From owner-freebsd-security@FreeBSD.ORG Sat Jan 29 20:00:15 2005
From: Scot Hetzel
To: Mikhail Teterin
Cc: questions@freebsd.org
Date: Sat, 29 Jan 2005 14:00:13 -0600
Message-ID: <790a9fff0501291200160fe8f1@mail.gmail.com>
In-Reply-To: <200501282159.21711.mi+mx@aldan.algebra.com>
Subject: Re: Cyrus IMAP crashes after reading /etc/krb5.conf

On Fri, 28 Jan 2005 21:59:21 -0500, Mikhail Teterin wrote:
> Hello!
>
> I'm trying to configure a freshly built mail/cyrus-imapd22 to work and
> authenticate accounts -- Kerberos and plain text.
>
> The GSSAPI authentication works already. After doing kinit, I can do ``imtest
> -m GSSAPI hostname'' and it succeeds.
>
> Now I'm trying to login with plain text (over SSL). Cyrus' imapd keeps
> crashing from SIGBUS. According to ktrace, this happens right after reading
> the krb5.conf (I replaced our domain with "example" below):
>

The freebsd-security list is for security issues with the FreeBSD
operating system. Your question is a port question; freebsd-questions,
the cyrus mailing list, or freebsd-ports is where you should have posted.

You'll need to use gdb on the cyrus-imapd .core file to find out where it
is failing. You'll also need a version of cyrus-imapd compiled with
debugging symbols to get something useful out of gdb, i.e.

  gdb /usr/ports/mail/cyrus-imapd22/work/cyrus-imapd-2.2*// -c //.core

(check the man page, I'm not sure -c is correct for the core file)

then use bt (backtrace) in gdb and it will show you the src file &
function where the failure is occurring. You may also want to look at the
values of some of the variables (i.e. p varname, p *varname, p &varname).

Scot

PS. I BCC freebsd-security, do not post any replies there.
From owner-freebsd-security@FreeBSD.ORG Tue Feb 1 18:07:03 2005
From: "Fernando Castro"
Date: Tue, 1 Feb 2005 16:07:07 -0200
Message-ID: <000101c50888$d7e80a10$8b97ccc8@LAPELENICE>
Subject: Information request - FreeBSD Native Firewall Certificate

I'd like to request information about the FreeBSD native firewall software.

Does the firewall attend to the security certification at International
Computer Security Association (ICSA Labs Firewall Certification Program)
Labs or Trust Technology Assessment Program (TTAP) or similar programs?

Thanks for your attention

Fernando Castro
fcastro@smsweb.com.br

From owner-freebsd-security@FreeBSD.ORG Wed Feb 2 20:17:11 2005
From: Chuck Swiger
Organization: The Courts of Chaos
To: Fernando Castro
Cc: freebsd-security@freebsd.org
Reply-To: freebsd-questions
Date: Wed, 02 Feb 2005 15:16:42 -0500
Message-ID: <4201352A.4030305@mac.com>
In-Reply-To: <000101c50888$d7e80a10$8b97ccc8@LAPELENICE>
Subject: Re: Information request - FreeBSD Native Firewall Certificate

Fernando Castro wrote:
> Does the firewall attend to the security certification at
> International Computer Security Association (ICSA Labs Firewall
> Certification Program) Labs or Trust Technology Assessment Program
> (TTAP) or similar programs?

The FreeBSD project has likely never bothered to pay ICSA to certify that
the firewall software available with FreeBSD meets their criteria, but
companies like Nokia have used technology from FreeBSD to create
ICSA-certified products:

http://www.icsalabs.com/html/communities/firewalls/certification/rxvendors/nokiaip650/index.shtml

-- 
-Chuck

[ reply-to set to a more appropriate list ]

From owner-freebsd-security@FreeBSD.ORG Thu Feb 3 19:49:18 2005
From: Duane Winner
To: freebsd-security@freebsd.org
Date: Thu, 03 Feb 2005 14:49:06 -0500
Message-ID: <42028032.2020701@att.net>
Subject: need ipfw clarification
Hello,

I noticed that after enabling firewall in my kernel (5.3-release), my
dmesg now gives me this:

ipfw2 initialized, divert disabled, rule-based forwarding disabled,
default to accept, logging limited to 5 packets/entry by default

On 5.2.1, I used to get this:

ipfw2 initialized, divert disabled, rule-based forwarding enabled,
default to accept, logging disabled

In both cases, I am adding this to my KERNEL config:

options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT

It seems that the major difference between 5.2.1 and 5.3 is that now
rule-based forwarding is disabled.

Is this correct? And what exactly is rule-based forwarding? I'm guessing
that it doesn't really apply to my situation, as in these cases, I am
using IPFW to create a deny all inbound to my laptop when I'm on the road.
But I just want to make sure.

Thanks,
DW

From owner-freebsd-security@FreeBSD.ORG Thu Feb 3 20:02:40 2005
From: Roberto Nunnari
To: Duane Winner
Cc: freebsd-security@freebsd.org
Date: Thu, 03 Feb 2005 21:02:21 +0100
Message-ID: <4202834D.7030000@supsi.ch>
In-Reply-To: <42028032.2020701@att.net>
Subject: Re: need ipfw clarification

Hi Duane.

I had the same problem. With 5.2.1 I had working forward rules,
and they broke with 5.3.

After some fiddling I managed to get that working again; just
add these to your kernel:

options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD

If you don't add them to your kernel, forwarding in ipfw will
be disabled.

Ciao.

Duane Winner wrote:
> Hello,
>
> I noticed that after enabling firewall in my kernel (5.3-release), my
> dmesg now gives me this:
>
> ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> default to accept, logging limited to 5 packets/entry by default
>
> On 5.2.1, I used to get this:
>
> ipfw2 initialized, divert disabled, rule-based forwarding enabled,
> default to accept, logging disabled
>
> In both cases, I am adding this to my KERNEL config:
>
> options IPFIREWALL
> options IPFIREWALL_DEFAULT_TO_ACCEPT
>
> It seems that the major difference between 5.2.1 and 5.3 is that now
> rule-based forwarding is disabled.
>
> Is this correct? And what exactly is rule-based forwarding? I'm guessing
> that it doesn't really apply to my situation, as in these cases, I am
> using IPFW to create a deny all inbound to my laptop when I'm on the
> road. But I just want to make sure.
>
> Thanks,
> DW
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 
Roberto Nunnari -software engineer-      mailto:roberto.nunnari@supsi.ch
Scuola Universitaria Professionale della Svizzera Italiana
Dipartimento Tecnologie Innovative       http://www.dti.supsi.ch
SUPSI-DTI
Via Cantonale               tel: +41-91-6108561
6928 Manno         """      fax: +41-91-6108570
Switzerland       (o o)
=======================oOO==(_)==OOo========================

From owner-freebsd-security@FreeBSD.ORG Thu Feb 3 21:05:21 2005
From: Tom Marchand
To: freebsd-security@freebsd.org
Date: 03 Feb 2005 16:06:46 -0500
Message-Id: <20050203210521.8F8B943D39@mx1.FreeBSD.org>
Subject: RE: Firewall certificate

How important is it to certify the firewall?
From owner-freebsd-security@FreeBSD.ORG Fri Feb 4 07:30:18 2005
From: Dmitriy Kirhlarov
To: freebsd-security@freebsd.org
Date: Fri, 4 Feb 2005 10:30:09 +0300
Message-ID: <20050204073008.GE65749@torch.higis.ru>
In-Reply-To: <4202834D.7030000@supsi.ch>
Subject: Re: need ipfw clarification

Hi Roberto!

Roberto Nunnari wrote on Thursday, 03 February 2005:
> options IPFIREWALL_FORWARD
>
> if you don't add them to your kernel, forwarding in ipfw will
> be disabled.

IPFIREWALL_FORWARD was silently removed from the kernel. And:
http://www.freebsd.org/cgi/query-pr.cgi?pr=73129

Bye.
Dmitriy

From owner-freebsd-security@FreeBSD.ORG Fri Feb 4 20:02:18 2005
From: Duane Winner
To: Roberto Nunnari
Cc: freebsd-security@freebsd.org
Date: Fri, 04 Feb 2005 15:02:04 -0500
Message-ID: <4203D4BC.30409@att.net>
In-Reply-To: <4202834D.7030000@supsi.ch>
Subject: Re: need ipfw clarification

Thanks Roberto,

Just to make sure I understand though, I only need to be concerned with
"forwarding" and "forward rules" if I'm setting up a multi-homed host
(i.e., router), is this correct?
If I'm just using ipfw for single-host based firewall protection, then
forwarding doesn't apply, right?

Thanks again,
Duane

Roberto Nunnari wrote:
> Hi Duane.
>
> I had the same problem. With 5.2.1 I had working forward rules,
> and they broke with 5.3.
>
> After some fiddling I managed to get that working again; just
> add these to your kernel:
>
> options IPFIREWALL
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_FORWARD
>
> If you don't add them to your kernel, forwarding in ipfw will
> be disabled.
>
> Ciao.
>
> Duane Winner wrote:
>
>> Hello,
>>
>> I noticed that after enabling firewall in my kernel (5.3-release), my
>> dmesg now gives me this:
>>
>> ipfw2 initialized, divert disabled, rule-based forwarding disabled,
>> default to accept, logging limited to 5 packets/entry by default
>>
>> On 5.2.1, I used to get this:
>>
>> ipfw2 initialized, divert disabled, rule-based forwarding enabled,
>> default to accept, logging disabled
>>
>> In both cases, I am adding this to my KERNEL config:
>>
>> options IPFIREWALL
>> options IPFIREWALL_DEFAULT_TO_ACCEPT
>>
>> It seems that the major difference between 5.2.1 and 5.3 is that now
>> rule-based forwarding is disabled.
>>
>> Is this correct? And what exactly is rule-based forwarding? I'm
>> guessing that it doesn't really apply to my situation, as in these
>> cases, I am using IPFW to create a deny all inbound to my laptop when
>> I'm on the road. But I just want to make sure.
>>
>> Thanks,
>> DW

From owner-freebsd-security@FreeBSD.ORG Fri Feb 4 20:09:41 2005
From: Bill Moran
Organization: Potential Technologies
To: Duane Winner
Cc: freebsd-security@freebsd.org
Date: Fri, 4 Feb 2005 15:09:36 -0500
Message-Id: <20050204150936.70e843fd.wmoran@potentialtech.com>
In-Reply-To: <4203D4BC.30409@att.net>
Subject: Re: need ipfw clarification
Duane Winner wrote:
> Thanks Roberto,
>
> Just to make sure I understand though, I only need to be concerned with
> "forwarding" and "forward rules" if I'm setting up a multi-homed host
> (i.e., router), is this correct?

It doesn't even apply then. IPFW forwarding forwards packets and rewrites
their IP headers to make one machine look like another. While this is
commonly used on firewalls, it's not the same thing as turning on
forwarding (i.e. routing between interfaces) and isn't required to set
up a multi-homed "router".

For example, I use IPFW forwarding so that my firewall forwards VNC
packets to my desktop, so outsiders can connect directly to my desktop
through the firewall.

> If I'm just using ipfw for single-host based firewall protection, then
> forwarding doesn't apply, right?

That's correct.

> Thanks again,
> Duane
>
> Roberto Nunnari wrote:
>
> > Hi Duane.
> >
> > I had the same problem. With 5.2.1 I had working forward rules,
> > and they broke with 5.3.
> >
> > After some fiddling I managed to get that working again; just
> > add these to your kernel:
> >
> > options IPFIREWALL
> > options IPFIREWALL_DEFAULT_TO_ACCEPT
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_FORWARD
> >
> > If you don't add them to your kernel, forwarding in ipfw will
> > be disabled.
> >
> > Ciao.
> >
> > Duane Winner wrote:
> >
> >> Hello,
> >>
> >> I noticed that after enabling firewall in my kernel (5.3-release), my
> >> dmesg now gives me this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> >> default to accept, logging limited to 5 packets/entry by default
> >>
> >> On 5.2.1, I used to get this:
> >>
> >> ipfw2 initialized, divert disabled, rule-based forwarding enabled,
> >> default to accept, logging disabled
> >>
> >> In both cases, I am adding this to my KERNEL config:
> >>
> >> options IPFIREWALL
> >> options IPFIREWALL_DEFAULT_TO_ACCEPT
> >>
> >> It seems that the major difference between 5.2.1 and 5.3 is that now
> >> rule-based forwarding is disabled.
> >>
> >> Is this correct? And what exactly is rule-based forwarding? I'm
> >> guessing that it doesn't really apply to my situation, as in these
> >> cases, I am using IPFW to create a deny all inbound to my laptop when
> >> I'm on the road. But I just want to make sure.
> >>
> >> Thanks,
> >> DW

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCA9aAYOm/CGAEZUARAiN/AKCC042SSDQ+q1TI1Z4W27ZibXnlfACgzQcT
rdStOrfppkVtN9df5Lpc30U=
=uEg4
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Feb 4 21:40:19 2005
From: Bill Moran
Organization: Potential Technologies
To: Julian Elischer
Cc: freebsd-security@freebsd.org
Date: Fri, 4 Feb 2005 16:40:17 -0500
Message-Id: <20050204164017.402680f3.wmoran@potentialtech.com>
In-Reply-To: <4203DA87.3080508@elischer.org>
Subject: Re: need ipfw clarification

I'm confusing natd forwarding with IPFW forwarding.
My apologies for posting incorrect information, and thanks to Julian
for correcting me.

Julian Elischer wrote:
>
> Bill Moran wrote:
>
> >Duane Winner wrote:
> >
> >>Thanks Roberto,
> >>
> >>Just to make sure I understand though, I only need to be concerned with
> >>"forwarding" and "forward rules" if I'm setting up a multi-homed host
> >>(i.e., router), is this correct?
> >
> >It doesn't even apply then. IPFW forwarding forwards packets and rewrites
> >their IP headers to make one machine look like another. While this is
> >commonly used on firewalls, it's not the same thing as turning on
> >forwarding (i.e. routing between interfaces) and isn't required to set
> >up a multi-homed "router".
>
> Actually that's not QUITE correct..
> ipfw forwarding works as it does because it does NOT rewrite any headers.
> The packet just shows up at the other place without any clue as to how
> it got there. :-)
>
> >For example, I use IPFW forwarding so that my firewall forwards VNC
> >packets to my desktop, so outsiders can connect directly to my desktop
> >through the firewall.
>
> ipfw forwarding is actually two different services.
>
> What it does is different depending on whether the forwarding target is
> the local machine or is another machine.
>
> When forwarding to another machine, the unaltered packet is sent to
> that machine without alteration. If that other machine feels that the
> packet belongs elsewhere, it may send it on or even back.
>
> The second form is when the local machine is the target. The packet is
> sent to the socket listening on the nominated port locally, regardless
> of what destination machine it is supposed to go to.
>
> If you use type 1 to forward to another machine then if the packet is
> not naturally destined for that machine, you may need the same rule
> (working in the second form) on that machine to make sure that it is
> used on that machine instead of being forwarded elsewhere.
>
> The neat part about local forwarding is that the local socket itself
> thinks it is on the intended destination machine so doing a
> getsockname() returns the address of the intended target. This makes
> proxying an absolutely simple process, as the sockaddr returned can be
> used directly to open a socket to the intended target..
>
> >>If I'm just using ipfw for single-host based firewall protection, then
> >>forwarding doesn't apply, right?
> >
> >That's correct.
> >
> >>Thanks again,
> >>Duane
> >>
> >>Roberto Nunnari wrote:
> >>
> >>>Hi Duane.
> >>>
> >>>I had the same problem. With 5.2.1 I had working forward rules,
> >>>and they broke with 5.3.
> >>>
> >>>After some fiddling I managed to get that working again; just
> >>>add these to your kernel:
> >>>
> >>>options IPFIREWALL
> >>>options IPFIREWALL_DEFAULT_TO_ACCEPT
> >>>options IPFIREWALL_VERBOSE
> >>>options IPFIREWALL_FORWARD
> >>>
> >>>If you don't add them to your kernel, forwarding in ipfw will
> >>>be disabled.
> >>>
> >>>Ciao.
> >>>
> >>>Duane Winner wrote:
> >>>
> >>>>Hello,
> >>>>
> >>>>I noticed that after enabling firewall in my kernel (5.3-release), my
> >>>>dmesg now gives me this:
> >>>>
> >>>>ipfw2 initialized, divert disabled, rule-based forwarding disabled,
> >>>>default to accept, logging limited to 5 packets/entry by default
> >>>>
> >>>>On 5.2.1, I used to get this:
> >>>>
> >>>>ipfw2 initialized, divert disabled, rule-based forwarding enabled,
> >>>>default to accept, logging disabled
> >>>>
> >>>>In both cases, I am adding this to my KERNEL config:
> >>>>
> >>>>options IPFIREWALL
> >>>>options IPFIREWALL_DEFAULT_TO_ACCEPT
> >>>>
> >>>>It seems that the major difference between 5.2.1 and 5.3 is that now
> >>>>rule-based forwarding is disabled.
> >>>>
> >>>>Is this correct? And what exactly is rule-based forwarding? I'm
> >>>>guessing that it doesn't really apply to my situation, as in these
> >>>>cases, I am using IPFW to create a deny all inbound to my laptop when
> >>>>I'm on the road. But I just want to make sure.
> >>>>
> >>>>Thanks,
> >>>>DW

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCA+vBYOm/CGAEZUARAgPZAKCfUVuUg1TLrq8ByDWnh3FimaLdWQCdGVpT
BeY1QJeAcDTnaTQgWkkb/lQ=
=plHf
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Feb 4 20:26:48 2005
From: Julian Elischer
To: Bill Moran
Cc: freebsd-security@freebsd.org, Duane Winner
Date: Fri, 04 Feb 2005 12:26:47 -0800
Message-ID: <4203DA87.3080508@elischer.org>
In-Reply-To: <20050204150936.70e843fd.wmoran@potentialtech.com>
Subject: Re: need ipfw clarification

Bill Moran wrote:

>Duane Winner wrote:
>
>>Thanks Roberto,
>>
>>Just to make sure I understand though, I only need to be concerned with
>>"forwarding" and "forward rules" if I'm setting up a multi-homed host
>>(i.e., router), is this correct?
>
>It doesn't even apply then. IPFW forwarding forwards packets and rewrites
>their IP headers to make one machine look like another. While this is
>commonly used on firewalls, it's not the same thing as turning on
>forwarding (i.e. routing between interfaces) and isn't required to set
>up a multi-homed "router".

Actually that's not QUITE correct..
ipfw forwarding works as it does because it does NOT rewrite any headers.
The packet just shows up at the other place without any clue as to how
it got there. :-)

>For example, I use IPFW forwarding so that my firewall forwards VNC
>packets to my desktop, so outsiders can connect directly to my desktop
>through the firewall.

ipfw forwarding is actually two different services.

What it does is different depending on whether the forwarding target is
the local machine or is another machine.
When forwarding to another machine, the unalterred packet is sent to that machine without alteration. If that other machine feels that the packet belongs elsewhere, it may send it on or even back. The second form is when the local machine is the target. The packet is sent to the socket listenning on the nominated port locally, regardless of what destination machine it is supposed to go to. If you use type 1 to forward to another machine then if the packet is not naturally destined for that machine, you may need the same rule (working in the second form) on that machine to make sure that it is used on that machine instead of being forwarded elsewhere. The neat part about local forwarding is that the local socket itself thinks it is on the intended destination machine so doing a getsockname() returns the address of the intended target. This makes proxying an absolutly simple process, as the sockaddr returned can be used directly to open a socket to the intended target.. > > >>If I'm just using ipfw for single-host based firewall protection, then >>forwarding doesn't apply, right? >> >> > >That's correct. > > > >>Thanks again, >>Duane >> >> >> >>Roberto Nunnari wrote: >> >> >> >>>Hi Duane. >>> >>>I had the same problem.. With 5.2.1 I had working forward rules >>>and that were broke with 5.3 >>> >>>after some fiddling I managed to have that work again.. just >>>add them to your kernel: >>> >>>options IPFIREWALL >>>options IPFIREWALL_DEFAULT_TO_ACCEPT >>>options IPFIREWALL_VERBOSE >>>options IPFIREWALL_FORWARD >>> >>>if you don't add them to your kernel, forwarding in ipfw will >>>be disabled. >>> >>>Ciao. 
>>> >>> >>>Duane Winner wrote: >>> >>> >>> >>>>Hello, >>>> >>>>I noticed that after enabling firewall in my kernel (5.3-release), my >>>>dmesg now gives me this: >>>> >>>>ipfw2 initialized, divert disabled, rule-based forwarding disabled, >>>>default to accept, logging limited to 5 packets/entry by default >>>> >>>> >>>>On 5.2.1, I used to get this: >>>> >>>>ipfw2 initialized, divert disabled, rule-based forwarding enabled, >>>>default to accept, logging disabled >>>> >>>>If both cases, I am adding this to my KERNEL config: >>>> >>>>options IPFIREWALL >>>>options IPFIREWALL_DEFAULT_TO_ACCEPT >>>> >>>> >>>>It seems that the major difference between 5.2.1 and 5.3 is that now >>>>rule-based forwarding is disabled. >>>> >>>>Is this correct? And what exactly is rule-based forwarding? I'm >>>>guessing that it doesn't really apply to my situation, as in these >>>>cases, I am using IPFW to create a deny all inbound to my laptop when >>>>I'm on the road. But I just want to make sure. >>>> >>>>Thanks, >>>>DW >>>>_______________________________________________ >>>>freebsd-security@freebsd.org mailing list >>>>http://lists.freebsd.org/mailman/listinfo/freebsd-security >>>>To unsubscribe, send any mail to >>>>"freebsd-security-unsubscribe@freebsd.org" >>>> >>>> >>> >>> >>> >>_______________________________________________ >>freebsd-security@freebsd.org mailing list >>http://lists.freebsd.org/mailman/listinfo/freebsd-security >>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >> >> > > > >
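Julian's point about the local form of ipfw forwarding (the listening socket "thinks it is on the intended destination machine", so getsockname() returns the target the client actually dialled) is the whole basis of a transparent proxy. The following is an added example, not code from this thread or from FreeBSD: the local-proxy side that recovers the intended destination with getsockname() on the accepted socket and opens the second leg to it. The ipfw rule in the comment is hypothetical; the self-test runs on loopback with no rule in place, where getsockname() can only report the listener's own address.

```c
/* Added example, not code from the thread or from FreeBSD: the local-proxy
 * side of ipfw "fwd" to the local machine. Under a hypothetical rule such as
 *     ipfw add fwd 127.0.0.1,8080 tcp from any to any 80 in
 * connections to any web server land on the listener on 8080, and
 * getsockname() on the accepted socket reports the address the client
 * actually dialled (the intended target), not the proxy's own address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Recover the intended destination of an accepted connection; 0 on success. */
int original_destination(int accepted_fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    return getsockname(accepted_fd, (struct sockaddr *)dst, &len);
}

/* Open the proxy's second leg directly to the recovered target; -1 on failure. */
int connect_to_target(const struct sockaddr_in *dst)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (const struct sockaddr *)dst, sizeof(*dst)) < 0) { close(fd); return -1; }
    return fd;
}

/* Self-test on loopback with no fwd rule in place: there getsockname() can only
 * report the listener's own address and port. Returns that port, or -1. */
int selftest_loopback(void)
{
    struct sockaddr_in la = {0}, dst;
    socklen_t alen = sizeof la;
    int ls, c, a, ok;
    la.sin_family = AF_INET;
    la.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* port 0: kernel picks one */
    ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0 || bind(ls, (struct sockaddr *)&la, sizeof la) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&la, &alen) < 0) return -1;
    if ((c = connect_to_target(&la)) < 0) { close(ls); return -1; }
    a = accept(ls, NULL, NULL);                       /* handshake completed in-kernel */
    ok = a >= 0 && original_destination(a, &dst) == 0 &&
         dst.sin_port == la.sin_port && dst.sin_addr.s_addr == la.sin_addr.s_addr;
    if (a >= 0) close(a);
    close(c); close(ls);
    return ok ? (int)ntohs(la.sin_port) : -1;
}
```

With the fwd rule active and the kernel built with IPFIREWALL_FORWARD (as Roberto notes above), the same original_destination() call on a redirected connection returns the remote server's address and port, which is what the proxy should log and connect to.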