From owner-freebsd-audit Sun Mar 19 23:12:10 2000 Delivered-To: freebsd-audit@freebsd.org Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id ED4FB37B53C for ; Sun, 19 Mar 2000 23:12:05 -0800 (PST) (envelope-from mheffner@mailandnews.com) Received: from muriel.penguinpowered.com [208.138.199.76] (mheffner@mailandnews.com); Mon, 20 Mar 2000 02:11:58 -0500 X-WM-Posted-At: MailAndNews.com; Mon, 20 Mar 00 02:11:58 -0500 Content-Length: 3935 Message-ID: X-Mailer: XFMail 1.4.4 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Date: Mon, 20 Mar 2000 02:12:42 -0500 (EST) Reply-To: Mike Heffner From: Mike Heffner To: FreeBSD-audit Subject: three small patches - oflows Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hi, Here are three small patches that fix misc. overflows. Could someone take a quick look at them, and possibly commit :) - ed patch, fixes "ed [4096]" overflow Index: bin/ed/main.c =================================================================== RCS file: /home/ncvs/src/bin/ed/main.c,v retrieving revision 1.14 diff -u -r1.14 main.c --- main.c 1999/08/27 23:14:14 1.14 +++ main.c 2000/03/20 07:08:33 @@ -175,7 +175,9 @@ if (read_file(*argv, 0) < 0 && !isatty(0)) quit(2); else if (**argv != '!') - strcpy(old_filename, *argv); + if(strlcpy(old_filename, *argv, + sizeof(old_filename))>=sizeof(old_filename)) + quit(2); } else if (argc) { fputs("?\n", stderr); if (**argv == '\0') 
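Review bot: the truncation check on the new strlcpy() call in the @@ -175 hunk is correct (a return value >= sizeof(old_filename) means the name did not fit), but the new `if` is nested directly under `else if (**argv != '!')` without braces, so any `else` added later at either level binds to the wrong `if`; wrap the strlcpy() check in braces. The failure path also calls quit(2) with no diagnostic, which makes an over-long name indistinguishable from the read_file() failure one line above; print a short message before quitting. Minor: `if(strlcpy(` and `)>=sizeof(` need the spaces used elsewhere in the file.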
@@ -1346,7 +1348,7 @@ REALLOC(file, filesz, MAXPATHLEN + 1, NULL); /* assert: no trailing escape */ - while ((file[i++] = (*s == '\\') ? *++s : *s)) + while (i < filesz-1 && (file[i++] = (*s == '\\') ? *++s : *s)) s++; return file; } - natd patch, fixes "natd -w [17000] blah" overflow Index: sbin/natd/natd.c =================================================================== RCS file: /home/ncvs/src/sbin/natd/natd.c,v retrieving revision 1.25 diff -u -r1.25 natd.c --- natd.c 2000/02/25 11:34:38 1.25 +++ natd.c 2000/03/04 03:42:07 @@ -421,9 +421,9 @@ static void ParseArgs (int argc, char** argv) { int arg; - char* parm; char* opt; char parmBuf[256]; + int len; /* bounds checking */ for (arg = 1; arg < argc; arg++) { @@ -434,23 +434,25 @@ Usage (); } - parm = NULL; parmBuf[0] = '\0'; + len = 0; while (arg < argc - 1) { if (argv[arg + 1][0] == '-') break; - if (parm) - strcat (parmBuf, " "); + if (len){ + strncat (parmBuf, " ", sizeof(parmBuf)-len-1); + len += strlen(parmBuf+len); + } ++arg; - parm = parmBuf; - strcat (parmBuf, argv[arg]); + strncat (parmBuf, argv[arg], sizeof(parmBuf)-len-1); + len += strlen(parmBuf+len); } - ParseOption (opt + 1, parm, 1); + ParseOption (opt + 1, (len ? parmBuf : NULL), 1); } } - startslip patch, fixes "startslip -d [8192] -c [8192]" overflow Index: sbin/startslip/startslip.c =================================================================== RCS file: /home/ncvs/src/sbin/startslip/startslip.c,v retrieving revision 1.31 diff -u -r1.31 startslip.c --- startslip.c 1999/08/28 00:14:27 1.31 +++ startslip.c 2000/03/20 06:57:33 
@@ -214,7 +214,9 @@ dvname = devicename; else dvname++; - sprintf(pidfile, PIDFILE, _PATH_VARRUN, dvname); + if(snprintf(pidfile, sizeof(pidfile), PIDFILE, _PATH_VARRUN, dvname) >= + sizeof(pidfile) ) + usage(); if ((pfd = fopen(pidfile, "r")) != NULL) { if (fscanf(pfd, "%ld\n", &lpid) == 1) { pid = lpid; Thanks, /**************************************** * Mike Heffner * * Fredericksburg, VA -- ICQ# 882073 * * Sent at: 20-Mar-2000 -- 01:59:00 EST * * http://my.ispchannel.com/~mheffner * ****************************************/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Mar 21 10:26:10 2000 Delivered-To: freebsd-audit@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 875B537BD47; Tue, 21 Mar 2000 10:26:09 -0800 (PST) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id KAA29995; Tue, 21 Mar 2000 10:26:03 -0800 (PST) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Tue, 21 Mar 2000 10:26:03 -0800 (PST) 
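Review bot: the bounded loop in the ed @@ -1346 hunk, `while (i < filesz-1 && (file[i++] = (*s == '\\') ? *++s : *s))`, no longer guarantees a NUL terminator: the original loop stopped only when it had just stored '\0', but when the new loop stops because `i` reached filesz-1 that store never happens and `file` is returned unterminated. Add `file[i] = '\0';` after the loop. Also decide whether silent truncation is acceptable here at all; a truncated path can name a different file, so failing (as the @@ -175 hunk does with quit(2)) is the safer behaviour.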
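Review bot: in the natd @@ -421 hunk `len` is declared `int` but is only ever combined with `sizeof(parmBuf)` (a size_t) and strlen() results; declare it `size_t` so the `sizeof(parmBuf)-len-1` expressions stay unsigned throughout and the compiler does not warn about sign mismatch. The comment `/* bounds checking */` would read better if it said what the variable holds, e.g. `/* bytes already in parmBuf */`.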
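Review bot: the strncat() bounds in the natd @@ -434 hunk are right (after the first strncat() `len` is at most sizeof(parmBuf)-1, so `sizeof(parmBuf)-len-1` never underflows and a further call appends nothing), but an over-long argument is now silently truncated and the truncated string is still passed to ParseOption(); for an address or port list that changes the meaning of the option instead of rejecting it. The other two patches in this mail fail closed (quit(2) in ed, usage() in startslip); for consistency check whether the argument fits before appending and call Usage() when it does not. Style: `if (len){` needs a space before the brace, matching the surrounding code.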
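Review bot: in the startslip @@ -214 hunk snprintf() returns int, and comparing it with `sizeof(pidfile)` (size_t) makes the comparison unsigned, so a negative return (which older snprintf() implementations produce on error) also lands in the usage() branch. That is fail-safe, but worth either a comment or an explicit `< 0` check before the cast. Calling usage() for an over-long device name prints the option summary rather than saying the device path is too long; a one-line error message before exiting would be more helpful. Minor: `if(snprintf(` and the stray space in `sizeof(pidfile) )`.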
From: Kris Kennaway
To: Mike Heffner
Cc: FreeBSD-audit
Subject: Re: three small patches - oflows

On Mon, 20 Mar 2000, Mike Heffner wrote:

> Hi,
>
> Here are three small patches that fix misc. overflows. Could someone take a
> quick look at them, and possibly commit :)

I'll try and take a look at these soon. I just wanted to let you know that
you're not being ignored - there are several messages in this list I want
to go back over and take another look at now that 4.0-R is out and doesn't
seem to have any problems which are my fault :-)

Of course, it would be nice if someone else picked them up too :-)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-audit Tue Mar 21 15:50:25 2000
Date: Tue, 21 Mar 2000 18:50:01 -0500 (EST)
Reply-To: Mike Heffner
From: Mike Heffner
To: Kris Kennaway
Cc: FreeBSD-audit, Mike Heffner
Subject: Re: three small patches - oflows

No problem, the rollout of 4.0R was much more important =)

By the way, what happened to the big momentum we had several months ago in
regards to doing a full code audit? Will that return now that the release is
out of the way? Do we have a webpage set up for it?

On 21-Mar-2000 Kris Kennaway wrote:
| On Mon, 20 Mar 2000, Mike Heffner wrote:
|
|> Hi,
|>
|> Here are three small patches that fix misc. overflows. Could someone take
|> a
|> quick look at them, and possibly commit :)
|
| I'll try and take a look at these soon. I just wanted to let you know that
| you're not being ignored - there are several messages in this list I want
| to go back over and take another look at now that 4.0-R is out and doesn't
| seem to have any problems which are my fault :-)
|
| Of course, it would be nice if someone else picked them up too :-)

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA -- ICQ# 882073    *
 * Sent at: 21-Mar-2000 -- 18:48:57 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-audit Tue Mar 21 18:15:02 2000
Date: Tue, 21 Mar 2000 18:14:59 -0800 (PST)
From: Kris Kennaway
To: Mike Heffner
Cc: FreeBSD-audit
Subject: Re: three small patches - oflows

On Tue, 21 Mar 2000, Mike Heffner wrote:

> No problem, the rollout of 4.0R was much more important =)
>
> By the way, what happened to the big momentum we had several months ago
> in regards to doing a full code audit? Will that return now that the release is
> out of the way? Do we have a webpage set up for it?

It should pick up again, I hope. I haven't heard about the webpage at
all..who was working on that?

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-audit Wed Mar 22 05:23:42 2000
Date: Wed, 22 Mar 2000 08:23:38 -0500
From: Keith Stevenson
To: Kris Kennaway
Cc: Mike Heffner, FreeBSD-audit
Subject: Re: three small patches - oflows
Message-ID: <20000322082338.B8858@osaka.louisville.edu>

On Tue, Mar 21, 2000 at 06:14:59PM -0800, Kris Kennaway wrote:
>
> It should pick up again, I hope. I haven't heard about the webpage at
> all..who was working on that?

I was working on it, but got sidetracked when my son was born. Having a
2-month-old has severely crimped my non-work programming time. I'll start
trying again.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

From owner-freebsd-audit Wed Mar 22 11:39:17 2000
In-Reply-To: <20000322082338.B8858@osaka.louisville.edu>
Date: Wed, 22 Mar 2000 14:39:08 -0500 (EST)
Reply-To: Mike Heffner
From: Mike Heffner
To: Keith Stevenson
Cc: FreeBSD-audit, Kris Kennaway
Subject: -audit webpage, (was Re: three small patches - oflows)

On 22-Mar-2000 Keith Stevenson wrote:
|
| I was working on it, but got sidetracked when my son was born. Having a 2
| month old has severely crimped my non-work programming time. I'll start
| trying again.
|

If you need any help or anything let me know. I'm not very HTML-savvy, but
would be willing to help out with some behind-the-scenes database stuff or
something.

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA -- ICQ# 882073    *
 * Sent at: 22-Mar-2000 -- 14:33:41 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-audit Thu Mar 23 11:19:57 2000
Message-ID: <38DA6D77.FB93FC36@vangelderen.org>
Date: Thu, 23 Mar 2000 15:16:07 -0400
From: "Jeroen C. van Gelderen"
To: FreeBSD Audit List
Subject: Portmapper enabled, IPv6 circumvents FW

Hi,

I'm wondering whether this is appropriate for the audit list:

1. Portmapper is enabled by default on freshly installed FreeBSD 4.0
   systems. I think this is undesirable for security reasons.

2. The GENERIC kernel has IPv6 enabled by default and interfaces
   automatically assign themselves link-local IPv6 addresses. This is a
   problem because people will generally be unaware of the fact that IPFW
   does not filter IPv6 addresses. Setting up a strict firewall using IPFW
   therefore leaves you open for attacks via link-local IPv6. An extra
   nuisance is that FreeBSD does not provide a kernel module for IP6FW.

I'd suggest disabling the portmapper in a default installation unless
there is a good reason not to. Another solution is to add a comment to
/etc/inetd.conf because that's what people usually edit on new systems
(because FreeBSD *still* runs ftpd and telnetd by default).

For IPv6 there are a number of potential solutions. I'd be most happy if
interfaces did not assign themselves IPv6 addresses unless and until they
are requested to do so.

Opinions?

Cheers,
Jeroen
--
Jeroen C.
van Gelderen - jeroen@vangelderen.org
Kick-ass crypto for you: http://www.cryptix.org

From owner-freebsd-audit Thu Mar 23 11:23:22 2000
Message-Id: <200003231923.MAA42847@harmony.village.org>
To: "Jeroen C. van Gelderen"
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: FreeBSD Audit List
In-reply-to: Your message of "Thu, 23 Mar 2000 15:16:07 -0400." <38DA6D77.FB93FC36@vangelderen.org>
References: <38DA6D77.FB93FC36@vangelderen.org>
Date: Thu, 23 Mar 2000 12:23:05 -0700
From: Warner Losh

In message <38DA6D77.FB93FC36@vangelderen.org> "Jeroen C. van Gelderen" writes:
: I'd suggest disabling the portmapper in a default installation
: unless there is a good reason not to.

Sadly too many people want NFS :-(. It is a big pita to run nfs w/o
portmapper.

: Another solution is to add a comment to /etc/inetd.conf because
: that's what people usually edit on new systems (because FreeBSD
: *still* runs ftpd and telnetd by default).

Agreed.

: Opinions?

I've been sent patches that make *ALL* network services off by default.
I'm thinking seriously about committing them to at least -current and
maybe to -stable also. These patches also hack sysinstall to enable them
in /etc/rc.conf so as to not effectively change our system defaults.

Warner

From owner-freebsd-audit Thu Mar 23 11:34:23 2000
Message-ID: <38DA70B2.96AF6B6D@vangelderen.org>
Date: Thu, 23 Mar 2000 15:29:54 -0400
From: "Jeroen C. van Gelderen"
To: Warner Losh
Cc: FreeBSD Audit List
Subject: Re: Portmapper enabled, IPv6 circumvents FW
References: <38DA6D77.FB93FC36@vangelderen.org> <200003231923.MAA42847@harmony.village.org>

Warner Losh wrote:
>
> In message <38DA6D77.FB93FC36@vangelderen.org> "Jeroen C. van Gelderen" writes:
> : I'd suggest disabling the portmapper in a default installation
> : unless there is a good reason not to.
>
> Sadly too many people want NFS :-(. It is a big pita to run nfs w/o
> portmapper.

But why not enable portmapper contingent on NFS being enabled? Not
possible?

> : Another solution is to add a comment to /etc/inetd.conf because
> : that's what people usually edit on new systems (because FreeBSD
> : *still* runs ftpd and telnetd by default).
>
> Agreed.
>
> : Opinions?
>
> I've been sent patches that make *ALL* network services off by
> default. I'm thinking seriously about committing them to at least
> -current and maybe to -stable also. These patches also hack
> sysinstall to enable them in /etc/rc.conf so as to not effectively
> change our system defaults.

Interesting, would this include disabling sendmail by default?
(Please say yes.)

Cheers,
Jeroen
--
Jeroen C.
van Gelderen - jeroen@vangelderen.org
Kick-ass crypto for you: http://www.cryptix.org

From owner-freebsd-audit Thu Mar 23 11:34:48 2000
In-Reply-To: <200003231923.MAA42847@harmony.village.org>
References: <38DA6D77.FB93FC36@vangelderen.org> <200003231923.MAA42847@harmony.village.org>
Date: Thu, 23 Mar 2000 20:34:13 +0100
To: Warner Losh, "Jeroen C. van Gelderen"
From: Brad Knowles
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: FreeBSD Audit List

At 12:23 PM -0700 2000/3/23, Warner Losh wrote:

> I've been sent patches that make *ALL* network services off by
> default. I'm thinking seriously about committing them to at least
> -current and maybe to -stable also. These patches also hack
> sysinstall to enable them in /etc/rc.conf so as to not effectively
> change our system defaults.

I would like very much to see these patches get committed, so that the
box tends to be secure by default out-of-the-box, and then you turn on
the additional features you want/need. I know that this may make the
system a bit harder to use, but I think that's a better alternative than
making the boxes easier to DoS or break into by default.

Myself, after I've got a machine done with the initial install, I go
through and turn off virtually everything, before I start adding stuff.
If I can install from CD, that means I don't even connect the network
until the base OS is on the box and I've turned off everything I possibly
can. It would be nice for me if this installation procedure were a little
easier to do, because that's the way the OS installs out-of-the-box.
--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles,                                       || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin        || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49                    || B-1140 Brussels
http://www.skynet.be                                || Belgium

From owner-freebsd-audit Thu Mar 23 11:36:43 2000
Message-Id: <200003231936.MAA43081@harmony.village.org>
To: "Jeroen C. van Gelderen"
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: FreeBSD Audit List
In-reply-to: Your message of "Thu, 23 Mar 2000 15:29:54 -0400." <38DA70B2.96AF6B6D@vangelderen.org>
References: <38DA70B2.96AF6B6D@vangelderen.org> <38DA6D77.FB93FC36@vangelderen.org> <200003231923.MAA42847@harmony.village.org>
Date: Thu, 23 Mar 2000 12:36:32 -0700
From: Warner Losh

In message <38DA70B2.96AF6B6D@vangelderen.org> "Jeroen C. van Gelderen" writes:
: But why not enable portmapper contingent on NFS being enabled? Not
: possible?

Yes, this is possible.

: Interesting, would this include disabling sendmail by default?
: (Please say yes.)

ALL NETWORK SERVICES. All of them. sendmail, cron, inetd, lpd,
portmapper and maybe a couple others.

Warner

From owner-freebsd-audit Thu Mar 23 11:37:57 2000
Message-Id: <200003231937.MAA43099@harmony.village.org>
To: Brad Knowles
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: "Jeroen C. van Gelderen", FreeBSD Audit List
In-reply-to: Your message of "Thu, 23 Mar 2000 20:34:13 +0100."
References: <38DA6D77.FB93FC36@vangelderen.org> <200003231923.MAA42847@harmony.village.org>
Date: Thu, 23 Mar 2000 12:37:35 -0700
From: Warner Losh

In message Brad Knowles writes:
: I would like very much to see these patches get committed, so
: that the box tends to be secure by default out-of-the-box, and then
: you turn on the additional features you want/need.

Eivind submitted them a while ago. I'll have to dust it off and see
about committing it.

Warner

From owner-freebsd-audit Thu Mar 23 21:35:31 2000
Message-Id: <3.0.6.32.20000324003034.009ad530@rio.atlantic.net>
Date: Fri, 24 Mar 2000 00:30:34 -0500
To: Warner Losh
From: Bob Johnson
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: audit@freebsd.org
In-Reply-To: <200003231937.MAA43099@harmony.village.org>
References: <38DA6D77.FB93FC36@vangelderen.org> <200003231923.MAA42847@harmony.village.org>

Please, please, please do it!

It's bad enough that I have to keep begging people on our networks
to turn off all network services as soon as they do an install.

If Red Hat starts disabling them by default before FreeBSD does,
I won't even be able to say "you should have used FreeBSD".

-- Bob

At 12:37 PM 03/23/2000 -0700, you wrote:
>In message Brad Knowles writes:
>: I would like very much to see these patches get committed, so
>: that the box tends to be secure by default out-of-the-box, and then
>: you turn on the additional features you want/need.
>
>Eivind submitted them a while ago. I'll have to dust it off and see
>about committing it.
>
>Warner
>

+--------------------------------------------------------
| Bob Johnson
| bobj@atlantic.net
+--------------------------------------------------------

From owner-freebsd-audit Fri Mar 24 05:42:28 2000
Date: Fri, 24 Mar 2000 08:42:10 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Bob Johnson
Cc: Warner Losh, audit@freebsd.org
Subject: Re: Portmapper enabled, IPv6 circumvents FW
In-Reply-To: <3.0.6.32.20000324003034.009ad530@rio.atlantic.net>

Another possibility would be a configuration choice during the install
that let you specify the ``openness'' of the initial inetd.conf. This
could be easily hacked up in the form of ``enable network services by
default?'' and just having two, or having sysinstall provide an actual
management interface. And especially on the IPv6 side, ``Do you wish to
enable IPv6 network services?'' where at least at first, there will not be
many consumers. Presumably each of these choices, unlike today's install
selections, would come with a description of what the choice means. And
without too many double negatives. :-)

One reason that you might find objection to actually disabling telnet and
so on by default is a loss of functionality in the case of serial
installs, although that can be put down to a failure of sysinstall to
initially configure /etc/ttys correctly.

Robert

On Fri, 24 Mar 2000, Bob Johnson wrote:

> Please, please, please do it!
>
> It's bad enough that I have to keep begging people on our networks
> to turn off all network services as soon as they do an install.
>
> If Red Hat starts disabling them by default before FreeBSD does,
> I won't even be able to say "you should have used FreeBSD".
>
> -- Bob
>
> At 12:37 PM 03/23/2000 -0700, you wrote:
> >In message Brad Knowles writes:
> >: I would like very much to see these patches get committed, so
> >: that the box tends to be secure by default out-of-the-box, and then
> >: you turn on the additional features you want/need.
> >
> >Eivind submitted them a while ago. I'll have to dust it off and see
> >about committing it.
> >
> >Warner
> >
>
> +--------------------------------------------------------
> | Bob Johnson
> | bobj@atlantic.net
> +--------------------------------------------------------
>

Robert N M Watson             robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-audit Fri Mar 24 09:07:49 2000
Date: Fri, 24 Mar 2000 12:07:50 -0500
To: Robert Watson, Bob Johnson
From: Garance A Drosihn
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: Warner Losh, audit@FreeBSD.ORG

At 8:42 AM -0500 3/24/00, Robert Watson wrote:
>Another possibility would be a configuration choice during the install
>that let you specify the ``openness'' of the initial inetd.conf. This
>could be easily hacked up in the form of ``enable network services by
>default?'' and just having two, or having sysinstall provide an actual
>management interface. And especially on the IPv6 side, ``Do you wish to
>enable IPv6 network services?'' where at least at first, there will not be
>many consumers. Presumably each of these choices, unlike todays install
>selections, would come with a description of what the choice means. And
>without too many double negatives. :-)

You don't need to describe them too much. I'd have a panel of the more
useful services in sysinstall, where the user can turn them on or off.
The advice at the bottom would be "Leave these turned off unless you know
you want one on and why you want it on".

Apple does something like this with its MacOS server install. They have a
nice GUI user-interface panel for "Network/Services", which has radio
buttons for Remote Shell, Remote Login, Remote Printing, Remote Mach IPC,
FTP server, Telnet server, Finger Server, Mail Server. All the other
network services are turned off, and people need to go off and edit
inetd.conf if they really want to turn them on.

In a different message, Warner Losh wrote:
> : Interesting, would this include disabling sendmail by default?
> : (Please say yes.)
>
> ALL NETWORK SERVICES. All of them. sendmail, cron, inetd, lpd,
> portmapper and maybe a couple others.

This reminds me... PR bin/12308 includes an update so one can start up
lpd (so local users can print) WITHOUT having it accept jobs from remote
hosts. I think this is a good idea.
I'd go so far as to say that this should be added, and that we should
start lpd with this new option by default. Thus, you really would have
an option for enabling "remote printing" separate from "printing for
local users".

I don't know what knobs freebsd has for sendmail, but perhaps we could
have a similar option there. Set up sendmail so people can 'mail' other
people (running sendmail via crontab to empty out any pending messages),
but not accept mail? I am not sure that is a really good idea though...

---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer               or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Fri Mar 24 10:35: 6 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131]) by hub.freebsd.org (Postfix) with ESMTP id 067FD37BA62 for ; Fri, 24 Mar 2000 10:34:57 -0800 (PST) (envelope-from netchild@leidinger.net)
Received: from [62.104.201.2] (helo=mx1.freenet.de) by mout0.freenet.de with esmtp (Exim 3.13 #1) id 12YYuu-0003oi-00; Fri, 24 Mar 2000 19:34:40 +0100
Received: from [213.6.56.209] (helo=Magelan.Leidinger.net) by mx1.freenet.de with esmtp (Exim 3.13 #1) id 12YYuk-0000jJ-00; Fri, 24 Mar 2000 19:34:31 +0100
Received: from Leidinger.net (netchild@localhost [127.0.0.1]) by Magelan.Leidinger.net (8.9.3/8.9.3) with ESMTP id RAA01403; Fri, 24 Mar 2000 17:06:40 +0100 (CET) (envelope-from netchild@Leidinger.net)
Message-Id: <200003241606.RAA01403@Magelan.Leidinger.net>
Date: Fri, 24 Mar 2000 17:06:39 +0100 (CET)
From: Alexander Leidinger
Subject: Re: Portmapper enabled, IPv6 circumvents FW
To: imp@village.org
Cc: jeroen@vangelderen.org, freebsd-audit@FreeBSD.ORG
In-Reply-To: <200003231936.MAA43081@harmony.village.org>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 23 Mar, Warner Losh wrote:
> : Interesting, would this include disabling sendmail by default?
> : (Please say yes.)
>
> ALL NETWORK SERVICES. All of them. sendmail, cron, inetd, lpd,
> portmapper and maybe a couple others.

cron is a network service?

Willing to learn something new,
Alexander.

--
The three Rs of Microsoft support: Retry, Reboot, Reinstall.

http://www.Leidinger.net                       Alexander+Home @ Leidinger.net
Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E

From owner-freebsd-audit Fri Mar 24 11:33:24 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 482E537B9F3 for ; Fri, 24 Mar 2000 11:33:01 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id MAA40152; Fri, 24 Mar 2000 12:32:55 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id MAA51737; Fri, 24 Mar 2000 12:32:48 -0700 (MST)
Message-Id: <200003241932.MAA51737@harmony.village.org>
To: Alexander Leidinger
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: jeroen@vangelderen.org, freebsd-audit@FreeBSD.ORG
In-reply-to: Your message of "Fri, 24 Mar 2000 17:06:39 +0100."
             <200003241606.RAA01403@Magelan.Leidinger.net>
References: <200003241606.RAA01403@Magelan.Leidinger.net>
Date: Fri, 24 Mar 2000 12:32:48 -0700
From: Warner Losh
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <200003241606.RAA01403@Magelan.Leidinger.net> Alexander Leidinger writes:
: cron is a network service?

cron is dangerous, just like network services. Unless you need it for
something, you should disable it. Like most networking services, many
people will choose to enable it because most people need it.

Warner

From owner-freebsd-audit Fri Mar 24 15:40:14 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from trinity.skynet.be (trinity.skynet.be [195.238.2.38]) by hub.freebsd.org (Postfix) with ESMTP id F241937B5B2 for ; Fri, 24 Mar 2000 15:40:12 -0800 (PST) (envelope-from blk@skynet.be)
Received: from [194.78.234.186] (dialup1722.brussels.skynet.be [194.78.234.186]) by trinity.skynet.be (Postfix) with ESMTP id 25B2718150; Sat, 25 Mar 2000 00:39:54 +0100 (MET)
Mime-Version: 1.0
X-Sender: blk@pop.skynet.be
Message-Id:
In-Reply-To:
References:
Date: Fri, 24 Mar 2000 23:55:38 +0100
To: Garance A Drosihn , Robert Watson , Bob Johnson
From: Brad Knowles
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: Warner Losh , audit@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 12:07 PM -0500 2000/3/24, Garance A Drosihn wrote:
> I don't know what knobs freebsd has for sendmail, but perhaps
> we could have a similar option there. Set up sendmail so people
> can 'mail' other people (running sendmail via crontab to empty
> out any pending messages), but not accept mail? I am not sure
> that is a really good idea though...

rc.conf has default flags to pass to the sendmail daemon, if you're
going to start it up. I suggest leaving off "-bd" by default, so that
it will fire off queue runners when necessary, but won't listen to
port 25 unless this option is specifically added.

--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles,                                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

From owner-freebsd-audit Fri Mar 24 16:59:33 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from berlin.atlantic.net (berlin.atlantic.net [209.208.0.20]) by hub.freebsd.org (Postfix) with ESMTP id 0A96737BE33 for ; Fri, 24 Mar 2000 16:59:12 -0800 (PST) (envelope-from bobj@atlantic.net)
Received: from mail.atlantic.net (mail.atlantic.net [209.208.0.71]) by berlin.atlantic.net (8.9.3/8.9.3) with ESMTP id UAA14340; Fri, 24 Mar 2000 20:02:00 -0500
Received: from bsd.cisi.com (ocalflifanb-as-1-r1-ip-269.atlantic.net [209.208.29.15]) by mail.atlantic.net (8.9.3/8.9.3) with ESMTP id TAA24221; Fri, 24 Mar 2000 19:58:44 -0500
Received: from nancy.cisi.com (nancy.cisi.com [192.168.0.131]) by
          bsd.cisi.com (8.9.3/8.9.3) with SMTP id TAA20894; Fri, 24 Mar 2000 19:56:40 -0500 (EST) (envelope-from bobj@atlantic.net)
Message-Id: <3.0.6.32.20000324195712.009ab100@rio.atlantic.net>
X-Sender: bobj@rio.atlantic.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Fri, 24 Mar 2000 19:57:12 -0500
To: Brad Knowles , Garance A Drosihn , Robert Watson , Bob Johnson
From: Bob Johnson
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: Warner Losh , audit@FreeBSD.ORG
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 11:55 PM 03/24/2000 +0100, Brad Knowles wrote:
> At 12:07 PM -0500 2000/3/24, Garance A Drosihn wrote:
>
>> I don't know what knobs freebsd has for sendmail, but perhaps
>> we could have a similar option there. Set up sendmail so people
>> can 'mail' other people (running sendmail via crontab to empty
>> out any pending messages), but not accept mail? I am not sure
>> that is a really good idea though...
>
> rc.conf has default flags to pass to the sendmail daemon, if
> you're going to start it up. I suggest leaving off "-bd" by default,
> so that it will fire off queue runners when necessary, but won't
> listen to port 25 unless this option is specifically added.
>

I don't run sendmail as a daemon on my personal workstation.

What I tell anyone who will listen (not many) is that they should make
a clear distinction between setting up a workstation or setting up a
server. Servers get no user shell accounts except those required to
manage them. A workstation gets no network services except the very few
that have some specific reason to exist on that system.

Most new users of Linux (many of whom we hope will end up with FreeBSD)
seem to be setting up what are primarily single-user workstations that
sometimes serve as the www/ftp server for a workgroup. Such a system
does not need sendmail running, because all of its mail needs are
handled by an organizational pop/imap/smtp server. It also is not part
of any collection of trusted hosts, so it has no need for another
handful of daemons that are mysteriously enabled by default on many
Linux distributions.
So, what _I_ would like to see (if something more elaborate is not
feasible) is an install process that includes two basic choices: (1) set
up a workstation, or (2) set up a server. The details of what that means
are a matter of personal taste, but beginners need some guidance in
developing that taste 8).

I'd limit a workstation configuration to offering no network services
other than ssh, maybe telnet with S/KEY already enabled and initialized
(if that can be arranged), and (as an option) Samba plus something that
makes it easy to participate in a Windows workgroup or domain as a client
(I haven't used Samba recently, but it didn't make a convenient client
last time I did). I know some of this doesn't fit the current install
process very cleanly, but I think the general concept is worth pursuing.

I'd move this discussion to another list, but I'm not sure where it
belongs. I'm pretty sure it no longer fits audit.

-- Bob

+--------------------------------------------------------
| Bob Johnson | bobj@atlantic.net
+--------------------------------------------------------

From owner-freebsd-audit Fri Mar 24 17:12:22 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from trinity.skynet.be (trinity.skynet.be [195.238.2.38]) by hub.freebsd.org (Postfix) with ESMTP id DCB9C37C06D for ; Fri, 24 Mar 2000 17:12:10 -0800 (PST) (envelope-from blk@skynet.be)
Received: from [194.78.234.186] (dialup1722.brussels.skynet.be [194.78.234.186]) by trinity.skynet.be (Postfix) with ESMTP id AE9D818119; Sat, 25 Mar 2000 02:12:04 +0100 (MET)
Mime-Version: 1.0
X-Sender: blk@pop.skynet.be
Message-Id:
In-Reply-To: <3.0.6.32.20000324195712.009ab100@rio.atlantic.net>
References: <3.0.6.32.20000324195712.009ab100@rio.atlantic.net>
Date: Sat, 25 Mar 2000 02:11:22 +0100
To: Bob Johnson , Garance A Drosihn , Robert Watson
From: Brad Knowles
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: Warner Losh , audit@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 7:57 PM -0500 2000/3/24, Bob Johnson wrote:
> So, what _I_ would like to see (if something more elaborate is
> not feasible) is an install process that includes two basic
> choices: (1) set up a workstation, or (2) set up a server.

I disagree. When you set up a server, it's usually for a particular
service. So, an ftp server doesn't need sendmail, or much of anything
else. Likewise, a mail server doesn't need ftp, or much of anything
else.

I think the "default to all services turned off, then allow the admin
to turn on certain selected services" is the best overall way to go.
There's just no way we can successfully second-guess what someone is
going to want to do with these boxes when they set them up, and there's
no sense in us trying to do so.

> I'd move this discussion to another list, but I'm not sure
> where it belongs. I'm pretty sure it no longer fits audit.

Since we're talking about the overall security posture of the OS, if
there were a freebsd-security list, then that would probably be it.
However, I don't know of such a list that exists, and I think this is
probably the next closest thing. If I'm wrong, I hope that someone
will be kind enough to provide the correct information.
--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles,                                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

From owner-freebsd-audit Fri Mar 24 17:27: 2 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9955D37B573; Fri, 24 Mar 2000 17:27:00 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id RAA95718; Fri, 24 Mar 2000 17:27:00 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Fri, 24 Mar 2000 17:26:55 -0800 (PST)
From: Kris Kennaway
To: Brad Knowles
Cc: Bob Johnson , Garance A Drosihn , Robert Watson , Warner Losh , audit@FreeBSD.ORG
Subject: Re: Portmapper enabled, IPv6 circumvents FW
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 25 Mar 2000, Brad Knowles wrote:
> Since we're talking about the overall security posture of the OS,
> if there were a freebsd-security list, then that would probably be
> it. However, I don't know of such a list that exists, and I think
> this is probably the next closest thing.

freebsd-security certainly exists and has for much longer than this one
has :-)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-audit Fri Mar 24 17:54:41 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from morpheus.skynet.be (morpheus.skynet.be [195.238.2.39]) by hub.freebsd.org (Postfix) with ESMTP id CDFB237B80B; Fri, 24 Mar 2000 17:54:37 -0800 (PST) (envelope-from blk@skynet.be)
Received: from [194.78.234.186] (dialup1722.brussels.skynet.be [194.78.234.186]) by morpheus.skynet.be (Postfix) with ESMTP id 2C1D3DAE0; Sat, 25 Mar 2000 02:54:35 +0100 (MET)
Mime-Version: 1.0
X-Sender: blk@pop.skynet.be
Message-Id:
In-Reply-To:
References:
Date: Sat, 25 Mar 2000 02:53:40 +0100
To: Kris Kennaway
From: Brad Knowles
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: Bob Johnson , Garance A Drosihn , Robert Watson , Warner Losh , audit@FreeBSD.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 5:26 PM -0800 2000/3/24, Kris Kennaway wrote:
> freebsd-security certainly exists and has for much longer than this one
> has :-)

Well, I'm not on it, and I hadn't heard of it until now. ;-) You guys
are welcome to move this discussion there, if you like.

--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles,                                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium
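The sendmail posture Brad Knowles proposes earlier in this thread (start the daemon without "-bd" so it still runs the queue but never listens on port 25) can be audited directly from rc.conf. The script below is an added example, not code from the thread or from FreeBSD; it assumes the rc.conf knobs sendmail_enable and sendmail_flags, and the rc.conf fragments in it are constructed.

```shell
# Added example (not from the thread or FreeBSD): does an rc.conf start
# sendmail listening on port 25 (sendmail_enable=YES plus -bd in
# sendmail_flags), and what are the queue-runner-only flags instead?

# Constructed rc.conf fragments: the listening setting and the
# queue-only alternative suggested in the thread.
RC_LISTENING='sendmail_enable="YES"
sendmail_flags="-bd -q30m"'
RC_QUEUE_ONLY='sendmail_enable="YES"
sendmail_flags="-q30m"'

# rc_value RCTEXT KEY: print KEY's value with surrounding quotes removed;
# the last assignment wins, as when sh sources rc.conf. Empty if unset.
rc_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" |
        tail -n 1
}

# sendmail_accepts_smtp RCTEXT: exit 0 if sendmail would run as a daemon
# accepting SMTP (-bd), 1 if it is disabled or only runs the queue.
sendmail_accepts_smtp() {
    sm_enable=$(rc_value "$1" sendmail_enable)
    sm_flags=$(rc_value "$1" sendmail_flags)
    case "$sm_enable" in
        [Yy][Ee][Ss]) ;;
        *) return 1 ;;
    esac
    for f in $sm_flags; do
        [ "$f" = "-bd" ] && return 0
    done
    return 1
}

# queue_only_flags FLAGS: print FLAGS with -bd dropped, so the periodic
# queue run (e.g. -q30m) survives and outbound mail still leaves the host.
queue_only_flags() {
    out=""
    for f in $1; do
        [ "$f" = "-bd" ] && continue
        out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Stand-alone run: report the posture of each constructed fragment.
for rc in "$RC_LISTENING" "$RC_QUEUE_ONLY"; do
    if sendmail_accepts_smtp "$rc"; then
        echo "listens on port 25; queue-only flags: $(queue_only_flags "$(rc_value "$rc" sendmail_flags)")"
    else
        echo "does not listen on port 25"
    fi
done
```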