} == "yes"))
    "Makefile", line 21: Missing dependency operator
    "Makefile", line 23: Malformed conditional ((${AFS:L} == "yes"))
    "Makefile", line 23: Missing dependency operator
    "Makefile", line 26: if-less endif
    "Makefile", line 26: Need an operator
    "Makefile", line 27: if-less endif
    "Makefile", line 27: Need an operator
    make: fatal errors encountered -- cannot continue
    *** Error code 1 (continuing)

    Compilation finished at Wed Jan  9 11:41:53

I expect I need to start somewhere above and specify the right target but I'm out of my depth here. I'll rebuild the OS if needed, just wanted to save time and get an answer back quickly.

Thanks.

From owner-freebsd-security Wed Jan 9 8:56:29 2002
Date: Wed, 9 Jan 2002 11:55:30 -0500
From: Alexander Kabaev
To: Chris Shenton
Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh

> I feel like a newbie, but I can't tell how to rebuild just the openssh
> contributed src, rather than the entire OS. Doing a basic make in the
> dir fails

You should run make in /usr/secure/lib/libssh, /usr/secure/usr.bin/ssh and /usr/secure/usr.sbin/sshd. Or just rebuild and install everything under /usr/secure.
From owner-freebsd-security Wed Jan 9 9:43:55 2002
Date: Wed, 09 Jan 2002 09:42:10 -0800
From: Cy Schubert - ITSD Open Systems Group
To: Chris Shenton
Cc: Cy Schubert - ITSD Open Systems Group, "Alexander N. Kabaev", freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh

In message <87y9j7qxuq.fsf@thanatos.shenton.org>, Chris Shenton writes:
> > In message <3C3A4338.80003@bellatlantic.net>, "Alexander N. Kabaev" writes:
> > > Could you please try the following patch from OpenBSD CVS and post
> > > your results here? Who knows, maybe release engineers will consider
> > > including it into upcoming 4.5-RELEASE if it fixes problem for you :)
> > > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.109.2.1&r2=1.109.2.2
> >
> > The patch fixes the problem for me.
>
> I feel like a newbie, but I can't tell how to rebuild just the openssh
> contributed src, rather than the entire OS. Doing a basic make in the
> dir fails:
>
> cd /usr/src/crypto/openssh/
> make -k
> ===> lib
> "Makefile", line 21: Malformed conditional ((${KERBEROS:L} == "yes"))
> "Makefile", line 21: Missing dependency operator
> "Makefile", line 23: Malformed conditional ((${AFS:L} == "yes"))
> "Makefile", line 23: Missing dependency operator
> "Makefile", line 26: if-less endif
> "Makefile", line 26: Need an operator
> "Makefile", line 27: if-less endif
> "Makefile", line 27: Need an operator
> make: fatal errors encountered -- cannot continue
> *** Error code 1 (continuing)
>
> Compilation finished at Wed Jan  9 11:41:53
>
> I expect I need to start somewhere above and specify the right target
> but I'm out of my depth here. I'll rebuild the OS if needed, just
> wanted to save time and get an answer back quickly.

I use the following script to rebuild openssh. The script must be called Build-openssh, with links called Install-openssh and Clean-openssh. (It can also be used to rebuild IP Filter, Sendmail, and BIND.)

#!/bin/sh -
# The set of directories to rebuild is chosen by the name this script is
# invoked as: Build-, Install- or Clean- followed by -ipf, -sendmail,
# -bind or -openssh (install the script once and hard-link the other names).
case $0 in
*/*-ipf)
	DIRS='/usr/src/sbin/ipf /usr/src/sbin/ipfstat /usr/src/sbin/ipmon /usr/src/sbin/ipnat /usr/src/usr.sbin/ipftest /usr/src/usr.sbin/ipresend /usr/src/usr.sbin/ipsend /usr/src/usr.sbin/iptest /sys/modules/ipfilter'
	# DIRS='/usr/src/sbin/ipf /usr/src/sbin/ipfstat /usr/src/sbin/ipmon /usr/src/sbin/ipnat /usr/src/usr.sbin/ipftest /usr/src/usr.sbin/ipresend /usr/src/usr.sbin/ipsend /usr/src/usr.sbin/iptest'
	;;
*/*-sendmail)
	DIRS='/usr/src/lib/libsmdb /usr/src/lib/libsmutil /usr/src/libexec/mail.local /usr/src/usr.sbin/mailstats /usr/src/usr.sbin/makemap /usr/src/usr.sbin/praliases /usr/src/bin/rmail /usr/src/usr.sbin/sendmail /usr/src/libexec/smrsh /usr/src/usr.bin/vacation'
	;;
*/*-bind)
	DIRS='/usr/src/lib/libisc /usr/src/lib/libbind /usr/src/usr.sbin/named /usr/src/usr.sbin/named.reload /usr/src/usr.sbin/named.restart /usr/src/libexec/named-xfer'
	;;
*/*-openssh)
	DIRS='/usr/src/secure/lib/libssh /usr/src/secure/libexec/sftp-server /usr/src/secure/usr.bin/scp /usr/src/secure/usr.bin/ssh /usr/src/secure/usr.bin/ssh-add /usr/src/secure/usr.bin/ssh-agent /usr/src/secure/usr.bin/ssh-keygen /usr/src/secure/usr.sbin/sshd'
	;;
esac

CMD=`basename $0`

# Print a message and abort; every make step below is guarded by this.
error() {
	echo $@
	echo terminating abnormally
	exit 1
}

echo
for I in $DIRS; do
	case $CMD in
	Build-*)
		echo "***** Building $I *****"
		echo
		cd $I || error cannot cd to $I
		make cleandir || error make clean failed
		# we do this twice in case there is any cruft in /usr/src itself
		make cleandir || error make clean failed
		make obj || error make obj failed
		make || error make failed
		;;
	Install-*)
		echo "***** Installing $I *****"
		echo
		cd $I || error cannot cd to $I
		unset MAKEINSTALLOPT
		# on these two hosts ignore install errors (-i) and keep going
		case `uname -n` in
		cwtest|cwx) MAKEINSTALLOPT='-i';;
		esac
		make $MAKEINSTALLOPT install || error make install failed
		;;
	Clean-*)
		echo "***** Cleaning $I *****"
		echo
		cd $I || error cannot cd to $I
		make cleandir || error make cleandir failed
		;;
	esac
	echo
done

echo `basename $0` finished successfully

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
FreeBSD UNIX:  cy@FreeBSD.org

From owner-freebsd-security Wed Jan 9 9:59:57 2002
Date: Wed, 9 Jan 2002 18:59:30 +0100
From: Krzysztof Zaraska
To: "Marcel Dijk"
Cc: freebsd-security@freebsd.org
Subject: Re: allowing outbound connections

On Wed, 9 Jan 2002 02:36:01 +0100 Marcel Dijk wrote:
> Hello,
>
> Is it (very) dangerous to allow all outgoing connections? I have IPFW running which restricts what is going into the server/LAN from the internet. But it does not restrict what is going to the internet from within my LAN.
>
> Is this potentially dangerous, with regards to viruses (or virii?) and trojans?

Some of my thoughts on this problem...

I think that it depends on the security level that you want. Most attacks are stopped by filtering inbound connections. Trojans are normally remote-administration servers installed on your machine, so attacker must connect to your machine in order to profit from them. The problem with outbound connections is that it may be impossible to determine which connections are legitimate.

I think that it would be better to set up some kind of content filtering / proxying firewall on the perimeter. This can detect *incoming* trojans and viruses (e.g. sent by e-mail to your user) or violations of your local policy (e.g. downloading porn). Of course, this should be accompanied by appropriate outbound filtering -- e.g. if you decide to run a Web proxy you must have appropriate firewall rules in place to force your internal users to use this proxy.

What you can also do with outbound filtering is to protect the rest of the world from being attacked from your network (or, at least, make such attack more difficult) in case some machine inside is compromised or some user inside has hostile intentions. In this case you should consider the following:

* don't let spoofed packets out of your network. This should be a _must_. If all the border routers had this enabled there'd be less problem with DDoS attacks.
* you may block outbound packets to private networks (10.0.0.0/24, 192.168.0.0/16, etc.)
* you could block access to ports 137/139 on remote machines so no one from inside can try to compromise a misconfigured Windows host. Note that this traffic is often generated under normal conditions but blocking it does not break anything IIRC.
* you could try blocking access to 'weird' port numbers but this may be overkill and block some legitimate traffic. This depends mostly on what your users are allowed to do. E.g. if you don't want them to send mail via remote servers you could block access to port 25 on remote machines etc.

If someone thinks I'm wrong please correct me.

Regards,
Krzysztof

From owner-freebsd-security Wed Jan 9 10:14:20 2002
Date: 09 Jan 2002 13:14:11 -0500
From: Chris Shenton
To: "Alexander N. Kabaev"
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh

"Alexander N. Kabaev" writes:
> Could you please try the following patch from OpenBSD CVS and post
> your results here? Who knows, maybe release engineers will consider
> including it into upcoming 4.5-RELEASE if it fixes problem for you :)
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.109.2.1&r2=1.109.2.2

Works for me too! Many thanks.
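The four egress measures Krzysztof lists in his reply to Marcel, written out as an ipfw(8) rule set. This is an added example and not from the thread: the rules are produced by a small script from a few site parameters so they can be reviewed before anything is applied. The external interface name, the LAN prefix, the mail relay address and the rule numbers are constructed placeholders; the private-address blocks are the three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

```sh
#!/bin/sh
# Added example (not from the list thread): generate an ipfw egress rule
# block from site parameters.  Every value below is a placeholder.
EXT_IF=${EXT_IF:-fxp0}                 # interface facing the internet
LAN=${LAN:-192.168.1.0/24}             # the internal prefix behind the firewall
MAIL_RELAY=${MAIL_RELAY:-192.0.2.25}   # the one host allowed to speak SMTP outward
BASE=${BASE:-1000}                     # first rule number of the egress block

# Print the egress rules, one "ipfw add ..." command per line, numbered in
# steps of ten from BASE so that rules can be inserted between them later.
egress_rules() {
    n=$BASE
    # 1. Anti-spoofing: nothing leaves with a source address outside our LAN.
    #    Logged, because a hit means a misconfigured or compromised host.
    echo "ipfw add $n deny log ip from not $LAN to any out via $EXT_IF"; n=$((n+10))
    # 2. RFC 1918 space is not routable on the internet; packets to it are
    #    misconfiguration or probing, so drop them at the border.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipfw add $n deny ip from any to $net out via $EXT_IF"; n=$((n+10))
    done
    # 3. No NetBIOS/SMB to the outside world (ports 137-139), TCP and UDP.
    echo "ipfw add $n deny tcp from any to any 137-139 out via $EXT_IF"; n=$((n+10))
    echo "ipfw add $n deny udp from any to any 137-139 out via $EXT_IF"; n=$((n+10))
    # 4. Only the mail relay may open SMTP connections outward; "setup"
    #    matches the connection request, so existing sessions are untouched.
    echo "ipfw add $n allow tcp from $MAIL_RELAY to any 25 out via $EXT_IF setup"; n=$((n+10))
    echo "ipfw add $n deny log tcp from any to any 25 out via $EXT_IF setup"; n=$((n+10))
}

# Number of rules the block produces (useful when reserving a number range).
egress_rule_count() {
    egress_rules | wc -l | tr -d ' '
}

# Without arguments just show the rules; with --apply feed them to sh.
if [ "${1:-}" = "--apply" ]; then
    egress_rules | sh -e
else
    egress_rules
fi
```

The block only covers outbound traffic on the external interface and is meant to sit in front of the site's normal "allow established / allow LAN to any" rules. If the gateway itself translates addresses with natd, packets reach these rules with the external address as source, so that address has to be admitted by the anti-spoofing rule as well.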
From owner-freebsd-security Wed Jan 9 13:13:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (200-158-36-233.dsl.telesp.net.br [200.158.36.233]) by hub.freebsd.org (Postfix) with SMTP id C1FA837B400 for ; Wed, 9 Jan 2002 13:13:11 -0800 (PST)
From: "immortal_28@hotmail.com"
Subject: immortal_28@hotmail.com
Date: Wed, 9 Jan 2002 19:16:39 -0200
Message-Id: <20020109211311.C1FA837B400@hub.freebsd.org>

From owner-freebsd-security Wed Jan 9 13:33:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mta0x15.coxmail.com (cm-fe1.coxmail.com [206.157.225.48]) by hub.freebsd.org (Postfix) with ESMTP id 20F1F37B405 for ; Wed, 9 Jan 2002 13:33:41 -0800 (PST)
Received: from tick.sc.omation.com ([64.58.167.31]) by mta0x15.coxmail.com (InterMail vK.4.03.04.01 201-232-130-101 license 6e1a3d42bf0668978482829d4ed8437d) with ESMTP id <20020109213322.KNVB1821.mta0x15@tick.sc.omation.com> for ; Wed, 9 Jan 2002 16:33:22 -0500
Received: from tick.sc.omation.com (tick.sc.omation.com [192.168.128.2]) by tick.sc.omation.com (8.11.6/8.11.6) with ESMTP id g09LVVb70198; Wed, 9 Jan 2002 13:31:31 -0800 (PST) (envelope-from pherman@frenchfries.net)
Message-Id: <200201092131.g09LVVb70198@tick.sc.omation.com>
Date: Wed, 9 Jan 2002 13:31:31 -0800 (PST)
From: Paul Herman
To: Rik
Cc: security@FreeBSD.ORG
Subject: Re: MD5 > Blowfish
In-Reply-To: <20020109032040.GA16874@spoon.pkl.net>

On Wed, 9 Jan 2002, Rik wrote:

> On Tue, Jan 08, 2002 at 06:40:30PM -0800, Erick Mechler wrote:
> > passwd_format string md5 The encryption format that new or
>
> I still haven't worked out where you set the number of rounds to use
> with blowfish encryption. On OpenBSD this was a setting in login.conf
> (iirc). Where do I set it on FreeBSD?

Generally speaking, you can't. However, you may always generate the
passwd hash yourself (i.e. with crypt(3)/perl), which is what scripts
like adduser do anyway.

Patches to libutil, passwd and adduser welcome... :-)

-Paul.

From owner-freebsd-security Wed Jan 9 19:45:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from web11804.mail.yahoo.com (web11804.mail.yahoo.com [216.136.172.158]) by hub.freebsd.org (Postfix) with SMTP id CA97637B423 for ; Wed, 9 Jan 2002 19:45:27 -0800 (PST)
Message-ID: <20020110034527.76936.qmail@web11804.mail.yahoo.com>
Received: from [216.170.168.102] by web11804.mail.yahoo.com via HTTP; Wed, 09 Jan 2002 19:45:27 PST
Date: Wed, 9 Jan 2002 19:45:27 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: Ian Smith
Cc: "G.P. de Boer" , security@FreeBSD.ORG, Dave Raven
In-Reply-To: <20020109013014.57371.qmail@web11807.mail.yahoo.com>

BSD Security Folks,

I solved the mystery. It looks like Cisco routers can mangle UDP packets
involved in DNS queries.
The NAT can translate addresses within the packet, as well as the
destination, and this messes things up. This does not affect zone transfers
(which I believe is all I really need to be authoritative on a domain or
six) but does prevent access to my DNS server from outside our local net.
A search through the bind e-list didn't give me any solution to the
problem, but at least I know I'm not nuts. Well, maybe a little nuts, but
not about this ;-) Thanks for the help, I'm off to work on the next
conundrum....

Jason

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

From owner-freebsd-security Wed Jan 9 20:24:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with SMTP id 3C18F37B41A for ; Wed, 9 Jan 2002 20:24:30 -0800 (PST)
Received: (qmail 31297 invoked by uid 501); 7 Jan 2002 16:36:11 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Jan 2002 16:36:11 -0000
Date: Mon, 7 Jan 2002 14:36:11 -0200 (BRST)
From: Paulo Fragoso
Subject: LAST_ACK traffic?
Message-ID: <20020107141924.C55391-100000@mirage.nlink.com.br>

Hi,

In our network there are some workstations under a firewall. Today we were
looking at our internal traffic, and there was one workstation sending
packets to one webserver at 200kbps:

  roto Recv-Q Send-Q  Local Address          Foreign Address     (state)
  tcp4      0      0  our.work.station.1412  200.226.137.10.80   LAST_ACK

The user of that workstation was using Opera 6.0 for Linux (on FreeBSD
4.4-RELEASE). The strange traffic started after he closed Opera.

Is there any security problem with this? Why was our workstation sending
packets in LAST_ACK without any process bound to 1412 (checked with lsof)?

Many Thanks,
Paulo Fragoso.

--
   __O
 _-\<,_     Why drive when you can bike?
(_)/ (_)

From owner-freebsd-security Thu Jan 10 3:47:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gs166.sp.cs.cmu.edu (GS166.SP.CS.CMU.EDU [128.2.205.169]) by hub.freebsd.org (Postfix) with SMTP id EAB9137B405 for ; Thu, 10 Jan 2002 03:47:26 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: Re: allowing outbound connections
References: <023701c198ae$0286ba80$0200a8c0@testuser> <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>
From: Dan Pelleg
Date: 10 Jan 2002 06:47:22 -0500
In-Reply-To: <20020109185930.51eacdc4.kzaraska@student.uci.agh.edu.pl>

Krzysztof Zaraska writes:

> On Wed, 9 Jan 2002 02:36:01 +0100 Marcel Dijk wrote:
>
> > Hello,
> >
> > Is it (very) dangerous to allow all outgoing connections? I have IPFW
> > running which restricts what is going into the server/LAN from the
> > internet. But it does not restrict what is going to the internet from
> > within my LAN.
>
> What you can also do with outbound filtering is to protect the rest of the
> world from being attacked from your network (or, at least, make such an
> attack more difficult) in case some machine inside is compromised or some
> user inside has hostile intentions.
> In this case you should consider the following:
> [snip]

I'd like to add another suggestion:

* rate-limit the number of outgoing connections. For example, don't let a
  single internal host have too many open connections to port 80 on
  external hosts. Such a rule would limit the effectiveness of Nimda-like
  worms. The new ipfw "limit" rules make this possible.

--
Dan Pelleg

From owner-freebsd-security Thu Jan 10 4:29:01 2002
Delivered-To: freebsd-security@freebsd.org
Received: from zeus.dnt.md (dnt.md [195.138.124.37]) by hub.freebsd.org (Postfix) with ESMTP id 74A2037B400 for ; Thu, 10 Jan 2002 04:28:55 -0800 (PST)
Received: (from sl@localhost) by zeus.dnt.md (8.11.1/8.11.1) id g0ACSf759240 for freebsd-security@freebsd.org; Thu, 10 Jan 2002 14:28:41 +0200 (EET)
Date: Thu, 10 Jan 2002 14:28:41 +0200
From: Veaceslav Revutchi
To: freebsd-security@freebsd.org
Subject: freebsd ipsec gateway and cisco vpn client for windows
Message-ID: <20020110142841.A57473@zeus.dnt.md>

hello,

I need to find a way for our mobile users to access our intranet services
which are behind the firewall. The gateway to the intranet is a FreeBSD box
with IPsec. I was wondering if I could use the Cisco VPN client for Windows
to set up a tunnel between the Windows mobile users and the FreeBSD
gateway. Just let me know if someone has done this so that I know I am
moving in the right direction.

thank you,
slava

From owner-freebsd-security Thu Jan 10 4:34:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id F066C37B41A for ; Thu, 10 Jan 2002 04:34:23 -0800 (PST)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id F00961DAC; Thu, 10 Jan 2002 13:34:18 +0100 (CET)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id g0ACY1p01899; Thu, 10 Jan 2002 13:34:01 +0100
Date: Thu, 10 Jan 2002 13:34:01 +0100
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Fw: Re: LAST_ACK traffic?
Message-Id: <20020110133401.0b440c90.kzaraska@student.uci.agh.edu.pl>
Organization: University Of Mining And Metallurgy

On Mon, 7 Jan 2002 14:36:11 -0200 (BRST) Paulo Fragoso wrote:

> Hi,
>
> In our network there are some workstations under a firewall. Today we were
> looking at our internal traffic, and there was one workstation sending
> packets to one webserver at 200kbps:
>
>   roto Recv-Q Send-Q  Local Address          Foreign Address     (state)
>   tcp4      0      0  our.work.station.1412  200.226.137.10.80   LAST_ACK
>
> The user of that workstation was using Opera 6.0 for Linux (on FreeBSD
> 4.4-RELEASE). The strange traffic started after he closed Opera.
>
> Is there any security problem with this?
> Why was our workstation sending packets in LAST_ACK without any process
> bound to 1412 (checked with lsof)?

According to W.R. Stevens, "TCP/IP Illustrated", fig. 18.13, this is a
closed socket, still living in the kernel after Opera was closed and
awaiting the final ACK packet from the remote server to shut down. If this
ACK does not arrive I guess the kernel should time out and shut it down
anyhow. This socket should not be able to transmit anything.

BTW, netstat does not show you the network traffic, it only shows you what
state each socket is in (you may have an ESTABLISHED socket and no
transmission). If you want to see what is really going on the wire you
should use a tool like tcpdump or ethereal.

Regards,
Krzysztof

From owner-freebsd-security Thu Jan 10 4:46:04 2002
Delivered-To: freebsd-security@freebsd.org
Received: from snow.fingers.co.za (snow.fingers.co.za [196.7.148.5]) by hub.freebsd.org (Postfix) with ESMTP id 6140F37B404 for ; Thu, 10 Jan 2002 04:45:59 -0800 (PST)
Received: by snow.fingers.co.za (Postfix, from userid 1000) id 71CB617425; Thu, 10 Jan 2002 14:45:52 +0200 (SAST)
Received: from localhost (localhost [127.0.0.1]) by snow.fingers.co.za (Postfix) with ESMTP id 68FBA11713; Thu, 10 Jan 2002 14:45:52 +0200 (SAST)
Date: Thu, 10 Jan 2002 14:45:52 +0200 (SAST)
From: fingers
To: Veaceslav Revutchi
Subject: Re: freebsd ipsec gateway and cisco vpn client for windows
In-Reply-To: <20020110142841.A57473@zeus.dnt.md>
Message-ID: <20020110144116.S91283-100000@snow.fingers.co.za>

Hi there

> I need to find a way for our mobile users to access our intranet
> services which are behind the firewall.
> The gateway to the intranet is a FreeBSD box with IPsec. I was wondering
> if I could use the Cisco VPN client for Windows to set up a tunnel
> between the Windows mobile users and the FreeBSD gateway. Just let me
> know if someone has done this so that I know I am moving in the right
> direction.

I don't think you can terminate the IPsec session on something that doesn't
understand 'vpngroup' type settings. I looked into this briefly. From my
(very brief) understanding of the Cisco vpnclient stuff, you need a device
on the other end that speaks "cisco vpn" to the clients, like a PIX,
router, IDS or VPN concentrator.

If you do manage to do this, I'd be keen to see how :-)

Regards

--Rob

From owner-freebsd-security Thu Jan 10 9:04:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 19C2E37B417 for ; Thu, 10 Jan 2002 09:04:10 -0800 (PST)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id EAA10464; Fri, 11 Jan 2002 04:03:43 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Fri, 11 Jan 2002 04:03:43 +1100 (EST)
From: Ian Smith
To: X Philius
Cc: "G.P. de Boer" , security@FreeBSD.ORG, Dave Raven
Subject: Re: Help with ipfw rules to allow DNS queries through
In-Reply-To: <20020110034527.76936.qmail@web11804.mail.yahoo.com>

On Wed, 9 Jan 2002, X Philius wrote:

> I solved the mystery. It looks like Cisco routers can mangle UDP
> packets involved in DNS queries.
> The NAT can translate addresses within the packet, as well as the
> destination, and this messes things up.

Last browse through your rules looked ok, and I was gonna say "must be NAT,
or your Cisco, then" but hadn't got back to you. Surely this must be
adjustable in the Cisco setup? If not, it's broken and needs fixing.

> This does not affect zone transfers (which I believe is all I really
> need to be authoritative on a domain or six) but does prevent access
> to my DNS server from outside our local net.

Not so; your nameserver needs (agrees!) to be available if it's primary (or
secondary) for any domain/s, _as well as_ allowing zxfrs to your
secondary/s, and from any domains you will be a secondary for. Best handled
with bind ACLs, but limiting access by ipfw also doesn't hurt, and will
save named handling scripted scans, which you can expect ..

> A search through the bind e-list didn't give me any solution to the
> problem, but at least I know I'm not nuts. Well, maybe a little nuts,
> but not about this ;-) Thanks for the help, I'm off to work on the next
> conundrum....

This is NOT a bind problem - you need to get that Cisco doing the right
thing (ie nothing but clean NAT) for your DNS, or else run NAT locally
inside, or Whatever It Takes to get clean UDP port 53 outside access to
your nameserver to be authoritative for a domain. Most likely you won't
get any domain delegated until and unless that's working from anywhere.

tcpdump and thick (level 2/3) named logging are still your best friends
while you're figuring out how DNS really works (still a learner here! :)

Cheers, Ian

From owner-freebsd-security Thu Jan 10 9:14:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C329B37B41C; Thu, 10 Jan 2002 09:14:40 -0800 (PST)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g0AHEeL76685; Thu, 10 Jan 2002 09:14:40 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Thu, 10 Jan 2002 09:14:40 -0800 (PST)
Message-Id: <200201101714.g0AHEeL76685@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:05.pine [REVISED]
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:05                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          pine port insecure URL handling [REVISED]

Category:       ports
Module:         pine
Announced:      2002-01-04
Revised:        2002-01-10
Credits:        zen-parse
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-10 16:47:18 UTC
FreeBSD only:   NO

0.   Revision History

v1.0  2002-01-04  Initial release.
v1.1  2002-01-10  Corrected vulnerable versions and the `Corrected details'
                  section.

I.   Background

PINE is an application for reading mail and news.

II.  Problem Description

The pine port, versions previous to pine-4.44, handles URLs in messages
insecurely. PINE allows users to launch a web browser to visit a URL
embedded in a message.
Due to a programming error, PINE does not properly escape meta-characters
in the URL before passing it to the command shell as an argument to the
web browser.

The pine port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains over 6000
third-party applications in a ready-to-install format. The ports
collection shipped with FreeBSD 4.4 contains this problem since it was
discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

An attacker can supply commands enclosed in single quotes ('') in a URL
embedded in a message sent to the victim. If the user then decides to view
the URL, PINE will launch a command shell which will then execute the
attacker's commands with the victim's privileges. It is possible to
obfuscate the URL so that it will not necessarily seem dangerous to the
victim.

IV.  Workaround

1) Deinstall the pine port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.44.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.44.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the pine port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file
that was corrected in the FreeBSD Ports Collection since 4.4-RELEASE.

Path                                                            Revision
- -------------------------------------------------------------------------
ports/mail/pine4/Makefile                                       1.61
ports/mail/pine4/distinfo                                       1.20
ports/mail/pine4/files/patch-aa                                 1.4
ports/mail/pine4/files/patch-ac                                 1.11
ports/mail/pine4/files/patch-af                                 1.12
ports/mail/pine4/files/patch-ai                                 1.11
ports/mail/pine4/files/patch-aj                                 1.5
ports/mail/pine4/files/patch-ak                                 1.6
ports/mail/pine4/files/patch-al                                 1.11
ports/mail/pine4/files/patch-am                                 1.6
ports/mail/pine4/files/patch-an                                 1.5
ports/mail/pine4/files/patch-ap                                 1.3
ports/mail/pine4/files/patch-at                                 1.6
ports/mail/pine4/files/patch-au                                 1.4
ports/mail/pine4/files/patch-ax                                 1.5
ports/mail/pine4/files/patch-az                                 1.3
ports/mail/pine4/files/patch-be                                 1.1
ports/mail/pine4/files/patch-bf                                 1.1
ports/mail/pine4/files/patch-bg                                 1.1
ports/mail/pine4/files/patch-reply.c                            1.2
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPD3LZlUuHi5z0oilAQH6EAP/bz0Yeydx2zCmQb0j4zmbKM5R8McyKaYb
tl/Vo/ViCll6xKXUuAOjFpyIkQMOmHGLwHXmqjJD+XRb0hSgrsCqRmWhUicppZjH
dY0zjvtKspbDN37ScOO+MJmGsmq1mfZGs8JUMCbYivDuLhRM/5bvnenUsigNUaQW
hkwKI6heurk=
=BQ0F
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jan 10 10:13:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from fe170.worldonline.dk (fe170.worldonline.dk [212.54.64.199]) by hub.freebsd.org (Postfix)
with SMTP id D5EFE37B400 for ; Thu, 10 Jan 2002 10:13:36 -0800 (PST)
Received: (qmail 27476 invoked by uid 0); 10 Jan 2002 18:13:34 -0000
Received: from 213.237.14.128.adsl.ho.worldonline.dk (HELO dpws) (213.237.14.128) by fe170.worldonline.dk with SMTP; 10 Jan 2002 18:13:34 -0000
Message-ID: <022201c19a02$d1130020$0301a8c0@dpws>
From: "Dennis Pedersen"
Subject: FreeBSD and racoon (2offices + single computer = how?)
Date: Thu, 10 Jan 2002 19:15:41 +0100

Hi!

I have been fooling around a little with Racoon between 2 FreeBSD 4.4
boxes in tunnel mode (http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html)
and this works fine. The idea was that these 2 boxes should be used to
make an encrypted tunnel; this works fine, but I also need some end
computers connected to office 1 too. I have some idea about how to set
this up, but the documentation from the KAME project doesn't have that
many examples, so I need some advice on some points.

I realize that I need some kind of setkey policy for the end users, but
after searching google.com for similar setups I get the impression that if
one racoon box has 2 sets of setkey policies then it gets kind of
confused?! Anyway, I was thinking of something like this for my end users:

  spdadd A[3389] 0.0.0.0/0 tcp -P out ipsec ah/transport//require;
  spdadd 0.0.0.0/0 A[3389] tcp -P in ipsec ah/transport//require;

Will this work if I simply add this to my setkey file along with the setkey
policy for the tunnel?

And finally, what about if I need to run racoon on the same box as I have
ipfw with a "deny any from any to any" at the end? I understand that I need
to allow SPI and ESP (ipfw add allow SPI/ESP from any to any?)

Regards
Dennis

From owner-freebsd-security Thu Jan 10 12:50:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (200-158-36-233.dsl.telesp.net.br [200.158.36.233]) by hub.freebsd.org (Postfix) with SMTP id 23F3C37B404 for ; Thu, 10 Jan 2002 12:50:30 -0800 (PST)
From: "immortal_28@hotmail.com"
Subject: immortal_28@hotmail.com
Date: Thu, 10 Jan 2002 18:53:43 -0200
Message-Id: <20020110205030.23F3C37B404@hub.freebsd.org>

From owner-freebsd-security Fri Jan 11 3:49:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from www.kenpac.net (sv.kenpac.net [211.10.20.201]) by hub.freebsd.org (Postfix) with ESMTP id DC5AD37B405; Fri, 11 Jan 2002 03:47:04 -0800 (PST)
Received: from mx2.eudoramail.com ([207.93.225.196]) by www.kenpac.net (8.9.3/3.7W-primary) with ESMTP id UAA07109; Fri, 11 Jan 2002 20:44:58 +0900
From: WSCHwatch@eudoramail.com
Message-ID: <0000503b64c8$00000201$00006b71@mx2.eudoramail.com>
Subject: WSCH: Baby Pharmaceutical on the Rise OWSSK
Date: Fri, 11 Jan 2002 05:45:23 -1800
Reply-To: WSCHnews21@eudoramail.com
List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org = Investors
<= td width=3D100% height=3D372 valign=3Dtop align=3Dleft>
  &n= bsp;   Key Points about = WSCH:
  • The products and me= dical therapies developed by WSCH represent possibly the most important= breakthrough in the field of Dermatology in the last fifty years.&nbs= p;

  • WSCH anticipates= FDA approval on seven over-the-counter products within the next ye= ar, which will provide significant revenue in the retail drug market.
    =
  • WSCH has experie= nced a success rate of 90% during clinical studies, completely elim= inating skin disease from 90% of all patients treated.

  • By year five, WSCH plans to have annua= lized revenue over $525 million and over $125 million in EBIT.  This does not take into account income from OTC products which wi= ll be substantial.

 <= /caption>
=

Emergin= g Growth Stock Alert
Wasatch Pharmaceuticals: A Company on the Rise

Company Name &n= bsp;Wasatch Pharmaceuticals (OTCBB: WSCH)
Current = Price$0.066
52-We= ek High$27.50
5= 2-Week Low$0.065
<= /div>

Company Background

Wasatch Pharmaceutical, Inc. is a fourteen year o= ld company with a record of outstanding achievements in the field of Derma= tology.  Under the name of its subsidiary, American Institute of Skin= Care (AISC), Wasatch has operated two prototype clinics for the la= st five years where the products and medical therapies have been tested an= d proven on hundreds of patients.  The Company's activities have been= centered on research in the area of serious skin diseases.  A= concurrent discovery and benefit is WSCH's dramatic success in the area o= f skin rejuvenation.  Seeing the high growth potential from major fun= ding, WSCH elected to become a public company less than two years a= go.

Wasatch's major successes i= n the area of skin diseases include: 

Cystic Acne, Eczema= , Seborrhea, Contact Dermatitis, Molluscum, Folliculitis, Acne Rosacea and= less prevalent skin diseases.
  

Interestingly, the= se skin disorders account for more than 70% of all business in the = field of dermatology for which there are very few (if any) safe, effective= therapies like those developed by Wasatch.

Because the th= erapies developed by Wasatch dominate this area of medicine, WSCH h= as elected to market its products via company-owned clinics throughout the= United States.  This decision has resulted in the establishment of <= b>two research clinics
in Utah for the purpose of implementing procedu= res within the clinics pursuant to testing and confirming the results that= were achieved in past clinical trials.  Due to its success rate o= f 90% on hundreds of patients over a five year period, WSCH's clinics = are now on line with insurance providers independent of HMOs.  Effort= s to establish Preferred Provider ship status with HMOs are presently bein= g pursued. 

Most Recent WSCH News

 

Wasatch Pharmaceutical Inc. Announc= es a New Physician Marketing Campaign and Listing On German Stock Exchange= s

MURRAY, Utah--(BUSINESS WIRE)--Nov.= 27, 2001--Wasatch Pharmaceutical Inc. (OTCBB:WSCH - news) CEO Gary Heesch announced today a marketing camp= aign directed to physicians. A direct link has been established on a physi= cian recruiting Web site making available therapies for the treatment of c= ystic acne, acne, folliculitis, and skin rejuvenation. Physicians will fin= d the benefits of these treatment therapies by logging on to the "= X Acne" link at physicianssearc= h.com. This physician search Web site typically receives over 2= 00,000 hits per month. Mr. Heesch reminded, "Our treatment therap= y products are also available via the AISC Online Store at restoremyskin.com.'"

These skin treatment products come in kit form providing a = 90-day supply to patients for the full treatment program. Included in the = kit is an instructional video on the treatment therapy allowing the patien= t to use these products in their home. The therapies, when used as instruc= ted, achieve a success rate of eradication in excess of 90% with no sid= e effects of any consequence. Previously, these therapies and associat= ed products were only available through the two prototype clinics in Utah.= The availability of these products will open the way for family practitio= ners, pediatricians, internists and other primary care physicians to retai= n their patients under their care during the treatment of these common ski= n disorders. The benefit to insurance providers is the potential to sav= e millions of dollars in reimbursement costs by freeing the physician and = the patient from ongoing treatment.

In the coming year, six additional therapies will be made availabl= e for a broad range of skin disorders that are badly in need of succes= sful therapies.

Gary Heesch also an= nounced the listing of Wasatch Pharmaceutical stock on the Frankfurt an= d Berlin Exchanges in Germany. Active trading on these exchanges will = take place upon the completion of a research report in Germany. Said Mr. H= eesch, "We feel this is a significant event as Wasatch will gain w= ider exposure as a leader in dermatology and will put buying pressure on its stock to reflect the true value of a company t= hat has committed years of research and development of products that allow= people with serious skin disorders to live normal and more productive liv= es."

There may be forward-looking statements in this release. Investors are cautioned that such forward-looking statements involve risks and uncertainties, including, without limitation, continued acceptance of the Company's products, increased levels of competition, new products introduced by competitors, changes in the rates of subscriber acquisition and retention, and other risks detailed from time to time in the Company's periodic reports filed with the Securities and Exchange Commission.

Projections, Objectives, and Statistics

Over a five year period, AISC (WSCH's subsidiary) plans to establish 350 clinics in over 100 major population areas. The company plans to hire over 150 medical doctors for these clinics, train over 1,000 medical assistants and treat over 2,000,000 patients. Also by year five, WSCH plans to have annualized over $525 million in revenue and over $125 million in EBIT. This does not take into account income from OTC products which will be substantial.


As of 1991, there were approximately 14 million chronic acne and eczema patients annually in the United States, with the highest percentage between 18 to 44 years of age. The actual number of patients with any type of acne is significantly higher. Seven billion dollars is spent annually on dermatological pharmaceutical products for these disorders.

In 1994, the teen population reached 25 million. During the next decade, it will grow at nearly twice the rate of the overall population (according to U.S. Census Bureau projections). Acne patients are primarily teenagers, whereas eczema patients range from infants to the elderly.

A Look at the Competition

Dermatologists are the primary competitors of WSCH's clinics. Dermatologists specialize in the treatment of skin disorders and prescribe medications to treat the disorder. However, competing products address the symptoms of acne and eczema, not the cause.

The competition's skin care treatments include prescription medications (oral and external use drugs prescribed by dermatologists and other doctors) and over-the-counter products.

Several common prescription medications include:

1) E-Mycin for oral and topical use, 2) Cleocin for oral and topical use, 3) Tetracycline for oral and topical use, and 4) Accutane for oral use only.

Over-the-counter acne medications include:

1) Clearasil and Oxy creams, 2) generic brand creams, 3) medicated pads, and 4) medicated soaps.

Many of the competition's oral medications have serious side effects.

Costs for competing treatments range from $2.50 for medicated soaps to $200 for Accutane oral medication prescription. Treatments are on-going. Over time a person can spend an unlimited amount of money on such treatments. An example would be someone who spent $1,500 for a 22 week program of Accutane which includes blood testing. Another example would be someone who has had acne for many years and has spent in excess of $34,000.

At this time there is no known competitor who treats the causes of these skin disorders and no competitor can claim a success rate equal to that of Wasatch's treatments.

Final Thoughts on WSCH

With a proven success rate of 90% in a field that affects so many of our lives, Wasatch has clearly positioned itself in a market hungry and desperate for successful products and treatment. WSCH has recently expanded its marketing presence (as seen in the above press release) and will continue to aggressively broaden awareness over the near term. The listing of WSCH on the German stock exchange is another sign of the company's credibility and ambitious plans to establish itself as a major global player in the field of dermatology.

WSCH has taken on a completely different approach. By addressing the causes of skin disorders rather than the symptoms, WSCH will help to successfully eliminate skin disease altogether. Given its

1. Successful 14-year history and plans for expansion
2. Impressive revenue projections ($525 million+ annualized by year 5 and $125 million in EBIT)
3. Virtually unmatched success rate of 90%...

...and so much more, WSCH will certainly be watched by savvy investors for some time to come.

DISCLAIMER:

Information within this email contains "forward looking statements" within the meaning of Section 27A of the Securities Act of 1933 and Section 21B of the Securities Exchange Act of 1934. Any statements that express or involve discussions with respect to predictions, expectations, beliefs, plans, projections, objectives, goals, assumptions or future events or performance are not statements of historical fact and may be "forward looking statements."

Forward looking statements are based on expectations, estimates and projections at the time the statements are made that involve a number of risks and uncertainties which could cause actual results or events to differ materially from those presently anticipated. Forward looking statements in this action may be identified through the use of words such as "projects", "foresee", "expects", "will," "anticipates," "estimates," "believes," "understands" or that by statements indicating certain actions "may," "could," or "might" occur. All information provided within this email pertaining to investing, stocks, securities must be understood as information provided and not investment advice. Emerging Growth Stock Alert advises all readers and subscribers to seek advice from a registered professional securities representative before deciding to trade in stocks featured within this email. None of the material within this report shall be construed as any kind of investment advice.

In compliance with the Securities Act of 1933, Section 17(b), Emerging Growth Stock Alert discloses the receipt of $40,000 cash from a third party for the publication of this report and additional services related to WSCH. Be aware of an inherent conflict of interest resulting from such compensation. All factual information in this report was gathered from public sources, including but not limited to SEC filings, Company Press Releases, and the company's website at wasatchpharm.com. Emerging Growth Stock Alert believes this information to be reliable but can make no guarantee as to its accuracy or completeness. Use of the material within this email constitutes your acceptance of these terms.



To be removed from future mailings, please respond to this email with "Remove" in the subject line

From owner-freebsd-security Fri Jan 11 10:18:12 2002
From: Daniel Chen-Hsi Lee
To: freebsd-security@freebsd.org
Subject: subscribe
Date: Sat, 12 Jan 2002 02:17:41 +0800
Message-ID: <20020111181741.GD88296@rose.cirx.org>

subscribe

From owner-freebsd-security Fri Jan 11 11:21:52 2002
From: Alfred Perlstein
To: security@freebsd.org
Subject: netbsd's daemon(3) fixes.
Date: Fri, 11 Jan 2002 11:21:44 -0800
Message-ID: <20020111112144.H7984@elvis.mu.org>

I saw some recent fixes in netbsd wrt when daemon is called in various daemons, anyone have time to see if this is applicable to us? And whether or not to merge the fixes in?

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/

From owner-freebsd-security Fri Jan 11 14:14:37 2002
From: "Crist J . Clark"
To: Alfred Perlstein
Cc: security@freebsd.org
Subject: Re: netbsd's daemon(3) fixes.
Message-ID: <20020111141420.K11553@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Date: Fri, 11 Jan 2002 14:14:20 -0800

On Fri, 11 Jan 2002 11:21:44 -0800, Alfred Perlstein wrote:
> I saw some recent fixes in netbsd wrt when daemon is called in
> various daemons, anyone have time to see if this is applicable
> to us? And whether or not to merge the fixes in?

If we go back to the recent fixes OpenBSD did first, the cvs logs give reasons like,

    daemon() can close innocent file descriptors, including opened log.
    be more carefull about that and nicer to debugging.
    daemon() thingie was pointed out by markus@ .

So it's not really a security issue that I can see. I'm not sure if I understand under what conditions a daemon(3) call will close "innocent" file descriptors.

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Fri Jan 11 16:54:48 2002
From: Nicolas Rachinsky
To: security@FreeBSD.ORG
Subject: smtpproxy
Date: Sat, 12 Jan 2002 01:54:28 +0100
Message-ID: <20020112005425.GA69702@pc5.abc>

Hallo,

I'm looking for a smtpproxy or something similar to accept mails via smtp on the firewall and forward them to the internal sendmail.

It should be as simple as possible, there would be very low traffic, some mails per day (some mails per hour maximum).
And there should be no exploitable bugs, of course ;-)

I'm looking for such a thing because I don't want to expose the internal sendmail to the bad outside world.

Thanks
Nicolas

From owner-freebsd-security Fri Jan 11 17:02:54 2002
From: Len Conrad
To: freebsd-security@freebsd.org
Subject: Re: smtpproxy
Date: Fri, 11 Jan 2002 19:02:44 -0600
Message-ID: <5.1.0.14.2.20020111190130.01e68478@mail.Go2France.com>
In-Reply-To: <20020112005425.GA69702@pc5.abc>

>I'm looking for a smtpproxy or something similar to accept mails via
>smtp on the firewall and forward them to the internal sendmail.

see IMGate in my sig. Probably a couple of 100 ISP's have adopted it.
But it's not sendmail :)))

Len

http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

From owner-freebsd-security Fri Jan 11 18:01:45 2002
From: "M. Warner Losh"
To: cjclark@alum.mit.edu, cristjc@earthlink.net
Cc: bright@mu.org, security@FreeBSD.ORG
Subject: Re: netbsd's daemon(3) fixes.
Date: Fri, 11 Jan 2002 19:01:20 -0700 (MST)
Message-ID: <20020111.190120.81022760.imp@village.org>
In-Reply-To: <20020111141420.K11553@blossom.cjclark.org>

In message: <20020111141420.K11553@blossom.cjclark.org>
            "Crist J . Clark" writes:
: On Fri, 11 Jan 2002 11:21:44 -0800, Alfred Perlstein wrote:
: > I saw some recent fixes in netbsd wrt when daemon is called in
: > various daemons, anyone have time to see if this is applicable
: > to us? And whether or not to merge the fixes in?
:
: If we go back to the recent fixes OpenBSD did first, the cvs logs give
: reasons like,
:
:     daemon() can close innocent file descriptors, including opened log.
:     be more carefull about that and nicer to debugging.
:     daemon() thingie was pointed out by markus@ .
:
: So it's not really a security issue that I can see. I'm not sure if I
: understand under what conditions a daemon(3) call will close
: "innocent" file descriptors.

I think we need the change, since innocent file descriptors might be important.

Warner

From owner-freebsd-security Fri Jan 11 18:11:11 2002
From: Joe Unlearn
To: Nicolas Rachinsky
Cc: freebsd-security@freebsd.org
Subject: Re: smtpproxy
Date: Fri, 11 Jan 2002 21:12:19 -0500
Message-ID: <3C3F9B83.7080700@ne.mediaone.net>
References: <20020112005425.GA69702@pc5.abc>

Nicolas Rachinsky wrote:

I myself am a fan of postfix, Wietse loves security and security loves Wietse :) Your mileage may vary though. /usr/ports/mail/postfix.
It's not very simplistic in design, it's quite robust actually, however you can be fairly certain no bugs will pop up in it.

--J

>Hallo,
>
>I'm looking for a smtpproxy or something similar to accept mails via
>smtp on the firewall and forward them to the internal sendmail.
>
>It should be as simple as possible, there would be very low traffic
>some mails per day (some mails per hour maximum). And there should no
>exploitable bugs, of course ;-)
>
>I'm looking for such a thing because I don't want to expose the
>internal sendmail to the bad outside world.
>
>Thanks
>Nicolas

From owner-freebsd-security Fri Jan 11 18:12:17 2002
From: Somphol Boonjing
To: Nicolas Rachinsky
Cc: security@FreeBSD.ORG
Subject: Re: smtpproxy
Date: Sat, 12 Jan 2002 09:21:09 +0700
Message-ID: <3C3F9D95.6020307@gits.net.th>
References: <20020112005425.GA69702@pc5.abc>

A mini qmail on that machine should do the job. Read "What about firewalls?" on http://cr.yp.to/qmail/mini.html. Besides, qmail should be much more reliable in terms of security when compared to sendmail.

--Somphol B.

Nicolas Rachinsky wrote:

>Hallo,
>
>I'm looking for a smtpproxy or something similar to accept mails via
>smtp on the firewall and forward them to the internal sendmail.
>
>It should be as simple as possible, there would be very low traffic
>some mails per day (some mails per hour maximum). And there should no
>exploitable bugs, of course ;-)
>
>I'm looking for such a thing because I don't want to expose the
>internal sendmail to the bad outside world.
>
>Thanks
>Nicolas

From owner-freebsd-security Fri Jan 11 23:19:40 2002
From: =?ks_c_5601-1987?B?s6q0qbiu?=
To: freebsd-security@freebsd.org
Subject: =?ks_c_5601-1987?B?KLGksO0pIMDMwaa0wiC9w8Dbx8+8vL/kLi4u?=
Date: Sat, 12 Jan 2002 02:13:37 +0900
Message-ID: <20020112071854.56D4437B49D@hub.freebsd.org>

This is a multi-part message in MIME format.

From owner-freebsd-security Sat Jan 12 00:19:13 2002
From: "list"
Subject: suidperl
Date: Sat, 12 Jan 2002 18:16:49 +1000
Message-ID: <077f01c19b41$7cf205a0$6500a8c0@halenet.com.au>

Hi

I have just looked through the archives regarding FreeBSD and suidperl. Can anyone tell me what security issues there may be with enabling suidperl and what the best way to achieve this would be?

TIA
Tim

______________________________________
Scanned and protected by HaleNET using Inflex and Sophos Antivirus
HaleNET Your Local Internet SERVICE Provider http://www.halenet.com.au

Disclaimer: While we at HaleNET take viruses very seriously and are taking all practical steps to prevent them from reaching you, we cannot guarantee that any viruses will not reach you. We urge customers to update their anti virus software regularly. HaleNET updates ours every 2 hours. Please contact HaleNET if you need a Sophos anti virus. In the past 6 months we have blocked between 100 and 3000 per day. This service is provided on the basis that no liability will be accepted by HaleNET. If any customer does not wish us to scan their email prior to delivery then please email us. Most ISP's do not scan email or charge a fee for email scanning, this is in part why these viruses are allowed to distribute themselves. Many of the National ISP's actually make money out of letting viruses increase the data downloads of customers or to wholesale customers such as ISP's like HaleNET. This service we are providing to HaleNET customers may have just saved the recipient as much as $150, plus the inconvenience of having to remove this virus.
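Returning to the daemon(3) thread above: one concrete way daemon() clobbers an "innocent" descriptor, as Crist Clark asks about, is a program that opens its log (or a socket) before calling daemon() while one of descriptors 0-2 was already closed when the process started; daemon(3) then dup2()s /dev/null onto 0, 1 and 2 and the log file silently becomes /dev/null. The C program below is an added example written for this archive, not code from the thread or from any BSD source tree; it runs the real daemon(3) under both orderings and assumes only a writable /tmp (the function and file names are the example's own).

```c
#define _DEFAULT_SOURCE            /* glibc: make daemon(3) visible */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOG_LINE "daemon started\n"

/*
 * Run one start-up ordering in a child process and report whether LOG_LINE
 * reached the log file.  log_first != 0 opens the log and then calls
 * daemon(); log_first == 0 calls daemon() first and opens the log after.
 * If logfd_out is not NULL it receives the descriptor number the log got.
 * Returns 1 if the line is in the file, 0 if it was lost, -1 on error.
 */
static int run_scenario(int log_first, int *logfd_out)
{
    char path[] = "/tmp/daemon-demo-XXXXXX";   /* absolute: daemon() chdirs to / */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);

    int pipefd[2];
    if (pipe(pipefd) < 0) {
        unlink(path);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        close(pipefd[0]);
        /* Simulate a parent that started us with stderr closed: the next
         * open() in this process is handed descriptor 2 (or lower). */
        close(STDERR_FILENO);
        int logfd = -1;
        if (log_first)
            logfd = open(path, O_WRONLY | O_APPEND);
        /* daemon(0, 0): fork, setsid(), chdir("/"), then dup2() /dev/null
         * onto descriptors 0, 1 and 2, whatever they currently refer to. */
        if (daemon(0, 0) < 0)
            _exit(1);
        if (!log_first)
            logfd = open(path, O_WRONLY | O_APPEND);   /* 0-2 taken: gets >= 3 */
        if (logfd >= 0 && write(logfd, LOG_LINE, strlen(LOG_LINE)) < 0)
            _exit(1);
        /* Report the log's descriptor number; the pipe end survives
         * daemon() because it sits above descriptor 2. */
        char msg[16];
        int n = snprintf(msg, sizeof msg, "%d", logfd);
        if (write(pipefd[1], msg, (size_t)n) < 0)
            _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    /* daemon()'s intermediate process exits at once; the pipe keeps us
     * waiting until the daemonized grandchild has written its report. */
    char msg[16] = {0};
    ssize_t got = read(pipefd[0], msg, sizeof msg - 1);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);

    int found = 0;
    FILE *f = fopen(path, "r");
    if (f) {
        char line[64] = {0};
        if (fgets(line, sizeof line, f) && strcmp(line, LOG_LINE) == 0)
            found = 1;
        fclose(f);
    }
    unlink(path);
    if (got <= 0)
        return -1;
    if (logfd_out)
        *logfd_out = atoi(msg);
    return found;
}

/* Log opened before daemon(): the line silently goes to /dev/null. */
int log_lost_when_opened_before_daemon(void)
{
    int fd = -1;
    return run_scenario(1, &fd) == 0 && fd >= 0 && fd <= 2;
}

/* daemon() called before the log is opened: the line reaches the file. */
int log_kept_when_daemon_called_first(void)
{
    int fd = -1;
    return run_scenario(0, &fd) == 1 && fd > 2;
}

int main(void)
{
    int fd = -1;
    int r = run_scenario(1, &fd);
    printf("open log, then daemon(): log on fd %d, line in file: %d\n", fd, r);
    r = run_scenario(0, &fd);
    printf("daemon(), then open log: log on fd %d, line in file: %d\n", fd, r);
    return 0;
}
```

The same clobbering hits a listening socket or a pidfile that landed on 0-2, which is why calling daemon() before opening anything that must outlive it is the ordering to keep.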
From owner-freebsd-security Sat Jan 12 01:37:38 2002
From: "Jeff Palmer"
To: "Joe Unlearn", "Nicolas Rachinsky"
Subject: Re: smtpproxy
Date: Sat, 12 Jan 2002 04:40:01 -0500
Message-ID: <005001c19b4d$1b128470$0286a8c0@jeff>
References: <20020112005425.GA69702@pc5.abc> <3C3F9B83.7080700@ne.mediaone.net>

> Nicolas Rachinsky wrote:
>
> I myself am a fan of postfix, Wietse loves security and security loves
> Wietse :) Your mileage may vary though.
> /usr/ports/mail/postfix. It's not very simplistic in design, it's quite
> robust actually, however you can be fairly certain no bugs will pop up
> in it.
>
> --J

To EVER say "fairly certain no bugs will pop up" is an extremely lax, and insecure statement. You may give someone the impression that they can install postfix today, and never update it again. All software developers know that any program of any size has bugs. Security or non security related, there are bugs. As spammers find new ways to send mail through remote servers, and crackers find new ways to overflow and otherwise exploit servers.. The general 'idea' of security changes. What servers are 'bugfree' and 'secure' today, may NOT be safe and secure with tomorrow's attackers.

From owner-freebsd-security Sat Jan 12 01:48:04 2002
From: "Tim J. Robbins"
To: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl
Date: Sat, 12 Jan 2002 20:44:04 +1100
Message-ID: <20020112204404.A455@raven.robbins.dropbear.id.au>
In-Reply-To: <077f01c19b41$7cf205a0$6500a8c0@halenet.com.au>

On Sat, Jan 12, 2002 at 06:16:49PM +1000, list wrote:

> Can anyone tell me what security issues there may be with enabling suidperl
> and what the best way to achieve this would be?

To enable suidperl, you can add "ENABLE_SUIDPERL=true" to /etc/make.conf (see /etc/defaults/make.conf) and rebuild. chmod u+s /usr/bin/suidperl will also work, but the suid bit will be dropped next rebuild.

As for potential security issues.. it could expose you to a local root compromise; it's had problems in the past.
The most notable example I can think of is this one (read the thread):

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=119124+0+archive/2000/freebsd-security/20000813.freebsd-security

It turns out that FreeBSD was not vulnerable to that attack, but it illustrates that there are risks.

Tim

From owner-freebsd-security Sat Jan 12 01:49:31 2002
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Subject: Re: smtpproxy
Date: Sat, 12 Jan 2002 10:52:05 +0100
Message-ID: <20020112105205.A350@Picasso.Zahemszky.HU>
In-Reply-To: <"from list"@rachinsky.de>
References: <20020112005425.GA69702@pc5.abc>

On Sat, Jan 12, 2002 at 01:54:28AM +0100, Nicolas Rachinsky wrote:
> Hallo,
>
> I'm looking for a smtpproxy or something similar to accept mails via
> smtp on the firewall and forward them to the internal sendmail.

Hi!
What about /usr/ports/mail/smtpd (it's the store-and-forward SMTP proxy of the Obtuse firewall), or the smapd from TIS's FireWallToolKit (/usr/ports/security/fwtk)?

Bye,

ZGabor < Gabor at Zahemszky dot HU >

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
From owner-freebsd-security Sat Jan 12 6:10:07 2002
Date: 12 Jan 2002 15:09:56 +0100
From: Dag-Erling Smorgrav
To: current@freebsd.org
Subject: HEADS UP: -CURRENT switched from pam.conf to pam.d

The preferred configuration method for PAM is now /etc/pam.d/ rather than /etc/pam.conf. If you have an unmodified pam.conf, just delete it after your next mergemaster run. If you have local modifications, you can use /usr/src/etc/pam.d/convert.pl to incorporate them into your /etc/pam.d:

    # cd /etc/pam.d
    # perl -w /usr/src/etc/pam.d/convert.pl /etc/pam.conf

The script will create new files for non-standard services you've added to pam.conf, and update existing files while taking care to preserve the version string so as to avoid tripping up mergemaster.

If you do neither of these things, then after your next mergemaster run PAM will start using the policies in /etc/pam.d instead of /etc/pam.conf, falling back to the latter only when no appropriate policy was found in the former.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org
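As an added illustration of the layout change DES describes (example code written for this page, not FreeBSD's convert.pl, and it makes no attempt at convert.pl's version-string handling or merging into existing files), the following sh script splits a pam.conf into per-service pam.d files and mirrors the lookup order stated in the message: a file under pam.d wins, pam.conf is consulted only when there is none. The pam.conf contents and the temp-directory paths are constructed for the demonstration.

```sh
#!/bin/sh
# Added example; not FreeBSD's convert.pl. pam.conf lines have the shape
#   service type control module [args]
# and pam.d/<service> holds the same lines with the service field removed.
# Each target file is rewritten from scratch (no $FreeBSD$ preservation).

# pamconf_to_pamd PAM_CONF PAMD_DIR
pamconf_to_pamd() {
    conf=$1; dir=$2
    mkdir -p "$dir" || return 1
    awk -v dir="$dir" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            svc = $1
            out = dir "/" svc
            if (!(svc in seen)) {                # truncate on first sight
                printf "" > out; close(out); seen[svc] = 1
            }
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the service field
            print line >> out; close(out)
        }' "$conf"
}

# pam_policy_source SERVICE PAMD_DIR PAM_CONF  ->  pam.d | pam.conf | none
# The lookup order from the message: pam.d first, pam.conf only as fallback.
pam_policy_source() {
    svc=$1; dir=$2; conf=$3
    if [ -f "$dir/$svc" ]; then
        echo pam.d
    elif awk -v s="$svc" '
            !/^[ \t]*(#|$)/ && $1 == s { found = 1 }
            END { exit !found }' "$conf" 2>/dev/null; then
        echo pam.conf
    else
        echo none
    fi
}

# Demonstration on a constructed pam.conf (not the one FreeBSD ships),
# under a temporary directory so nothing on the real system is touched.
demo_pam() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pam.conf" <<'EOF'
# constructed pam.conf
login   auth      required  pam_unix.so   try_first_pass
login   account   required  pam_unix.so
login   session   required  pam_permit.so
sshd    auth      required  pam_unix.so
other   auth      required  pam_deny.so
EOF
    pamconf_to_pamd "$tmp/pam.conf" "$tmp/pam.d"
    for f in "$tmp"/pam.d/*; do
        echo "== ${f##*/}"; cat "$f"
    done
    echo "login -> $(pam_policy_source login "$tmp/pam.d" "$tmp/pam.conf")"
    rm -rf "$tmp"
}
demo_pam
```

Run it as `sh pamconf_to_pamd.sh`; it prints the generated pam.d/login, pam.d/sshd and pam.d/other files and then reports where the login policy is found.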
From owner-freebsd-security Sat Jan 12 7:31:42 2002
Date: 12 Jan 2002 16:31:37 +0100
From: Dag-Erling Smorgrav
To: Garrett Wollman
Cc: "Tim J. Robbins", freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
References: <20011217073102.GA94480@noname> <20011217185456.A34365@raven.robbins.dropbear.id.au> <200112171803.fBHI3kA35513@khavrinen.lcs.mit.edu>
In-Reply-To: <200112171803.fBHI3kA35513@khavrinen.lcs.mit.edu>

Garrett Wollman writes:
> [...] DES and I have discussed a more appropriate behavior for
> this option which does not violate the TCP standard.

...but we never arrived at a definite conclusion.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Jan 12 7:32:58 2002
Date: 12 Jan 2002 16:32:52 +0100
From: Dag-Erling Smorgrav
To: Lamont Granquist
Cc: Garrett Wollman, "Tim J. Robbins"
Subject: Re: options TCP_DROP_SYNFIN
References: <20011217203955.K4651-100000@coredump.scriptkiddie.org>
In-Reply-To: <20011217203955.K4651-100000@coredump.scriptkiddie.org>

Lamont Granquist writes:
> Anyway, more to the point of the original poster, if you're turning on
> TCP_DROP_SYNFIN in order to block nmap host identification, you really
> have too much free time on your hands. Most attackers are driven not by
> which hosts they want to exploit but which exploits they have to use.
> They tend to scan large blocks of addresses with automated attack tools
> which don't bother to do any osdetection and just look for the service,
> attempt to exploit it and return if the exploit was successful or not.

You've never run an IRC server, have you?
DES
-- 
Dag-Erling Smorgrav - des@ofug.org
From owner-freebsd-security Sat Jan 12 16:17:53 2002
Date: Sat, 12 Jan 2002 16:17:49 -0800
From: Bill Fumerola
To: Dag-Erling Smorgrav
Cc: Lamont Granquist, Garrett Wollman, "Tim J. Robbins", freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
Message-ID: <20020112161749.I402@elvis.mu.org>
References: <20011217203955.K4651-100000@coredump.scriptkiddie.org>
In-Reply-To: ; from des@ofug.org on Sat, Jan 12, 2002 at 04:32:52PM +0100
X-Operating-System: FreeBSD 4.5-FEARSOME-20011222 i386

On Sat, Jan 12, 2002 at 04:32:52PM +0100, Dag-Erling Smorgrav wrote:
> You've never run an IRC server, have you?

Is that the requirement for commenting?

OK, I don't see any reasons why this is a kernel option when the exact same functionality is available from both firewall facilities we currently ship.
-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From owner-freebsd-security Sat Jan 12 16:28:29 2002
Date: Sun, 13 Jan 2002 00:28:22 +0000
From: Rik
To: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl
Message-ID: <20020113002822.GA28482@spoon.pkl.net>
References: <077f01c19b41$7cf205a0$6500a8c0@halenet.com.au> <20020112204404.A455@raven.robbins.dropbear.id.au>
In-Reply-To: <20020112204404.A455@raven.robbins.dropbear.id.au>

Which raises the question: what use is suidperl without the suid bit? I can't recall ever having used it, and I can't recall any scripts I know of that use it... so, uhm, what's the point?
rik
-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net
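An added check for the state Tim's answer and Rik's question turn on, written for this page rather than taken from the thread or from FreeBSD: whether a suidperl binary is actually setuid right now, and whether make.conf carries ENABLE_SUIDPERL=true so that the bit would survive the next build instead of being dropped as Tim warns. Both functions take paths as arguments; the demonstration runs them on constructed files under a temporary directory (the real paths would be /usr/bin/suidperl and /etc/make.conf).

```sh
#!/bin/sh
# Added example; not code from the thread or from FreeBSD. Audits the two
# ways of enabling suidperl that Tim describes: the one-off chmod u+s and
# the durable ENABLE_SUIDPERL=true in make.conf.

# suidperl_mode PATH -> "setuid" | "not-setuid"
# find -perm -4000 is POSIX, which sidesteps the stat(1) syntax differences
# between BSD and GNU userlands.
suidperl_mode() {
    f=$1
    if [ -n "$(find "$f" -prune -perm -4000 -print 2>/dev/null)" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# suidperl_policy MAKE_CONF -> "persistent" | "transient"
# "persistent" when make.conf sets ENABLE_SUIDPERL to true (the build will
# install suidperl setuid again); "transient" otherwise (a chmod u+s is
# undone by the next rebuild). Comment lines are ignored, whitespace around
# '=' and a trailing comment are tolerated, the last assignment wins.
suidperl_policy() {
    conf=$1
    val=$(awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*ENABLE_SUIDPERL[ \t]*$/ {
            v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
            print tolower(v)
        }' "$conf" 2>/dev/null | tail -n 1)
    if [ "$val" = true ]; then
        echo persistent
    else
        echo transient
    fi
}

# Walk through both options on constructed files (hypothetical paths under
# a temp dir, so nothing on the real system is touched).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$tmp/suidperl"; chmod 0755 "$tmp/suidperl"
    printf '# constructed make.conf\nCPUTYPE=i686\n' > "$tmp/make.conf"
    echo "initial:         $(suidperl_mode "$tmp/suidperl"), $(suidperl_policy "$tmp/make.conf")"
    chmod u+s "$tmp/suidperl"                             # the quick fix
    echo "after chmod:     $(suidperl_mode "$tmp/suidperl"), $(suidperl_policy "$tmp/make.conf")"
    printf 'ENABLE_SUIDPERL=true\n' >> "$tmp/make.conf"   # the durable fix
    echo "after make.conf: $(suidperl_mode "$tmp/suidperl"), $(suidperl_policy "$tmp/make.conf")"
    rm -rf "$tmp"
}
demo
```

On a live system, `suidperl_mode /usr/bin/suidperl` with `suidperl_policy /etc/make.conf` answering "transient" is exactly the configuration Tim cautions about: setuid today, silently not setuid after the next installworld.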
From owner-freebsd-security Sat Jan 12 20:16:59 2002
Date: 13 Jan 2002 05:16:52 +0100
From: Dag-Erling Smorgrav
To: Bill Fumerola
Cc: Lamont Granquist, Garrett Wollman, "Tim J. Robbins", freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
References: <20011217203955.K4651-100000@coredump.scriptkiddie.org> <20020112161749.I402@elvis.mu.org>
In-Reply-To: <20020112161749.I402@elvis.mu.org>

Bill Fumerola writes:
> On Sat, Jan 12, 2002 at 04:32:52PM +0100, Dag-Erling Smorgrav wrote:
> > You've never run an IRC server, have you?
> is that the requirement for commenting?

No, but his comments made it clear that he was not familiar with the attack patterns IRC servers were subject to.

> ok, i don't see any reasons why
> this is a kernel option when the exact same functionality is available
> from both firewall facilities we currently ship.

Overhead. That might not be an issue anymore, though. I don't know how fast ipfw is these days.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org
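An added example, not from the thread: the ipfw and ipf rules that Bill's "both firewall facilities" remark points at (rule syntax recalled from the ipfw(8) and ipf(5) manual pages of the time, to be checked against your own before deploying), plus a small awk detector that counts SYN+FIN probe sources in `tcpdump -n` output, the kind of traffic DES has in mind on an IRC server. The tcpdump lines are constructed sample data using RFC 5737 addresses; the 4.x `Flags [..]` output format is assumed.

```sh
#!/bin/sh
# Added example; not from the thread or from FreeBSD.
#
# Firewall-level equivalents of TCP_DROP_SYNFIN (syntax from memory of the
# ipfw(8) and ipf(5) man pages; verify against yours):
#   ipfw add deny log tcp from any to any tcpflags syn,fin
#   block in log quick proto tcp from any to any flags SF/SF   # ipf.conf
#
# tcpdump 4.x prints TCP flags in FIN,SYN,RST,PSH,ACK order, so a SYN+FIN
# segment shows as "Flags [FS]"; "[SF]" is accepted too in case a build
# orders them differently. Constructed sample, not a real capture.
SAMPLE_TCPDUMP='10:00:01.000001 IP 203.0.113.5.40000 > 192.0.2.10.6667: Flags [FS], seq 1, win 1024, length 0
10:00:01.000002 IP 198.51.100.7.51515 > 192.0.2.10.6667: Flags [S], seq 2, win 65535, length 0
10:00:01.000003 IP 192.0.2.10.6667 > 198.51.100.7.51515: Flags [S.], seq 3, ack 3, win 65535, length 0
10:00:01.000004 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [FS], seq 1, win 1024, length 0
10:00:01.000005 IP 203.0.113.9.40000 > 192.0.2.10.22: Flags [FPU], seq 1, win 1024, length 0'

# synfin_sources [FILE...]: read tcpdump -n lines from files or stdin and
# print "source-address count" for every source that sent SYN+FIN segments.
# Field 3 of a tcpdump -n line is the source as a.b.c.d.port.
synfin_sources() {
    awk '
        /Flags \[(FS|SF)\]/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # strip the port
            n[src]++
        }
        END { for (s in n) print s, n[s] }' "$@" | sort
}

printf '%s\n' "$SAMPLE_TCPDUMP" | synfin_sources
```

Feed it a live capture with `tcpdump -n -i em0 'tcp[tcpflags] & (tcp-syn|tcp-fin) == (tcp-syn|tcp-fin)' | synfin_sources` style piping if you want to see whether the option (or the equivalent firewall rule) is actually earning its keep on a given host; the plain SYN, SYN/ACK and Xmas-style FPU lines in the sample are there to show they are not counted.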