From owner-freebsd-security Sun Sep 26 01:41:07 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16])
	by hub.freebsd.org (Postfix) with ESMTP id B397914C4A
	for ; Sun, 26 Sep 1999 01:41:03 -0700 (PDT)
	(envelope-from bde@zeta.org.au)
Received: from d197.syd2.zeta.org.au (beefcake.zeta.org.au [203.26.10.12])
	by mailman.zeta.org.au (8.8.7/8.8.7) with ESMTP id SAA10234;
	Sun, 26 Sep 1999 18:41:09 +1000
Date: Sun, 26 Sep 1999 18:40:32 +1000 (EST)
From: Bruce Evans
X-Sender: bde@alphplex.bde.org
To: Garrett Wollman
Cc: cjclark@home.com, Matthew Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909260216.WAA02587@khavrinen.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 25 Sep 1999, Garrett Wollman wrote:

> < said:
>
> > "Dump cannot do remote backups without being run as root, due to its
> > security history. This will be fixed in a later version of FreeBSD.
> > Presently, it works if you set it setuid (like it used to be), but this
> > might constitute a security risk."
>
> Oof! Really awful language for a manual page. (Manual pages should
> never use the second person.)

Where are the man page style guide and the man page style police? Our man
pages have 5813 lines matching the regexp " [Yy]ou ". 763 of our 3190 man
pages contain such a line (counting links multiply).
Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Sun Sep 26 04:22:58 1999
Date: Sun, 26 Sep 1999 12:32:41 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: Secure gateway to intranet
Message-ID: <19990926123241.B18956@keltia.freenix.fr>
In-Reply-To: <199909251858.OAA39078@cc942873-a.ewndsr1.nj.home.com>

According to Crist J. Clark:
> Hmmm... Is there a reason not to just let ssh take care of this for
> you? That is, have the hosts on the other end only accept certain
> users?

Yes, port forwarding. You have no way to control whether a user uses port
forwarding or not. For incoming connections it is easy to block because
you can compile sshd without port fwd, but for outgoing it is more
difficult. One can always recompile an ssh with port fwd...

And while port fwd is great (I use it every day for CVSup, for example),
it can be really abused...

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999


From owner-freebsd-security Sun Sep 26 04:23:06 1999
Date: Sun, 26 Sep 1999 12:35:39 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-ID: <19990926123539.C18956@keltia.freenix.fr>
In-Reply-To: <4.2.0.58.19990924115715.0480e340@localhost>

According to Brett Glass:
> And remember the eEye IIS exploit? It let you come into the hacked Web
> server *on port 80*. So, any Web server that was accessible from the outside

Anyone running IIS on a public machine is waiting/asking for security
problems.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999


From owner-freebsd-security Sun Sep 26 05:44:45 1999
Date: Sun, 26 Sep 1999 12:42:32 GMT
From: ay@sita.kiev.ua.europe
To: freebsd-security@freebsd.org
Subject: Re: URGENT - READ THIS EMAIL BEFORE ANY OTHERS FROM ME
References: <005d01bf07d3$07a5e630$fd01a8c0@pacbell.net>

John Howie wrote:
> Folks,
> Unfortunately I have been hit by an email virus. It can potentially damage
> your system and it replicates by sending a copy of itself to everyone in an
> Address Book. I believe that I managed to catch the virus before it
> replicated itself but if you did receive a message from me entitled
> "C:\CoolProgs\Pretty Park.exe" DELETE THE EMAIL WITHOUT READING IT.

Oops !!! I feel my FreeBSD is affected by this cruel virus !!!
Probably, I've forgotten to turn off "Autorun Attachments" from my
"Microsoft Exchange for FreeBSD" ! :((((
I see "C:\CoolProgs" at my root partition !!!
And my /dev/wd0s1a is formatted just now .........
From owner-freebsd-security Sun Sep 26 07:01:53 1999
Date: Sun, 26 Sep 1999 21:10:29 +0900
From: "Daniel C. Sobral"
To: Alexander Bezroutchko
Cc: Poul-Henning Kamp, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: about jail
Message-ID: <37EE0D35.6D0A0343@newsguy.com>
References: <19990925171712.A80535@zenon.net> <11744.938266471@critter.freebsd.dk> <19990926015928.C22850@zenon.net>

Alexander Bezroutchko wrote:
> > > > And
> > > > /proc//status must show this value.
> > >
> > > It already does.
> >
> .......................................
> vm1# cat /proc/$$/status
> zsh 480 479 479 440 5,2 ctty 938282449,544330 0,55195 0,55194 pause 0 0 0,0,0,2,3,4,5,20,31 vm1
>                                                                                             ^^^^
> vm1# hostname qwerty
>               ^^^^^^
> vm1# cat /proc/$$/status
> zsh 480 479 479 440 5,2 ctty 938282449,544330 0,72515 0,56401 pause 0 0 0,0,0,2,3,4,5,20,31 qwerty
>                                                                                             ^^^^^^^
> vm1# uname -a
> FreeBSD qwerty 4.0-19990918-CURRENT FreeBSD 4.0-19990918-CURRENT #0: Sat Sep 25 18:18:50 MSD 1999
>         ^^^^^^^^^^^^^^^^^^^^
> vm1#

And your point is? Do the base system or another jail show qwerty too?

-- 
Daniel C.
Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org

Rule 69: Do unto other's code as you'd have it do unto yours


From owner-freebsd-security Sun Sep 26 08:18:59 1999
Date: Sun, 26 Sep 1999 19:18:04 +0400
From: Alexander Bezroutchko
To: "Daniel C. Sobral"
Cc: Poul-Henning Kamp, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: about jail
Message-ID: <19990926191804.B57967@zenon.net>
In-Reply-To: <37EE0D35.6D0A0343@newsguy.com>; from Daniel C. Sobral on Sun, Sep 26, 1999 at 09:10:29PM +0900

> And your point is? Do the base system or another jail show qwerty too?

I think we are talking about slightly different things. I know that a
jailed process can not change the base system's hostname. But it can
change its own.

Sometimes it is necessary to obtain the list of processes which belong
to some jail. How will you obtain it?
You can not rely on the last field in the /proc/PID/status file because
it is writable for a jailed process. How can you identify the jail a
process belongs to?

> -- 
> Daniel C. Sobral (8-DCS)
> dcs@newsguy.com
> dcs@freebsd.org
>
> Rule 69: Do unto other's code as you'd have it do unto yours

-- 
Alexander Bezroutchko, Systems Administrator, Zenon N.S.P.


From owner-freebsd-security Sun Sep 26 09:04:43 1999
Date: Sun, 26 Sep 1999 09:22:52 -0600
From: Brett Glass
To: Ollivier Robert, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-Id: <4.2.0.58.19990926092055.0472f9d0@localhost>
In-Reply-To: <19990926123539.C18956@keltia.freenix.fr>

At 12:35 PM 9/26/99 +0200, Ollivier Robert wrote:
>Anyone running IIS on a public machine is waiting/asking for security problems.

You'd be amazed at how many folks are ABSOLUTELY ADAMANT about it.
Microsoft has gotten them "locked in" via SQL Server and ASPs, and they
are in denial about the risks. I try to help them firewall, but warn
them that firewalls cannot do much good when you can break in via HTTP
and exploit the hack via port 80.

--Brett


From owner-freebsd-security Sun Sep 26 10:30:38 1999
Date: Sun, 26 Sep 1999 13:30:16 -0400 (EDT)
From: Will Andrews
To: John Howie
Cc: security@FreeBSD.ORG
Subject: RE: URGENT - READ THIS EMAIL BEFORE ANY OTHERS FROM ME
In-Reply-To: <005d01bf07d3$07a5e630$fd01a8c0@pacbell.net>

[ Sorry, I couldn't resist ]

On 26-Sep-99 John Howie wrote:
> Unfortunately I have been hit by an email virus. It can potentially damage
> your system and it replicates by sending a copy of itself to everyone in an
> Address Book. I believe that I managed to catch the virus before it
> replicated itself but if you did receive a message from me entitled
> "C:\CoolProgs\Pretty Park.exe" DELETE THE EMAIL WITHOUT READING IT.

Oh yeah, I just noticed, I have a "C:\CoolProgs\Pretty Park.exe" in my /usr!
Yikes, is the program going to run "rm -rf /" suid root when I'm not using my
box?!? *AIIEEE* this calls for Warner Losh's concern!!!

-- 
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O
M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++
e->++++ h! r-->+++ y?


From owner-freebsd-security Sun Sep 26 12:01:13 1999
Date: Mon, 27 Sep 1999 00:00:32 +0000 (GMT)
From: "Jason C. Wells"
To: Will Andrews
Cc: security@FreeBSD.ORG
Subject: RE: URGENT - READ THIS EMAIL BEFORE ANY OTHERS FROM ME

On Sun, 26 Sep 1999, Will Andrews wrote:
>Oh yeah, I just noticed, I have a "C:\CoolProgs\Pretty Park.exe" in my /usr!
>Yikes, is the program going to run "rm -rf /" suid root when I'm not using my
>box?!? *AIIEEE* this calls for Warner Losh's concern!!!

Well, I trimmed John Howie out but you didn't. Did you know what that
means? It means you just sent your email address directly to a spammer.
These sorts of messages are not just an annoyance anymore. They are used
to gather addresses from upset people who don't know enough to not reply.
Thank You,    | http://students.washington.edu/jcwells
Jason Wells   | "Those who would trade freedom for security deserve neither
              | freedom nor security." - Benjamin Franklin


From owner-freebsd-security Sun Sep 26 12:02:53 1999
Date: Sun, 26 Sep 1999 20:54:11 +0200
From: "Theo Purmer (Tepucom)"
To: "'Jim Flowers'"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: skip acl (was skip and vpn)
Message-ID: <01BF0861.492CDCB0.theo@tepucom.nl>

Ok Jim, I'm getting there but it's not working quite as it should.
Here's a drawing........
     net1 192.168.1.0/24
   ----------------------
             |
       --------------
       | skiphost 1 |
       --------------
             |
         ----------
         | router |
         ----------
             |
        -----------
        | the net |
        -----------
             |
         ----------
         | router |
         ----------
             |
       --------------
       | skiphost 2 |
       --------------
             |
   --------------------------
     net2 192.168.2.0/24

where net2 and net3 are rfc1918

On skiphost1 I've defined an acl on the external (internet) interface
that says for net2 go through the tunnel at skiphost2 using encryption etc:

  skiphost -i de0 -a 192.168.2.0 -M 255.255.255.0 -A xxx.x.x.x -v 2 \
    -k DES-CBC -t DES-CBC -m MD5 -r 8 -R kkkkkkkkkkkkk -s 8 -S kkkkkkkkkkkkkkkk

When I ping on the console of skiphost1 to the net2 interface on skiphost2,
I see the packages go to skiphost2, I see them arrive at skiphost2, but I
don't see a response.

When I ping from a host on net1 to the net2 interface on skiphost2, I see
the packages arrive at skiphost1, where they disappear.

When I ping on the console of skiphost1 to the internet interface of
skiphost2, then I see encrypted packages go to skiphost2 and I see them
coming back too.

I have not set any routes other than the default route to the internet
router.

I appreciate your help

theo

----------
From: Jim Flowers[SMTP:jflowers@ezo.net]
Sent: Saturday, 25 September 1999 22:22
To: Theo Purmer (Tepucom)
CC: 'freebsd-security@FreeBSD.ORG'
Subject: Re: skip and vpn

Use different subnets for each of your internal rfc1918 networks and then
route the opposite end subnet to your local skiphost tunnel end. Only the
skiphost ACL record and external interface has to know about the opposite
end routable address.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Sat, 25 Sep 1999, Theo Purmer (Tepucom) wrote:

> Hi all.....
>
> got a problem here with skip and a vpn
>
> I've got two gateways running ipf, ipnat and skip.
> it all works, the gateways are on the internet...(far apart)
>
> on the inside of the gateways I'm using rfc1918
> networks.
> I want to be able to go from one internal
> network via the vpn (using skip for encryption) to
> the other internal network.
>
> but I cannot just set up a route for the other internal
> network using the other skip gateway. I then get arp
> errors cuz it wants the other gateway to be on his
> subnet
>
> anybody got any ideas as how to get the tunnel running?
>
> thanks
>
> theo purmer


From owner-freebsd-security Sun Sep 26 15:48:27 1999
Date: Sun, 26 Sep 1999 17:47:26 -0500
From: Carol Deihl
Organization: Shrier and Deihl
To: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Message-ID: <37EEA27E.244DCF9A@tinker.com>
Subject: chroot could chdir?
 (was Re: about jail)
References: <199909251302.RAA58030@grendel.sovlink.ru> <19990925171712.A80535@zenon.net>

Alexander Bezroutchko wrote:
> it is possible to escape from jail
> Following program escapes from jail (tested under 4.0-19990918-CURRENT):
[snip program code that chroot's but doesn't then chdir inside
the new area]

As we all know, the chroot can be escaped because the sample
program doesn't change the current working directory, and it's
still pointing outside the chrooted area.

What if chroot itself chdir'ed to its new root directory? Would
this break existing programs? I'd expect that well-behaved
programs would chdir someplace useful before continuing anyway.

At the very end of chroot(), could it just
	vrele(fdp->fd_cdir);
	fdp->fd_cdir = nd.ni_vp;
before it returns, setting the current dir to the same place it
just chrooted to?
Carol
-- 
Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/


From owner-freebsd-security Sun Sep 26 15:49:15 1999
Date: Sun, 26 Sep 1999 18:47:05 -0400 (EDT)
From: Thomas Valentino Crimi
To: freebsd-security@FreeBSD.ORG
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>

Excerpts from FreeBSD-Security: 25-Sep-99 Re: dump(8) Insecurity/Misc..
by "Crist J. Clark"@cc94287

> "Dump cannot do remote backups without being run as root, due to its
> security history. This will be fixed in a later version of FreeBSD.
> Presently, it works if you set it setuid (like it used to be), but this
> might constitute a security risk."
Speaking of this, this summer I adopted NetBSD's ability to use ssh
rather than rsh-style connections to do remote dump. It was a
modification to rcmd() which read in the environmental variable RCMD_CMD
(IIRC), used that program if set. If people are interested in this, I'd
be glad to clean up and submit these patches. Any features/changes that
would be handy?


From owner-freebsd-security Sun Sep 26 16:01:39 1999
Date: Mon, 27 Sep 1999 19:04:19 -0500
From: TrouBle
To: Carol Deihl
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: chroot could chdir? (was Re: about jail)
Message-ID: <37F00602.96D098D3@hackfurby.com>
References: <199909251302.RAA58030@grendel.sovlink.ru> <19990925171712.A80535@zenon.net> <37EEA27E.244DCF9A@tinker.com>

Ummm sorry but I think you have gotten this backwards, it is more secure
to chdir, then chroot, not chroot then chdir.... I believe what you have
here is backwards

> As we all know, the chroot can be escaped because the sample
> program doesn't change the current working directory, and it's
> still pointing outside the chrooted area.
>
> What if chroot itself chdir'ed to its new root directory?
> Would
> this break existing programs? I'd expect that well-behaved
> programs would chdir someplace useful before continuing anyway.
>
> At the very end of chroot(), could it just
> 	vrele(fdp->fd_cdir);
> 	fdp->fd_cdir = nd.ni_vp;
> before it returns, setting the current dir to the same place it
> just chrooted to?
>
> Carol
> -- 
> Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com
> Remote Unix Network Admin, Security, Internet Software Development
> Tinker Internet Services - Superior FreeBSD-based Web Hosting
> http://www.tinker.com/


From owner-freebsd-security Sun Sep 26 16:03:24 1999
Date: Mon, 27 Sep 1999 19:06:13 -0500
From: TrouBle
To: Carol Deihl
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: chroot could chdir? (was Re: about jail)
Message-ID: <37F00675.67D198FD@hackfurby.com>
References: <199909251302.RAA58030@grendel.sovlink.ru> <19990925171712.A80535@zenon.net> <37EEA27E.244DCF9A@tinker.com>

Umm I think you have gotten this backwards, it is more secure to chdir
first then chroot....
I think you have this backwards..... in my virtual environment I chdir
working dir, then chroot....... I've not been able to escape my chrooted
jail setup yet..... nor have I seen any code that will

> As we all know, the chroot can be escaped because the sample
> program doesn't change the current working directory, and it's
> still pointing outside the chrooted area.
>
> What if chroot itself chdir'ed to its new root directory? Would
> this break existing programs? I'd expect that well-behaved
> programs would chdir someplace useful before continuing anyway.
>
> At the very end of chroot(), could it just
> 	vrele(fdp->fd_cdir);
> 	fdp->fd_cdir = nd.ni_vp;
> before it returns, setting the current dir to the same place it
> just chrooted to?
>
> Carol
> -- 
> Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com
> Remote Unix Network Admin, Security, Internet Software Development
> Tinker Internet Services - Superior FreeBSD-based Web Hosting
> http://www.tinker.com/


From owner-freebsd-security Sun Sep 26 16:08:48 1999
Date: Mon, 27 Sep 1999 19:11:44 -0500
From: TrouBle
Message-ID: <37F007C0.C068FB21@hackfurby.com>
To: Carol Deihl, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: chroot could chdir? (was Re: about jail)
References: <199909251302.RAA58030@grendel.sovlink.ru> <19990925171712.A80535@zenon.net> <37EEA27E.244DCF9A@tinker.com> <37F00602.96D098D3@hackfurby.com>

I actually currently use

-----SNIP - EDITED FOR SECURITY -------------
		syslog (LOG_NOTICE, "Changing directory/root to %s", path);
		/* chdir into the target first, then chroot: the cwd is inside
		 * the new root before the root moves */
		if (chdir (path) || chroot (path))
			return 1;
	} else {
		syslog (LOG_NOTICE, "No (EDITED FOR SECURITY) directory for %s: using main"
			/* argument elided in the original */);
	}
}
execv (argv[0], argv+1);
return 1;
}
-------END - SNIP --------------------------

> > At the very end of chroot(), could it just
> > 	vrele(fdp->fd_cdir);
> > 	fdp->fd_cdir = nd.ni_vp;
> > before it returns, setting the current dir to the same place it
> > just chrooted to?


From owner-freebsd-security Sun Sep 26 17:01:54 1999
Date: Sun, 26 Sep 1999 17:01:35 -0700 (PDT)
From: Julian Elischer
To: Carol Deihl
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: chroot could chdir? (was Re: about jail)
In-Reply-To: <37EEA27E.244DCF9A@tinker.com>
Message-ID:

You have to examine ALL fd's in case one has a directory open that is
outside the chroot..
(see man fchdir(2)) julian On Sun, 26 Sep 1999, Carol Deihl wrote: > Alexander Bezroutchko wrote: > > it is possible to escape from jail > > Following program escapes from jail (tested under 4.0-19990918-CURRENT): > [snip program code that chroot's but doesn't then chdir inside > the new area] > > As we all know, the chroot can be escaped because the sample > program doesn't change the current working directory, and it's > still pointing outside the chrooted area. > > What if chroot itself chdir'ed to it's new root directory? Would > this break existing programs? I'd expect that well-behaved > programs would chdir someplace useful before continuing anyway. > > At the very end of chroot(), could it just > vrele(fdp->fd_cdir); > fdp->fd_cdir = nd.ni_vp; > before it returns, setting the current dir to the same place it > just chrooted to? > > Carol > -- > Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com > Remote Unix Network Admin, Security, Internet Software Development > Tinker Internet Services - Superior FreeBSD-based Web Hosting > http://www.tinker.com/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-hackers" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 26 21:39: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 4944414BF3 for ; Sun, 26 Sep 1999 21:39:00 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA23242; Sun, 26 Sep 1999 22:38:34 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA07202; Sun, 26 Sep 1999 22:39:15 
-0600 (MDT) Message-Id: <199909270439.WAA07202@harmony.village.org> To: Thomas Valentino Crimi Subject: Re: dump(8) Insecurity/Misconfiguration Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Sun, 26 Sep 1999 18:47:05 EDT." References: <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com> Date: Sun, 26 Sep 1999 22:39:15 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Thomas Valentino Crimi writes: : (IIRC), used that program if set. If people are interested in this, I'd : be glad to clean up and submit these patches. Any features/changes that : would be handy? I'd be interested. The other feature that would be nice is to bring in the OpenBSD changes to make dump use write(1) rather than being set gid tty. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 26 23: 5:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 781B714E69; Sun, 26 Sep 1999 23:05:40 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id IAA18591; Mon, 27 Sep 1999 08:05:14 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Julian Elischer Cc: Carol Deihl , freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: chroot could chdir? (was Re: about jail) In-reply-to: Your message of "Sun, 26 Sep 1999 17:01:35 PDT." Date: Mon, 27 Sep 1999 08:05:14 +0200 Message-ID: <18589.938412314@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Julian Elischer writes: >You have to examine ALL fd's in case one has a directory open that is >outside the chroot.. >(see man fchdir(2)) We do. See source. 
-- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 0:31:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id AFD7C14D6E; Mon, 27 Sep 1999 00:31:10 -0700 (PDT) (envelope-from julian@whistle.com) Received: from home.elischer.org (home.elischer.org [207.76.204.203]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id AAA01431; Mon, 27 Sep 1999 00:30:29 -0700 (PDT) Date: Mon, 27 Sep 1999 00:30:29 -0700 (PDT) From: Julian Elischer X-Sender: julian@home.elischer.org To: Poul-Henning Kamp Cc: Carol Deihl , freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: chroot could chdir? (was Re: about jail) In-Reply-To: <18589.938412314@critter.freebsd.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I read it as her talking about chroot in general. On Mon, 27 Sep 1999, Poul-Henning Kamp wrote: > In message , Julian > Elischer writes: > > >You have to examine ALL fd's in case one has a directory open that is > >outside the chroot.. > >(see man fchdir(2)) > > We do. See source. > > -- > Poul-Henning Kamp FreeBSD coreteam member > phk@FreeBSD.ORG "Real hackers run -current on their laptop." > FreeBSD -- It will take a long time before progress goes too far! 
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 0:37:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 3069114E28; Mon, 27 Sep 1999 00:37:16 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id JAA19099; Mon, 27 Sep 1999 09:36:24 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Julian Elischer Cc: Carol Deihl , freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: chroot could chdir? (was Re: about jail) In-reply-to: Your message of "Mon, 27 Sep 1999 00:30:29 PDT." Date: Mon, 27 Sep 1999 09:36:24 +0200 Message-ID: <19097.938417784@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Julian Elischer writes: >I read it as her talking about chroot in general. We do. See source. :-) > >On Mon, 27 Sep 1999, Poul-Henning Kamp wrote: > >> In message , Julian >> Elischer writes: >> >> >You have to examine ALL fd's in case one has a directory open that is >> >outside the chroot.. >> >(see man fchdir(2)) >> >> We do. See source. >> >> -- >> Poul-Henning Kamp FreeBSD coreteam member >> phk@FreeBSD.ORG "Real hackers run -current on their laptop." >> FreeBSD -- It will take a long time before progress goes too far! >> > > -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! 
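The thread above turns on two conditions a userland program must handle before chroot(2) can contain it: the current directory must be moved inside the new root (the ordering TrouBle uses, chdir then chroot), and no open directory descriptor may still refer to the outside tree, since fchdir(2) would reach it (Julian's point). The following is an added example written for this digest; it is not code from the thread, from FreeBSD's chroot(2), or from the jail(2) implementation described later in the digest. The function names close_directory_fds, enter_chroot and selftest_directory_fd_closed are my own, and the descriptor listing paths (/proc/self/fd on Linux, /dev/fd with fdescfs on FreeBSD) are assumptions about the host.

```c
/* Added example, not code from this thread or from the FreeBSD kernel:
 * a userland chroot(2) entry sequence that closes the two holes discussed
 * here, a cwd left outside the new root and open directory descriptors
 * that fchdir(2) could use. Function names are my own. */
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd if it is open and refers to a directory; 1 if closed, else 0. */
static int close_if_directory(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)             /* EBADF: not open */
        return 0;
    return (S_ISDIR(st.st_mode) && close(fd) == 0) ? 1 : 0;
}

/* Close every open directory descriptor numbered >= lowfd.
 * Uses the per-process fd listing where the OS offers one (assumed:
 * Linux /proc/self/fd, FreeBSD /dev/fd with fdescfs mounted) and
 * otherwise a bounded brute-force scan. Returns the number closed. */
int close_directory_fds(int lowfd)
{
    int closed = 0;
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL)
        d = opendir("/dev/fd");
    if (d != NULL) {
        int self = dirfd(d);             /* the listing itself; closedir handles it */
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(e->d_name, &end, 10);
            if (*end != '\0' || fd < lowfd || fd == self)
                continue;                /* ".", "..", below lowfd, or our DIR */
            closed += close_if_directory((int)fd);
        }
        closedir(d);
        return closed;
    }
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;                   /* keep the fallback scan bounded */
    for (long fd = lowfd; fd < maxfd; fd++)
        closed += close_if_directory((int)fd);
    return closed;
}

/* Enter newroot so that neither the cwd nor any open directory fd still
 * points outside it: chdir into the target first, chroot, then chdir("/")
 * inside the new root. Returns 0 on success, -1 with errno set. Every
 * check that needs no privilege runs before chroot(2) is attempted. */
int enter_chroot(const char *newroot)
{
    struct stat st;

    if (newroot == NULL || newroot[0] != '/') {
        errno = EINVAL;                  /* require an absolute path */
        return -1;
    }
    if (stat(newroot, &st) != 0)
        return -1;                       /* errno from stat: ENOENT, EACCES... */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    close_directory_fds(3);              /* keep stdin, stdout, stderr */
    if (chdir(newroot) != 0)
        return -1;
    if (chroot(newroot) != 0)            /* needs root; EPERM otherwise */
        return -1;
    if (chdir("/") != 0)                 /* cwd is now the new root itself */
        return -1;
    return 0;
}

/* Unprivileged self-check: a directory descriptor opened before the call
 * must be gone afterwards. Returns 1 on success, 0 on failure. */
int selftest_directory_fd_closed(void)
{
    int fd = open("/", O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return 0;
    int n = close_directory_fds(fd);     /* only descriptors from this one up */
    int gone = (fcntl(fd, F_GETFD) == -1 && errno == EBADF);
    return (n >= 1 && gone) ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/newroot\n", argv[0]);
        return 2;
    }
    if (enter_chroot(argv[1]) != 0) {
        perror("enter_chroot");
        return 1;
    }
    char cwd[256];
    printf("entered %s, cwd inside is %s\n", argv[1],
           getcwd(cwd, sizeof cwd) ? cwd : "?");
    return 0;
}
```

Run it as root with the prepared root directory as the only argument; run unprivileged, it reports EPERM from chroot(2) after the path checks and descriptor cleanup have already happened, which is the order a wrapper like TrouBle's wants. Because the jail(2) page quoted later in this digest says jail() calls chroot(2) internally, the same cwd and descriptor preparation applies to a process about to be imprisoned.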
From owner-freebsd-security Mon Sep 27 01:13:21 1999
From: JosephHook@aol.com
Date: Mon, 27 Sep 1999 04:13:07 EDT
Subject: (no subject)
To: freebsd-security@freebsd.org

From owner-freebsd-security Mon Sep 27 07:00:23 1999
Message-Id: <199909271359.GAA53200@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: cjclark@home.com
Cc: dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG
Subject: Re: dump(8) Insecurity/Misconfiguration
In-reply-to: Your message of "Sat, 25 Sep 1999 22:03:23 EDT." <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>
Date: Mon, 27 Sep 1999 06:59:17 -0700

In message <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Clark" writes:
> Matthew Dillon wrote,
> I am used to only doing it as root since the manpage says,
>
>      "Dump cannot do remote backups without being run as root, due to its
>      security history.  This will be fixed in a later version of FreeBSD.
>      Presently, it works if you set it setuid (like it used to be), but
>      this might constitute a security risk."

The reason for this is that dump(8) uses the rsh protocol to issue an
rmt(8) command on the remote host.  The rsh protocol requires that the
remote rshd(8) open a connection to a privileged port being listened to
by the rsh client.

Running dump as root isn't as big a security problem as the firewall
issues that this rsh issue raises, not to mention cleartext.  Due to
its copyright restrictions use of the SSH protocol may not be too
wise; however, various VPN solutions do help.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Sun/DEC Team, UNIX Group       Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Mon Sep 27 09:14:25 1999
From: "Crist J. Clark"
Message-Id: <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909271359.GAA53200@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Sep 27, 1999 06:59:17 am"
To: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group)
Date: Mon, 27 Sep 1999 12:15:30 -0400 (EDT)
Cc: cjclark@home.com, dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com

Cy Schubert - ITSD Open Systems Group wrote,
> Running dump as root isn't as big a security problem as the firewall
> issues that this rsh issue raises, not to mention cleartext.  Due to
> its copyright restrictions use of the SSH protocol may not be too
> wise; however, various VPN solutions do help.

OK, you are the second person to mention this about SSH.  I've always
thought using SSH (/not/ SSH2) at a commercial site was fine provided it
falls within the following limits (from the COPYING file that comes with
the SSH tarball),

  "Companies are permitted to use this program as long as it is not used for
  revenue-generating purposes.  For example, an Internet service provider is
  allowed to install this program on their systems and permit clients to use
  SSH to connect; however, actively distributing SSH to clients for the
  purpose of providing added value requires separate licensing.  Similarly,
  a consultant may freely install this software on a client's machine for
  his own use, but if he/she sells the client a system that uses SSH as a
  component, a separate license is required."

I'm no lawyer, but it seems like using SSH for helping with dumps
would fall well within this license since backing up files does not
really generate much revenue for us.

Is there something in the license I've missed?  You all have me nervous
now.

--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Mon Sep 27 09:41:17 1999
Date: Mon, 27 Sep 1999 12:36:06 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199909271636.MAA09294@khavrinen.lcs.mit.edu>
To: cjclark@home.com
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com>
References: <199909271359.GAA53200@cwsys.cwsent.com> <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com>

< said:

> I'm no lawyer, but it seems like using SSH for helping with dumps
> would fall well within this license since backing up files does not
> really generate much revenue for us.

> Is there something in the license I've missed?  You all have me nervous
> now.

You missed the part about:

  The RSA algorithm and even the concept of public key encryption are
  claimed to be patented in the United States.  These patents may
  interfere with your right to use this software.

The ``public key'' and Diffie-Hellman patents have now expired, but the
RSA patent does not expire until next year.  Therefore, RSAREF's license
is the one to which you must adhere.  From a quick read-through of this,
you may still be in the clear (but ask your lawyers first).

You also should compile SSH with IDEA encryption disabled, as it is
also patented.

Disclaimer: although I work for the owner (assignee) of the RSA patent,
I don't speak for them, particularly in this arena.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Sep 27 10:09:10 1999
Message-Id: <199909271708.KAA01034@passer.osg.gov.bc.ca>
Reply-To: Cy Schubert - ITSD Open Systems Group
To: cjclark@home.com
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG
Subject: Re: dump(8) Insecurity/Misconfiguration
In-reply-to: Your message of "Mon, 27 Sep 1999 12:15:30 EDT." <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com>
Date: Mon, 27 Sep 1999 10:08:23 -0700
From: Cy Schubert

In message <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Clark" writes:
> Cy Schubert - ITSD Open Systems Group wrote,
> > Running dump as root isn't as big a security problem as the firewall
> > issues that this rsh issue raises, not to mention cleartext.  Due to
> > its copyright restrictions use of the SSH protocol may not be too
> > wise; however, various VPN solutions do help.
>
> OK, you are the second person to mention this about SSH.  I've always
> thought using SSH (/not/ SSH2) at a commercial site was fine
> provided it falls within the following limits (from the COPYING file
> that comes with the SSH tarball),
>
>   "Companies are permitted to use this program as long as it is not used for
>   revenue-generating purposes.  For example, an Internet service provider is
>   allowed to install this program on their systems and permit clients to use
>   SSH to connect; however, actively distributing SSH to clients for the
>   purpose of providing added value requires separate licensing.  Similarly,
>   a consultant may freely install this software on a client's machine for
>   his own use, but if he/she sells the client a system that uses SSH as a
>   component, a separate license is required."
>
> I'm no lawyer, but it seems like using SSH for helping with dumps
> would fall well within this license since backing up files does not
> really generate much revenue for us.
>
> Is there something in the license I've missed?  You all have me nervous
> now.

I'm not a lawyer either (thank god), however I remember (haven't looked
at the copyright lately) that it cannot be used by any commercial
organization.  One of my clients, a non-profit organization attached at
arm's length to the Government of BC which provides services to
universities here in the province, did some research a couple of months
ago and found that they would have to purchase the product in order to
use it legally.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Sun/DEC Team, UNIX Group       Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Mon Sep 27 11:11:43 1999
Message-ID: <37EFB2C6.6240D4D3@cgf.net>
Date: Mon, 27 Sep 1999 11:09:10 -0700
From: tomb
To: freebsd-security@freebsd.org
Subject: What's this jail thing?
References: <11744.938266471@critter.freebsd.dk> <37EE876A.C55AC0E0@hackfurby.com>

Would someone be kind enough to point me toward an explanation of what
the jail concept is; it sounds like it could be an interesting security
feature.

Thanks in advance.
Tom

From owner-freebsd-security Mon Sep 27 11:36:12 1999
To: tomb
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What's this jail thing?
In-reply-to: Your message of "Mon, 27 Sep 1999 11:09:10 PDT." <37EFB2C6.6240D4D3@cgf.net>
Date: Mon, 27 Sep 1999 20:35:54 +0200
Message-ID: <21903.938457354@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <37EFB2C6.6240D4D3@cgf.net>, tomb writes:
>Would someone be kind enough to point me toward an explanation of what
>the jail concept is; it sounds like it could be an interesting security
>feature.

JAIL(2)                   FreeBSD System Calls Manual                  JAIL(2)

NAME
     jail - Imprison current process and future descendants.

SYNOPSIS
     #include
     #include

     int
     jail(struct jail *jail)

DESCRIPTION
     The jail system call sets up a jail and locks the current process in it.

     The argument is a pointer to a structure describing the prison:

           struct jail {
                   char      *path;
                   char      *hostname;
                   u_int32_t ip_number;
           };

     The ``path'' pointer should be set to the directory which is to be the
     root of the prison.

     The ``hostname'' pointer can be set to the hostname of the prison.  This
     can be changed from the inside of the prison.

     The ``ip_number'' can be set to the IP number assigned to the prison.

PRISON ?
     Once a process has been put in a prison, it and its descendants cannot
     escape the prison.  It is not possible to add a process to a preexisting
     prison.

     Inside the prison, the concept of "superuser" is very diluted; in general
     it can be assumed that nothing can be mangled from inside a prison that
     doesn't exist inside that prison (ie: the directory tree below ``path'').

     All IP activity will be forced to happen to/from the IP number specified,
     which should be an alias on one of the system's interfaces.

     It is possible to identify a process as jailed by examining
     ``/proc/<pid>/status'': it will show a field near the end of the line,
     either as a single hyphen for a process at large, or the hostname
     currently set for the prison for jailed processes.

ERRORS
     Jail() calls chroot(2) internally, so it can fail for all the same
     reasons.  Please consult the chroot(2) manual page for details.

SEE ALSO
     chroot(2) chdir(2)

HISTORY
     The jail() function call appeared in FreeBSD 4.0.

     The jail feature was written by Poul-Henning Kamp for R&D Associates
     ``http://www.rndassociates.com/'' who contributed it to FreeBSD.

FreeBSD 4.0                     April 28, 1999                               1

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Sep 27 11:44:15 1999
From: "Rodney W. Grimes"
Message-Id: <199909271841.LAA12907@gndrsh.dnsmgr.net>
Subject: Re: dump(8) Insecurity/Misconfiguration
In-Reply-To: <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Sep 27, 1999 12:15:30 pm"
To: cjclark@home.com
Date: Mon, 27 Sep 1999 11:41:00 -0700 (PDT)
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG

...
>   "Companies are permitted to use this program as long as it is not used for
>   revenue-generating purposes.  For example, an Internet service provider is
>   allowed to install this program on their systems and permit clients to use
>   SSH to connect; however, actively distributing SSH to clients for the
>   purpose of providing added value requires separate licensing.  Similarly,
>   a consultant may freely install this software on a client's machine for
>   his own use, but if he/she sells the client a system that uses SSH as a
>   component, a separate license is required."
>
> I'm no lawyer, but it seems like using SSH for helping with dumps
> would fall well within this license since backing up files does not
> really generate much revenue for us.

I'm not a lawyer either, but I'll play the advocate here and show you
why you are at risk.  First, you used the word ``much'' in the above
sentence.  _Any_ is _some_ and is _not_ none, henceforth you violate
``not used for ...''.  Second, since backups are a critical piece of
keeping your business operating, and your business, hopefully at least,
generates revenue, you would be in violation of ``revenue-generating
purposes'', though it would be indirectly.

> Is there something in the license I've missed?  You all have me nervous
> now.

A lot of people will say I have overstated the intent of the licence;
I'll simply say that I am applying Black's Legal dictionary to extract
what _I_ see as the letter of the agreement.  In real law intent is more
important than letter, but I would ask this licensor for a written
yes/no on what you are doing to protect yourself.  You may also find
that the license fee is quite low for what you want to do.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Mon Sep 27 11:51:48 1999
Message-ID: <002c01bf0919$4968caa0$b8014b0a@fisystem.fr>
From: "Michael Hallgren"
To: "Bert Wijnen"
References: <199909270910.FAA264640@northrelay03.pok.ibm.com>
Subject: Re: FYI - Summary of "interim cross-wg meeting"
Date: Mon, 27 Sep 1999 20:51:14 +0200

That's why you should go https://domain/image.gif rather than
http://domain/image.gif

http:// triggers the browser to connect to the HTTP default port (80),
whereas https:// makes it connect to the port (443) serving content over
SSL.

Cheers

mh

> Here is the summary and action points that resulted from our
> "by invitation only meeting" that we had in Chicago 16/17 Sept 1999.
> > Bert > ------------------ follwoing is a copy ------------------------- > Date: 26 Sep 1999 > From: Bert Wijnen > To: various WGs: diffserv, rap, policy framework, ipsp > Subject: Summary of "interim cross-wg meeting" > > As posted to various mailing lists a few weeks ago, the responsible > ADs for the above WGs did call for a cross-wg meeting (by invitation) > to discuss cross-wg issues and requirements. > In addition the WG chairs and some others WG members, we had also > invited a few "SNMP proponents" to help discuss/evaluate the > question "Why COPS and PIBs instead or in addition to SNMP and MIBs". > > Some people at the meeting though that there was a lot of anarchy > during the meeting. However, I myself would rather say that it was > clear that individual members of various WGs had different views on > how Policy-based management (or configuration management in general) > should work. There was also a difference in focus. Some people > focus on hig level abrstract policies and others focus on device > specific policies and configuration. Given the charters of the > involved WGs, this is understandable. But at the other hand, all > these WGs have the obligation to interact with each other where > needed, so that a total solution can emerge from the combined work > of the different WGs. > > So, I would like to report on the positive side. > > The meeting got the WGs talking to each other. People were "nice" > to each other, and I think we all came away with the feeling that > we need to align the work of these WGs better. To that goal, the > meeting decided to form 3 Design Teams as follows: > > 1. Design Team to document Terminology > > 2. Design Team to document Use Cases for Policy Based Management > > 3. Design Team for Requirements for Configuration Management > > The members of each team and the "charter" for each team are > listed below. 
As you can see, they have a very aggressive schedule > and we plan to discuss their results at the next IETF in Wash. D.C. > > I would like to encourage everybody to contribute as much as you can, > either by sending your input/views/conserns to the ONE of the > mailing lists. From each WG we have members in the DT, so there is > no need to send a comment to all 3 or 4 mailing lists. > My suggestion would be to use these mailing lists: > > - Diffserv for Terminology > - Policy for Use Cases > - Rap for Configuration Management > > Bert > --------------------------------------------------------------- > > Design Team to document Terminology > > Design Team members: > > Francis Reichmeyer - FranR@iphighway.com > Mark Stevens - markstevens@lucent.com > Dan Grossman - dan@dma.isg.mot.com > Matt Condell - mcondell@bbn.com > > Fran is the team leader. > > The team is chartered to: > > - Document the terminology to be used for Policy Based Management. > This terminology is intended to be used in all Policy related > WGs and in WGs like RAP, Diffserv, IPSP and possibly others. > > Milestones: > 11 OCt 99 - checkpoint, possibly publish/post an interim doc > so other can see where DT is going and comment > 22 Oct 99 - publish document as an I-D > 07 Nov 99 - discuss document (possibly in a BOF) at 46th IETF > > Discussions can/should take place on one or all of the > Policy/RAP/Diffserv/IPSP mailing lists. > > Bert > --------------------------------------------------------------- > > Design Team to document Use Cases for Policy Based Management > > Design Team members: > > Hugh F. Mahon - mhugh@xpeditio.cnd.hp.com > Shai Herzog - herzog@iphighway.com > Yoram Bernet - yoramb@exchange.microsoft.com > Luis A. Sanchez - lsanchez@bbn.com > > Hugh is the team leader. 
> > The team is chartered to: > > - Document various Use Case Scenarios for Policy Based Management > in such a way that readers can understand: > - At what levels of Abstraction a Policy can be specified > via some sort of Gui tool > - How that Policy specification gets stored in a repository > - How that Policy gets distributed to the Policy Servers > (Consumers?) and Network Devices (Targets?). > - What the various levels of abstraction are at each point > and how translation (conversion/mapping?) gets done from > one level of abstraction to the next > - How external events impact such Policies > - How changes to a Policy data (from a GUI) get notified to > Policy servers/targets > - How Policy Servers and Targets report back to the users > at the Gui (or a management station) if and how the Policy > has been installed. > - How and where conflict resolution is done > > For those pieces for which we do not intend to define a > standard, you can describe the use of one or more existing > tools or concepts. > > Milestones: > 11 Oct 99 - checkpoint, possibly publish/post an interim doc > so others can see where DT is going and comment > 22 Oct 99 - publish document as an I-D > 07 Nov 99 - discuss document in Policy WG > (Brian/Kathy to include it in their agenda) > > Bert > --------------------------------------------------------------- > > Design Team for Requirements for Configuration Management > > The design team has the following tasks: > > 1) Write a document that specifies the requirements for > configuration management. This includes requirements for a > data model, information model, and protocols. The requirements > should be specified such that current/future proposals > can be evaluated. > > 2) Evaluate (and document such evaluation) the COPS-PR/SoPI > and SNMP/SMI against these requirements. > This task will produce a document that shows how well the > current COPS-PR/SoPI and SNMP/SMI meet those requirements. 
> In addition, potential changes will be listed to each of > the 2 packages by which they would meet the requirements. > > 3) Evaluate implementation and deployment costs. > - Cost of implementation > - Time to implement > - Impact on Deployed systems > - Impact on management staffs > > Milestones: > > 20 Sep 99 - Start. > Attendees of meeting send requirements to the mailing > list: mumble@ops.ietf.org > (to subscribe send email to mumble-request@opts.ietf.org > and put the word subscribe in the body) > The sooner everyone sends in requirements, the better. > > 01 Oct 99 - No more requirements accepted, > > 08 Oct 99 - or earlier > Design Team (DT) publishes requirements to mumble > list so everyone can check them and comment > > 15 Oct 99 - or earlier > Design Team (DT) publishes a first cut of the evaluation > to the mumble list so everyone can check and comment > > 22 Oct 99 - or earlier > Design Team submits document(s) to I-D repository > under the names of: > draft-ops-mumble--00.txt > > 07 Nov 99 - Documents presented/evaluated at 46th IETF in mumble-BOF > (name of BOF to be determined) > > Design Team Members: > > Luis Sanchez (ipsp) - lsanchez@bbn.com > Jon Saperia (snmp) - saperia@mediaone.net > Keith McCloghrie (cops) - kzm@cisco.com > > Design Team Leader: Luis Sanchez > > Notes: > - Would be great if Design Team can create/maintain a web page > listing the submitted requirements. (Juergen may be able to > help, he has done so for quite a few other design teams). > - Mailing list and comments are restricted to attendees/invitees > of the "interim policy/rap/diffserv" meeting so as to be able > to be productive and focused. > - There is no discussion of an SNMPv4. We're documenting a set > of requirements and evaluating 2 tool-sets and we have to have > no rumours about a possible SNMPv4. > - The team members can consult with anybody they like on any > items/issues they want/need help with. 
> - The ADs (and IESG) will evaluate the situation after the 46th > IETF meeting. > > > Bert Wijnen - IETF co-AD for Operations and Management > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 11:53:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.free.fr (smtp2.free.fr [212.27.32.6]) by hub.freebsd.org (Postfix) with ESMTP id E213515781 for ; Mon, 27 Sep 1999 11:53:24 -0700 (PDT) (envelope-from m.hallgren@free.fr) Received: from roam (paris11-51-194.dial.proxad.net [212.27.51.194]) by smtp2.free.fr (8.9.3/8.9.3/Debian/GNU) with SMTP id UAA26433; Mon, 27 Sep 1999 20:53:12 +0200 Message-ID: <003701bf0919$8c217ae0$b8014b0a@fisystem.fr> From: "Michael Hallgren" To: Cc: Subject: Tr: FYI - Summary of "interim cross-wg meeting" Date: Mon, 27 Sep 1999 20:53:10 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sorry, freebsd-security crowd, and real follow-up to modssl-users, ... my MUA built by Mr Gates fooled me ;) mh >That's why you should go > > https://domain/image.gif > >rather than http://domain/image.gif > >http:// triggers the browser to connect to the HTTP default port (80), >whereas https:// makes it connect to the port (443) serving content over SSL. > > >Cheers > >mh > > > >> Here is the summary and action points that resulted from our >> "by invitation only meeting" that we had in Chicago 16/17 Sept 1999. 
>> >> Bert >> ------------------ following is a copy ------------------------- >> Date: 26 Sep 1999 >> From: Bert Wijnen >> To: various WGs: diffserv, rap, policy framework, ipsp >> Subject: Summary of "interim cross-wg meeting" >> >> As posted to various mailing lists a few weeks ago, the responsible >> ADs for the above WGs did call for a cross-wg meeting (by invitation) >> to discuss cross-wg issues and requirements. >> In addition to the WG chairs and some other WG members, we had also >> invited a few "SNMP proponents" to help discuss/evaluate the >> question "Why COPS and PIBs instead or in addition to SNMP and MIBs". >> >> Some people at the meeting thought that there was a lot of anarchy >> during the meeting. However, I myself would rather say that it was >> clear that individual members of various WGs had different views on >> how Policy-based management (or configuration management in general) >> should work. There was also a difference in focus. Some people >> focus on high level abstract policies and others focus on device >> specific policies and configuration. Given the charters of the >> involved WGs, this is understandable. But on the other hand, all >> these WGs have the obligation to interact with each other where >> needed, so that a total solution can emerge from the combined work >> of the different WGs. >> >> So, I would like to report on the positive side. >> >> The meeting got the WGs talking to each other. People were "nice" >> to each other, and I think we all came away with the feeling that >> we need to align the work of these WGs better. To that goal, the >> meeting decided to form 3 Design Teams as follows: >> >> 1. Design Team to document Terminology >> >> 2. Design Team to document Use Cases for Policy Based Management >> >> 3. Design Team for Requirements for Configuration Management >> >> The members of each team and the "charter" for each team are >> listed below. 
As you can see, they have a very aggressive schedule >> and we plan to discuss their results at the next IETF in Wash. D.C. >> >> I would like to encourage everybody to contribute as much as you can, >> either by sending your input/views/concerns to ONE of the >> mailing lists. From each WG we have members in the DT, so there is >> no need to send a comment to all 3 or 4 mailing lists. >> My suggestion would be to use these mailing lists: >> >> - Diffserv for Terminology >> - Policy for Use Cases >> - Rap for Configuration Management >> >> Bert >> --------------------------------------------------------------- >> >> Design Team to document Terminology >> >> Design Team members: >> >> Francis Reichmeyer - FranR@iphighway.com >> Mark Stevens - markstevens@lucent.com >> Dan Grossman - dan@dma.isg.mot.com >> Matt Condell - mcondell@bbn.com >> >> Fran is the team leader. >> >> The team is chartered to: >> >> - Document the terminology to be used for Policy Based Management. >> This terminology is intended to be used in all Policy related >> WGs and in WGs like RAP, Diffserv, IPSP and possibly others. >> >> Milestones: >> 11 Oct 99 - checkpoint, possibly publish/post an interim doc >> so others can see where DT is going and comment >> 22 Oct 99 - publish document as an I-D >> 07 Nov 99 - discuss document (possibly in a BOF) at 46th IETF >> >> Discussions can/should take place on one or all of the >> Policy/RAP/Diffserv/IPSP mailing lists. >> >> Bert >> --------------------------------------------------------------- >> >> Design Team to document Use Cases for Policy Based Management >> >> Design Team members: >> >> Hugh F. Mahon - mhugh@xpeditio.cnd.hp.com >> Shai Herzog - herzog@iphighway.com >> Yoram Bernet - yoramb@exchange.microsoft.com >> Luis A. Sanchez - lsanchez@bbn.com >> >> Hugh is the team leader. 
>> >> The team is chartered to: >> >> - Document various Use Case Scenarios for Policy Based Management >> in such a way that readers can understand: >> - At what levels of Abstraction a Policy can be specified >> via some sort of Gui tool >> - How that Policy specification gets stored in a repository >> - How that Policy gets distributed to the Policy Servers >> (Consumers?) and Network Devices (Targets?). >> - What the various levels of abstraction are at each point >> and how translation (conversion/mapping?) gets done from >> one level of abstraction to the next >> - How external events impact such Policies >> - How changes to a Policy data (from a GUI) get notified to >> Policy servers/targets >> - How Policy Servers and Targets report back to the users >> at the Gui (or a management station) if and how the Policy >> has been installed. >> - How and where conflict resolution is done >> >> For those pieces for which we do not intend to define a >> standard, you can describe the use of one or more existing >> tools or concepts. >> >> Milestones: >> 11 Oct 99 - checkpoint, possibly publish/post an interim doc >> so others can see where DT is going and comment >> 22 Oct 99 - publish document as an I-D >> 07 Nov 99 - discuss document in Policy WG >> (Brian/Kathy to include it in their agenda) >> >> Bert >> --------------------------------------------------------------- >> >> Design Team for Requirements for Configuration Management >> >> The design team has the following tasks: >> >> 1) Write a document that specifies the requirements for >> configuration management. This includes requirements for a >> data model, information model, and protocols. The requirements >> should be specified such that current/future proposals >> can be evaluated. >> >> 2) Evaluate (and document such evaluation) the COPS-PR/SoPI >> and SNMP/SMI against these requirements. 
>> This task will produce a document that shows how well the >> current COPS-PR/SoPI and SNMP/SMI meet those requirements. >> In addition, potential changes will be listed to each of >> the 2 packages by which they would meet the requirements. >> >> 3) Evaluate implementation and deployment costs. >> - Cost of implementation >> - Time to implement >> - Impact on Deployed systems >> - Impact on management staffs >> >> Milestones: >> >> 20 Sep 99 - Start. >> Attendees of meeting send requirements to the mailing >> list: mumble@ops.ietf.org >> (to subscribe send email to mumble-request@opts.ietf.org >> and put the word subscribe in the body) >> The sooner everyone sends in requirements, the better. >> >> 01 Oct 99 - No more requirements accepted, >> >> 08 Oct 99 - or earlier >> Design Team (DT) publishes requirements to mumble >> list so everyone can check them and comment >> >> 15 Oct 99 - or earlier >> Design Team (DT) publishes a first cut of the evaluation >> to the mumble list so everyone can check and comment >> >> 22 Oct 99 - or earlier >> Design Team submits document(s) to I-D repository >> under the names of: >> draft-ops-mumble--00.txt >> >> 07 Nov 99 - Documents presented/evaluated at 46th IETF in mumble-BOF >> (name of BOF to be determined) >> >> Design Team Members: >> >> Luis Sanchez (ipsp) - lsanchez@bbn.com >> Jon Saperia (snmp) - saperia@mediaone.net >> Keith McCloghrie (cops) - kzm@cisco.com >> >> Design Team Leader: Luis Sanchez >> >> Notes: >> - Would be great if Design Team can create/maintain a web page >> listing the submitted requirements. (Juergen may be able to >> help, he has done so for quite a few other design teams). >> - Mailing list and comments are restricted to attendees/invitees >> of the "interim policy/rap/diffserv" meeting so as to be able >> to be productive and focused. >> - There is no discussion of an SNMPv4. 
We're documenting a set >> of requirements and evaluating 2 tool-sets and we have to have >> no rumours about a possible SNMPv4. >> - The team members can consult with anybody they like on any >> items/issues they want/need help with. >> - The ADs (and IESG) will evaluate the situation after the 46th >> IETF meeting. >> >> >> Bert Wijnen - IETF co-AD for Operations and Management >> > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 12: 4:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 481B31542C for ; Mon, 27 Sep 1999 12:04:11 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id NAA27565; Mon, 27 Sep 1999 13:03:10 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id NAA11566; Mon, 27 Sep 1999 13:03:08 -0600 Date: Mon, 27 Sep 1999 13:03:08 -0600 Message-Id: <199909271903.NAA11566@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Rodney W. Grimes" Cc: cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909271841.LAA12907@gndrsh.dnsmgr.net> References: <199909271615.MAA92288@cc942873-a.ewndsr1.nj.home.com> <199909271841.LAA12907@gndrsh.dnsmgr.net> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@mt.sri.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [ Rod, you *really* need to get out more ] > > "Companies are permitted to use this program as long as it is not used for > > revenue-generating purposes. 
For example, an Internet service provider is > > allowed to install this program on their systems and permit clients to use > > SSH to connect; however, actively distributing SSH to clients for the > > purpose of providing added value requires separate licensing. Similarly, > > a consultant may freely install this software on a client's machine for > > his own use, but if he/she sells the client a system that uses SSH as a > > component, a separate license is required." > > > > I'm no lawyer, but it seems like using SSH for helping with dumps > > would fall well within this license since backing up files does not > > really generate much revenue for us. > > I'm not a lawyer either, but I'll play the advocate here and show > you why you are at risk. First, you used the word ``much'' in the > above sentence. _Any_ is _some_ and is _not_ none, henceforth you > violate ``not used for ...''. Second, since backups are a critical > piece of keeping your business operating No, they are not. Many (most?) businesses are reliably operating *today* without a working backup strategy. Yes, it's stupid, but it doesn't affect their ability to do business. It's just that it might not work *as* reliably if a disk goes down, but stuff gets done even without backups, since backups are rarely needed. > A lot of people will say I have overstated the intent of the licence, > I'll simply say that I am applying Blacks Legal dictionary to extract > what _I_ see as the letter of the agreement. Good thing you aren't a lawyer. > You may also find that the license fee is quite low for what you want to do. NOT! 
Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 12:25:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id EF3E614FA2 for ; Mon, 27 Sep 1999 12:25:04 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id MAA13029; Mon, 27 Sep 1999 12:23:40 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <199909271923.MAA13029@gndrsh.dnsmgr.net> Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909271903.NAA11566@mt.sri.com> from Nate Williams at "Sep 27, 1999 01:03:08 pm" To: nate@mt.sri.com (Nate Williams) Date: Mon, 27 Sep 1999 12:23:40 -0700 (PDT) Cc: cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > [ Rod, you *really* need to get out more ] What, I spent 5 hours yesterday cleaning the side yard at the shop, is that ``out'' enough for you :-) :-) :-) > > > > "Companies are permitted to use this program as long as it is not used for > > > revenue-generating purposes. For example, an Internet service provider is > > > allowed to install this program on their systems and permit clients to use > > > SSH to connect; however, actively distributing SSH to clients for the > > > purpose of providing added value requires separate licensing. 
Similarly, > > > a consultant may freely install this software on a client's machine for > > > his own use, but if he/she sells the client a system that uses SSH as a > > > component, a separate license is required." > > > > > > I'm no lawyer, but it seems like using SSH for helping with dumps > > > would fall well within this license since backing up files does not > > > really generate much revenue for us. > > > > I'm not a lawyer either, but I'll play the advocate here and show > > you why you are at risk. First, you used the word ``much'' in the > > above sentence. _Any_ is _some_ and is _not_ none, henceforth you > > violate ``not used for ...''. Second, since backups are a critical > > piece of keeping your business operating > > No, they are not. Many (most?) businesses are reliably operating > *today* without a working backup strategy. Yes, it's stupid, but it > doesn't affect their ability to do business. It's just that it might not > work *as* reliably if a disk goes down, but stuff gets done even without > backups, since backups are rarely needed. I stated up front I was playing advocate, maybe I should have said devil's advocate, but nonetheless I think I could make a pretty good case in a court room that backups are in fact a critical piece of keeping a business running that is dependent upon stored data to run. Just as insurance is pretty critical, yet thousands of businesses run around without it. I'll bet you dollars to a dog turd that the SSH licensor considers this a licensable situation. > > > A lot of people will say I have overstated the intent of the licence, > > I'll simply say that I am applying Blacks Legal dictionary to extract > > what _I_ see as the letter of the agreement. > > Good thing you aren't a lawyer. Probably, I'd be so rich I could be dictating this instead of typing it :-) > > > You may also find that the license fee is quite low for what you want to do. > > NOT! 
Then it is even more likely to be outside of the scope of the shareware license. If the fee is going to be huge for what he wants to do with it, how could you possibly think it would be zero? -- Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 12:36:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 4E39415389 for ; Mon, 27 Sep 1999 12:35:58 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id NAA27837; Mon, 27 Sep 1999 13:32:34 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id NAA11712; Mon, 27 Sep 1999 13:32:32 -0600 Date: Mon, 27 Sep 1999 13:32:32 -0600 Message-Id: <199909271932.NAA11712@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Rodney W. Grimes" Cc: nate@mt.sri.com (Nate Williams), cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909271923.MAA13029@gndrsh.dnsmgr.net> References: <199909271903.NAA11566@mt.sri.com> <199909271923.MAA13029@gndrsh.dnsmgr.net> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@mt.sri.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > [ Rod, you *really* need to get out more ] > > What, I spent 5 hours yesterday cleaning the side yard at the shop, is > that ``out'' enough for you :-) :-) :-) No, 'cause it's work related. Go jump out of a plane or something. 
:) [ Rod asserts that using SSH for backups is a revenue-generating task, and as such violates the 'free' use of the SSH license. ] > I'll bet you dollars to a dog turd that the SSH licensor considers this > a licensable situation. I've got the dog turd, so the bet is on. >>> You may also find that the license fee is quite low for what you >>> want to do. >> >> NOT! > Then it is even more likely to be outside of the scope of the shareware > license. It's not a shareware license, or even close to one. It basically says that if you make money from using this product (not, if you make money *AND* use this product), then you must pay for it. The amount of money you pay is not dependent on how much money you make, it's a fixed fee based on the number of 'machines' it's installed on. (Last I bought the commercial product, it was $2K/CPU, but that was a couple of years ago.) We pay this, but it's because we needed some additional features that the commercial version had. I could have hacked the code myself, but that assumed I could do it in less than 40 hours, and I doubt I could have it done/tested/documented in that amount of time, hence we just bought it for the one box that needed the feature. The other boxes all run the 'free' version. However, $2K/seat is a lot of money for an ISP to charge for something as trivial as backups, especially when minimum cost is $4K (one for the tape server, and one for the remote client). It's simply not worth it, IMO. 
Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 13:39:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (Postfix) with ESMTP id 37F4814D0E; Mon, 27 Sep 1999 13:39:04 -0700 (PDT) (envelope-from carol@tinker.com) Received: by localhost (8.8.5/8.8.5) Received: by mail.tinker.com via smap (V2.0) id xma012399; Mon Sep 27 15:16:02 1999 Received: by localhost (8.8.8/8.8.8) id PAA13704; Mon, 27 Sep 1999 15:38:09 -0500 (CDT) Message-ID: <37EFD593.A6900748@tinker.com> Date: Mon, 27 Sep 1999 15:37:39 -0500 From: Carol Deihl Organization: Shrier and Deihl X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: trouble@hackfurby.com Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: chroot could chdir? (was Re: about jail) References: <199909251302.RAA58030@grendel.sovlink.ru> <19990925171712.A80535@zenon.net> <37EEA27E.244DCF9A@tinker.com> <37F00602.96D098D3@hackfurby.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, I was referring to the practice of chdir-ing to someplace within the chrooted area right *after* doing the chroot, before doing anything else. Otherwise, the current working directory may be pointing to a directory *outside* the chrooted area. Of course, if you set the current working directory to someplace inside the chrooted area *before* doing the chroot, that's fine too. However, it is a danger that some programmers are not careful (or are malicious), and neither set an appropriate current dir before chrooting, nor afterwards. Since this allows one to break out of a chrooted area, I'm looking for a solution to this security problem. 
Carol TrouBle wrote: > > Ummm sorry but I think you have gotten this backwards it is more secure to > chdir, then chroot, not chroot then chdir.... I believe what you have here is > backwards > > > > > As we all know, the chroot can be escaped because the sample > > program doesn't change the current working directory, and it's > > still pointing outside the chrooted area. > > > > What if chroot itself chdir'ed to its new root directory? Would > > this break existing programs? I'd expect that well-behaved > > programs would chdir someplace useful before continuing anyway. > > > > At the very end of chroot(), could it just > > vrele(fdp->fd_cdir); > > fdp->fd_cdir = nd.ni_vp; > > before it returns, setting the current dir to the same place it > > just chrooted to? -- Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com Remote Unix Network Admin, Security, Internet Software Development Tinker Internet Services - Superior FreeBSD-based Web Hosting http://www.tinker.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 13:41:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (Postfix) with ESMTP id BDBD115362; Mon, 27 Sep 1999 13:41:36 -0700 (PDT) (envelope-from carol@tinker.com) Received: by localhost (8.8.5/8.8.5) Received: by mail.tinker.com via smap (V2.0) id xma012420; Mon Sep 27 15:18:42 1999 Received: by localhost (8.8.8/8.8.8) id PAA14572; Mon, 27 Sep 1999 15:40:52 -0500 (CDT) Message-ID: <37EFD638.528A5C9@tinker.com> Date: Mon, 27 Sep 1999 15:40:24 -0500 From: Carol Deihl Organization: Shrier and Deihl X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Poul-Henning Kamp Cc: Julian Elischer , freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: chroot could chdir? 
(was Re: about jail) References: <19097.938417784@critter.freebsd.dk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Poul-Henning Kamp wrote: > > In message , Julian Elischer writes: > >I read it as her talking about chroot in general. Yep, I was. > We do. See source. :-) Are you talking about the new jail() call only, or does this apply to chroot() (especially in 3.2) ? (And I am looking in the source now, I'm just not too familiar with it... :-) ) Carol > >> >You have to examine ALL fd's in case one has a directory open that is > >> >outside the chroot.. > >> >(see man fchdir(2)) > >> > >> We do. See source. -- Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com Remote Unix Network Admin, Security, Internet Software Development Tinker Internet Services - Superior FreeBSD-based Web Hosting http://www.tinker.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 13:48:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id D225114BDD for ; Mon, 27 Sep 1999 13:48:00 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id NAA13161; Mon, 27 Sep 1999 13:38:05 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. 
Grimes" Message-Id: <199909272038.NAA13161@gndrsh.dnsmgr.net> Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909271932.NAA11712@mt.sri.com> from Nate Williams at "Sep 27, 1999 01:32:32 pm" To: nate@mt.sri.com (Nate Williams) Date: Mon, 27 Sep 1999 13:38:05 -0700 (PDT) Cc: cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > [ Rod, you *really* need to get out more ] > > > > What, I spent 5 hours yesterday cleaning the side yard at the shop, is > > that ``out'' enough for you :-) :-) :-) > > No, 'cause it's work related. Go jump out of a plane or something. :) I wish I could, medical reasons have had me grounded for over 2 years now :-( :-(. > [ > Rod asserts that using SSH for backups is a revenue-generating task, and > as such violates the 'free' use of the SSH license. > ] > > > I'll bet you dollars to a dog turd that the SSH licensor considers this > > a licensable situation. > > I've got the dog turd, so the bet is on. Okay. Who do I call or email?? > >>> You may also find that the license fee is quite low for what you > >>> want to do. > >> > >> NOT! > > > Then it is even more likely to be outside of the scope of the shareware > > license. > > It's not a shareware license, or even close to one. It basically says > that if you make money from using this product (not, if you make money > *AND* use this product), then you must pay for it. > > The amount of money you pay is not dependent on how much money you make, > it's a fixed fee based on the number of 'machines' it's installed > on. > > (Last I bought the commercial product, it was $2K/CPU, but that was a > couple of years ago.) 
Not unreasonable, but probably a setback to those who are used to the freeness of open source. > > We pay this, but it's because we needed some additional features that > the commercial version had. I could have hacked the code myself, but > that assumed I could do it in less than 40 hours, and I doubt I could have > it done/tested/documented in that amount of time, hence we just bought > it for the one box that needed the feature. > > The other boxes all run the 'free' version. > > However, $2K/seat is a lot of money for an ISP to charge for something as > trivial as backups, especially when minimum cost is $4K (one for the > tape server, and one for the remote client). Hummmm.... twice what a reasonable capacity tape drive costs is a bit much!! But it is much less than some of the backup solutions we have done for clients, with DLT robots and such. > It's simply not worth it, IMO. It could be worth it, if license violations were concerned: the normal allowable damages would far exceed the $4K. The real simple solution for this person is to simply go use amanda, that is how we eliminated this whole issue! 
-- Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 14: 5:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 042AA14E34 for ; Mon, 27 Sep 1999 14:05:05 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id PAA28897; Mon, 27 Sep 1999 15:03:42 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id PAA12558; Mon, 27 Sep 1999 15:03:41 -0600 Date: Mon, 27 Sep 1999 15:03:41 -0600 Message-Id: <199909272103.PAA12558@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Rodney W. Grimes" Cc: nate@mt.sri.com (Nate Williams), cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909272038.NAA13161@gndrsh.dnsmgr.net> References: <199909271932.NAA11712@mt.sri.com> <199909272038.NAA13161@gndrsh.dnsmgr.net> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@mt.sri.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > [ > > Rod asserts that using SSH for backups is a revenue-generating task, and > > as such violates the 'free' use of the SSH license. > > ] > > > > > I'll bet you dollars to a dog turd that the SSH licensor considers this > > > a licensable situation. > > > > I've got the dog turd, so the bet is on. > > Okay. Who do I call or email?? 
www.datafellows.com However, realize that ignorance is somewhat bliss here, so don't go off sicking DataFellows on a bunch of unsuspecting people because of the way you define what backups are. > > However, $2K/seat is alot of money for an ISP to charge for something as > > trivial as backups, especially when minimum cost is $4K (one for the > > tape server, and one for the remote client). > > Hummmm.... twice what a reasonable capacity tape drive is a bit much!! > But it is much less than some of the backup solutions we have done for > clients, with DLT robots and such. > > > It's simply not worth it, IMO. > > It could be worth it, if Licenese violations where at concerned the > normal allowable damages would far exceed the $4K. > > The real simple solution for this person is to simply go use amanda, > that is how we eliminated this whole issue! Amanda doesn't solve the security issue. :( Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 14:21:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id E581E15435 for ; Mon, 27 Sep 1999 14:21:05 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA13248; Mon, 27 Sep 1999 14:11:52 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. 
Grimes" Message-Id: <199909272111.OAA13248@gndrsh.dnsmgr.net> Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909272103.PAA12558@mt.sri.com> from Nate Williams at "Sep 27, 1999 03:03:41 pm" To: nate@mt.sri.com (Nate Williams) Date: Mon, 27 Sep 1999 14:11:52 -0700 (PDT) Cc: cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > [ > > > Rod asserts that using SSH for backups is a revenue-generating task, and > > > as such violates the 'free' use of the SSH license. > > > ] > > > > > > > I'll bet you dollars to a dog turd that the SSH licensor considers this > > > > a licensable situation. > > > > > > I've got the dog turd, so the bet is on. > > > > Okay. Who do I call or email?? > > www.datafellows.com > > However, realize that ignorance is somewhat bliss here, so don't go off > sicking DataFellows on a bunch of unsuspecting people because of the way > you define what backups are. I'm pretty good at playing a stupid luser who just wants to know if he can do this or not... :-) > > > > However, $2K/seat is alot of money for an ISP to charge for something as > > > trivial as backups, especially when minimum cost is $4K (one for the > > > tape server, and one for the remote client). > > > > Hummmm.... twice what a reasonable capacity tape drive is a bit much!! > > But it is much less than some of the backup solutions we have done for > > clients, with DLT robots and such. > > > > > It's simply not worth it, IMO. > > > > It could be worth it, if Licenese violations where at concerned the > > normal allowable damages would far exceed the $4K. 
> > > > The real simple solution for this person is to simply go use amanda, > > that is how we eliminated this whole issue! > > Amanda doesn't solve the security issue. :( I beg to differ, it goes a long ways to fixing the security problems that rdump/rsh introduce. It uses it's own daemon with it's own .amandahosts file with it's own protocol. It can easily be filtered at boarders, and you can't use the username to even log in if things are done correctly. IMHO, it is more secure than a dump run over ssh, unless you also needed to connection encrypted, which could be hacked into amanda easy enough. -- Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 14:45:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from web1006.mail.yahoo.com (web1006.mail.yahoo.com [128.11.23.96]) by hub.freebsd.org (Postfix) with SMTP id 48D3F14CA9 for ; Mon, 27 Sep 1999 14:45:03 -0700 (PDT) (envelope-from pram512@yahoo.com) Message-ID: <19990927220012.20408.rocketmail@web1006.mail.yahoo.com> Received: from [207.149.0.59] by web1006.mail.yahoo.com; Mon, 27 Sep 1999 15:00:12 PDT Date: Mon, 27 Sep 1999 15:00:12 -0700 (PDT) From: "Me Uh, K." Reply-To: pram512@yahoo.com Subject: Fwd: Re: dump(8) Insecurity/Misconfiguration To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [I meant to send this to the list earlier today, but like an idiot sent it to the very nice Rodney W. 
Grimes (freebsd@gndrsh.dnsmgr.net), who was kind enough to reply - which I'm also posting to the list] Just a side question, mostly-off topic - [SNIP] > For example, an Internet service provider is allowed > to install this program on their systems and permit > clients to use SSH to connect; however, actively > distributing SSH to clients for the purpose of > providing added value requires separate licensing. Would it be all right to distribute: A) at the customer's request? B) if there are no additional charges for the SSH? (the actual value of the service goes up, but most ISP customers don't even use telnet for anything other than uploading thier webpages - yet it still comes with most ISP software bundles, and the ISP doesn't charge any additional fees for the ability, or for the software- course, last I checked, it's always been a free program, anyway) I know we're not lawyers here, and that answers are only theoretical interpretations, ect. -mia k. (wishing she'd stop mailing busy people her relatively irrelevant questions, and wondering what she's doing subscribed to Security when she can't figure out who her replies are going to ;) __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 14:45:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from web1003.mail.yahoo.com (web1003.mail.yahoo.com [128.11.23.93]) by hub.freebsd.org (Postfix) with SMTP id 31065156A6 for ; Mon, 27 Sep 1999 14:45:40 -0700 (PDT) (envelope-from pram512@yahoo.com) Message-ID: <19990927220015.29715.rocketmail@web1003.mail.yahoo.com> Received: from [207.149.0.59] by web1003.mail.yahoo.com; Mon, 27 Sep 1999 15:00:15 PDT Date: Mon, 27 Sep 1999 15:00:15 -0700 (PDT) From: "Me Uh, K." 
Reply-To: pram512@yahoo.com Subject: Fwd: Re: dump(8) Insecurity/Misconfiguration To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [Mr. Grimes' reply, as mentioned in previous email] --- "Rodney W. Grimes" wrote: > From: "Rodney W. Grimes" > Subject: Re: dump(8) Insecurity/Misconfiguration > To: pram512@yahoo.com > Date: Mon, 27 Sep 1999 12:32:34 -0700 (PDT) > > [This should have really been on the list, with your > permission please forward this reply back onto the > list] > > > Just a side question, off topic - > > > > [SNIP] > > > For example, an Internet service provider is > allowed > > to install this program on their systems and > permit > > clients to use SSH to connect; however, actively > > distributing SSH to clients for the purpose of > > providing added value requires separate licensing. > > > > > Would it be all right to distribute: > > A) at the customer's request? > > Not if it ``provided added value''. I think you > would > be safest just creating a link to allow you client > to > down load it. That would then make it ``passive > distribution'' and > not ``active distribution'', and then the ``purpose > of > prociding added value'' clause looks to become a > moot point since > you didn't do it actively. > > > B) if there are no additional charges for the SSH? > > > (the actual value of the service goes up, but most > ISP > > customers don't even use telnet for anything other > > than uploading thier webpages - yet it still comes > > with most ISP software bundles, and the ISP > doesn't > > charge any additional fees for the ability, or for > the > > software- course, last I checked, it's always been > a > > free program, anyway) > > That one is a slippery slope, it would take careful > legal > evalutation for letter and intent of the license. 
> Just > because you didn't charge for that specific item > doesn't > mean your not using it to add value. > > > > > I know we're not lawyers here, and that answers > are > > only theoretical interpretations, ect. > > And given that we are looking at only snippets of a > larger > document much of what any of us say here could > easily be > invalidated by other parts of the document. I have > not > read any part of it other than the pieces posted in > the > thread before us. > > -- > Rod Grimes - KD7CAX - (RWG25) > rgrimes@gndrsh.dnsmgr.net > __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 14:53:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 0E39914C80 for ; Mon, 27 Sep 1999 14:53:36 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id RAA92701; Mon, 27 Sep 1999 17:54:21 -0400 (EDT) (envelope-from cjc) From: "Crist J. Clark" Message-Id: <199909272154.RAA92701@cc942873-a.ewndsr1.nj.home.com> Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909271841.LAA12907@gndrsh.dnsmgr.net> from "Rodney W. Grimes" at "Sep 27, 1999 11:41:00 am" To: freebsd@gndrsh.dnsmgr.net (Rodney W. 
Grimes) Date: Mon, 27 Sep 1999 17:54:21 -0400 (EDT) Cc: cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG Reply-To: cjclark@home.com X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Rodney W. Grimes wrote, > ... > > "Companies are permitted to use this program as long as it is not used for > > revenue-generating purposes. For example, an Internet service provider is > > allowed to install this program on their systems and permit clients to use > > SSH to connect; however, actively distributing SSH to clients for the > > purpose of providing added value requires separate licensing. Similarly, > > a consultant may freely install this software on a client's machine for > > his own use, but if he/she sells the client a system that uses SSH as a > > component, a separate license is required." > > > > I'm no lawyer, but it seems like using SSH for helping with dumps > > would fall well within this license since backing up files does not > > really generate much revenue for us. > > I'm not a lawyer either, but I'll play the advocate here and show > you why you are at risk. First, you used the word ``much'' in the > above sentence. _Any_ is _some_ and is _not_ none, henceforth you > voilate ``not used for ...''. I forgot the Smiley. I meant 'much' sarcastically, as in, doing backups generates no revenue. In fact, it costs us money. > Second, since backups are a critical > piece of keeping your business operating, and your business, hopefully > at least, generates revenue you would be in vilation of ``revenue-generating > purposes'', though it would be indirectly. But it gives the specific example of an ISP using SSH to _service_ customers, which is something that does generate revenue. 
Once you consider their example of what is acceptable use, it seems quite clear to me that our use is many steps farther away from revenu generating and therefore would be permitted. As for the other comment someone made about RSA, their license is basically the same. It prohibits commercial us for "revenue generating," but otherwise permitted. Thanks to everyone for all of your information and opinions on this. -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 15:10:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from totally.morphed.com (totally.morphed.com [207.66.106.134]) by hub.freebsd.org (Postfix) with ESMTP id 5A6BD15699 for ; Mon, 27 Sep 1999 15:10:42 -0700 (PDT) (envelope-from root@totally.morphed.com) Received: from localhost (root@localhost) by totally.morphed.com (8.9.3/8.9.2) with ESMTP id QAA12399 for ; Mon, 27 Sep 1999 16:10:40 -0600 (MDT) (envelope-from root@totally.morphed.com) Date: Mon, 27 Sep 1999 16:10:40 -0600 (MDT) From: "Jason L. Schwab" To: freebsd-security@freebsd.org Subject: sysctl command to log ALL connections.. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What is the 'sysctl' command to LOG ALL connections on any port and any interface to syslog? also, is there a line for it in rc.conf? 
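Jason's question above gets no answer in the thread. As an added example that is not from any poster, here is the defender-side half of what he asks for on FreeBSD: ipfw rules carrying the `log` keyword (with `net.inet.ip.fw.verbose=1`, which current FreeBSD sets from `firewall_logging="YES"` in rc.conf) write one syslog line per matched packet, and the script below parses those lines into per-source accept/deny counts. The line layout and the sample log are constructed assumptions modelled on ipfw(8)'s documented output, not captured from a real host.

```python
"""Parse ipfw(8) 'log' lines from syslog into per-source accept/deny counts.

Added example, not from the mailing-list thread. Assumption: rules such as
    ipfw add 100 allow log tcp from any to any setup
    ipfw add 65000 deny log ip from any to any
with net.inet.ip.fw.verbose=1 (rc.conf firewall_logging="YES" on current
FreeBSD) emit lines of the shape handled by IPFW_RE below.
"""
import re
from collections import Counter

# Assumed line shape (TCP/UDP only; ICMP lines use a different layout):
#   ... ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample syslog excerpt (not real traffic): 192.0.2.10 is the
# gateway's address, 198.51.100.7 an outside host poking at NetBIOS (139/tcp).
SAMPLE_LOG = """\
Sep 27 20:05:24 gw /kernel: ipfw: 100 Accept TCP 10.0.0.5:51234 192.0.2.10:22 in via ed0
Sep 27 20:05:25 gw /kernel: ipfw: 100 Accept TCP 10.0.0.5:51235 192.0.2.10:80 in via ed0
Sep 27 20:05:30 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.7:4444 192.0.2.10:139 in via ed1
Sep 27 20:05:31 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.7:4445 192.0.2.10:139 in via ed1
Sep 27 20:05:40 gw /kernel: ipfw: 200 Accept UDP 10.0.0.8:1024 192.0.2.10:53 in via ed0
Sep 27 20:05:41 gw sshd[211]: Accepted password for scott from 10.0.0.5
"""


def parse_ipfw_line(line):
    """Return a dict for one ipfw log line, or None for any other syslog line."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("rule", "sport", "dport"):
        rec[field] = int(rec[field])
    return rec


def summarize(lines):
    """Aggregate log lines into accept/deny counters keyed by
    (src, dst, proto, dport); 'skipped' counts lines that are not ipfw output."""
    accepted, denied, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            skipped += 1
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        if rec["action"] == "Accept":
            accepted[key] += 1
        else:
            denied[key] += 1  # Deny, Unreach, Reset ... all count as blocked
    return {"accepted": accepted, "denied": denied, "skipped": skipped}


def noisy_sources(summary, threshold):
    """Source addresses with at least `threshold` blocked packets, sorted."""
    per_src = Counter()
    for (src, _dst, _proto, _dport), n in summary["denied"].items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)


def report(summary):
    """Human-readable summary, one line per (src, dst, proto, dport) key."""
    out = []
    for label in ("accepted", "denied"):
        for (src, dst, proto, dport), n in sorted(summary[label].items()):
            out.append(f"{label:8s} {proto} {src} -> {dst}:{dport} x{n}")
    out.append(f"skipped  {summary['skipped']} non-ipfw line(s)")
    return "\n".join(out)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(report(s))
    print("noisy:", noisy_sources(s, threshold=2))
```

On a live gateway the same functions can be fed `/var/log/security` (or wherever syslog.conf sends the kernel's ipfw messages) instead of SAMPLE_LOG.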
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 16:54:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from entic.net (shell.entic.net [209.157.122.66]) by hub.freebsd.org (Postfix) with SMTP id 55C5A1570B for ; Mon, 27 Sep 1999 16:54:43 -0700 (PDT) (envelope-from aj@entic.net) Received: (qmail 10797 invoked by uid 1000); 27 Sep 1999 23:54:17 -0000 Date: Mon, 27 Sep 1999 16:54:17 -0700 (PDT) From: Anil Jangity To: freebsd-security@freebsd.org Subject: Undelivered Mail Returned to Sender (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Anyone fix this yet? -Anil ---------- Forwarded message ---------- Date: Mon, 27 Sep 1999 16:45:31 -0700 (PDT) From: Mail Delivery System To: aj@entic.net Subject: Undelivered Mail Returned to Sender This is the Postfix program at host hub.freebsd.org. I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations. For further assistance, please contact If you do so, please include this problem report. You can delete your own text from the message returned below. The Postfix program --- Delivery error report follows --- : system resource problem. Command output: wrapper: Trying to exec /home/majordomo/mreply2 failed: No such file or directory Did you define PERL correctly in the Makefile? 
HOME is HOME=/home/majordomo, PATH is PATH=/bin:/usr/bin, SHELL is SHELL=/bin/sh, MAJORDOMO_CF is MAJORDOMO_CF=/home/majordomo/majordomo.cf --- Undelivered message follows --- Received: from entic.net (shell.entic.net [209.157.122.66]) by hub.freebsd.org (Postfix) with SMTP id 1A66414C94 for ; Wed, 22 Sep 1999 16:24:24 -0700 (PDT) (envelope-from aj@entic.net) Received: (qmail 25346 invoked by uid 1000); 22 Sep 1999 23:23:37 -0000 Date: Wed, 22 Sep 1999 16:23:37 -0700 (PDT) From: Anil Jangity To: info@freebsd.org Subject: cvs needs to be updated for CY drivers Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII ---------- Forwarded message ---------- Date: Wed, 22 Sep 1999 16:17:06 -0700 (PDT) From: Anil Jangity To: andrew@werple.apana.org.au Subject: cvs needs to be updated for CY drivers The CY drivers on FreeBSD2.2.8 STABLE are older then the ones at the Cyclades web site. ftp://ftp.cyclades.com/pub/cyclades/cyclom-y/freebsd/2.2.x/ Kind regards, Anil Jangity aj@entic.net "Work like you don't need money, love like you've never been hurt, and dance like no one's watching." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 17: 4: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from server.computeralt.com (server.computeralt.com [207.41.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 9202014A2D for ; Mon, 27 Sep 1999 17:03:48 -0700 (PDT) (envelope-from scott@computeralt.com) Received: from scott (scott.computeralt.com [207.41.29.100]) by server.computeralt.com (8.9.1/8.9.1) with ESMTP id UAA02944 for ; Mon, 27 Sep 1999 20:03:37 -0400 (EDT) Message-Id: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> X-Sender: scott@mail.computeralt.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.1.4 (Beta) Date: Mon, 27 Sep 1999 20:05:24 -0400 To: freebsd-security@freebsd.org From: "Scott I. 
Remick" Subject: Help me win the MS-Proxy/ipfw war Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Any advice to a small-time network admin for a small (32 employees) company that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for FreeBSD/ipfw instead. We already have a FreeBSD server managing various tasks (and has done them VERY well, and doesn't crash), so this isn't totally new (ipfw is but I've got books on order and will be reading up). THEY (everyone but me) want MS Proxy because we're a MCSP and they want us to use what we're going to sell, so that we're familiar with it (the suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen on deaf ears). Of course, the fact is that no one actually spends time on this stuff other than me anyway, even though it's set up with the intent that all techs can learn from what we have installed in-house. That argument, too, seems to not be working. Nor the vast difference in hardware requirements (what would you consider the recommended hardware for a FreeBSD firewall gateway to a 128K ISDN link?). Cost of the actual software is $0 in either event, as we get to use MS software for free due to our MCSP status. I need help, as it's me against the masses and I seem to be unable to win them over. The best I've managed is to keep them from making the final decision (only reason we don't have a firewall already). I'm also faced with them wanting to move ALL mail services to the Exchange server (right now only internal Exchange mail gets handled by it, and it routes all internet mail through the FreeBSD box. The Exchange server itself is blocked from the internet at the router) as well as move our website from FreeBSD/Apache to NT/IIS (UGH!). 
I wish there were more advocates on my side working here to back me up, but alas, we are small, and it's just me, and the boss is in bed with MS it seems. We have some networking techs who do stuff for customers, and they're against me because 1) MS software failures give them a daily source of billable hours, and 2) they resent the FreeBSD server because it makes them look bad, never crashing, while their NT servers need constant attention/reboots. Thanks in advance. ----------------------- Scott I. Remick scott@computeralt.com Network and Information (802)388-7545 ext. 236 Systems Manager FAX:(802)388-3697 Computer Alternatives, Inc. http://www.computeralt.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 17:15:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from atdot.dotat.org (atdot.dotat.org [150.101.89.3]) by hub.freebsd.org (Postfix) with ESMTP id 5D6AE1548C for ; Mon, 27 Sep 1999 17:15:48 -0700 (PDT) (envelope-from newton@atdot.dotat.org) Received: (from newton@localhost) by atdot.dotat.org (8.9.3/8.7) id JAA13329; Tue, 28 Sep 1999 09:42:01 +0930 (CST) From: Mark Newton Message-Id: <199909280012.JAA13329@atdot.dotat.org> Subject: Re: Help me win the MS-Proxy/ipfw war To: scott@computeralt.com (Scott I. Remick) Date: Tue, 28 Sep 1999 09:42:01 +0930 (CST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> from "Scott I. Remick" at Sep 27, 99 08:05:24 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Scott I. Remick wrote: > Any advice to a small-time network admin for a small (32 employees) company > that is stuck in the MS_WAY = ONLY_WAY mindset? 
We are overdue for a > firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for > FreeBSD/ipfw instead. Go in after work one night and install FreeBSD. Once your firewall is a fait accomplis, inertia will help you get your way. [ on the other hand, if management is that dense you might want to "solve" the problem by changing employers - I doubt the boss' belligerence is confined to FreeBSD, if you see what I mean... ] - mark :-) -------------------------------------------------------------------- I tried an internal modem, newton@atdot.dotat.org but it hurt when I walked. Mark Newton ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 17:34:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from cx47987-b.escnd1.sdca.home.com (cx47987-b.escnd1.sdca.home.com [24.0.175.250]) by hub.freebsd.org (Postfix) with ESMTP id 5EAA8156BC for ; Mon, 27 Sep 1999 17:34:34 -0700 (PDT) (envelope-from larry@mail.interactivate.com) Received: from cx47987-c (cx47987-c.escnd1.sdca.home.com [24.0.175.251]) by cx47987-b.escnd1.sdca.home.com (8.9.3/8.9.3) with ESMTP id RAA02806; Mon, 27 Sep 1999 17:33:56 -0700 (PDT) (envelope-from larry@mail.interactivate.com) Message-Id: <4.2.0.58.19990927172008.00a59b40@mail.interactivate.com> X-Sender: larry@mail.interactivate.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Mon, 27 Sep 1999 17:25:05 -0700 To: "Scott I. Remick" , freebsd-security@FreeBSD.ORG From: Lawrence Sica Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:05 PM 9/27/99 -0400, Scott I. 
Remick wrote: >Any advice to a small-time network admin for a small (32 employees) >company that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue >for a firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing >for FreeBSD/ipfw instead. We already have a FreeBSD server managing >various tasks (and has done them VERY well, and doesn't crash), so this >isn't totally new (ipfw is but I've got books on order and will be reading up). > >THEY (everyone but me) want MS Proxy because we're a MCSP and they want us >to use what we're going to sell, so that we're familiar with it (the >suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen >on deaf ears). Of course, the fact is that no one actually spends time on >this stuff other than me anyway, even though it's set up with the intent >that all techs can learn from what we have installed in-house. That >argument, too, seems to not be working. Nor the vast difference in >hardware requirements (what would you consider the recommended hardware >for a FreeBSD firewall gateway to a 128K ISDN link?). Cost of the actual >software is $0 in either event, as we get to use MS software for free due >to our MCSP status. You could do it for a $1000 or less server easily. Also MS Proxy isn;t a true firewall i believe, it's a proxy server. >I need help, as it's me against the masses and I seem to be unable to win >them over. The best I've managed is to keep them from making the final >decision (only reason we don't have a firewall already). I'm also faced >with them wanting to move ALL mail services to the Exchange server (right >now only internal Exchange mail gets handled by it, and it routes all >internet mail through the FreeBSD box. The Exchange server itself is >blocked from the internet at the router) as well as move our website from >FreeBSD/Apache to NT/IIS (UGH!). You could point out that MS itself uses FreeBSD for Hotmail. 
Also Yahoo, cdrom.com, mp3.com and alot of high traffic sites use FreeBSD with no ill effect. As for moving mail service..mention how the Melissa virus was spread so easily due to MS-Exchange servers that should make them think. Also what about the if it aint broke dont fix it philosophy? >I wish there were more advocates on my side working here to back me up, >but alas, we are small, and it's just me, and the boss is in bed with MS >it seems. We have some networking techs who do stuff for customers, and >they're against me because 1) MS software failures give them a daily >source of billable hours, and 2) they resent the FreeBSD server because it >makes them look bad, never crashing, while their NT servers need constant >attention/reboots. Well telling the boss that it will be cheaper in administration costs could help. Do a breakdown of time spent admin each server and show him the cost analysis that way. Say it wil lbe X dollars per month and maybe a breakdown of downtime? If they servers need daily attention then make a chart showing it..like the commercials for kinko's.. Suits love graphs and numbers..if you could present hard numbers and pretty pictures that might help sway them.. HTH --larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 17:53:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 91B6214E9C for ; Mon, 27 Sep 1999 17:53:37 -0700 (PDT) (envelope-from andre@toaster.sun4c.net) Received: (from andre@localhost) by toaster.sun4c.net (8.9.3/8.9.3) id SAA25099; Mon, 27 Sep 1999 18:13:11 -0700 (PDT) Date: Mon, 27 Sep 1999 18:13:10 -0700 From: Andre Gironda To: "Scott I. 
Remick" Cc: freebsd-security@freebsd.org Subject: Re: Help me win the MS-Proxy/ipfw war Message-ID: <19990927181310.G24486@toaster.sun4c.net> References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>; from Scott I. Remick on Mon, Sep 27, 1999 at 08:05:24PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Sep 27, 1999 at 08:05:24PM -0400, Scott I. Remick wrote: > Any advice to a small-time network admin for a small (32 employees) company > that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a > firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for > FreeBSD/ipfw instead. We already have a FreeBSD server managing various > tasks (and has done them VERY well, and doesn't crash), so this isn't > totally new (ipfw is but I've got books on order and will be reading up). NT cannot be used in an Internet environment (or as a bastion host) because of the serious security implications. Netbios, IIS, and WINS are very insecure and instable applications/protocols. The only way I have heard of putting an NT box on the Internet precludes the use of a Cisco PIX or equivalent firewall to handle the stateful inpection of _every_ packet, as well as re-sequencing of tcp_iss port numbers, and SYN flood and smurf protection. So, tell them that they can use MS-Proxy as long as you buy a $14k PIX and block all incoming connections (especially to Netbios and IIS). Present that as Option 1. Option 2 could be FreeBSD with ipfw. You can put other options in there as well. Present it as a paper for immediate review. If they don't understand, then your paper will cleary state and document that fact -- so when you do get attacked (and believe me, you will get attacked), you have some sort of paper trail and migration plan. 
dre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 27 18: 4:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from vasquez.zip.com.au (vasquez.zip.com.au [203.12.97.41]) by hub.freebsd.org (Postfix) with ESMTP id 7395414A2D for ; Mon, 27 Sep 1999 18:04:49 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from zipperii.zip.com.au (ncb@zipperii.zip.com.au [203.12.97.87]) by vasquez.zip.com.au (8.9.2/8.9.1) with ESMTP id KAA28563; Tue, 28 Sep 1999 10:49:25 +1000 (EST) Date: Tue, 28 Sep 1999 11:05:36 +1000 (EST) From: Nicholas Brawn To: "Scott I. Remick" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 27 Sep 1999, Scott I. Remick wrote: > Any advice to a small-time network admin for a small (32 employees) company > that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a > firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for > FreeBSD/ipfw instead. We already have a FreeBSD server managing various > tasks (and has done them VERY well, and doesn't crash), so this isn't > totally new (ipfw is but I've got books on order and will be reading up). > I recently migrated one network from using a permanent ppp connection with a wintel machine running wingate to a freebsd system running a combination of tis fwtk and ipfw. As I can assure you, the performance and reliability of the connection, not to mention the security, is quite impressive (comparitively speaking). In terms of whether such a setup will suit your environment, you really need to outline what it is your system will need to be able to do. 
This will help you identify what you will need to provide that functionality.

The reality is that whatever solution you go for will end up sitting in the corner being maintained on a fairly infrequent basis - so long as it does its job. The argument that "we sell it therefore we must use it" is a valid one. But you don't "tinker" or "practice" on a production machine running as a gateway. If they sincerely want to get MS Proxy in use internally, then give them a development box to play with.

My $0.02.

Cheers,
Nick

-- 
Email: ncb@zip.com.au (or) nicholas.brawn@hushmail.com
Key fingerprint = 71C5 2EA8 903B 0BC4 8EEE 9122 7349 EADC 49C1 424E

From owner-freebsd-security Mon Sep 27 18:13:33 1999
From: Bill Fumerola
To: Andre Gironda
Cc: "Scott I. Remick" , freebsd-chat@FreeBSD.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Mon, 27 Sep 1999 20:17:07 -0400 (EDT)
In-Reply-To: <19990927181310.G24486@toaster.sun4c.net>

On Mon, 27 Sep 1999, Andre Gironda wrote:
> So, tell them that they can use MS-Proxy as long as you buy a $14k
> PIX and block all incoming connections (especially to Netbios and IIS).

If you're paying $14k for a PIX firewall, you're paying too much. I paid $8k for mine.
-- 
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Mon Sep 27 18:20:57 1999
From: Stephen Walsh
To: freebsd-security@freebsd.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Tue, 28 Sep 1999 11:20:56 +1000 (EST)

On Tue, 28 Sep 1999, Nicholas Brawn wrote:
> > Any advice to a small-time network admin for a small (32 employees) company
> > that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
[...]
> But you don't "tinker" or "practice" on a production machine
> running as a gateway. If they sincerely want to get MS Proxy in use
> internally, then give them a development box to play with.

I'll second this.. Never play around with new ideas etc. on a production machine.

How about running the freebsd system in front of the win systems and just hiding the freebsd system in the corner...
===
Stephen Walsh - VK3HEG
TCC Computers (Internet Services) http://www.tcc-comp.com.au
Ph: +61-3-53334699 Mobile: (+61)-0409-149641

From owner-freebsd-security Mon Sep 27 19:50:11 1999
From: Kris Kennaway
To: "Scott I. Remick"
Cc: security@freebsd.org, advocacy@freebsd.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Mon, 27 Sep 1999 19:50:05 -0700 (PDT)
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

On Mon, 27 Sep 1999, Scott I. Remick wrote:
> THEY (everyone but me) want MS Proxy because we're a MCSP and they want us
> to use what we're going to sell, so that we're familiar with it (the
> suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen
> on deaf ears). Of course, the fact is that no one actually spends time on
> this stuff other than me anyway, even though it's set up with the intent
> that all techs can learn from what we have installed in-house. That
> argument, too, seems to not be working. Nor the vast difference in
> hardware requirements (what would you consider the recommended hardware for
> a FreeBSD firewall gateway to a 128K ISDN link?). Cost of the actual
> software is $0 in either event, as we get to use MS software for free due
> to our MCSP status.

This is more of an advocacy question than a security one, so I've directed this reply there. Please remove -security from any further responses.
Giving management a concise (installation and projected ongoing) cost breakdown of the two solutions based on prior performance of the FreeBSD system vs. the NT one, plus supporting material like the hotmail/yahoo/BEST/etc cases, is probably a good solution. Point out that the system should be "set and forget", and if it's something which you need to keep tinkering with, then it's not a good solution. Many people have been jaded into thinking that all computers crash at least once a day, because these are the high-profile ones, so the little UNIX box which chugs over in the corner for a year without falling over is very easy to forget about.

As you mentioned, it's in the best interests of the admins to have a system which is high-maintenance, so this keeps them in a job. Management may not like having this made clear to them or being played for fools, especially if the admins have said it outright :-)

Hardware-wise, you really don't need much at all for a small organisation - an old pentium would probably handle the job just fine, and certainly the smallest new PC you can find these days would be overkill. Lots of people seem to have trouble accepting this - after all, if Intel sell Pentium III 550 chips to go in servers, that must be what you need these days for a server, right? The fact that ftp.cdrom.com is a single-CPU machine with and is the world's busiest FTP server (and is I/O limited, not CPU limited) may help your case here.

Ultimately, if they're really not listening to your expertise and you're not likely to get any additional internal support, then vote with your feet and find a more open-minded employee who isn't in the back pocket of M$.
On the other hand, you might like to wait a month or two for all the problems to develop with NT so you can see if they become more receptive :-)

I guess this is an easy position to take for companies who spend all those dollars per year getting MSCP status (disclaimer: I don't know what sort of money is involved), so they "might as well just use" the M$ software they get for free as a result, because it's "obviously better" than the other stuff they can get for free.

Good luck!

Kris

P.S. Dante (www.inet.no/dante) allegedly works well as an MS-PROXY server (as well as SOCKS5) and is under a nice BSD license, but gethostbyname() proxying doesn't work under FreeBSD last I checked, so this probably doesn't help you at all :)

From owner-freebsd-security Mon Sep 27 19:58:46 1999
From: Wes Peters
Organization: Softweyr LLC
To: Mark Newton
Cc: "Scott I. Remick" , freebsd-security@FreeBSD.ORG
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Mon, 27 Sep 1999 20:58:53 -0600
Message-ID: <37F02EED.A959E352@softweyr.com>
References: <199909280012.JAA13329@atdot.dotat.org>

Mark Newton wrote:
> 
> Scott I. Remick wrote:
> 
> > Any advice to a small-time network admin for a small (32 employees) company
> > that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> > firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> > FreeBSD/ipfw instead.
> 
> Go in after work one night and install FreeBSD. Once your firewall
> is a fait accompli, inertia will help you get your way.
> 
> [ on the other hand, if management is that dense you might want to
> "solve" the problem by changing employers - I doubt the boss'
> belligerence is confined to FreeBSD, if you see what I mean... ]

I'll second this motion. Vote with your feet. You're not likely to "enlighten" an MSCP. (Isn't that Mediocresoft Certifiable Pricks or something?)

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Mon Sep 27 20:06:31 1999
From: Richard Scranton
Reply-To: scrantr@ix.netcom.com
Organization: Computer Associates, Global Professional Services
To: "Scott I. Remick" , freebsd-security@freebsd.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Mon, 27 Sep 1999 23:04:13 -0400
Message-ID: <37F0302D.9300CB87@ix.netcom.com>
References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

To quote Bill Clinton, "I feel your pain." I work for Computer Associates Global Professional Services, and there is much of the same sentiment here. The M$ dreck is a very real source of revenue that no one wants to impair. Here, they've gone so far as to reorganize the various departments so that "Open Systems" includes Microsoft products. You can well imagine how long someone who knows better would choke on that one.

The way I've dealt with it up to now is to install the FreeBSD solution at several client sites as "an after-thought" to allow on-site developers safe and cheap access to the internet while they are working. At the conclusion of the project, the customer almost always asks that we "leave the FreeBSD proxy/firewall system in place." That establishes the particular technology as "prior art" at a customer site. The customers are delighted, and my M$-blinded coworkers are treated to periodic tirades from me about "How is it we sell this stuff and have no clue how to use it ourselves?" whenever the latest batch of bad bits from Redmond falls over. Then follows the observation that "companies XXX and ZZZ have been using one of our firewall/proxy installations for months without trouble. What are *you* doing wrong?" :) I'm very popular there. :) :)

"Scott I. Remick" wrote:
> 
> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead.
> We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).
> 
> THEY (everyone but me) want MS Proxy because we're a MCSP and they want us
> to use what we're going to sell, so that we're familiar with it (the
> suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen
> on deaf ears). Of course, the fact is that no one actually spends time on
> this stuff other than me anyway, even though it's set up with the intent
> that all techs can learn from what we have installed in-house. That
> argument, too, seems to not be working. Nor the vast difference in
> hardware requirements (what would you consider the recommended hardware for
> a FreeBSD firewall gateway to a 128K ISDN link?). Cost of the actual
> software is $0 in either event, as we get to use MS software for free due
> to our MCSP status.
> 
> I need help, as it's me against the masses and I seem to be unable to win
> them over. The best I've managed is to keep them from making the final
> decision (only reason we don't have a firewall already). I'm also faced
> with them wanting to move ALL mail services to the Exchange server (right
> now only internal Exchange mail gets handled by it, and it routes all
> internet mail through the FreeBSD box. The Exchange server itself is
> blocked from the internet at the router) as well as move our website from
> FreeBSD/Apache to NT/IIS (UGH!).
> 
> I wish there were more advocates on my side working here to back me up, but
> alas, we are small, and it's just me, and the boss is in bed with MS it
> seems. We have some networking techs who do stuff for customers, and
> they're against me because 1) MS software failures give them a daily source
> of billable hours, and 2) they resent the FreeBSD server because it makes
> them look bad, never crashing, while their NT servers need constant
> attention/reboots.
> 
> Thanks in advance.
> 
> -----------------------
> Scott I. Remick                scott@computeralt.com
> Network and Information        (802)388-7545 ext. 236
> Systems Manager                FAX:(802)388-3697
> Computer Alternatives, Inc.    http://www.computeralt.com

-- 
You can have it fast, good, and cheap. Pick any two.

From owner-freebsd-security Mon Sep 27 20:09:31 1999
From: "John Howie"
To: , "Scott I. Remick"
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Mon, 27 Sep 1999 20:15:46 -0700
Message-ID: <014201bf095f$c1c50180$fd01a8c0@pacbell.net>
References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

Scott,

Tough call. But pass this on to your boss... I reckon our company has spent weeks configuring and reconfiguring our Proxy Server since it was first installed back in February. It has failed at least twice to our knowledge and we have had to reboot the damned thing on several occasions.
You will be spending hours reconfiguring each desktop to install the client software (IEAK goes some way, but not all of the way, to helping you out) and if you run non-Microsoft OSes on the internal LAN they will not be able to access the Internet easily, if at all.

We are now moving to FreeBSD for our firewall/NAT solution. After our pains it was easy to recommend and get acceptance on, but my partners at least trust my decisions pretty much without question.

Final clincher: Microsoft are incorporating NAT functionality into RRAS for Windows 2000 Server.

If you'd like more details please feel free to contact me.

john...

BTW Common mistake: you do not necessarily get to use Microsoft products for free just because you are an MCSP. There are license restrictions that must be adhered to.

----- Original Message -----
From: Scott I. Remick
Sent: Monday, September 27, 1999 5:05 PM
Subject: Help me win the MS-Proxy/ipfw war

> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead. We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).
> 
> THEY (everyone but me) want MS Proxy because we're a MCSP and they want us
> to use what we're going to sell, so that we're familiar with it (the
> suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen
> on deaf ears). Of course, the fact is that no one actually spends time on
> this stuff other than me anyway, even though it's set up with the intent
> that all techs can learn from what we have installed in-house. That
> argument, too, seems to not be working.
> Nor the vast difference in
> hardware requirements (what would you consider the recommended hardware for
> a FreeBSD firewall gateway to a 128K ISDN link?). Cost of the actual
> software is $0 in either event, as we get to use MS software for free due
> to our MCSP status.
> 
> I need help, as it's me against the masses and I seem to be unable to win
> them over. The best I've managed is to keep them from making the final
> decision (only reason we don't have a firewall already). I'm also faced
> with them wanting to move ALL mail services to the Exchange server (right
> now only internal Exchange mail gets handled by it, and it routes all
> internet mail through the FreeBSD box. The Exchange server itself is
> blocked from the internet at the router) as well as move our website from
> FreeBSD/Apache to NT/IIS (UGH!).
> 
> I wish there were more advocates on my side working here to back me up, but
> alas, we are small, and it's just me, and the boss is in bed with MS it
> seems. We have some networking techs who do stuff for customers, and
> they're against me because 1) MS software failures give them a daily source
> of billable hours, and 2) they resent the FreeBSD server because it makes
> them look bad, never crashing, while their NT servers need constant
> attention/reboots.
> 
> Thanks in advance.
> 
> -----------------------
> Scott I. Remick                scott@computeralt.com
> Network and Information        (802)388-7545 ext. 236
> Systems Manager                FAX:(802)388-3697
> Computer Alternatives, Inc.    http://www.computeralt.com
> 

From owner-freebsd-security Mon Sep 27 20:18:08 1999
From: "John Howie"
To: "Andre Gironda" , "Scott I. Remick"
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Mon, 27 Sep 1999 20:24:33 -0700
Message-ID: <016e01bf0960$fc536f20$fd01a8c0@pacbell.net>
References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> <19990927181310.G24486@toaster.sun4c.net>

----- Original Message -----
From: Andre Gironda
To: Scott I. Remick
Sent: Monday, September 27, 1999 6:13 PM
Subject: Re: Help me win the MS-Proxy/ipfw war

> NT cannot be used in an Internet environment (or as a bastion host)
> because of the serious security implications. Netbios, IIS, and WINS
> are very insecure and unstable applications/protocols

It is possible to tighten these holes up and to make your NT system secure on the external (Internet) interface... But then you can't do remote administration using the external network interface as you need access to the NetBIOS ports (use a VPN to access the internal interface and you can).
You will spend most of your time making sure that your system is secure but always have the nagging doubt that you missed something or a new hole has been discovered.

All I can say is "God bless Microsoft", they keep me in a job securing Windows NT installations, usually by using FreeBSD :-) as a firewall.

john...

From owner-freebsd-security Mon Sep 27 21:49:35 1999
From: Nate Williams
Reply-To: nate@mt.sri.com (Nate Williams)
To: freebsd-security@FreeBSD.org
Subject: DNS Concern?
Date: Mon, 27 Sep 1999 22:49:29 -0600
Message-Id: <199909280449.WAA14300@mt.sri.com>

From my logfile (not modified to protect the innocent..)
----------------------------------------------
Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) All possible A RR's lame
Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) All possible A RR's lame
----------------------------------------------

Is this anything to be concerned about?
Nate

From owner-freebsd-security Mon Sep 27 22:34:16 1999
From: Matthew Dillon
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DNS Concern?
Date: Mon, 27 Sep 1999 22:34:12 -0700 (PDT)
Message-Id: <199909280534.WAA86235@apollo.backplane.com>
References: <199909280449.WAA14300@mt.sri.com>

:>From my logfile (not modified to protect the innocent..)
:----------------------------------------------
:Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
:Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) All possible A RR's lame
:Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
:Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) All possible A RR's lame
:----------------------------------------------
:
:
:Is this anything to be concerned about?
:
:
:Nate

No. 216.181.127.2 is listed as a NS record by hackerz.org's two DNS sites. hackerz.org must have screwed something up, which doesn't surprise me at all. Their NIC listed NS records do not match their zone-listed NS records. While this isn't illegal (NIC listed NS records are used like a bootstrap), my opinion from reading their zone is that they are somewhat confused.
In any case, it means that your machine is fine: it's using information gotten from the right place rather than information spoofed into your DNS cache. Your log entry simply indicates that 216.181.127.2 was not returning authoritative information on the zone on that day, yet was listed as an NS record (i.e. sites which must return authoritative data). It looks like they fixed whatever the problem was; 216.181.127.2 is now returning authoritative information.

I find the reverse lookup for 216.181.127.2 to be highly amusing:

apollo:/home/dillon> nslookup 216.181.127.2
Server:  apollo.backplane.com
Address:  216.240.41.2

Name:    theinternicsucksshit.com
Address:  216.181.127.2

heh heh. There is no forward lookup for theinternicsucksshit.com, which may also be causing a problem.

-Matt
Matthew Dillon

From owner-freebsd-security Tue Sep 28 00:09:27 1999
From: "Rodney W. Grimes"
To: cjclark@home.com
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG
Subject: Re: dump(8) Insecurity/Misconfiguration
Date: Tue, 28 Sep 1999 00:07:14 -0700 (PDT)
Message-Id: <199909280707.AAA14136@gndrsh.dnsmgr.net>
In-Reply-To: <199909272154.RAA92701@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Sep 27, 1999 05:54:21 pm"

> Rodney W. Grimes wrote,
> > ...
> > > "Companies are permitted to use this program as long as it is not used for
> > > revenue-generating purposes. For example, an Internet service provider is
> > > allowed to install this program on their systems and permit clients to use
> > > SSH to connect; however, actively distributing SSH to clients for the
> > > purpose of providing added value requires separate licensing. Similarly,
> > > a consultant may freely install this software on a client's machine for
> > > his own use, but if he/she sells the client a system that uses SSH as a
> > > component, a separate license is required."
> > >
> > > I'm no lawyer, but it seems like using SSH for helping with dumps
> > > would fall well within this license since backing up files does not
> > > really generate much revenue for us.
> >
> > I'm not a lawyer either, but I'll play the advocate here and show
> > you why you are at risk. First, you used the word ``much'' in the
> > above sentence. _Any_ is _some_ and is _not_ none, henceforth you
> > violate ``not used for ...''.
>
> I forgot the Smiley. I meant 'much' sarcastically, as in, doing
> backups generates no revenue. In fact, it costs us money.

I think you need to examine your business financial/risk model again. Backup systems have a calculable ROI, if they didn't you wouldn't need one at all.... if you need someone to show you how to calculate this ROI contact me off list.
A Return On Investment is revenue by definition, henceforth backup systems are ``revenue generating'' (Note the missing hyphen in that).

> > Second, since backups are a critical
> > piece of keeping your business operating, and your business, hopefully
> > at least, generates revenue you would be in violation of ``revenue-generating
> > purposes'', though it would be indirectly.
>
> But it gives the specific example of an ISP using SSH to _service_
> customers, which is something that does generate revenue. Once you
> consider their example of what is acceptable use, it seems quite clear
> to me that our use is many steps farther away from revenue generating
> and therefore would be permitted.

I am having a hard time reading that into what it says. ``and permit clients to use SSH to connect'' is probably what you are trying to use as a basis for this extrapolation. The problem is it is just an example, a poor thing to do in a ``license agreement''. You really have to look through a Black's Legal dictionary and try to find as many things as you can in the sentence before it and figure out just what is and is not ``revenue-generating'', unless you are doing exactly what the example is.

>
> As for the other comment someone made about RSA, their license is
> basically the same. It prohibits commercial use for "revenue
> generating," but otherwise permitted.

Again, you need a good definition of ``revenue generating'' in this context, a lawyer can write one for you for <$100.00 :-). Or you could call/email the licensor with a more specific example and see what they have to say about it.

The second example in the paragraph at the top of this message starting ``a consultant may freely install this software on a client's'' is an even worse example than the first from a legal perspective. First, ``contractors'' rarely sell ``systems'', they sell consulting, which is a service, systems are not a service, henceforth the example is poorly defined.
It also fails to address the people who do sell systems, which are normally businesses in their various forms. So though I can install SSH and use it freely as a contractor on a client's machine, the example does not allow us as ``Accurate Automation, Inc.'' to install it on a _customer's_ machine for our ``own use''.

Is anyone starting to catch the drift here... this is a really badly written license, open to wide and varied interpretations due to what appears to be lack of complete contract law knowledge by the author, or purposefully written in a poor manner to allow wide legal opinion and interpretation as to just what it says.

(From certain sources I have heard that the GNU GPL was specifically written to be vague, poorly defined and ambiguous in many areas by very crafty lawyers, making it hard for people like me who pay lawyers to tell them what it means to get a real clear answer on certain questions.)

> Thanks to everyone for all of your information and opinions on this.

You're welcome, and as always the non-standard disclaimer, I am not a lawyer, I am a businessman who spends money for real legal advice, might I suggest you do the same.

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Sep 28 00:31:43 1999
From: "Rodney W. Grimes"
To: scott@computeralt.com (Scott I. Remick)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help me win the MS-Proxy/ipfw war
Date: Tue, 28 Sep 1999 00:31:24 -0700 (PDT)
Message-Id: <199909280731.AAA14183@gndrsh.dnsmgr.net>
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> from "Scott I. Remick" at "Sep 27, 1999 08:05:24 pm"

> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead. We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).
...

Do what some companies' lower management/techies do when they want to do something different than upper/middle management: bring in an outside expert in the field that can wave his magic hands around in the air, explaining and detailing the advantages and disadvantages of each type of solution in a way that PHB can understand. Often an outside expert opinion that is not biased, or at least does not appear to be biased, is the best way to settle one of these arguments. If they balk at that idea, point again at the fact that they should really practice what they preach, and if they are an MCSP they do plenty of ``outside consulting'' for their customer base!

It may even end up convincing the PHB that FreeBSD/ipfw is what should be preached to customers, and forgo the revenue generating stream that NT/MS-Proxy service calls brings them in favor of not having to worry about a lawsuit when the damn thing doesn't do the job and some customer decides it was your company's fault. [I'd make sure my product liability insurance coverage was up to snuff before selling any copies of NT/MS-Proxy to anyone...]

...
> hardware requirements (what would you consider the recommended hardware for > a FreeBSD firewall gateway to a 128K ISDN link?). Ahhhh.. not much, depends on rule set length and complexity, we are running a 322 rule set on a FreeBSD based 128K ISDN to 100BaseTX router running full BGP4 dual view routing tables on a P100/32MB memory/300MB disk. You can cut the memory to 16MB if you forgo the BGP. We have also run Multi-link PPP over Bonding mode 1 (256Kb/s) with the same hardware and software configuration. > Cost of the actual > software is $0 in either event, as we get to use MS software for free due > to our MCSP status. But when you sell it to your client this is no longer $0 cost to you, and especially not to your client. Your revenue model could be higher for the FreeBSD/ipfw solution due to your $0 cost and the competing products high MSRP. > I need help, as it's me against the masses and I seem to be unable to win > them over. The best I've managed is to keep them from making the final > decision (only reason we don't have a firewall already). I'm also faced > with them wanting to move ALL mail services to the Exchange server (right > now only internal Exchange mail gets handled by it, and it routes all > Internet mail through the FreeBSD box. The Exchange server itself is > blocked from the Internet at the router) as well as move our website from > FreeBSD/Apache to NT/IIS (UGH!). Let them do it, keep your FreeBSD box up to date and ready to take over this task on a moments notice. When it blows up in their face, bail them out and be the hero. If the NET/IIS doesn't fail, well, you have some pretty good NT folks in house is about all I can say! > I wish there were more advocates on my side working here to back me up, but > alas, we are small, and it's just me, and the boss is in bed with MS it > seems. 
We have some networking techs who do stuff for customers, and > they're against me because 1) MS software failures give them a daily source > of billable hours, and 2) they resent the FreeBSD server because it makes > them look bad, never crashing, while their NT servers need constant > attention/reboots. That paragraph makes me want to ask just how attached to this job are you? There are lots of job openings for skilled Unix admin who know how to make this new found ``open source'' software work for all sorts of companies. -- Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 4:26:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 9B43D14DDC for ; Tue, 28 Sep 1999 04:26:14 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id NAA04002; Tue, 28 Sep 1999 13:26:08 +0200 (CEST) (envelope-from des) To: "Scott I. Remick" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> From: Dag-Erling Smorgrav Date: 28 Sep 1999 13:26:08 +0200 In-Reply-To: "Scott I. Remick"'s message of "Mon, 27 Sep 1999 20:05:24 -0400" Message-ID: Lines: 14 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Scott I. Remick" writes: > (what would you consider the recommended hardware for > a FreeBSD firewall gateway to a 128K ISDN link?). P90 with 32 MB RAM, an 800 MB disk, a high-speed RS232 port and an NE2000 network adapter. Of course, that kind of stuff is so obsolete (thank you, Microsoft) that you'd have a hard time getting your hands on it, so go for a Celeron 350 or something. 
DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 7: 2:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from trooper.velocet.ca (trooper.velocet.net [216.126.82.226]) by hub.freebsd.org (Postfix) with ESMTP id BE94A14F68 for ; Tue, 28 Sep 1999 07:02:06 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca) Received: (from dgilbert@localhost) by trooper.velocet.ca (8.9.3/8.9.3) id KAA65168; Tue, 28 Sep 1999 10:01:46 -0400 (EDT) (envelope-from dgilbert) From: David Gilbert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14320.51785.809392.455054@trooper.velocet.ca> Date: Tue, 28 Sep 1999 10:01:45 -0400 (EDT) To: scott@computeralt.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: References: X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I wish majordomo correctly formatted digests, but here's my reply anyways... It would be cool if between the various OS communities we organized a free 'tiger team' to hack on cases like this --- with the purpose of helping sysadmins prove NT not capable outside the internal environment such that they could then deploy an OSS. Dave. -- ============================================================================ |David Gilbert, Velocet Communications. | Two things can only be | |Mail: dgilbert@velocet.net | equal if and only if they | |http://www.velocet.net/~dgilbert | are precisely opposite. 
| =========================================================GLO================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 8:44:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id EF4F01536D for ; Tue, 28 Sep 1999 08:44:43 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA14375; Tue, 28 Sep 1999 11:44:35 -0400 (EDT) (envelope-from wollman) Date: Tue, 28 Sep 1999 11:44:35 -0400 (EDT) From: Garrett Wollman Message-Id: <199909281544.LAA14375@khavrinen.lcs.mit.edu> To: "Rodney W. Grimes" Cc: freebsd-security@FreeBSD.ORG Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909280707.AAA14136@gndrsh.dnsmgr.net> References: <199909272154.RAA92701@cc942873-a.ewndsr1.nj.home.com> <199909280707.AAA14136@gndrsh.dnsmgr.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Is anyone starting to catch the drift here... this is a really badly > written license, open to wide and varied interpretations due to what > appears to be lack of complete contract law knowledge by the author, Keep in mind that the author comes from a totally different legal system than ours. It is entirely possible that the SSH license is totally clear and unambiguous when translated into the original Finnish.... -GAWollman -- Garrett A. 
Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 9:49:51 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 608) id C20A415779; Tue, 28 Sep 1999 09:49:38 -0700 (PDT) From: "Jonathan M. Bresler" To: andre@sun4c.net Cc: scott@computeralt.com, freebsd-security@freebsd.org In-reply-to: <19990927181310.G24486@toaster.sun4c.net> (message from Andre Gironda on Mon, 27 Sep 1999 18:13:10 -0700) Subject: Re: Help me win the MS-Proxy/ipfw war Message-Id: <19990928164938.C20A415779@hub.freebsd.org> Date: Tue, 28 Sep 1999 09:49:38 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > So, tell them that they can use MS-Proxy as long as you buy a $14k > PIX and block all incoming connections (especially to Netbios and IIS). > Present that as Option 1. Option 2 could be FreeBSD with ipfw. You > can put other options in there as well. Present it as a paper for > immediate review. If they don't understand, then your paper will > cleary state and document that fact -- so when you do get attacked > (and believe me, you will get attacked), you have some sort of paper > trail and migration plan. if they still cant understand, buy the PIX, remove the flash-style harddisk card, put the picoBSD version of FreeBSD on a floppy and use ipfw. 
using it here that way ;) jmb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 13:55:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123]) by hub.freebsd.org (Postfix) with ESMTP id B1E8515052 for ; Tue, 28 Sep 1999 13:55:38 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.9.3/ignatz) with ESMTP id NAA64466; Tue, 28 Sep 1999 13:55:05 -0700 (PDT) Date: Tue, 28 Sep 1999 13:55:05 -0700 (PDT) From: "f.johan.beisser" To: Dag-Erling Smorgrav Cc: "Scott I. Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org i've been using a p90, 16mb of ram quite successfully. no HD, it's a slightly customised version of picobsd, running from an ordinary floppy. pretty cool, actually. and really cheap. you could offer this up for someones home LAN.. well, i would, at least. -- jan On 28 Sep 1999, Dag-Erling Smorgrav wrote: > "Scott I. Remick" writes: > > (what would you consider the recommended hardware for > > a FreeBSD firewall gateway to a 128K ISDN link?). > > P90 with 32 MB RAM, an 800 MB disk, a high-speed RS232 port and an > NE2000 network adapter. > > Of course, that kind of stuff is so obsolete (thank you, Microsoft) > that you'd have a hard time getting your hands on it, so go for a > Celeron 350 or something. 
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 14:56:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3B72914EF5 for ; Tue, 28 Sep 1999 14:56:07 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id XAA05731; Tue, 28 Sep 1999 23:56:02 +0200 (CEST) (envelope-from des) To: "f.johan.beisser" Cc: Dag-Erling Smorgrav , "Scott I. Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war References: From: Dag-Erling Smorgrav Date: 28 Sep 1999 23:56:01 +0200 In-Reply-To: "f.johan.beisser"'s message of "Tue, 28 Sep 1999 13:55:05 -0700 (PDT)" Message-ID: Lines: 11 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "f.johan.beisser" writes: > i've been using a p90, 16mb of ram quite successfully. no HD, it's > a slightly customised version of picobsd, running from an ordinary floppy. I wouldn't run a diskless firewall unless I had provisions for remote logging. And in any case, disks are so cheap nowadays - the added flexibility is well worth the added cost. 
DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 15:30:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123]) by hub.freebsd.org (Postfix) with ESMTP id DDAC014FF1 for ; Tue, 28 Sep 1999 15:30:08 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.9.3/ignatz) with ESMTP id PAA64620; Tue, 28 Sep 1999 15:29:51 -0700 (PDT) Date: Tue, 28 Sep 1999 15:29:51 -0700 (PDT) From: "f.johan.beisser" To: Dag-Erling Smorgrav Cc: "Scott I. Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org funny that.. the software provides a syslogd, and it can be configured for off machine logging (and, yes, it can run it through a serial port to a machine too..).. right now, though, my only complaint is that there isn't a picobsd ssh client that'll fit on the floppy aswell. give it time though, and i think someone with the programming expertise to do this, will.. the design for this is more oriented for home use, on your DSL link. it would sit between the DSL router and your LAN. this rather flexible, and yes, if you really wanted to have the disk, you could do it that way too. the kernel can support a HD/cdrom. i've just chosen to remove that part, because all i really want is a simple, diskless, low cost FW/NAT box. logging can take place on a loghost, behind the firewall. -- jan On 28 Sep 1999, Dag-Erling Smorgrav wrote: > "f.johan.beisser" writes: > > i've been using a p90, 16mb of ram quite successfully. no HD, it's > > a slightly customised version of picobsd, running from an ordinary floppy. 
> > I wouldn't run a diskless firewall unless I had provisions for remote > logging. And in any case, disks are so cheap nowadays - the added > flexibility is well worth the added cost. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 16:20:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 3696314FA5 for ; Tue, 28 Sep 1999 16:20:41 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40321>; Wed, 29 Sep 1999 09:17:38 +1000 Content-return: prohibited Date: Wed, 29 Sep 1999 09:20:31 +1000 From: Peter Jeremy Subject: Re: Help me win the MS-Proxy/ipfw war In-reply-to: To: "f.johan.beisser" Cc: freebsd-security@FreeBSD.ORG Reply-To: peter.jeremy@alcatel.com.au Message-Id: <99Sep29.091738est.40321@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0pre3i Content-type: text/plain; charset=us-ascii References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Sep 29, 1999 at 08:29:51AM +1000, f.johan.beisser wrote: >funny that.. the software provides a syslogd, and it can be configured for >off machine logging (and, yes, it can run it through a serial port to a >machine too..).. There are still assorted DOS problems with syslod. >right now, though, my only complaint is that there isn't a picobsd ssh >client that'll fit on the floppy aswell. One problem is that ssh is `export-controlled' (under whichever set of regulations apply today) and isn't part of the standard FreeBSD system. That said, I had no real difficultly in adding the ssh _server_ to a custom PicoBSD floppy. I'm not sure why you'd want want the client, but I'm sure that would fit as well. 
Peter -- Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au Alcatel Australia Limited 41 Mandible St Phone: +61 2 9690 5019 ALEXANDRIA NSW 2015 Fax: +61 2 9690 5982 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 18: 0:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from phluffy.fks.bt (mail.amc-inc.com [156.46.122.130]) by hub.freebsd.org (Postfix) with ESMTP id B0AD315838 for ; Tue, 28 Sep 1999 18:00:17 -0700 (PDT) (envelope-from myke@ees.com) Received: from localhost (myke@localhost) by phluffy.fks.bt (8.8.8/8.8.8) with ESMTP id MAA00721; Tue, 28 Sep 1999 12:45:13 -0500 (CDT) (envelope-from myke@ees.com) X-Authentication-Warning: phluffy.fks.bt: myke owned process doing -bs Date: Tue, 28 Sep 1999 12:45:12 -0500 (CDT) From: Mike Holling X-Sender: myke@phluffy.fks.bt To: Dag-Erling Smorgrav Cc: "f.johan.beisser" , "Scott I. Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I wouldn't run a diskless firewall unless I had provisions for remote > logging. And in any case, disks are so cheap nowadays - the added > flexibility is well worth the added cost. I sell PicoBSD-based NAT systems for mostly home/SOHO DSL/cablemodem users. The benefit of no hard drive is there's no hard drive to fail, and even the floppy only has to work at boot time. Makes the units much quieter too. 
- Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 18:57:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123]) by hub.freebsd.org (Postfix) with ESMTP id 251A414DDD for ; Tue, 28 Sep 1999 18:57:34 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.9.3/ignatz) with ESMTP id SAA64942; Tue, 28 Sep 1999 18:57:16 -0700 (PDT) Date: Tue, 28 Sep 1999 18:57:15 -0700 (PDT) From: "f.johan.beisser" To: peter.jeremy@alcatel.com.au Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: <99Sep29.091741est.40322@border.alcanet.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 29 Sep 1999, Peter Jeremy wrote: > One problem is that ssh is `export-controlled' (under whichever set of > regulations apply today) and isn't part of the standard FreeBSD system. > > That said, I had no real difficultly in adding the ssh _server_ to a > custom PicoBSD floppy. I'm not sure why you'd want want the client, > but I'm sure that would fit as well. WHOOOPS! thanks for catching that. i ment the server side. although, i have to admit having the client on there would be handy for creating secured tunnels to other networks aswell. 
-- jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 19:15:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail-gw.pacbell.net (mail-gw.pacbell.net [206.13.28.25]) by hub.freebsd.org (Postfix) with ESMTP id 077ED15880 for ; Tue, 28 Sep 1999 19:15:23 -0700 (PDT) (envelope-from madscientist@thegrid.net) Received: from remus (adsl-63-193-246-169.dsl.snfc21.pacbell.net [63.193.246.169]) by mail-gw.pacbell.net (8.9.3/8.9.3) with SMTP id TAA21655 for ; Tue, 28 Sep 1999 19:15:23 -0700 (PDT) Message-Id: <4.1.19990928190928.0097cf00@mail.thegrid.net> X-Sender: i289861@mail.thegrid.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 28 Sep 1999 19:15:46 -0700 To: freebsd-security@freebsd.org From: The Mad Scientist Subject: Syslog over serial (Was: Re: Help me win the MS-Proxy/ipfw war) In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 03:29 PM 9/28/99 -0700, you wrote: > >funny that.. the software provides a syslogd, and it can be configured for >off machine logging (and, yes, it can run it through a serial port to a >machine too..).. I've always seen this as the "recommended" way to do things. How do you set logging over serial lines up? Do I log to something like /dev/cuaa1? What do i set up on the other side? 
TIA, Dean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 20:55:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 15E2514C7F for ; Tue, 28 Sep 1999 20:55:34 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id XAA96944; Tue, 28 Sep 1999 23:58:01 -0400 (EDT) (envelope-from cjc) From: "Crist J. Clark" Message-Id: <199909290358.XAA96944@cc942873-a.ewndsr1.nj.home.com> Subject: Re: dump(8) Insecurity/Misconfiguration In-Reply-To: <199909280707.AAA14136@gndrsh.dnsmgr.net> from "Rodney W. Grimes" at "Sep 28, 1999 00:07:14 am" To: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes) Date: Tue, 28 Sep 1999 23:58:01 -0400 (EDT) Cc: cjclark@home.com, Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG Reply-To: cjclark@home.com X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [My last post on this. I promise.] Rodney W. Grimes wrote, > > Rodney W. Grimes wrote, > > > ... > > > > "Companies are permitted to use this program as long as it is not used for > > > > revenue-generating purposes. For example, an Internet service provider is > > > > allowed to install this program on their systems and permit clients to use > > > > SSH to connect; however, actively distributing SSH to clients for the > > > > purpose of providing added value requires separate licensing. 
Similarly, > > > > a consultant may freely install this software on a client's machine for > > > > his own use, but if he/she sells the client a system that uses SSH as a > > > > component, a separate license is required." > > > > > > > > I'm no lawyer, but it seems like using SSH for helping with dumps > > > > would fall well within this license since backing up files does not > > > > really generate much revenue for us. > > > > > > I'm not a lawyer either, but I'll play the advocate here and show > > > you why you are at risk. First, you used the word ``much'' in the > > > above sentence. _Any_ is _some_ and is _not_ none, henceforth you > > > violate ``not used for ...''. > > > > I forgot the Smiley. I meant 'much' sarcastically, as in, doing > > backups generates no revenue. In fact, it costs us money. > > I think you need to examine your business financial/risk model again. > Backup systems have a calculable ROI, if they didn't you wouldn't need > one at all.... if you need someone to show you how to calculate this > ROI contact me off list. A Return On Investment is revenue by definition, > hence forth backup systems are ``revenue generating'' (Note the missing > hyphen in that). Wow, backing up systems generates revenue. Amazing, I think I'm going to quit my job at work and just sit at home repeatedly backing up my HDD and watch the revenue roll in. Last time I looked at how accountants define 'revenue' it was simply gross income. Doing backups does not generate income. Sure, it can prevent some loss of income, and in some economic perspectives, avoiding a loss is just like making gain (a penny saved is a penny earned). But on the accountant's ledger, which is where 'revenue' has a real-life meaning, they are definately not the same. Backups cost money, they do not generate revenue. To use an analogy that you brought up in another post, doing backups is like buying insurance... 
and I don't see how anyone can argue that paying for insurance is a revenue generating activity. It is a cost. It is a cost that reduces risk of incuring losses, but it is a cost. -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 28 22:40: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a1-3a123.neo.rr.com [24.93.180.123]) by hub.freebsd.org (Postfix) with ESMTP id CFF6D14D68 for ; Tue, 28 Sep 1999 22:39:59 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id BAA01663; Wed, 29 Sep 1999 01:39:46 -0400 Date: Wed, 29 Sep 1999 01:39:45 -0400 (EDT) From: Mike Nowlin To: "Scott I. Remick" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Any advice to a small-time network admin for a small (32 employees) company > that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a > Scott I. Remick scott@computeralt.com > Network and Information (802)388-7545 ext. 236 > Systems Manager FAX:(802)388-3697 > Computer Alternatives, Inc. http://www.computeralt.com > I'd suggest to them that if they stick with this way of thinking, that they change the name of the company... 
mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 0:36:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 1969914BFD for ; Wed, 29 Sep 1999 00:36:03 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id CAA16167; Wed, 29 Sep 1999 02:36:01 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-248.tnt1.rac.cyberlynk.net(209.224.182.248) by peak.mountin.net via smap (V1.3) id sma016165; Wed Sep 29 02:35:51 1999 Message-Id: <3.0.3.32.19990929023302.020cf670@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 29 Sep 1999 02:33:02 -0500 To: cjclark@home.com From: "Jeffrey J. Mountin" Subject: Re: dump(8) Insecurity/Misconfiguration Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <199909290358.XAA96944@cc942873-a.ewndsr1.nj.home.com> References: <199909280707.AAA14136@gndrsh.dnsmgr.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:58 PM 9/28/99 -0400, Crist J. Clark wrote: >[My last post on this. I promise.] 8-) >Wow, backing up systems generates revenue. Amazing, I think I'm going >to quit my job at work and just sit at home repeatedly backing up my >HDD and watch the revenue roll in. >Last time I looked at how accountants define 'revenue' it was simply >gross income. Doing backups does not generate income. Sure, it can >prevent some loss of income, and in some economic perspectives, >avoiding a loss is just like making gain (a penny saved is a penny >earned). But on the accountant's ledger, which is where 'revenue' >has a real-life meaning, they are definately not the same. 
Backups >cost money, they do not generate revenue. The be serious, this is very much a grey area. In the same light as using ssh to secure a remote back, say an ISP offers telnet as well as ftp to a commericial web server. Let's say that they are included in the service. One could argue that if no extra charge is made for opting to SSH over telnet, then no revenue is generated for that service, per se. >To use an analogy that you brought up in another post, doing backups >is like buying insurance... and I don't see how anyone can argue that >paying for insurance is a revenue generating activity. It is a >cost. It is a cost that reduces risk of incuring losses, but it is a >cost. Every server I build has SSH, but that is for my use. My logic dictates that since I am connecting to their server and they are paying me at such times, then it most certainly isn't a "revenue generating" use. Just the opposite in fact. Should they make use of it internally it is suggested that they purchase a license. If their clients use it, then it becomes more of a would be a good idea and in a way provides them insurance or in cases where they have a legal department a bit of extra work. Last comment in on the difference between the English and Finnish legal docs. Is there a difference? If you don't speak the language.... 
Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve '86 Yamaha MaxiumX (not FBSD powered) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 3: 7:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.dtt.co.za (mail.dtt.co.za [196.34.84.70]) by hub.freebsd.org (Postfix) with ESMTP id E87391510E for ; Wed, 29 Sep 1999 03:07:12 -0700 (PDT) (envelope-from ROpperma@dtt.co.za) Received: from ccMail by mailgate.dtt.co.za (IMA Internet Exchange 3.13) id 000F7337; Wed, 29 Sep 1999 11:58:06 +0200 Mime-Version: 1.0 Date: Wed, 29 Sep 1999 11:56:56 +0200 Message-ID: <000F7337.C21325@dtt.co.za> From: ROpperma@dtt.co.za (Rudi Opperman) To: Mike Holling Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: Help me win the MS-Proxy/ipfw war Content-Type: multipart/mixed; boundary="IMA.Boundary.6809958390" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --IMA.Boundary.6809958390 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Hi A little bit off topic but... I understand the benefits of diskless operations - but are floppies/stiffies such a good idea? Isn't their mtf worse than hdd? Would booting off some other type of media (zip /cd / 120mbfloppy), configured readonly, be better? bye rudi > I wouldn't run a diskless firewall unless I had provisions for remote > logging. And in any case, disks are so cheap nowadays - the added > flexibility is well worth the added cost. I sell PicoBSD-based NAT systems for mostly home/SOHO DSL/cablemodem users. The benefit of no hard drive is there's no hard drive to fail, and even the floppy only has to work at boot time. Makes the units much quieter too. 
- Mike --IMA.Boundary.6809958390 Content-Type: text/plain; charset="US-ASCII"; name="RFC822 message headers" Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Content-Disposition: inline; filename="RFC822 message headers" Received: from internat.freebsd.org ([146.64.8.4]) by mailgate.dtt.co.za with SMTP (IMA Internet Exchange 3.13) id 000F65D8; Wed, 29 Sep 1999 02:57:53 +0200 Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) by internat.freebsd.org (8.9.3/8.9.3) with ESMTP id DAA13697; Wed, 29 Sep 1999 03:01:20 +0200 (SAST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: by hub.freebsd.org (Postfix, from userid 538) id EAD0C1582B; Tue, 28 Sep 1999 18:00:29 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with SMTP id ADF291CD474; Tue, 28 Sep 1999 18:00:29 -0700 (PDT) (envelope-from owner-freebsd-security) Received: by hub.freebsd.org (bulk_mailer v1.12); Tue, 28 Sep 1999 18:00:29 -0700 Delivered-To: freebsd-security@freebsd.org Received: from phluffy.fks.bt (mail.amc-inc.com [156.46.122.130]) by hub.freebsd.org (Postfix) with ESMTP id B0AD315838 for ; Tue, 28 Sep 1999 18:00:17 -0700 (PDT) (envelope-from myke@ees.com) Received: from localhost (myke@localhost) by phluffy.fks.bt (8.8.8/8.8.8) with ESMTP id MAA00721; Tue, 28 Sep 1999 12:45:13 -0500 (CDT) (envelope-from myke@ees.com) X-Authentication-Warning: phluffy.fks.bt: myke owned process doing -bs Date: Tue, 28 Sep 1999 12:45:12 -0500 (CDT) From: Mike Holling X-Sender: myke@phluffy.fks.bt To: Dag-Erling Smorgrav Cc: "f.johan.beisser" , "Scott I. 
Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk --IMA.Boundary.6809958390-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 6:31:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from atdot.dotat.org (atdot.dotat.org [150.101.89.3]) by hub.freebsd.org (Postfix) with ESMTP id 71EAE14CE9 for ; Wed, 29 Sep 1999 06:30:11 -0700 (PDT) (envelope-from newton@atdot.dotat.org) Received: (from newton@localhost) by atdot.dotat.org (8.9.3/8.7) id WAA22821; Wed, 29 Sep 1999 22:56:54 +0930 (CST) From: Mark Newton Message-Id: <199909291326.WAA22821@atdot.dotat.org> Subject: Re: Help me win the MS-Proxy/ipfw war To: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes) Date: Wed, 29 Sep 1999 22:56:54 +0930 (CST) Cc: scott@computeralt.com, freebsd-security@FreeBSD.ORG In-Reply-To: <199909280731.AAA14183@gndrsh.dnsmgr.net> from "Rodney W. Grimes" at Sep 28, 99 00:31:24 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Rodney W. Grimes wrote: [ outside consultancy ] > It may even end up convincing the PHB that FreeBSD/ipfw is what should > be preached to customers, and forgo the revenue generating stream that > NT/MS-Proxy service calls brings them in favor of not having to worry > about a law suite when the damn thing doesn't due the job and some customer > decides it was your companies fault. Well, yeah. I'm often left wondering why companies that sell IT services don't use open-source solutions for things like firewalls. 
Consider what happens when you install an MS-based firewall solution: You quote a price which is twice as high as it should be to install software which won't work (and which will thereby give you a bad reputation), and most of the revenue you get from doing the work will go back to MS in license fees for the exorbitantly expensive software you end up installing to do the job. On the other hand, you can install a FreeBSD box with ipfilter/ipfw, charge half the amount, spend half the time setting it up, never worry about whether it's going to spontaneously stop working, and keep all of the cash for yourself. I'm astonished that this stuff isn't obvious to MSCE types; Then again, if they were of the kind of mindset that found things like this obvious they wouldn't have set out to get MSCE status in the first place... - mark -------------------------------------------------------------------- I tried an internal modem, newton@atdot.dotat.org but it hurt when I walked. Mark Newton ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 6:53:24 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 6325F15056 for ; Wed, 29 Sep 1999 06:53:16 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA24478 for ; Wed, 29 Sep 1999 06:53:16 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda24476; Wed Sep 29 06:52:57 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id GAA31310 for ; Wed, 29 Sep 1999 06:52:55 -0700 (PDT) Message-Id: <199909291352.GAA31310@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming 
to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdJ31306; Wed Sep 29 06:52:25 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: freebsd-security@freebsd.org Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 29 Sep 1999 06:52:24 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is also "vulnerable" to bind(2) following symlinks during UNIX Domain Socket creation. My question is: Is this an application bug, e.g. not checking for a symlink prior to creating the socket, or would this be an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX Domain Sockets?

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Sun/DEC Team, UNIX Group       Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

------- Forwarded Message [Some header lines deleted]
Date: Mon, 27 Sep 1999 11:35:44 -0400
Reply-To: Dan Astoorian
Sender: Bugtraq List
From: Dan Astoorian
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
X-To: Marc SPARC
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Thu, 23 Sep 1999 22:53:16 EDT." <37EAE79C.AB730A71@mucom.co.il>
Resent-To: cy
Resent-Date: Mon, 27 Sep 1999 13:19:02 -0700
Resent-From: Cy Schubert

I'm surprised that nothing further has been reported to Bugtraq about this, but the problem appears to be that under Linux, a bind() to a Unix-domain socket will follow a dangling symlink, whereas most other Unixes appear to return an EADDRINUSE error.

I leave it to the standards lawyers to determine whether the failing is in the operating system for allowing the bind() to succeed, or in SSH for not testing whether the link exists. My vote goes to the OS being at fault, since it's easy enough for it to avoid following the link (and no real practical reason why it *should* follow the link).

A trivial demo program that demonstrates the problem is attached. (It needs no special privileges; run it as an unprivileged user in any writable directory.) The program reports "okay" under Solaris 2.5.1 and IRIX 6.5.2, "vulnerable" under RedHat 6.

People shouldn't think that it's better to have       Dan Astoorian
loved and lost than never loved at all.  It's         Sysadmin, CS Lab
not, it's better to have loved and won.  All          djast@cs.toronto.edu
the other options really suck.    --Dan Redican

    /* Header names were lost in the archived copy; these are the ones the
     * program needs to compile. */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/un.h>
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define FPATH "./bindlinktest"      /* dangling target of the symlink */
    #define LPATH "./bindlinktest0"     /* the symlink bind() is pointed at */

    int main(int argc, char **argv)
    {
        int fd;
        struct sockaddr_un sunaddr;

        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0) {
            perror("socket");
            exit(1);
        }
        unlink(FPATH);                  /* make sure the target does not exist */
        if (symlink(FPATH, LPATH) < 0) {
            perror("symlink");
            exit(1);
        }
        memset(&sunaddr, 0, sizeof(sunaddr));
        sunaddr.sun_family = AF_UNIX;
        strncpy(sunaddr.sun_path, LPATH, sizeof(sunaddr.sun_path));
        if (bind(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
            if (errno == EADDRINUSE) {
                printf("bind() returned EADDRINUSE; this system appears to be okay.\n");
            } else {
                perror("bind");
            }
        } else {
            printf("bind() succeeded; this system appears to be vulnerable.\n");
        }
        close(fd);                      /* the posted copy lacked this semicolon */
        unlink(FPATH);
        unlink(LPATH);
        exit(0);
    }

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 29 6:56:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.program-products.co.uk
(samson.program-products.co.uk [212.240.242.226]) by hub.freebsd.org (Postfix) with ESMTP id 9DD4E15056 for ; Wed, 29 Sep 1999 06:56:18 -0700 (PDT) (envelope-from terry@program-products.co.uk) Received: by mailgate.program-products.co.uk via smap (V2.1) id xma048300; Wed, 29 Sep 99 14:56:15 +0100 To: freebsd-security@freebsd.org Subject: Re: Help me win the MS-Proxy/ipfw war References: <99Sep29.091738est.40321@border.alcanet.com.au> From: Terry Glanfield Date: 29 Sep 1999 14:56:09 +0100 In-Reply-To: jeremyp@gsmx07.alcatel.com.au's message of "29 Sep 1999 00:21:58 +0100" Message-Id: Lines: 14 X-Mailer: Gnus v5.6.44/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

jeremyp@gsmx07.alcatel.com.au (Peter Jeremy) writes:

> That said, I had no real difficulty in adding the ssh _server_ to a
> custom PicoBSD floppy. I'm not sure why you'd want the client,
> but I'm sure that would fit as well.

I have the server running quite happily on my picobsd router. Just add a few lines to crunch.conf:

    progs sshd
    special sshd srcdir /usr/src/local/ports/ssh/work/ssh-1.2.26
    special sshd objs sshd.o auth-rhosts.o auth-passwd.o ...

Terry.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 6:59:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id 6C6C015056 for ; Wed, 29 Sep 1999 06:59:12 -0700 (PDT) (envelope-from dscheidt@enteract.com) Received: (qmail 6099 invoked from network); 29 Sep 1999 13:59:11 -0000 Received: from shell-3.enteract.com (dscheidt@207.229.143.42) by pop3-3.enteract.com with SMTP; 29 Sep 1999 13:59:11 -0000 Date: Wed, 29 Sep 1999 08:59:11 -0500 (CDT) From: David Scheidt To: Rudi Opperman Cc: Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: Re[2]: Help me win the MS-Proxy/ipfw war In-Reply-To: <000F7337.C21325@dtt.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 29 Sep 1999, Rudi Opperman wrote: > Hi > > A little bit off topic but... > > I understand the benefits of diskless operations - but are floppies/stiffies > such a good idea? Isn't their mtf worse than hdd? Would booting off some other > type of media (zip /cd / 120mbfloppy), configured readonly, be better? Maybe. It would cost more, though. The disk only gets used at boot, which should be only at powerfail time, right? So you read the disk a couple times a year. I wouldn't be too worried about it, especially if you aren't using it for remotely located stuff. 
David Scheidt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 7: 4:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 60D7914EFC for ; Wed, 29 Sep 1999 07:04:16 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA24527; Wed, 29 Sep 1999 07:04:16 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda24525; Wed Sep 29 07:03:58 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA31344; Wed, 29 Sep 1999 07:03:55 -0700 (PDT) Message-Id: <199909291403.HAA31344@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdr31340; Wed Sep 29 07:03:02 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: Mark Newton Cc: scott@computeralt.com (Scott I. Remick), freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war In-reply-to: Your message of "Tue, 28 Sep 1999 09:42:01 +0930." <199909280012.JAA13329@atdot.dotat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 29 Sep 1999 07:03:01 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199909280012.JAA13329@atdot.dotat.org>, Mark Newton writes: > Scott I. Remick wrote: > > > Any advice to a small-time network admin for a small (32 employees) compan > y > > that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a > > firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for > > FreeBSD/ipfw instead. 
> > Go in after work one night and install FreeBSD. Once your firewall > is a fait accomplis, inertia will help you get your way. Remember the old axiom: It's easier to get forgiveness than it is to get permission. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 7:36:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.xmission.com (mail.xmission.com [198.60.22.22]) by hub.freebsd.org (Postfix) with ESMTP id DDE4A1511F for ; Wed, 29 Sep 1999 07:35:53 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from [204.68.178.39] (helo=softweyr.com) by mail.xmission.com with esmtp (Exim 2.12 #2) id 11WKpj-0002uS-00; Wed, 29 Sep 1999 08:35:52 -0600 Message-ID: <37F223CA.CB690B82@softweyr.com> Date: Wed, 29 Sep 1999 08:35:54 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Rudi Opperman Cc: Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war References: <000F7337.C21325@dtt.co.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Rudi Opperman wrote: > > I understand the benefits of diskless operations - but are floppies/stiffies > such a good idea? Isn't their mtf worse than hdd? Would booting off some other > type of media (zip /cd / 120mbfloppy), configured readonly, be better? Yes. FreeBSD, and consquently picoBSD, now support booting from Disk-On-Chip flash disks, which have very long mttf, especially if you don't write to them very often. 
Flash capabilities up to 40 MBytes are supported, but flash gets expensive really fast. 2 and 4 MByte solutions seem ideal for booting picoBSD and providing storage for a few configuration files. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 7:39:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 47065151A2 for ; Wed, 29 Sep 1999 07:38:59 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA19248; Wed, 29 Sep 1999 10:38:53 -0400 (EDT) (envelope-from wollman) Date: Wed, 29 Sep 1999 10:38:53 -0400 (EDT) From: Garrett Wollman Message-Id: <199909291438.KAA19248@khavrinen.lcs.mit.edu> To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@FreeBSD.ORG Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] In-Reply-To: <199909291352.GAA31310@cwsys.cwsent.com> References: <199909291352.GAA31310@cwsys.cwsent.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is > also "vulnerable" to bind(2) following synlinks during UNIX Domain > Socket creation. My question is: Is this an application bug, e.g. not > checking for a symlink prior to creating the socket, or would this be > an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX > Domain Sockets? Checking for the existence of a symbolic link would simply be a race condition. It is an application bug in that temporary files created by applications should always reside in a newly-created directory which is owned by the appropriate user and mode 700. -GAWollman -- Garrett A. 
Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 11:53:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from hungry.spb.cityline.ru (hungry.spb.cityline.ru [212.46.192.3]) by hub.freebsd.org (Postfix) with ESMTP id EC8E41590F for ; Wed, 29 Sep 1999 11:52:57 -0700 (PDT) (envelope-from lev@imc.macro.ru) Received: from lev.sereb.net (ip-772.dialup.cl.spb.ru [212.46.197.58]) by hungry.spb.cityline.ru (8.8.8/8.8/CL) with ESMTP id WAA20826 for ; Wed, 29 Sep 1999 22:50:43 +0400 (MSD) Date: Wed, 29 Sep 1999 22:51:28 +0300 From: Lev Serebryakov X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091 Reply-To: Lev Serebryakov X-Priority: 3 (Normal) Message-ID: <18952.990929@imc.macro.ru> To: freebsd-security@FreeBSD.ORG Subject: Filesystem with ACLs Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, All! Is here some FS with ACLs (NT or Novell Netware-like) for FreeBSD or some project to add ACLs to FFS? 
Lev Serebryakov, 2:5030/661.0

Wed, 29 Sep 1999 20:56:20 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA38150; Wed, 29 Sep 1999 21:56:19 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA08428; Wed, 29 Sep 1999 21:56:21 -0600 (MDT) Message-Id: <199909300356.VAA08428@harmony.village.org> To: Garrett Wollman Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 29 Sep 1999 10:38:53 EDT." <199909291438.KAA19248@khavrinen.lcs.mit.edu> References: <199909291438.KAA19248@khavrinen.lcs.mit.edu> <199909291352.GAA31310@cwsys.cwsent.com> Date: Wed, 29 Sep 1999 21:56:21 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett Wollman writes:
: It is an application bug in that temporary files created by
: applications should always reside in a newly-created directory which
: is owned by the appropriate user and mode 700.

Having looked into this more deeply, I agree this is an ssh bug. It needs to verify that /tmp/ssh-user exists, is a directory, and is owned by user *BEFORE* trying to bind. Hacking the kernel to not follow symbolic links isn't the best solution here (commits to -current notwithstanding). It already creates the directory if it doesn't exist... I'll have to look at the ssh code to see what a proper fix is.
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 29 21: 0:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from Hydro.CAM.ORG (Hydro.CAM.ORG [198.168.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 18814151A9 for ; Wed, 29 Sep 1999 21:00:09 -0700 (PDT) (envelope-from Philippe.Guezou@wanadoo.fr) Received: from sauron.tolkien.cam.org (root@gw-tolkien.TOLKIEN.CAM.ORG [204.19.190.41]) by Hydro.CAM.ORG (8.8.8/8.8.4) with ESMTP id XAA02682; Wed, 29 Sep 1999 23:59:49 -0400 (EDT) From: Philippe.Guezou@wanadoo.fr Received: from uruck (BRennes-1-1-127.abo.wanadoo.fr [193.250.16.127]) by sauron.tolkien.cam.org (8.8.8/8.8.8) with SMTP id XAA28935; Wed, 29 Sep 1999 23:41:40 -0400 (EDT) (envelope-from Philippe.Guezou@wanadoo.fr) Message-Id: <3.0.5.32.19990930061015.007ded30@pop.wanadoo.fr> X-Sender: Philippe.Guezou@pop.wanadoo.fr X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 30 Sep 1999 06:10:15 +0200 To: The Mad Scientist , freebsd-security@FreeBSD.ORG Subject: Re: Syslog over serial (Was: Re: Help me win the MS-Proxy/ipfw war) In-Reply-To: <4.1.19990928190928.0097cf00@mail.thegrid.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 19:15 28/09/99 -0700, The Mad Scientist wrote:
>
>I've always seen this as the "recommended" way to do things. How do you
>set logging over serial lines up? Do I log to something like /dev/cuaa1?
>What do i set up on the other side?

quite simply.. just establish a p-t-p IP connection.. through /dev/lp0 for example. use a reserved ip for this.. something like:

    ifconfig lp0 inet 192.168.0.10 192.168.0.11 netmask 255.255.255.0

(other interfaces could have a normal IP .. or another reserved ip, it doesn't matter.. if possible, use a completely different reserved class for such things.. ie, if your ether/atm/fddi interface is using 192.168.x.x, well, use 10.x.x.x for this.. just to really hide this ptp interface)

then, in your syslog.conf, use something like this:

    *.emerg;*.alert;*.err;*.notice;auth.*		@192.168.0.11

>TIA,
>Dean

hope this helps.

Philippe.

Guezou Philippe                        http://www.tolkien.cam.org/~fifi
Network. System. Admin.                email: fifi@tolkien.cam.org fifi@cam.org
Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 29 21: 1:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 455E715643 for ; Wed, 29 Sep 1999 21:01:49 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA38173; Wed, 29 Sep 1999 22:01:48 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA08495; Wed, 29 Sep 1999 22:01:49 -0600 (MDT) Message-Id: <199909300401.WAA08495@harmony.village.org> To: Cy Schubert - ITSD Open Systems Group Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 29 Sep 1999 06:52:24 PDT."
<199909291352.GAA31310@cwsys.cwsent.com> References: <199909291352.GAA31310@cwsys.cwsent.com> Date: Wed, 29 Sep 1999 22:01:49 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
: also "vulnerable" to bind(2) following symlinks during UNIX Domain
: Socket creation. My question is: Is this an application bug, e.g. not
: checking for a symlink prior to creating the socket, or would this be
: an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
: Domain Sockets?

FreeBSD should follow symlinks. In fact in the base system we have /dev/log which points to /var/run/log.

ssh really needs to be more careful about creating secure unix domain sockets. I believe the right algorithm is

    if (mkdir("/tmp/ssh-user", 0700)) {
        if (errno == EEXIST) {
            fd = open("/tmp/ssh-user",O_READ);
            if (fd == -1)
                punt!
            if (fchown(fd, user))
                punt!
            if (fchmod(fd, 0700))
                punt!
    }
    bind("/tmp/ssh-user/socket");

Anything else is asking for trouble...

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 29 21:31: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id DAA7D1504E for ; Wed, 29 Sep 1999 21:30:33 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id VAA22377; Wed, 29 Sep 1999 21:30:07 -0700 (PDT) (envelope-from freebsd) From: "Rodney W.
Grimes" Message-Id: <199909300430.VAA22377@gndrsh.dnsmgr.net> Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] In-Reply-To: <199909300401.WAA08495@harmony.village.org> from Warner Losh at "Sep 29, 1999 10:01:49 pm" To: imp@village.org (Warner Losh) Date: Wed, 29 Sep 1999 21:30:06 -0700 (PDT) Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
> : Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
> : also "vulnerable" to bind(2) following symlinks during UNIX Domain
> : Socket creation. My question is: Is this an application bug, e.g. not
> : checking for a symlink prior to creating the socket, or would this be
> : an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
> : Domain Sockets?
>
> FreeBSD should follow symlinks. In fact in the base system we have
> /dev/log which points to /var/run/log.
>
> ssh really needs to be more careful about creating secure unix domain
> sockets. I believe the right algorithm is
>
>     if (mkdir("/tmp/ssh-user", 0700)) {
>         if (errno == EEXIST) {
>             fd = open("/tmp/ssh-user",O_READ);
>             if (fd == -1)
>                 punt!
>             if (fchown(fd, user))
>                 punt!
>             if (fchmod(fd, 0700))
>                 punt!
          } else {
              punt!
          }
>     }
>     bind("/tmp/ssh-user/socket");
>
> Anything else is asking for trouble...

I had to stare at that code for a while to find out what my brain was telling me, I knew something wasn't parsing correctly, wanted to add an else to it, then found the missing }, then found where I wanted the extra else....
-- Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 29 21:48: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id B543A14CA8 for ; Wed, 29 Sep 1999 21:47:54 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA38272; Wed, 29 Sep 1999 22:47:53 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA08778; Wed, 29 Sep 1999 22:47:55 -0600 (MDT) Message-Id: <199909300447.WAA08778@harmony.village.org> To: "Rodney W. Grimes" Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 29 Sep 1999 21:30:06 PDT." <199909300430.VAA22377@gndrsh.dnsmgr.net> References: <199909300430.VAA22377@gndrsh.dnsmgr.net> Date: Wed, 29 Sep 1999 22:47:55 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199909300430.VAA22377@gndrsh.dnsmgr.net> "Rodney W. Grimes" writes: : I had to stare at that code for a while to find out what my brain : was telling me, I knew something wasn't parsing correctly, wanted : to add an else to it, then found the missing }, then found where : I wanted the extra else.... I stand corrected. You're right. I forgot to include it... 
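Warner's algorithm, with Rod's missing brace and else in place, worked through as an added C example (not code from the thread or from ssh itself): the directory is checked with fstat(2) on an open descriptor and the socket is bound by relative name after fchdir(2), so the path is never re-resolved between check and use, and a symlink planted where the directory should be is refused via O_NOFOLLOW rather than followed. The function names, the getuid() owner and the constructed /tmp path used by self_test are the example's own assumptions.

```c
#define _GNU_SOURCE 1                 /* O_DIRECTORY/O_NOFOLLOW under strict -std */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open `dir` (mkdir 0700 if absent) and verify, on the open descriptor, that it
 * is a real directory owned by `owner`; group/other bits are stripped with
 * fchmod() as in the quoted algorithm. Returns the descriptor, or -1. */
int open_private_dir(const char *dir, uid_t owner)
{
    struct stat st;
    int dfd, saved;

    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;                    /* ELOOP: a symlink was planted at dir */
    errno = EPERM;                    /* reported when a check below fails */
    if (fstat(dfd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0 && fchmod(dfd, 0700) < 0)) {
        saved = errno;
        close(dfd);
        errno = saved;
        return -1;
    }
    return dfd;
}

/* Bind socket `name` inside the verified directory. bind(2) has no *at() form,
 * so the process fchdir()s to the directory descriptor, binds a relative name
 * and returns to its old cwd; the path is never re-resolved after the check. */
int bind_private_socket(const char *dir, const char *name, uid_t owner)
{
    struct sockaddr_un sun;
    int dfd, cwd, fd = -1, saved;

    if (strchr(name, '/') != NULL || strlen(name) >= sizeof sun.sun_path) {
        errno = EINVAL;
        return -1;
    }
    if ((dfd = open_private_dir(dir, owner)) < 0)
        return -1;
    if ((cwd = open(".", O_RDONLY | O_DIRECTORY)) >= 0 && fchdir(dfd) == 0) {
        memset(&sun, 0, sizeof sun);
        sun.sun_family = AF_UNIX;
        strcpy(sun.sun_path, name);   /* length checked above */
        if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0 &&
            bind(fd, (struct sockaddr *)&sun, sizeof sun) < 0) {
            close(fd);
            fd = -1;
        }
        saved = errno;
        (void)fchdir(cwd);            /* back where we started */
        errno = saved;
    }
    if (cwd >= 0)
        close(cwd);
    close(dfd);
    return fd;                        /* bound socket, or -1 */
}

/* Exercise both functions on constructed paths under `base` (test fixture, not
 * from the thread). Returns 0 when every step behaves, else the failing step. */
int self_test(const char *base)
{
    char link[512], sock[512];
    struct stat st;
    int fd, rc = 0;

    snprintf(link, sizeof link, "%s-link", base);
    snprintf(sock, sizeof sock, "%s/socket", base);
    unlink(link); unlink(sock); rmdir(base);          /* start clean */
    /* Step 1: an existing 0755 directory we own is accepted but tightened. */
    if (mkdir(base, 0755) < 0)
        return 1;
    if ((fd = bind_private_socket(base, "socket", getuid())) < 0)
        rc = 2;
    else
        close(fd);
    if (rc == 0 && (stat(base, &st) < 0 || (st.st_mode & 0777) != 0700))
        rc = 3;
    if (rc == 0 && (stat(sock, &st) < 0 || !S_ISSOCK(st.st_mode)))
        rc = 4;
    /* Step 2: a symlink in place of the directory (the bindlinktest case). */
    if (rc == 0 && (symlink(base, link) < 0 ||
                    open_private_dir(link, getuid()) != -1))
        rc = 5;
    unlink(link); unlink(sock); rmdir(base);          /* clean up */
    return rc;
}

int main(void) { return self_test("/tmp/privsock-example"); }   /* 0 = ok */
```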
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 29 22:13:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 5FFBA14DCF for ; Wed, 29 Sep 1999 22:13:09 -0700 (PDT) (envelope-from ilmar@ints.ru) Received: (from uucp@localhost) by ints.ru (8.9.2/8.9.2) id JAA26880; Thu, 30 Sep 1999 09:13:08 +0400 (MSD) Received: from ws-ilmar.ints.ru(194.67.173.16) via SMTP by ints.ru, id smtpdY26878; Thu Sep 30 09:13:01 1999 Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.3/8.9.1) with ESMTP id JAA42674; Thu, 30 Sep 1999 09:12:59 +0400 (MSD) Date: Thu, 30 Sep 1999 09:12:58 +0400 (MSD) From: "Ilmar S. Habibulin" To: Lev Serebryakov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Filesystem with ACLs In-Reply-To: <18952.990929@imc.macro.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 29 Sep 1999, Lev Serebryakov wrote:

> Is there some FS with ACLs (NT or Novell Netware-like) for FreeBSD or
> some project to add ACLs to FFS?

There is no acl implementation right now as far as I know. But there is a project to implement posix.1e under FreeBSD, which includes ACL support. Look at the FreeBSD hardening project http://www.watson.org/fbsd-hardening/ for more info.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 30 4: 4:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from freja.webgiro.com (freja.webgiro.com [212.209.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 32DCB159BB for ; Thu, 30 Sep 1999 04:04:45 -0700 (PDT) (envelope-from abial@webgiro.com) Received: by freja.webgiro.com (Postfix, from userid 1001) id 068A11925; Thu, 30 Sep 1999 13:04:49 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by freja.webgiro.com (Postfix) with ESMTP id 023A049D8 for ; Thu, 30 Sep 1999 13:04:48 +0200 (CEST) Date: Thu, 30 Sep 1999 13:04:48 +0200 (CEST) From: Andrzej Bialecki To: security@freebsd.org Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] (fwd) Message-ID: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY=-----_NextPart_10190 Content-ID: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. -------_NextPart_10190 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: Hi, Seen on Bugtraq... The other postings mention FreeBSD 3.3 as vulnerable. Andrzej Bialecki // WebGiro AB, Sweden (http://www.webgiro.com) // ------------------------------------------------------------------- // ------ FreeBSD: The Power to Serve. 
http://www.freebsd.org -------- // --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ---- ---------- Forwarded message ---------- Date: Mon, 27 Sep 1999 11:35:44 -0400 From: Dan Astoorian To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

I'm surprised that nothing further has been reported to Bugtraq about this, but the problem appears to be that under Linux, a bind() to a Unix-domain socket will follow a dangling symlink, whereas most other Unixes appear to return an EADDRINUSE error.

I leave it to the standards lawyers to determine whether the failing is in the operating system for allowing the bind() to succeed, or in SSH for not testing whether the link exists. My vote goes to the OS being at fault, since it's easy enough for it to avoid following the link (and no real practical reason why it *should* follow the link).

A trivial demo program that demonstrates the problem is attached. (It needs no special privileges; run it as an unprivileged user in any writable directory.) The program reports "okay" under Solaris 2.5.1 and IRIX 6.5.2, "vulnerable" under RedHat 6.

-- Dan Astoorian, Sysadmin, CS Lab, djast@cs.toronto.edu

"People shouldn't think that it's better to have loved and lost than never loved at all. It's not, it's better to have loved and won. All the other options really suck."
--Dan Redican

-------_NextPart_10190 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: Content-Description:

    /* bindlinktest.c: does bind() on a Unix-domain socket follow a dangling
     * symlink?  (The header names were lost in the archived copy of this
     * attachment; the ones below are what the calls used here require.) */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/un.h>
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define FPATH "./bindlinktest"   /* link target; deliberately never created */
    #define LPATH "./bindlinktest0"  /* the dangling symlink we bind() through */

    int main(int argc, char **argv)
    {
        int fd;
        struct sockaddr_un sunaddr;

        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0) {
            perror("socket");
            exit(1);
        }
        /* Make sure the target does not exist, then plant the dangling link. */
        unlink(FPATH);
        if (symlink(FPATH, LPATH) < 0) {
            perror("symlink");
            exit(1);
        }
        memset(&sunaddr, 0, sizeof(sunaddr));
        sunaddr.sun_family = AF_UNIX;
        strncpy(sunaddr.sun_path, LPATH, sizeof(sunaddr.sun_path));
        /* A bind() that follows the link creates the socket at FPATH instead
         * of failing; that is the behaviour ssh's /tmp handling relied on
         * never happening. */
        if (bind(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
            if (errno == EADDRINUSE) {
                printf("bind() returned EADDRINUSE; this system appears to be okay.\n");
            } else {
                perror("bind");
            }
        } else {
            printf("bind() succeeded; this system appears to be vulnerable.\n");
        }
        close(fd);
        unlink(FPATH);
        unlink(LPATH);
        exit(0);
    }

-------_NextPart_10190-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 30 7:58:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 51B4A150CF for ; Thu, 30 Sep 1999 07:58:35 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA30957; Thu, 30 Sep 1999 07:58:35 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda30955; Thu Sep 30 07:58:15 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA94132; Thu, 30 Sep 1999 07:58:13 -0700 (PDT) Message-Id: <199909301458.HAA94132@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdJ94128; Thu Sep 30 07:57:43 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy
Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: Warner Losh Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] In-reply-to: Your message of "Wed, 29 Sep 1999 21:56:21 MDT." <199909300356.VAA08428@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Sep 1999 07:57:42 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thread from freebsd-security.

In message <199909300356.VAA08428@harmony.village.org>, Warner Losh writes:
> In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett
> Wollman writes:
> : It is an application bug in that temporary files created by
> : applications should always reside in a newly-created directory which
> : is owned by the appropriate user and mode 700.
>
> Having looked into this more deeply, I agree this is an ssh bug. It
> needs to verify that /tmp/ssh-user exists, is a directory, and is
> owned by user *BEFORE* trying to bind. Hacking the kernel to not
> follow symbolic links isn't the best solution here (commits to
> -current notwithstanding). It already creates the directory if it
> doesn't exist... I'll have to look at the ssh code to see what a
> proper fix is.

It's interesting to note the difference in philosophy between FreeBSD and Linux. Where FreeBSD is concerned with correctness and IMO doing the right thing, Linux is concerned with hacking something together that works. Hence the differences in rate of development and adherence to standards.

It's been reported on BUGTRAQ that Linux will have a hack in their next kernel to "fix" this SSH bug. They've also announced that they won't be following symlinks on mknod(2) either. From a security standpoint this looks like it makes sense. (When I put my security administrator's hat on I don't care what I break.)

Before we go headlong into this, what are the ramifications, e.g.
standards, etc. of doing this? (When I put my manager's hat on I need to think about the functional and business ramifications). Maybe what we need to do, after much discussion, is to create a sysctl flag or a per user control in login.conf to disable following symlinks when creating sockets, device nodes, and maybe even files, e.g. one bit in the control byte to control each of these. Then have it default one way or the other, depending on what the FreeBSD community and ultimately core wants. Then there's the people factor. Giving the average administrator the option can lead to disaster. Then again all of this could be overkill of a very simple problem with a very simple solution. In short I think we need to think about this and discuss it a little more before jumping to any conclusions. Any thoughts? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 30 9:43:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from phoenix.calderasystems.com (phoenix.calderasystems.com [207.179.18.7]) by hub.freebsd.org (Postfix) with ESMTP id B029715A65 for ; Thu, 30 Sep 1999 09:42:53 -0700 (PDT) (envelope-from drdavis@calderasystems.com) Received: from calderasystems.com (drdavis@buddha.calderasystems.com [207.179.18.42]) by phoenix.calderasystems.com (8.8.7/8.8.7) with ESMTP id KAA22780 for ; Thu, 30 Sep 1999 10:42:49 -0600 Message-ID: <37F393A0.14768E61@calderasystems.com> Date: Thu, 30 Sep 1999 10:45:20 -0600 From: "Darren R. 
Davis" X-Mailer: Mozilla 4.61C-CCK-MCD Caldera Systems OpenLinux [en] (X11; U; Linux 2.2.10 i686) X-Accept-Language: en MIME-Version: 1.0 Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war References: <000F7337.C21325@dtt.co.za> Content-Type: multipart/mixed; boundary="------------36D628A9BFFCC9C532D7ED25" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. --------------36D628A9BFFCC9C532D7ED25 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

To continue the off topic... I built up a firewall using an old Toshiba Notebook; I pulled out the hard drive and replaced it with a Sandisk Flash drive (http://www.sandisk.com/oem/1.8drive.htm). I used two 3c589 PCCards and FreeBSD. It should last for a long time. My next goal is to set it up with PicoBSD.

Darren

Rudi Opperman wrote:
> Hi
>
> A little bit off topic but...
>
> I understand the benefits of diskless operations - but are floppies/stiffies
> such a good idea? Isn't their mtf worse than hdd? Would booting off some other
> type of media (zip /cd / 120mbfloppy), configured readonly, be better?
>
> bye
> rudi
>
> > I wouldn't run a diskless firewall unless I had provisions for remote
> > logging. And in any case, disks are so cheap nowadays - the added
> > flexibility is well worth the added cost.
>
> I sell PicoBSD-based NAT systems for mostly home/SOHO DSL/cablemodem
> users. The benefit of no hard drive is there's no hard drive to fail, and
> even the floppy only has to work at boot time. Makes the units much
> quieter too.
> > - Mike > > > > > > ------------------------------------------------------------------------ > Received: from internat.freebsd.org ([146.64.8.4]) by mailgate.dtt.co.za with > SMTP > (IMA Internet Exchange 3.13) id 000F65D8; Wed, 29 Sep 1999 02:57:53 +0200 > Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) > by internat.freebsd.org (8.9.3/8.9.3) with ESMTP id DAA13697; > Wed, 29 Sep 1999 03:01:20 +0200 (SAST) > (envelope-from owner-freebsd-security@FreeBSD.ORG) > Received: by hub.freebsd.org (Postfix, from userid 538) > id EAD0C1582B; Tue, 28 Sep 1999 18:00:29 -0700 (PDT) > Received: from localhost (localhost [127.0.0.1]) > by hub.freebsd.org (Postfix) with SMTP > id ADF291CD474; Tue, 28 Sep 1999 18:00:29 -0700 (PDT) > (envelope-from owner-freebsd-security) > Received: by hub.freebsd.org (bulk_mailer v1.12); Tue, 28 Sep 1999 18:00:29 > -0700 > Delivered-To: freebsd-security@freebsd.org > Received: from phluffy.fks.bt (mail.amc-inc.com [156.46.122.130]) > by hub.freebsd.org (Postfix) with ESMTP id B0AD315838 > for ; Tue, 28 Sep 1999 18:00:17 -0700 (PDT) > (envelope-from myke@ees.com) > Received: from localhost (myke@localhost) > by phluffy.fks.bt (8.8.8/8.8.8) with ESMTP id MAA00721; > Tue, 28 Sep 1999 12:45:13 -0500 (CDT) > (envelope-from myke@ees.com) > X-Authentication-Warning: phluffy.fks.bt: myke owned process doing -bs > Date: Tue, 28 Sep 1999 12:45:12 -0500 (CDT) > From: Mike Holling > X-Sender: myke@phluffy.fks.bt > To: Dag-Erling Smorgrav > Cc: "f.johan.beisser" , > "Scott I. Remick" , > freebsd-security@FreeBSD.ORG > Subject: Re: Help me win the MS-Proxy/ipfw war > In-Reply-To: > Message-ID: > MIME-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Sender: owner-freebsd-security@FreeBSD.ORG > X-Loop: FreeBSD.org > Precedence: bulk --------------36D628A9BFFCC9C532D7ED25 Content-Type: text/x-vcard; charset=us-ascii; name="drdavis.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Darren R. 
Davis Content-Disposition: attachment; filename="drdavis.vcf" --------------36D628A9BFFCC9C532D7ED25-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 30 9:50:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from mocha.baileylink.net (mocha.baileylink.net [63.71.213.4]) by hub.freebsd.org (Postfix) with ESMTP id 28A5E155E9 for ; Thu, 30 Sep 1999 09:50:08 -0700 (PDT) (envelope-from brad@baileylink.net) Received: from togo (dhcp51.javabit.com [63.71.213.51]) by mocha.baileylink.net (Netscape Mail Server v2.02) with SMTP id AAA5876; Thu, 30 Sep 1999 11:48:56 -0500 From: brad@baileylink.net To: "f.johan.beisser" Cc: Subject: ssh on picoBSD (was RE: Help me win the MS-Proxy/ipfw war) Date: Thu, 30 Sep 1999 11:42:20 -0500 Message-ID: <000701bf0b62$c3a16ca0$33d5473f@togo.javabit.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Sorry if this is severely off topic, but I use sshd without ssh but with an scp binary on a linux router project box. The lrp package is 160K but you can save 46k (compressed) by removing the ssh-keygen. I then use port forwarding to send tcp/22 traffic to a machine that runs sshd (a shell server). This works like a charm.
I can ssh and scp to the router from my private network (but not from the router to anywhere). I hope that this spurs some ideas for you.

BMG

-----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of f.johan.beisser Sent: Tuesday, September 28, 1999 5:30 PM To: Dag-Erling Smorgrav Cc: Scott I. Remick; freebsd-security@FreeBSD.ORG Subject: Re: Help me win the MS-Proxy/ipfw war

Funny that.. the software provides a syslogd, and it can be configured for off machine logging (and, yes, it can run it through a serial port to a machine too..).. Right now, though, my only complaint is that there isn't a picobsd ssh client that'll fit on the floppy as well. Give it time though, and I think someone with the programming expertise to do this will..

The design for this is more oriented for home use, on your DSL link. It would sit between the DSL router and your LAN. This is rather flexible, and yes, if you really wanted to have the disk, you could do it that way too. The kernel can support a HD/cdrom. I've just chosen to remove that part, because all I really want is a simple, diskless, low cost FW/NAT box. Logging can take place on a loghost, behind the firewall.
-- jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 30 12:22:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4015715A12 for ; Thu, 30 Sep 1999 12:22:05 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id PAA21253; Thu, 30 Sep 1999 15:21:47 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Thu, 30 Sep 1999 15:21:47 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Lev Serebryakov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Filesystem with ACLs In-Reply-To: <18952.990929@imc.macro.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 29 Sep 1999, Lev Serebryakov wrote: > Hi, All! > > Is here some FS with ACLs (NT or Novell Netware-like) for FreeBSD or > some project to add ACLs to FFS? Over the past couple of years, a number of people have expressed interest in an ACLfs, but the big sticking point has been the way to implement it. The easiest way to implement would be via a file system layer--i.e., rather than modifying FFS itself, have a layer that you slap on top that adds ACLs to an existing FFS file system. However, the layering code is at present broken in FreeBSD, so before a layer like that could be developed, we'd have to wait for layering to be fixed :-). The other alternatives considered include modifying FFS at a disk block level to add space for ACLs, bind them to directories and/or files. 
This means modifying the FFS code, the file system checker, etc, and that would be fairly painful, and probably less likely to be integrated into the base OS because of the changes. Another alternative is to follow the model of the Quota people--store ACL information in a file in the root directory of the FS, and dump changes out to that file as required.

None of these is ideal--the quota and layer mechanisms due to the lack of underlying support, and also because of the consistency issue--ACLs are important when it comes to maintaining consistent versions of meta-data on disk for a file. The modification of FFS introduces significant complications also. If I had to implement ACLfs today, I'd probably do it the quota approach, even though I think that's an ugly solution, as it would be easiest to implement.

Anyone who lives in FS-land have any news about when/whether layering will work again someday? :-) I saw a sequence of posts on freebsd-fs a while back discussing fixes to the infrastructure for locking and aliasing, but I'm really not up on that stuff.

As to the semantics of ACLs--Posix.1e defines a set of semantics and utilities for managing ACLs. My personal feeling is that they are overly complex and not all that intuitive (they are the same, for reference, as Solaris ACLs). I prefer the Coda/AFS model of having ACLs on directories, and having only limited permissions on files. While this would be messy for a lot of existing UNIX utilities/directories, and messes up hard links, it provides a really simple and intuitive approach to ACL management. At first I found it constraining, but in the end it encouraged me to manage my directory structure better :-). And it was certainly easier to manage 90 sets of directory permissions than over 4000 sets of file permissions.
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 1 0:47: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from hera.ik.bme.hu (hera.ik.bme.hu [152.66.243.132]) by hub.freebsd.org (Postfix) with ESMTP id 168CA15086 for ; Fri, 1 Oct 1999 00:45:29 -0700 (PDT) (envelope-from mohacsi@hera.ik.bme.hu) Received: from localhost (mohacsi@localhost) by hera.ik.bme.hu (8.9.3/8.9.3) with ESMTP id JAA27924 for ; Fri, 1 Oct 1999 09:45:27 +0200 (MET DST) Date: Fri, 1 Oct 1999 09:45:27 +0200 (MET DST) From: Mohacsi Janos To: freebsd-security@freebsd.org Subject: Re: Filesystem with ACLs In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 30 Sep 1999, Robert Watson wrote: > Over the past couple of years, a number of people have expressed interest > in an ACLfs, but the big sticking point has been the way to implement it. > The easiest way to implement would be via a file system layer--i.e., > rather than modifying FFS itself, have a layer that you slap on top that > adds ACLs to an existing FFS file system. However, the layering code is > at present broken in FreeBSD, so before a layer like that could be > developed, we'd have to wait for layering to be fixed :-). What part of the layering is broken? (e.g. unionfs?) I am interested in fixing it. 
Janos Mohacsi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 1 16:28:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.tepucom.nl (mail.tepucom.nl [195.81.12.5]) by hub.freebsd.org (Postfix) with ESMTP id 5D10915006 for ; Fri, 1 Oct 1999 16:28:53 -0700 (PDT) (envelope-from theo@tepucom.nl) Received: from administratie (administratie.tepucom.nl [192.168.1.20]) by mail.tepucom.nl (8.9.3/8.9.3) with SMTP id BAA31481 for ; Sat, 2 Oct 1999 01:27:32 +0200 (CEST) (envelope-from theo@tepucom.nl) Received: by localhost with Microsoft MAPI; Sat, 2 Oct 1999 01:20:18 +0200 Message-ID: <01BF0C74.49C91DC0.theo@tepucom.nl> From: "Theo Purmer (Tepucom)" To: "freebsd-security@FreeBSD.ORG" Subject: ipsec port Date: Sat, 2 Oct 1999 01:20:17 +0200 X-Mailer: Microsoft Internet-e-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi all does somebody know where to get a ipsec port for freebsd 3.2 (i dont get skip running so im gonna try something else) thanks theo purmer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 1 17:40:23 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 336B314C8F; Fri, 1 Oct 1999 17:40:22 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 2723B1CD479; Fri, 1 Oct 1999 17:40:22 -0700 (PDT) (envelope-from kris@hub.freebsd.org) Date: Fri, 1 Oct 1999 17:40:22 -0700 (PDT) From: Kris Kennaway To: "Theo Purmer (Tepucom)" Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: ipsec port In-Reply-To: <01BF0C74.49C91DC0.theo@tepucom.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; 
charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 2 Oct 1999, Theo Purmer (Tepucom) wrote: > does somebody know where to get a ipsec > port for freebsd 3.2 Check the archives - this comes up regularly. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 2 8:46:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id D02B214D6E for ; Sat, 2 Oct 1999 08:46:31 -0700 (PDT) (envelope-from fbsd-security@ursine.com) Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.3) with ESMTP id IAA15960 for ; Sat, 2 Oct 1999 08:46:33 -0700 (PDT) Message-ID: <199910020846310710.17F35F81@quaggy.ursine.com> In-Reply-To: <199909300401.WAA08495@harmony.village.org> References: <199909291352.GAA31310@cwsys.cwsent.com> <199909300401.WAA08495@harmony.village.org> X-Mailer: Calypso Version 3.00.00.13 (2) Date: Sat, 02 Oct 1999 08:46:31 -0700 From: "Michael Bryan" To: freebsd-security@FreeBSD.ORG Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 9/29/99 at 10:01 PM Warner Losh wrote: > >FreeBSD should follow symlinks. In fact in the base system we have >/dev/log which points to /var/run/log. Would it make sense to have the following behaviour when bind() encounters a symlink? 1) If a symlink exists and points to a valid Unix-domain socket, go ahead and follow the link. 2) If a symlink points to something other than a valid Unix-domain socket, including a filename that does not yet exist, then do not follow the symlink, and return an appropriate error. This still allows /dev/log -> /var/run/log to work, but prevents abuse in cases of poor code like in ssh. 
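Warner's point earlier in this thread (that ssh should verify /tmp/ssh-user exists, is a directory and is owned by the user before it binds) is the application-side fix for the dangling-symlink bind() behaviour Dan Astoorian's test program demonstrates, and it works whether or not the kernel adopts the semantics Michael proposes above. The following is an added example written for this archive, not code from the thread, from ssh or from FreeBSD: it creates a private socket directory, verifies it with lstat() so that a symlink planted at the path (dangling or not) is refused regardless of how bind() treats links, and only then binds. The directory name ssh-user, the scratch area under /tmp and the socket name agent.sock are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create (or reuse) a per-user socket directory and verify it before trusting
 * it.  lstat() is used deliberately: it does not follow symlinks, so a link
 * planted at this path by another user, dangling or not, is refused no matter
 * how the kernel's bind() treats symlinks.  Returns 0 if safe, -1 otherwise. */
int ensure_private_dir(const char *dir, uid_t uid)
{
    struct stat st;

    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    if (lstat(dir, &st) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode))                 /* symlink or plain file */
        return -1;
    if (st.st_uid != uid)                     /* pre-created by someone else */
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))     /* others could plant links */
        return -1;
    return 0;
}

/* Bind a Unix-domain socket at dir/name, but only after the directory checks
 * out.  Returns the socket descriptor, or -1 with errno set. */
int bind_private_socket(const char *dir, const char *name, uid_t uid)
{
    struct sockaddr_un addr;
    int fd, saved;

    if (ensure_private_dir(dir, uid) < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (snprintf(addr.sun_path, sizeof addr.sun_path, "%s/%s", dir, name)
        >= (int)sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Demonstration in a scratch directory constructed for this example: a
 * dangling symlink planted where the daemon will create its directory must be
 * refused, and the honest case (the daemon creates the directory itself) must
 * succeed.  Returns 0 when both hold, 1 if either check fails, -1 on setup
 * error. */
int demo(void)
{
    char base[] = "/tmp/bindtest.XXXXXX";     /* assumed scratch location */
    char dir[128], victim[128], sock[128];
    int fd, rc_link, rc_dir;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(dir, sizeof dir, "%s/ssh-user", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(sock, sizeof sock, "%s/agent.sock", dir);

    if (symlink(victim, dir) < 0)             /* attacker plants the link */
        return -1;
    rc_link = ensure_private_dir(dir, getuid());      /* expected: -1 */
    unlink(dir);

    fd = bind_private_socket(dir, "agent.sock", getuid());
    rc_dir = (fd >= 0) ? 0 : -1;                      /* expected: 0 */
    if (fd >= 0) {
        close(fd);
        unlink(sock);
    }
    rmdir(dir);
    rmdir(base);
    return (rc_link == -1 && rc_dir == 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    puts(rc == 0 ? "symlink refused, real directory accepted" : "unexpected result");
    return rc != 0;
}
```

The check order matters: mkdir() with mode 0700 first, then lstat() on the result, because checking before creating leaves a window in which the link can be planted between the check and the mkdir(). Rejecting group- or world-writable directories covers the case where the directory pre-exists with the right owner but permissions that let someone else drop a link inside it.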
Michael Bryan fbsd-security@ursine.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 2 15: 2:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail-gw6.pacbell.net (mail-gw6.pacbell.net [206.13.28.41]) by hub.freebsd.org (Postfix) with ESMTP id 0758315409 for ; Sat, 2 Oct 1999 15:02:36 -0700 (PDT) (envelope-from madscientist@thegrid.net) Received: from remus (adsl-63-193-246-169.dsl.snfc21.pacbell.net [63.193.246.169]) by mail-gw6.pacbell.net (8.9.3/8.9.3) with SMTP id PAA01625 for ; Sat, 2 Oct 1999 15:02:29 -0700 (PDT) Message-Id: <4.1.19991002145813.0094ca10@mail.thegrid.net> X-Sender: i289861@mail.thegrid.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Sat, 02 Oct 1999 15:02:37 -0700 To: freebsd-security@freebsd.org From: The Mad Scientist Subject: Re: Syslog over serial In-Reply-To: <3.0.5.32.19990930061015.007ded30@pop.wanadoo.fr> References: <4.1.19990928190928.0097cf00@mail.thegrid.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:10 AM 9/30/99 +0200, you wrote: >At 19:15 28/09/99 -0700, The Mad Scientist wrote: >> >>I've always seen this as the "recommended" way to do things. How do you >>set logging over serial lines up? Do I log to something like /dev/cuaa1? >>What do i set up on the other side? > >quite simply.. >just establish a p-t-p IP connection.. through /dev/lp0 for example. >use a reserved ip for this.. > >something like: > ifconfig lp0 inet 192.168.0.10 192.168.0.11 netmask 255.255.255.0 > >(others interface could have a normal IP .. or another reserved ip, it >doesn't matter.. if possible, use a completly different reserved class >for such things.. ie, if your ether/atm/fddi interface is using 192.168.x.x, >well, use 10.x.x.x for this.. 
just to really hide this ptp interface)
>
>then, in your syslog.conf, use something like this:
>
>*.emerg;*.alert;*.err;*.notice;auth.* @192.168.0.11
>
>>TIA,
>>Dean
>
>hope this helps.
>
>Philippe.

Great, thanks. What about connecting a few machines to a central logging server with this setup? Will I have to get a board for the logging server with a number of parallel ports? Can I get whatever hardware that is used to hook up multiple printers to a single machine?

Thanks for the help,
Dean

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 2 20:22:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a1-3a123.neo.rr.com [24.93.180.123]) by hub.freebsd.org (Postfix) with ESMTP id CFCB414E96 for ; Sat, 2 Oct 1999 20:22:21 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id XAA31828; Sat, 2 Oct 1999 23:22:15 -0400 Date: Sat, 2 Oct 1999 23:22:14 -0400 (EDT) From: Mike Nowlin To: The Mad Scientist Cc: freebsd-security@FreeBSD.ORG Subject: Re: Syslog over serial In-Reply-To: <4.1.19991002145813.0094ca10@mail.thegrid.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Great, thanks. What about connecting a few machines to a central logging
> server with this setup? Will I have to get a board for the logging server
> with a number of parallel ports? Can I get whatever hardware that is used
> to hook up multiple printers to a single machine?
> Thanks for the help,
> Dean

If you want to use parallel ports, it would be a neat trick to find a board with 32 ports on it...
:) If you want to use serial ports instead, (the easier way), pretty much any supported multi-serial card will work -- RocketPort and Cyclades are my preferred selections, but you can go with a cheaper model if you want. There probably won't be a whole LOT of data running through them, so speed probably isn't an issue. One of the main problems of running lots of "standard" serial or parallel ports on a machine is that you start running out of I/O ports or interrupts pretty quickly. --mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message